# Detection Coverage 875 built-in patterns across 43 buckets. Toggle individual buckets in `secret-stripper menu -> Detection Settings -> Categories`, or switch presets under `Presets`. This file is auto-generated by `just patterns-doc`. Do not edit by hand. ## Presets Detection buckets are grouped into three cumulative presets, switchable from `menu -> Detection Settings -> Presets`. Manual per-bucket toggles show as `Custom`. - **Minimal** - popular PII only: emails, phones, dates of birth, credit cards, IBANs, and IP / host addresses. Lowest noise; no credential scanning. - **Balanced** (default for new installs) - Minimal plus the developer and credential buckets (cloud, auth, payments, messaging, VCS / CI, AI, databases, crypto keys, SaaS, and more). Excludes regional government IDs, threat intel, banking, healthcare, password-hash artifacts, crypto wallets / exchanges / RPC, and other niche or high-false-positive buckets. Tuned for near-zero false positives on everyday clipboard text. - **Full** - Balanced plus every remaining bucket, including password hashes, crypto wallets / exchanges / RPC, regional government IDs, biometric, geo, gaming, IoT, ad-tech and other niche verticals. Existing installs keep Full (all buckets) until you pick a different preset. ## Severity tiers Every built-in pattern and every custom rule carries a severity tier. The tier does NOT change what gets redacted - if a secret matches, it is redacted regardless of tier. The one functional job of severity is the soft-wrap rejoin pass: when a secret is split across a line break (e.g. an API key wrapped mid-token), the scanner glues the halves back together before re-scanning. Re-joining can fabricate false matches, so only `Critical` / `High` patterns (prefix-anchored shapes like `AKIA...`, `ghp_...`, `sk_live_...`) and patterns with a checksum validator (Luhn, IBAN, passport MRZ, ...) are admitted into the rejoin pass. Format-only `Low` / `Medium` patterns are not. **Practical guidance for custom rules:** pick `critical` or `high` if your pattern is distinctive / anchored and you want it recovered even when soft-wrapped; pick `medium` / `low` for loose, format-only shapes where a cross-line rejoin would be risky. The tier never makes your rule redact more or less in the normal (single-line) case. **Tiering policy for built-ins:** `Critical` = live credential / private key (plus Luhn-checked payment cards and passport MRZ); `High` = scoped or hashed token; `Medium` = direct PII (most government IDs, emails-as-PII); `Low` = network / device identifiers. ## Buckets | Bucket | Patterns | What it covers | |---|---|---| | `legacy` | 37 | Legacy patterns preserved for backward compatibility. | | `cloud_aws` | 31 | AWS access keys, secret keys, STS session tokens, ABIA/AIDA/AROA IDs, signed URLs. | | `cloud_gcp` | 14 | GCP service-account keys, OAuth client secrets, API keys, OAuth refresh tokens. | | `cloud_azure` | 15 | Azure Storage / Service Bus / Cosmos connection strings, AAD client secrets, SAS tokens. | | `cloud_other` | 28 | Cloudflare, Heroku, DigitalOcean, Linode, Vultr, Render, Fly, and other PaaS credentials. | | `infra` | 24 | Terraform Cloud, Vault, Consul, Nomad, etcd, and other infra-tool tokens. | | `networking` | 39 | VPN preshared keys, BGP secrets, SNMP communities, RADIUS / TACACS secrets. | | `payments` | 25 | Stripe, Square, PayPal, Plaid, Adyen, Coinbase Commerce, Razorpay keys. | | `messaging` | 25 | Slack, Discord, Telegram, Twilio, SendGrid, Mailgun, Postmark tokens and webhook secrets. | | `vcs_ci` | 23 | GitHub / GitLab / Bitbucket PATs and deploy tokens, CircleCI / Travis / Jenkins / Buildkite tokens. | | `ai` | 24 | OpenAI, Anthropic, Cohere, HuggingFace, Replicate, Mistral, Perplexity API keys. | | `monitoring` | 36 | Datadog, New Relic, Sentry, PagerDuty, Honeycomb, Grafana / Loki / Tempo API keys. | | `databases` | 25 | Postgres / MySQL / MongoDB / Redis / MSSQL connection URLs, plus DBaaS API keys (Supabase, PlanetScale, Neon, Turso). | | `edge` | 13 | Cloudflare Workers, Fastly, Vercel, Netlify, Akamai, Bunny CDN API tokens. | | `crypto_keys` | 15 | PEM-encoded RSA / EC / DSA / OpenSSH / PGP private key blocks. | | `auth_tokens` | 29 | JWTs, OAuth bearer tokens, basic-auth URLs, refresh tokens, session IDs. | | `packages` | 12 | NPM, PyPI, RubyGems, Cargo (crates.io), Maven Central, NuGet publish tokens. | | `healthcare` | 6 | NHS, NPI, DEA, Medicaid IDs and other healthcare identifiers. | | `pii_contact` | 11 | Email addresses, phone numbers (E.164 with separator tolerance), full names. | | `pii_financial` | 22 | Credit / debit cards (Luhn-validated), IBAN, BIC / SWIFT, ABA routing numbers. | | `pii_govid_us` | 12 | US Social Security Number, ITIN, EIN, US passport, driver's license formats. | | `pii_govid_eu` | 26 | EU national IDs (codice fiscale, NIE, DNI, BSN, etc.), EU passport, MRZ. | | `pii_govid_intl` | 28 | International passports, MRZ formats, ABN / CPF / Aadhaar / MyKad and similar. | | `pii_geo` | 11 | Postal addresses, postal / ZIP codes, geographic coordinates. | | `pii_biometric` | 4 | Biometric identifiers, fingerprint hashes, biometric template tokens. | | `pii_network` | 19 | IPv4 (including with port), IPv6, MAC addresses, CIDR blocks, hostnames. | | `hashes` | 29 | bcrypt, scrypt, argon2, MD5, SHA, NTLM password hashes. | | `structured` | 17 | Secrets embedded in JSON values, dotenv lines, k=v shapes, YAML scalars. | | `wallets` | 29 | BTC / ETH / SOL and other wallet addresses, BIP39 seed phrases, keystore JSON. | | `exchanges` | 17 | Binance, Coinbase, Kraken, Bitfinex, KuCoin and other exchange API keys. | | `rpc_chain` | 23 | Infura, Alchemy, QuickNode, Moralis, Ankr RPC URLs and project IDs. | | `mobile` | 14 | Firebase / FCM / APNS tokens, Android / iOS platform API keys. | | `gaming` | 10 | Steam, Epic, PSN, Xbox Live, Riot Games and other gaming-platform tokens. | | `iot` | 15 | AWS IoT certs, MQTT broker credentials, device-specific provisioning keys. | | `saas_iam` | 18 | Okta, Auth0, OneLogin, Ping, Azure AD tenant secrets and management tokens. | | `saas_collab` | 11 | Notion, Linear, Jira, Asana, Trello, Confluence integration tokens. | | `saas_crm_marketing` | 20 | HubSpot, Salesforce, Mailchimp, Intercom, Segment, Customer.io keys. | | `saas_hr_finance` | 24 | Workday, BambooHR, Gusto, ADP, NetSuite, QuickBooks API tokens. | | `ad_tech` | 21 | Google Ads, Facebook Ads, AppNexus / Xandr, MoPub, Criteo API credentials. | | `banking` | 24 | Bank routing / SWIFT / IBAN composite shapes and banking-API client secrets. | | `threat_intel` | 18 | VirusTotal, AbuseIPDB, GreyNoise, MISP, AlienVault OTX API tokens. | | `industry_other` | 24 | Niche vertical APIs (logistics, hospitality, education) not covered by another bucket. | | `extra_ids` | 7 | Miscellaneous ID shapes, asset tags, and internal account formats. | ## Patterns ### `legacy` Legacy patterns preserved for backward compatibility. | Name | Severity | Regex | |---|---|---| | AWS Access Key ID | Critical | `(?i)AKIA[0-9A-Z]{16}` | | AWS Secret Access Key | Critical | `(?i)\b[A-Za-z0-9+/]{40}\b` | | GitHub Personal Access Token | Critical | `(?:ghp\|gho\|ghu\|ghs\|ghr)_[A-Za-z0-9_.]{36,600}` | | GitLab Personal Access Token | Critical | `glpat-[A-Za-z0-9\-_]{20,40}` | | GitLab Personal Access Token (routable) | Critical | `\bglpat-[0-9A-Za-z_-]{27,300}\.[0-9a-z]{2}[0-9a-z]{7}\b` | | Slack Bot Token | Critical | `xoxb-[0-9A-Za-z\-]{10,80}` | | Slack Webhook URL | Critical | `https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+` | | Generic API Key | High | `(?i)(api[_-]?key\|apikey\|api[_-]?secret\|app[_-]?secret)['"]?\s*[:=]\s*['"][A-Za-z0-9_\-]{16,64}['"]` | | Bearer Token | High | `(?i)bearer\s+[A-Za-z0-9_\-\.]{20,200}` | | Private Key Block | Critical | `(?s)-----BEGIN[A-Z0-9 ]*PRIVATE KEY(?: BLOCK)?-----.*?-----END[A-Z0-9 ]*PRIVATE KEY(?: BLOCK)?-----` | | Private Key (RSA/DSA/EC) | Critical | `-----BEGIN\s?(RSA\|DSA\|EC\|OPENSSH\|PGP)?\s?PRIVATE KEY-----` | | JWT Token | High | `eyJ[A-Za-z0-9_\-]{10,}\.[A-Za-z0-9_\-]{10,}\.[A-Za-z0-9_\-]{10,}` | | JWE Token | High | `\beyJ[A-Za-z0-9_\-]{16,}\.[A-Za-z0-9_\-]*\.[A-Za-z0-9_\-]{8,}\.[A-Za-z0-9_\-]{16,}\.[A-Za-z0-9_\-]{8,}` | | Google OAuth Client Secret | Critical | `(?i)GOCSPX-[A-Za-z0-9_\-]{20,40}` | | Heroku API Key | Critical | `(?i)heroku[A-Za-z0-9_\-]{20,40}` | | Discord Bot Token | Critical | `[A-Za-z0-9_\-]{24}\.[A-Za-z0-9_\-]{6}\.[A-Za-z0-9_\-]{27}` | | Stripe API Key | Critical | `(?:sk_live\|pk_live\|sk_test\|pk_test)_[A-Za-z0-9]{24,40}` | | Twilio API Key | High | `SK[A-Za-z0-9]{32}` | | Docker Registry Auth | High | `(?i)auth\s*=\s*[A-Za-z0-9+/=]{40,200}` | | Social Security Number | Critical | `\b\d{3}-\d{2}-\d{4}\b` | | US Passport Number | High | `(?i)\bpassports?\s*(?:no\.?\|number\|#\|:)?\s*[:#]?\s*(\d{9})\b` | | IPv4 Address | Low | `\b(?:(?:25[0-5]\|2[0-4]\d\|1?\d\d?)\.){3}(?:25[0-5]\|2[0-4]\d\|1?\d\d?)(?::\d{1,5})?\b` | | MAC Address | Low | `\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b` | | MAC Address | Low | `\b(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}\b` | | Database Connection String | Critical | `(?i)(postgres(?:ql)?\|mysql\|mongodb(?:\+srv)?\|redis\|rediss)://[A-Za-z0-9_%]+:[^@\s]+@` | | Slack Token (xapp) | Critical | `xapp-[0-9A-Za-z\-]{10,80}` | | NPM Token | Critical | `(?i)npm_[A-Za-z0-9]{36}` | | SSH Private Key inline | Critical | `-----BEGIN OPENSSH PRIVATE KEY-----` | | OpenAI API Key | Critical | `\bsk-(?:[A-Za-z0-9_-]{20,}T3BlbkFJ[A-Za-z0-9_-]{20,}\|[A-Za-z0-9]{48})\b` | | Google API Key | Critical | `AIza[0-9A-Za-z\-_]{35}` | | Google OAuth Access Token | Critical | `ya29\.[0-9A-Za-z\-_]{50,200}` | | Azure Storage Account Key | Critical | `(?i)AccountKey=[A-Za-z0-9+/=]{80,100}` | | Azure Service Principal | Critical | `(?i)AZURE_.*[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}` | | Telegram Bot Token | Critical | `\b[0-9]{8,10}:[A-Za-z0-9_-]{35,45}\b` | | Kubernetes Service Account Token | Critical | `eyJhbGciOiJSUzI1NiIsImtpZCI6[A-Za-z0-9_\-]{50,500}\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+` | | PGP Private Key Block | Critical | `-----BEGIN PGP PRIVATE KEY BLOCK-----` | | DigitalOcean Personal Access Token | Critical | `(?i)dop_v1_[0-9a-f]{40}` | ### `cloud_aws` AWS access keys, secret keys, STS session tokens, ABIA/AIDA/AROA IDs, signed URLs. | Name | Severity | Regex | |---|---|---| | AWS STS Temporary Access Key | Critical | `\bASIA[0-9A-Z]{16}\b` | | AWS STS Bearer Token Unique ID | High | `\bABIA[0-9A-Z]{16}\b` | | AWS Context-Specific Credential ID | Medium | `\bACCA[0-9A-Z]{16}\b` | | AWS IAM User Unique ID | Medium | `\bAIDA[0-9A-Z]{16}\b` | | AWS EC2 Instance Profile ID | Medium | `\bAIPA[0-9A-Z]{16}\b` | | AWS IAM Role Unique ID | Medium | `\bAROA[0-9A-Z]{16}\b` | | AWS Server Certificate ID | Medium | `\bASCA[0-9A-Z]{16}\b` | | AWS Public Key ID | Medium | `\bAPKA[0-9A-Z]{16}\b` | | AWS IAM User Group ID | Low | `\bAGPA[0-9A-Z]{16}\b` | | AWS Managed Policy ID | Low | `\bANPA[0-9A-Z]{16}\b` | | AWS Managed Policy Version ID | Low | `\bANVA[0-9A-Z]{16}\b` | | AWS IAM ARN | Medium | `arn:aws:iam::\d{12}:(?:user\|role\|group\|policy\|instance-profile)/[A-Za-z0-9+=,.@_/-]+` | | AWS STS Assumed-Role ARN | High | `arn:aws:sts::\d{12}:assumed-role/[A-Za-z0-9+=,.@_-]+/[A-Za-z0-9+=,.@_-]+` | | AWS KMS Key ARN | Medium | `arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}` | | AWS Secrets Manager ARN | High | `arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:[A-Za-z0-9/_+=.@-]+-[A-Za-z0-9]{6}` | | AWS DynamoDB Stream ARN | Medium | `arn:aws:dynamodb:[a-z0-9-]+:\d{12}:table/[^/\s]+/stream/\d{4}-\d{2}-\d{2}T[0-9:.]+` | | AWS IoT Thing ARN | Medium | `arn:aws:iot:[a-z0-9-]+:\d{12}:thing/[A-Za-z0-9_-]+` | | AWS AppSync API Key | High | `\bda2-[a-z0-9]{26}\b` | | AWS Cognito User Pool ID | Medium | `\b[a-z]{2}-[a-z]+-\d_[A-Za-z0-9]{9}\b` | | AWS S3 Presigned URL | Critical | `https://[^/\s]+\.s3[.-][^/\s]+/[^\s]*[?&]X-Amz-Signature=[0-9a-f]{64}` | | AWS S3 Presigned URL (legacy v2) | Critical | `[?&]AWSAccessKeyId=(?:AKIA\|ASIA)[0-9A-Z]{16}&[^\s]*Signature=[A-Za-z0-9%/+=]+` | | AWS CloudFront Signed URL | Critical | `[?&]Signature=[A-Za-z0-9~_-]+&Key-Pair-Id=APKA[0-9A-Z]{16}` | | AWS EKS aws-auth Bearer Token | Critical | `\bk8s-aws-v1\.[A-Za-z0-9_-]{20,}` | | AWS SigV4 Authorization Header | Critical | `AWS4-HMAC-SHA256 Credential=(?:AKIA\|ASIA)[0-9A-Z]{16}/[0-9A-Za-z/_-]+` | | AWS MWS Auth Token | Critical | `amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-zA-Z]{12}` | | AWS SP-API LWA Refresh Token | Critical | `Atzr\\|[A-Za-z0-9_-]{20,}` | | AWS SP-API LWA Access Token | Critical | `Atza\\|[A-Za-z0-9_-]{20,}` | | AWS Bedrock API Key (long-lived) | Critical | `\bABSK[A-Za-z0-9+/]{109,269}={0,2}` | | AWS Bedrock API Key (short-lived) | Critical | `bedrock-api-key-[A-Za-z0-9.-]{10,}` | | AWS SageMaker Notebook Token URL | Critical | `https://[^/\s]+\.notebook\.[a-z0-9-]+\.sagemaker\.aws/?\?token=[A-Fa-f0-9]+` | | AWS RDS IAM Auth Connection String | High | `mysql://[A-Za-z0-9_]+@[A-Za-z0-9.-]+\.rds\.amazonaws\.com:3306/[^\s]*AWSAuthenticationPlugin` | ### `cloud_gcp` GCP service-account keys, OAuth client secrets, API keys, OAuth refresh tokens. | Name | Severity | Regex | |---|---|---| | GCP OAuth Client ID | Medium | `\b\d+-[a-z0-9]{32}\.apps\.googleusercontent\.com\b` | | GCP OAuth Refresh Token | Critical | `\b1//[A-Za-z0-9_-]{20,}` | | GCP Service Account client_email | Medium | `\b[A-Za-z0-9-]+@[A-Za-z0-9-]+\.iam\.gserviceaccount\.com\b` | | GCP Service Account JSON Type | Critical | `(?i)"type"\s*:\s*"service_account"` | | GCS HMAC Access ID | Critical | `\bGOOG1[A-Z0-9]{50,70}\b` | | GCP FCM Legacy Server Key | Critical | `\bAAAA[A-Za-z0-9_-]{7}:APA91b[A-Za-z0-9_-]{100,}` | | GCP Firebase Database URL | Low | `https://[A-Za-z0-9-]+\.firebaseio\.com/?` | | GCP reCAPTCHA Key | High | `\b6L[A-Za-z0-9_-]{38}\b` | | GCP GA4 Measurement ID | Low | `\bG-[A-Z0-9]{10}\b` | | GCP UA Legacy Property ID | Low | `\bUA-\d{4,10}-\d{1,4}\b` | | GCP Tag Manager Container ID | Low | `\bGTM-[A-Z0-9]{6,8}\b` | | GCP Cloud Run Service URL | Medium | `https://[A-Za-z0-9-]+\.[a-z]\.run\.app/?` | | Yandex Cloud API Key | High | `\bAQVN[A-Za-z0-9_-]{35,}\b` | | Yandex Cloud IAM Token | High | `\bt1\.[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,}` | ### `cloud_azure` Azure Storage / Service Bus / Cosmos connection strings, AAD client secrets, SAS tokens. | Name | Severity | Regex | |---|---|---| | Azure Storage Connection String | Critical | `DefaultEndpointsProtocol=https;AccountName=[a-z0-9]{3,24};AccountKey=[A-Za-z0-9+/]{86}==` | | Azure Storage SAS Token | Critical | `[?&]sv=\d{4}-\d{2}-\d{2}&[^\s]*sig=[A-Za-z0-9%/+=]{20,}` | | Azure Service Bus Connection String | Critical | `Endpoint=sb://[^;\s]+\.servicebus\.windows\.net/;SharedAccessKeyName=[^;\s]+;SharedAccessKey=[A-Za-z0-9+/=]{20,}` | | Azure Cosmos DB Connection String | Critical | `AccountEndpoint=https://[a-z0-9-]+\.documents\.azure\.com:443/;AccountKey=[A-Za-z0-9+/]{86}==` | | Azure Cosmos DB Account Endpoint | Low | `https://[a-z0-9-]+\.documents\.azure\.com:443/?` | | Azure Key Vault Secret URI | High | `https://[a-z0-9-]+\.vault\.azure\.net/secrets/[A-Za-z0-9-]+/[0-9a-f]{32}` | | Azure App Configuration Connection String | Critical | `Endpoint=https://[^.\s]+\.azconfig\.io;Id=[^;\s]+;Secret=[A-Za-z0-9+/=]{20,}` | | Azure Functions URL with Code | Critical | `https://[^/\s]+\.azurewebsites\.net/api/[^?\s]+\?code=[A-Za-z0-9_/=-]{20,}` | | Azure SQL Connection String | Critical | `Server=tcp:[^,\s]+\.database\.windows\.net,1433;[^\s]*Password=[^;\s]+` | | Azure App Service Publish Profile Password | Critical | `(?i)]*userPWD="[A-Za-z0-9]+"` | | Azure Application Insights Connection String | Medium | `InstrumentationKey=[0-9a-f-]{36};IngestionEndpoint=https://[^;\s]+` | | Azure Application Insights Instrumentation Key | Medium | `InstrumentationKey=[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}` | | Azure Entra App Client Secret | Critical | `\b[A-Za-z0-9_~.-]{3}\dQ~[A-Za-z0-9_~.-]{31,34}\b` | | Azure Tenant via login.microsoftonline.com | Medium | `https://login\.microsoftonline\.com/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}` | | Azure Managed Identity Issuer | Medium | `https://sts\.windows\.net/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}` | ### `cloud_other` Cloudflare, Heroku, DigitalOcean, Linode, Vultr, Render, Fly, and other PaaS credentials. | Name | Severity | Regex | |---|---|---| | Oracle Cloud Tenancy OCID | Medium | `\bocid1\.tenancy\.oc1\.\.[a-z0-9]{20,}\b` | | Oracle Cloud User OCID | Medium | `\bocid1\.user\.oc1\.\.[a-z0-9]{20,}\b` | | Oracle Cloud Compartment OCID | Low | `\bocid1\.compartment\.oc1\.\.[a-z0-9]{20,}\b` | | Oracle Cloud Vault/Secret OCID | Medium | `\bocid1\.(?:vault\|secret)\.oc1\.[a-z0-9-]+\.[a-z0-9]{20,}\b` | | Oracle Cloud Object Storage Endpoint | Low | `\bobjectstorage\.[a-z0-9-]+\.oraclecloud\.com\b` | | Alibaba RAM AccessKey ID | Critical | `\bLTAI[A-Za-z0-9]{12,20}\b` | | Alibaba OSS Signed URL | Critical | `[?&]OSSAccessKeyId=LTAI[A-Za-z0-9]+&Signature=[^&\s]+&Expires=\d+` | | Tencent Cloud SecretId | Critical | `\bAKID[A-Za-z0-9]{32}\b` | | Tencent COS Signed URL | Critical | `[?&]q-ak=AKID[A-Za-z0-9]+&[^\s]*q-signature=[a-f0-9]{40}` | | DigitalOcean OAuth Refresh Token | Critical | `(?i)\bdor_v1_[a-f0-9]{64}\b` | | DigitalOcean OAuth Access Token | Critical | `(?i)\bdoo_v1_[a-f0-9]{64}\b` | | DigitalOcean Spaces Access Key | Critical | `\bDO[A-Z0-9]{18}\b` | | DigitalOcean Spaces Endpoint | Low | `\b[a-z0-9.-]+\.digitaloceanspaces\.com\b` | | Linode Object Storage Endpoint | Low | `\b[a-z0-9.-]+\.linodeobjects\.com\b` | | Scaleway Access Key | High | `\bSCW[A-Z0-9]{17}\b` | | Exoscale API Key | Critical | `\bEXO[A-Za-z0-9]{16,}\b` | | Fly.io API Token (fo1) | Critical | `\bfo1_[A-Za-z0-9_-]{40,}` | | Fly.io API Token (macaroon) | Critical | `FlyV1 fm2_[A-Za-z0-9_-]+` | | Render API Key | Critical | `\brnd_[A-Za-z0-9]{20,}\b` | | Heroku API Key (HRKU) | Critical | `\bHRKU-[A-Za-z0-9_-]{20,}` | | Northflank API Token | Critical | `\bnf_[A-Za-z0-9]{40,}` | | Snowflake Account Endpoint | Medium | `\b[a-z0-9-]+\.[a-z0-9-]+\.snowflakecomputing\.com\b` | | Databricks PAT | Critical | `\bdapi[a-f0-9]{32}\b` | | PlanetScale Service Token | Critical | `\bpscale_tkn_[A-Za-z0-9_-]{40,}` | | PlanetScale OAuth Token | Critical | `\bpscale_oauth_[A-Za-z0-9_-]{20,}` | | Cloudflare R2 S3 Endpoint | Low | `\b[a-z0-9-]+\.r2\.cloudflarestorage\.com\b` | | Vercel Access Token | Critical | `\b(?:vc[piark]\|cl)_[A-Za-z0-9]{20,68}\b` | | DigitalOcean GenAI Key | Critical | `\bsk-do-[A-Za-z0-9_-]{20,}\b` | ### `infra` Terraform Cloud, Vault, Consul, Nomad, etcd, and other infra-tool tokens. | Name | Severity | Regex | |---|---|---| | HashiCorp Vault Service Token | Critical | `\bhvs\.[A-Za-z0-9_-]{24,}\b` | | HashiCorp Vault Batch Token | Critical | `\bhvb\.[A-Za-z0-9_-]{24,}\b` | | HashiCorp Vault Recovery Token | Critical | `\bhvr\.[A-Za-z0-9_-]{24,}\b` | | HashiCorp Vault Transit Ciphertext | High | `\bvault:v[0-9]+:[A-Za-z0-9+/=_-]{20,}` | | HashiCorp Terraform Cloud Token | Critical | `\b[A-Za-z0-9]{14}\.atlasv1\.[A-Za-z0-9_-]{60,200}\b` | | Pulumi Access Token | Critical | `\bpul-[a-f0-9]{40}\b` | | Ansible Vault Encrypted Blob | Critical | `\$ANSIBLE_VAULT;1\.[12];AES256` | | Doppler Service Token | Critical | `\bdp\.pt\.[A-Za-z0-9]{40,}` | | Doppler CLI Token | Critical | `\bdp\.ct\.[A-Za-z0-9]{40,}` | | Doppler Service Account Token | Critical | `\bdp\.sa\.[A-Za-z0-9]{40,}` | | Doppler Personal Token | Critical | `\bdp\.pa\.[A-Za-z0-9]{40,}` | | Docker Hub Personal Access Token | Critical | `\bdckr_pat_[A-Za-z0-9_-]{27,}` | | Proxmox API Token | Critical | `\b[A-Za-z0-9._-]+@[a-z]+![A-Za-z0-9_-]+=[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b` | | SettleMint Personal Access Token | High | `\bsm_pat_[A-Za-z0-9]{16,}` | | SettleMint Application Access Token | High | `\bsm_aat_[A-Za-z0-9]{16,}` | | SettleMint Service Access Token | High | `\bsm_sat_[A-Za-z0-9]{16,}` | | Infisical Service Token | Critical | `\bst\.[A-Za-z0-9._-]{50,}` | | Akeyless Token | Critical | `\bt-[A-Za-z0-9]{40,}` | | 1Password Secret Key | Critical | `\bA3-[A-Z0-9]{6}-[A-Z0-9]{6}-[A-Z0-9]{5}-[A-Z0-9]{5}-[A-Z0-9]{5}-[A-Z0-9]{5}\b` | | 1Password Service Account Token | Critical | `\bops_[A-Za-z0-9_-]{40,}` | | Age Secret Key | Critical | `AGE-SECRET-KEY-1[A-Z0-9]{58}` | | Doppler SCIM/Audit/Service-Account Token | Critical | `\bdp\.(?:said\|scim\|audit)\.[A-Za-z0-9]{40,44}\b` | | Bitwarden Secrets Manager Machine Token | Critical | `\b0\.[0-9a-fA-F-]{36}\.[A-Za-z0-9_-]{20,}:[A-Za-z0-9+/]{20,}={0,2}` | | Keeper KSM One-Time Token | High | `\b(?:US\|EU\|AU\|GOV\|JP\|CA):[A-Za-z0-9_-]{40,50}\b` | ### `networking` VPN preshared keys, BGP secrets, SNMP communities, RADIUS / TACACS secrets. | Name | Severity | Regex | |---|---|---| | Cisco Type 0 Cleartext Password | Critical | `(?i)(?:enable\s+password\|password\|username\s+\S+\s+password)\s+0\s+\S+` | | Cisco Type 7 Password | High | `(?i)(?:password\|key\|secret)\s+7\s+[0-9A-Fa-f]{4,}\b` | | Cisco Type 5 Secret | High | `\$1\$[A-Za-z0-9./]{1,8}\$[A-Za-z0-9./]{22}\b` | | Cisco Type 8 Secret | High | `\$8\$[A-Za-z0-9./]{14}\$[A-Za-z0-9./]{43}\b` | | Cisco Type 9 Secret | High | `\$9\$[A-Za-z0-9./]{14}\$[A-Za-z0-9./]{43}\b` | | Cisco ASA Encrypted Password | High | `(?i)passwd\s+[A-Za-z0-9./]{13,}\s+encrypted` | | Juniper Junos $9$ Secret | High | `\$9\$[A-Za-z0-9./]{8,}` | | Juniper Junos $8$ Secret | High | `\$8\$[a-z0-9-]+\$[a-z0-9-]+\$\d+\$[A-Za-z0-9+/=]{8,}` | | FortiGate Encrypted Password | High | `(?i)set\s+(?:passwd\|password)\s+ENC\s+[A-Za-z0-9+/=]{40,}` | | FortiManager Access Token | Critical | `\baccess_token=[A-Za-z0-9]{30,}` | | Palo Alto PAN-OS API Key | Critical | `\bLUFRP[A-Za-z0-9+/=]{60,}` | | Cisco RADIUS/TACACS Key Type 7 | High | `(?i)(?:radius\|tacacs)-server\s+key\s+7\s+[0-9A-Fa-f]{4,}` | | Cisco RADIUS/TACACS Key Cleartext | Critical | `(?i)(?:radius\|tacacs)-server\s+key\s+0?\s*\S+` | | SNMP Community String | High | `(?i)snmp-server\s+community\s+\S+\s+(?:RO\|RW)` | | SNMPv3 USM Credentials | High | `(?i)snmp-server\s+user\s+\S+\s+\S+\s+v3\s+auth\s+(?:md5\|sha)\s+\S+\s+priv\s+(?:des\|aes\d*)\s+\S+` | | FreeRADIUS Shared Secret | High | `(?i)secret\s*=\s*(?:"[^"]{6,}"\|\S{6,})` | | BIND rndc.key HMAC Secret | Critical | `(?i)secret\s+"[A-Za-z0-9+/=]{20,}";` | | NS1 API Key | Critical | `(?i)X-NSONE-Key:\s*[A-Za-z0-9]{20}` | | Cloudflare User API Token | Critical | `\bcfut_[A-Za-z0-9]{48}\b` | | Cloudflare Account API Token | Critical | `\bcfat_[A-Za-z0-9]{48}\b` | | HAProxy Stats Auth | Critical | `(?i)stats\s+auth\s+\S+:\S+` | | HAProxy Insecure Password | Critical | `(?i)user\s+\S+\s+insecure-password\s+\S+` | | strongSwan IPsec PSK | Critical | `(?i):\s*PSK\s+(?:"[^"]+"\|0x[0-9a-fA-F]+\|0s[A-Za-z0-9+/=]+)` | | WireGuard Private Key | Critical | `(?i)PrivateKey\s*=\s*[A-Za-z0-9+/]{43}=` | | WireGuard Preshared Key | Critical | `(?i)PresharedKey\s*=\s*[A-Za-z0-9+/]{43}=` | | WireGuard Public Key | Low | `(?i)PublicKey\s*=\s*[A-Za-z0-9+/]{43}=` | | OpenVPN Static Key | Critical | `(?s)-----BEGIN OpenVPN Static key V1-----.*?-----END OpenVPN Static key V1-----` | | Tailscale Auth Key | Critical | `\btskey-auth-[A-Za-z0-9]{8,}-[A-Za-z0-9]{20,}` | | Tailscale API Key | Critical | `\btskey-api-[A-Za-z0-9]{8,}-[A-Za-z0-9]{20,}` | | Tailscale OAuth Client Secret | Critical | `\btskey-client-[A-Za-z0-9]{8,}-[A-Za-z0-9]{20,}` | | Splunk HEC Token | Critical | `(?i)Authorization:\s*Splunk\s+[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}` | | Sumo Logic Access ID | High | `(?i)accessid['"]?\s*[:=]\s*['"]?su[A-Za-z0-9]{12}\b` | | OpenStack Keystone Fernet Token | High | `\bgAAAAA[A-Za-z0-9_-]{100,}` | | Cloudflare API Token (cfk_) | Critical | `\bcfk_[A-Za-z0-9]{48}\b` | | NetBox v2 API Token | Critical | `\bnbt_[A-Za-z0-9]{20,}\.[A-Za-z0-9]{20,}\b` | | NetBird Access Token | Critical | `\bnbp_[A-Za-z0-9]{40,}\b` | | Defined Networking API Key | Critical | `\bdnkey-[a-z0-9=_-]{26}-[a-z0-9=_-]{52}\b` | | Porkbun API Credential | High | `\b(?:pk1\|sk1)_[a-f0-9]{40,}\b` | | Cloudflare Access Service Token ID | Critical | `\b[0-9a-f]{32}\.access\b` | ### `payments` Stripe, Square, PayPal, Plaid, Adyen, Coinbase Commerce, Razorpay keys. | Name | Severity | Regex | |---|---|---| | Stripe Restricted Key (live) | Critical | `\brk_live_[A-Za-z0-9]{24,99}\b` | | Stripe Restricted Key (test) | High | `\brk_test_[A-Za-z0-9]{24,99}\b` | | Stripe Org Secret Key | Critical | `\bsk_org_[A-Za-z0-9]{20,99}\b` | | Stripe Webhook Signing Secret | Critical | `\bwhsec_[A-Za-z0-9]{32,99}\b` | | Stripe OAuth Refresh Token | Critical | `\brt_(?:test_)?[A-Za-z0-9]{24,99}\b` | | Braintree Access Token (production) | Critical | `access_token\$production\$[a-z0-9]+\$[a-f0-9]{32}` | | Braintree Access Token (sandbox) | High | `access_token\$sandbox\$[a-z0-9]+\$[a-f0-9]{32}` | | Square Access Token (legacy) | Critical | `\bsq0atp-[A-Za-z0-9_-]{22}\b` | | Square OAuth Secret | Critical | `\bsq0csp-[A-Za-z0-9_-]{43}\b` | | Square Personal Access Token | Critical | `\bEAAA[A-Za-z0-9_-]{60,}\b` | | Adyen API Key | Critical | `\bAQE[A-Za-z0-9]{170,}\b` | | Razorpay Key ID | High | `\brzp_(?:test\|live)_[A-Za-z0-9]{14}\b` | | Mollie API Key | Critical | `\b(?:live\|test)_[A-Za-z0-9]{30}\b` | | Klarna API Credentials | Critical | `\bPK[0-9]+_[a-z0-9]+:[A-Za-z0-9]+\b` | | Flutterwave Public Key | Medium | `\bFLWPUBK_TEST-[A-Za-z0-9]{32}-X\b` | | Flutterwave Secret Key | Critical | `\bFLWSECK_TEST-[A-Za-z0-9]{32}-X\b` | | Flutterwave Encryption Key | Critical | `\bFLWSECK_TESTencryption[A-Za-z0-9]+\b` | | GoCardless API Token | Critical | `\b(?:live\|sandbox)_[A-Za-z0-9_-]{40,}\b` | | EasyPost API Token | Critical | `\bEZAK[A-Za-z0-9]{54}\b` | | EasyPost Test API Token | High | `\bEZTK[A-Za-z0-9]{54}\b` | | Stripe Ephemeral Key | High | `\bek_(?:test\|live)_[A-Za-z0-9]{20,}\b` | | Paddle API Key | Critical | `\bpdl_(?:live\|sdbx)_apikey_[a-z0-9]{26}_[A-Za-z0-9]{22}_[A-Za-z0-9]{3}\b` | | Plaid Access Token | Critical | `\baccess-(?:sandbox\|development\|production)-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b` | | PayPal OAuth Access Token | Critical | `\bA21AA[A-Za-z0-9_-]{80,}\b` | | Mercado Pago Access Token | Critical | `\b(?:APP_USR\|TEST)-\d{8,}-[0-9a-f]{6}-[0-9A-Za-z]{20,}-\d{6,}\b` | ### `messaging` Slack, Discord, Telegram, Twilio, SendGrid, Mailgun, Postmark tokens and webhook secrets. | Name | Severity | Regex | |---|---|---| | Slack User Token | Critical | `\bxoxp-[0-9]{10,13}-[0-9]{10,13}-[0-9]{10,13}-[a-f0-9]{32}\b` | | Slack Workflow Token | High | `\bxwfp-[A-Za-z0-9-]{40,}\b` | | Slack Configuration Access Token | Critical | `\bxoxe\.xox[bp]-[0-9]+-[A-Za-z0-9]+\b` | | Slack Configuration Refresh Token | Critical | `\bxoxe-[0-9]+-[A-Za-z0-9-]+\b` | | Slack Legacy Token | Critical | `\bxox[so]-[A-Za-z0-9-]{20,}\b` | | Slack Legacy Workspace Token | High | `\bxox[ar]-[A-Za-z0-9-]{20,}\b` | | Slack Session Cookie Token | High | `\bxoxc-[A-Za-z0-9-]{20,}\b` | | Discord Webhook URL | High | `https://discord(?:app)?\.com/api/webhooks/[0-9]+/[A-Za-z0-9_-]+` | | Microsoft Teams Webhook URL | High | `https://[a-z0-9-]+\.webhook\.office\.com/webhookb2/[a-f0-9-]+@[a-f0-9-]+/IncomingWebhook/[a-f0-9]+/[a-f0-9-]+` | | Twilio Account SID | Medium | `\bAC[a-f0-9]{32}\b` | | SendGrid API Key | Critical | `\bSG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}\b` | | Mailgun Private API Key | Critical | `\bkey-[a-f0-9]{32}\b` | | Mailgun Public Validation Key | Medium | `\bpubkey-[a-f0-9]{32}\b` | | Mailchimp API Key | Critical | `\b[a-f0-9]{32}-us[0-9]{1,2}\b` | | Brevo API Key | Critical | `\bxkeysib-[a-f0-9]{64}-[A-Za-z0-9]{16}\b` | | Resend API Key | Critical | `\bre_[A-Za-z0-9_]{32,}\b` | | WhatsApp Business Cloud API Token | Critical | `\bEAA[A-Za-z0-9]{60,}\b` | | Meta Graph API Page Access Token | Critical | `\bEAA[MC][A-Za-z0-9]{30,}\b` | | Plivo Auth ID | Medium | `\bMA[A-Z0-9]{18}\b` | | Pushbullet Access Token | High | `\bo\.[A-Za-z0-9]{32}\b` | | Notion API Token | High | `\bntn_[A-Za-z0-9]{40,}\b` | | Notion Internal Integration Token (legacy) | High | `\bsecret_[A-Za-z0-9]{43}\b` | | Intercom API Token | High | `\bdG9rOg==[A-Za-z0-9+/=]{40,}\b` | | Asana Personal Access Token | High | `\b1/[0-9]+:[A-Za-z0-9]{32}\b` | | Telnyx API Key | Critical | `\bKEY[0-9A-Za-z_-]{55}\b` | ### `vcs_ci` GitHub / GitLab / Bitbucket PATs and deploy tokens, CircleCI / Travis / Jenkins / Buildkite tokens. | Name | Severity | Regex | |---|---|---| | GitHub Fine-grained PAT | Critical | `\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b` | | GitLab Pipeline Trigger Token | High | `\bglptt-[A-Fa-f0-9]{40}\b` | | GitLab Runner Authentication Token | High | `\bglrt-[A-Za-z0-9_-]{20}\b` | | GitLab Runner Registration Token | High | `\bGR1348941[A-Za-z0-9_-]{20}\b` | | GitLab Deploy Token | High | `\bgldt-[A-Za-z0-9_-]{20}\b` | | GitLab CI/CD Job Token | High | `\bglcbt-[A-Za-z0-9_-]{20,}\b` | | GitLab Feed Token | Medium | `\bglft-[A-Za-z0-9_-]{20,}\b` | | GitLab Feature Flag Client Token | Medium | `\bglffct-[A-Za-z0-9_-]{20,}\b` | | GitLab Incoming Mail Token | Medium | `\bglimt-[A-Za-z0-9_-]{25,}\b` | | GitLab Kubernetes Agent Token | High | `\bglagent-[A-Za-z0-9_-]{50,}\b` | | GitLab OAuth Application Secret | Critical | `\bgloas-[A-Za-z0-9_-]{64}\b` | | GitLab SCIM Token | High | `\bglsoat-[A-Za-z0-9_-]{20}\b` | | GitLab Session Cookie | High | `_gitlab_session=[A-Za-z0-9%]{20,}` | | Bitbucket App Password | Critical | `\bATBB[A-Z0-9]{24,32}\b` | | Atlassian API Token (modern) | Critical | `\b(?:ATATT\|ATCTT)3xFfG[A-Za-z0-9\-_=]{170,}` | | Sourcegraph Access Token | High | `\bsgp_(?:[a-f0-9]{16}_)?[A-Fa-f0-9]{40}\b` | | CircleCI Personal API Token | High | `\bCCIPAT_[A-Za-z0-9]+_[a-f0-9]{40}\b` | | Buildkite Agent Token | High | `\bbkua_[a-f0-9]{40,}\b` | | Buildkite API Access Token | High | `\bbkaa_[A-Za-z0-9]{40,}\b` | | Octopus Deploy API Key | Critical | `\bAPI-[A-Z0-9]{26}\b` | | Harness Personal Access Token | High | `\bpat\.[A-Za-z0-9_]+\.[A-Za-z0-9_]+\.[A-Za-z0-9_]+\b` | | Harness Service Account Token | High | `\bsat\.[A-Za-z0-9_]+\.[A-Za-z0-9_]+\.[A-Za-z0-9_]+\b` | | TravisCI Repo Encrypt Key | High | `(?i)secure:\s*"[A-Za-z0-9+/]{40,}={0,2}"` | ### `ai` OpenAI, Anthropic, Cohere, HuggingFace, Replicate, Mistral, Perplexity API keys. | Name | Severity | Regex | |---|---|---| | OpenAI Service Account Key | Critical | `\bsk-svcacct-[A-Za-z0-9_-]{40,}\b` | | OpenAI Admin API Key | Critical | `\bsk-admin-[A-Za-z0-9_-]{40,}\b` | | OpenAI User Key (no project) | Critical | `\bsk-None-[A-Za-z0-9_-]{40,}\b` | | OpenAI Organization ID | Medium | `\borg-[A-Za-z0-9]{24}\b` | | Anthropic API Key | Critical | `\bsk-ant-api03-[A-Za-z0-9_-]{93,108}\b` | | Anthropic Admin API Key | Critical | `\bsk-ant-admin01-[A-Za-z0-9_-]{93,108}\b` | | Groq API Key | Critical | `\bgsk_[A-Za-z0-9]{52}\b` | | Replicate API Token | Critical | `\br8_[A-Za-z0-9]{37}\b` | | HuggingFace User Access Token | Critical | `\bhf_[A-Za-z0-9]{34,40}\b` | | HuggingFace Organization API Token | Critical | `\bapi_org_[A-Za-z0-9]{34}\b` | | OpenRouter API Key | Critical | `\bsk-or-v1-[A-Fa-f0-9]{64}\b` | | Perplexity API Key | Critical | `\bpplx-[A-Za-z0-9]{48,56}\b` | | Fireworks AI API Key | Critical | `\bfw_[A-Za-z0-9]{24,}\b` | | Anyscale Endpoints API Key | Critical | `\besecret_[A-Za-z0-9]{20,}\b` | | LangSmith API Key | High | `\bls__[a-f0-9]{32}\b` | | LangChain API Key | High | `\blsv2_pt_[A-Za-z0-9_-]{20,}\b` | | Helicone API Key | High | `\bsk-helicone-[A-Za-z0-9_-]{30,}\b` | | LlamaIndex Cloud Key | High | `\bllx-[A-Za-z0-9]{40,}\b` | | Deepgram API Key | High | `\bdg_[a-f0-9]{40}\b` | | OpenAI Realtime Ephemeral Key | High | `\bek_[A-Za-z0-9_-]{40,}\b` | | Firecrawl API Key | High | `\bfc-[0-9a-f]{32}\b` | | LangSmith API Key | Critical | `\blsv2_(?:pt\|sk)_[a-f0-9]{32}_[a-f0-9]{10}\b` | | Pinecone API Key | High | `\bpcsk_[A-Za-z0-9]{5,6}_[A-Za-z0-9]{63}\b` | | ElevenLabs API Key | High | `\bsk_[a-f0-9]{48}\b` | ### `monitoring` Datadog, New Relic, Sentry, PagerDuty, Honeycomb, Grafana / Loki / Tempo API keys. | Name | Severity | Regex | |---|---|---| | Datadog API Key | Critical | `(?i)dd[_-]?api[_-]?key\s*[:=]\s*[a-zA-Z0-9-]{32}\b` | | Datadog Application Key | Critical | `(?i)dd[_-]?app(?:lication)?[_-]?key\s*[:=]\s*[a-zA-Z0-9-]{40}\b` | | New Relic User API Key | Critical | `\bNRAK-[A-Z0-9]{27}\b` | | New Relic Admin Key (legacy) | Critical | `\bNRAA-[A-F0-9]{27}\b` | | New Relic Insert Key | High | `\bNRII-[A-Z0-9]{32}\b` | | New Relic Browser API Token | High | `\bNRJS-[A-Z0-9]{19}\b` | | New Relic License Key | Critical | `\b[a-f0-9]{36}NRAL\b` | | Sentry Org Auth Token | Critical | `\bsntrys_[A-Za-z0-9+/=]{60,}` | | Sentry User Auth Token | Critical | `\bsntryu_[A-Fa-f0-9]{64}\b` | | Sentry DSN | Medium | `https?://[a-f0-9]{32}@(?:o\d+\.)?ingest\.sentry\.io/\d+` | | Honeycomb API Key | High | `\bhc[abcmpsu]ic_[a-z0-9]{58}\b` | | Grafana API Key (legacy) | High | `\beyJrIjoi[A-Za-z0-9_+/=]{40,}` | | Grafana Cloud API Token | High | `\bglc_[A-Za-z0-9_+/=]{60,}` | | Grafana Service Account Token | High | `\bglsa_[A-Za-z0-9]{32}_[a-f0-9]{8}\b` | | Sumologic Access ID | Medium | `(?i)sumo[a-z0-9_-]*\s*[:=]\s*su[A-Za-z0-9]{12}\b` | | Sumologic Access Key | Critical | `(?i)sumo[_-]?access[_-]?key\s*[:=]\s*[A-Za-z0-9]{64}\b` | | Dynatrace API Token | Critical | `\bdt0c01\.[A-Z0-9]{24}\.[A-Z0-9]{64}\b` | | PagerDuty API Token | High | `(?i)Token token=[A-Za-z0-9_+-]{20}\b` | | Opsgenie API Key | High | `(?i)opsgenie[a-z0-9_-]*\s*[:=]\s*[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}` | | Rollbar Access Token | High | `(?i)rollbar[a-z0-9_-]*\s*[:=]\s*[a-f0-9]{32}\b` | | Bugsnag API Key | High | `(?i)bugsnag[a-z0-9_-]*\s*[:=]\s*[a-f0-9]{32}\b` | | Mixpanel API Secret | High | `(?i)mixpanel[a-z0-9_-]*\s*[:=]\s*[a-f0-9]{32}\b` | | Amplitude API Key | High | `(?i)amplitude[a-z0-9_-]*\s*[:=]\s*[a-f0-9]{32}\b` | | Segment Write Key | Medium | `(?i)segment[_-]?write[_-]?key\s*[:=]\s*[A-Za-z0-9]{32}\b` | | PostHog Project API Key | Medium | `\bphc_[A-Za-z0-9]{43}\b` | | PostHog Personal API Key | High | `\bphx_[A-Za-z0-9]{43}\b` | | Statsig Server Secret | High | `\bsecret-[A-Za-z0-9]{40,}` | | LaunchDarkly SDK Key | High | `\bsdk-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b` | | LaunchDarkly Mobile Key | Medium | `\bmob-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b` | | LaunchDarkly Access Token (Personal) | Critical | `\bapi-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b` | | GrowthBook API Key | High | `\bsecret_[A-Za-z0-9]{32,}` | | LogRocket App ID | Medium | `(?i)logrocket[a-z0-9_-]*\s*[:=]\s*[a-z0-9]{6}/[a-z0-9-]+\b` | | FullStory Org ID | Medium | `(?i)fullstory[a-z0-9_-]*\s*[:=]\s*[A-Za-z0-9]{12}\b` | | Dynatrace Platform Token | Critical | `\bdt0s(?:16\|02\|08)\.[A-Z0-9]{8}\.[A-Za-z0-9]{64}\b` | | Datadog RUM Client Token | Medium | `\bpub[0-9a-f]{32}\b` | | Statsig Console Key | Critical | `\bconsole-[A-Za-z0-9]{20,}\b` | ### `databases` Postgres / MySQL / MongoDB / Redis / MSSQL connection URLs, plus DBaaS API keys (Supabase, PlanetScale, Neon, Turso). | Name | Severity | Regex | |---|---|---| | JDBC Connection String with Password | Critical | `jdbc:[a-z0-9]+://[^\s?]+\?(?:[^\s&]+&)*[Pp]assword=[^\s&]+` | | ODBC/SQLServer Connection String | Critical | `(?i)(?:Server\|Data Source)=[^;\s]+;[^\n]*?Password=[^;\s]+` | | AMQP Connection String with Credentials | Critical | `amqps?://[A-Za-z0-9_%.+-]+:[^@\s]+@[A-Za-z0-9.-]+` | | Kafka SASL Connection String | Critical | `SASL_(?:PLAINTEXT\|SSL)://[A-Za-z0-9_%.+-]+:[^@\s]+@[A-Za-z0-9.-]+:\d{2,5}` | | ClickHouse Cloud URL with Credentials | Critical | `https://[A-Za-z0-9_%.+-]+:[^@\s]+@[a-z0-9-]+\.clickhouse\.cloud` | | Elasticsearch URL with Credentials | Critical | `https?://[A-Za-z0-9_%.+-]+:[^@\s]+@[A-Za-z0-9.-]+(?:\.elastic-cloud\.com\|:9200)` | | MongoDB Atlas SRV Host | Medium | `\b[a-z0-9-]+\.[a-z0-9]{5}\.mongodb\.net\b` | | Databricks OAuth Token | Critical | `\bdose[A-Za-z0-9]{32,}\b` | | PlanetScale Database Password | Critical | `\bpscale_pw_[A-Za-z0-9_.-]{20,}` | | Neon Project API Key | Critical | `\bnapi_[A-Za-z0-9_-]{40,}` | | CockroachDB Cloud API Key | High | `\bCCDB1_[A-Za-z0-9]{8,}_[A-Za-z0-9]{8,}\b` | | FaunaDB Server Key | Critical | `\bfnAA[A-Za-z0-9_-]{40,}\b` | | Firebase Cloud Messaging Server Key (legacy) | Critical | `\bAAAA[A-Za-z0-9_-]{7}:APA91b[A-Za-z0-9_-]{130,}` | | Firebase Database URL with Secret | Critical | `https://[a-z0-9-]+\.firebaseio\.com/[^\s]*\.json\?auth=[A-Za-z0-9_-]{10,}` | | ClickHouse Cloud API Secret | Critical | `\b4b1d[A-Za-z0-9]{52}\b` | | MotherDuck Service Token | High | `motherduck_token=eyJ[A-Za-z0-9_.-]{20,}` | | Convex Deploy Key | Critical | `\bprod:[a-z0-9-]+:[A-Za-z0-9_-]{40,}` | | Xata API Key | Critical | `\bxau_[A-Za-z0-9]{32,}\b` | | Upstash Redis REST Token | Critical | `UPSTASH_REDIS_REST_TOKEN[=:\s]+[A-Za-z0-9_.-]{40,}` | | Supabase Secret Key | Critical | `\bsb_secret_[A-Za-z0-9_-]{20,}\b` | | Supabase Publishable Key | Low | `\bsb_publishable_[A-Za-z0-9_-]{20,}\b` | | Supabase Service Key (legacy sbp_) | Critical | `\bsbp_[a-z0-9]{40}\b` | | PlanetScale Database Token | Critical | `\bpscale_tkn_[A-Za-z0-9_=.-]{32,}\b` | | PlanetScale OAuth Token | Critical | `\bpscale_oauth_[A-Za-z0-9_=.-]{32,}\b` | | InfluxDB v3 API Token | Critical | `\bapiv3_[A-Za-z0-9_-]{40,}\b` | ### `edge` Cloudflare Workers, Fastly, Vercel, Netlify, Akamai, Bunny CDN API tokens. | Name | Severity | Regex | |---|---|---| | Cloudflare Origin CA Key | Critical | `\bv1\.0-[A-Za-z0-9_-]{160,}` | | Fastly API Token | High | `(?i)Fastly-Key:\s*[A-Za-z0-9_-]{32,}` | | Akamai EdgeGrid Client Token | Critical | `\bakab-[A-Za-z0-9-]{20,}` | | Bunny.net API Key | High | `(?i)AccessKey:\s*[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}` | | Netlify Personal Access Token | Critical | `\bnfp_[A-Za-z0-9]{36,}` | | Deno Deploy Token | High | `\bdd[pw]_[A-Za-z0-9]{36}\b` | | Shopify Access Token | Critical | `\bshpat_[A-Fa-f0-9]{32}\b` | | Shopify Custom App Access Token | Critical | `\bshpca_[A-Fa-f0-9]{32}\b` | | Shopify Private App Token | Critical | `\bshppa_[A-Fa-f0-9]{32}\b` | | Shopify Shared Secret | Critical | `\bshpss_[A-Fa-f0-9]{32}\b` | | Apple App Store Connect Key File | Critical | `\bAuthKey_[A-Z0-9]{10}\.p8\b` | | Cloudinary URL | Critical | `\bcloudinary://[0-9]{15}:[A-Za-z0-9_-]{20,}@[a-z0-9-]+` | | RevenueCat Secret Key | Critical | `\bsk_(?:appl\|goog\|amzn\|mac\|strp\|rcb)_[A-Za-z0-9]{20,}\b` | ### `crypto_keys` PEM-encoded RSA / EC / DSA / OpenSSH / PGP private key blocks. | Name | Severity | Regex | |---|---|---| | SSH Public Key (RSA) | Low | `\bssh-rsa AAAAB3NzaC1yc2[A-Za-z0-9+/]{50,}={0,3}` | | SSH Public Key (Ed25519) | Low | `\bssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA[A-Za-z0-9+/]{40,}={0,3}` | | SSH Public Key (DSS) | Low | `\bssh-dss AAAAB3NzaC1kc3[A-Za-z0-9+/]{50,}={0,3}` | | SSH Public Key (ECDSA) | Low | `\becdsa-sha2-nistp(?:256\|384\|521) AAAAE2VjZHNhLXNoYTItbmlzdHA[A-Za-z0-9+/]{40,}={0,3}` | | SSH Public Key (FIDO Ed25519) | Low | `\bsk-ssh-ed25519@openssh\.com AAAA[A-Za-z0-9+/]{40,}={0,3}` | | SSH Public Key (FIDO ECDSA) | Low | `\bsk-ecdsa-sha2-nistp256@openssh\.com AAAA[A-Za-z0-9+/]{40,}={0,3}` | | SSH2 Public Key Block | Low | `---- BEGIN SSH2 PUBLIC KEY ----` | | PuTTY Private Key File | Critical | `PuTTY-User-Key-File-[23]: (?:ssh-rsa\|ssh-ed25519\|ssh-dss\|ecdsa-sha2-nistp(?:256\|384\|521))` | | Encrypted PKCS#8 Private Key | Critical | `-----BEGIN ENCRYPTED PRIVATE KEY-----` | | PEM Encrypted Header | Critical | `Proc-Type: 4,ENCRYPTED` | | OpenVPN Static Key | Critical | `-----BEGIN OpenVPN Static key V1-----` | | X.509 Certificate | Low | `-----BEGIN CERTIFICATE-----` | | X.509 Certificate Request | Low | `-----BEGIN CERTIFICATE REQUEST-----` | | PGP Public Key Block | Low | `-----BEGIN PGP PUBLIC KEY BLOCK-----` | | DKIM Private Key Record | High | `(?i)v=DKIM1;\s*(?:k=rsa;\s*)?p=[A-Za-z0-9+/]{60,}={0,3}` | ### `auth_tokens` JWTs, OAuth bearer tokens, basic-auth URLs, refresh tokens, session IDs. | Name | Severity | Regex | |---|---|---| | HTTP Basic Authorization Header | High | `(?i)Authorization:\s*Basic\s+[A-Za-z0-9+/]{16,512}={0,2}` | | HTTP Token Authorization Header | High | `(?i)Authorization:\s*Token\s+[A-Za-z0-9_\-]{20,200}` | | curl Basic Auth Flag | Critical | `curl\s+(?:[^\s]+\s+)*-u\s+[^\s:]+:[^\s]+` | | OAuth2 client_secret Parameter | Critical | `(?i)client_secret=[A-Za-z0-9._\-]{16,200}` | | OAuth2 refresh_token Parameter | Critical | `(?i)refresh_token=[A-Za-z0-9._\-]{20,200}` | | OAuth2 access_token Parameter | High | `(?i)[?#&]access_token=[A-Za-z0-9._\-]{20,200}` | | OAuth2 client_assertion Parameter | Critical | `(?i)client_assertion=eyJ[A-Za-z0-9._\-]{20,}` | | OAuth2 grant_type password | High | `(?i)grant_type=password&[^\s]*password=[^\s&]{4,}` | | OAuth2 Authorization Code Callback | High | `(?i)[?&]code=[A-Za-z0-9._\-]{20,200}&(?:state\|session_state\|scope)=` | | OAuth2 Device Code | High | `(?i)device_code=[A-Za-z0-9._\-]{20,200}` | | SAML Response (POST binding) | High | `(?i)SAMLResponse=(?:PHNhbWxw\|PD94bWw)[A-Za-z0-9%+/=]{40,}` | | SAML Request (POST binding) | Medium | `(?i)SAMLRequest=(?:PHNhbWxw\|PD94bWw)[A-Za-z0-9%+/=]{40,}` | | JWT alg none | Critical | `\beyJhbGciOiJub25lI[A-Za-z0-9_\-]{4,}\.eyJ[A-Za-z0-9_\-]{10,}\.` | | Session Cookie Header | High | `(?i)Cookie:\s*(?:session\|sessionid\|sid\|jsessionid\|connect\.sid\|auth_token)=[A-Za-z0-9%._\-+/]{16,}` | | Framework Session Cookie | High | `(?i)\b(?:__(?:Host\|Secure)-)?(?:sessionid\|laravel_session\|connect\.sid\|JSESSIONID\|PHPSESSID\|wordpress_logged_in_[0-9a-z]+\|_[A-Za-z0-9]+_session\|SSESS[0-9a-f]+\|sb-[a-z0-9-]+-auth-token\|sb-refresh-token\|__clerk_db_jwt\|__Secure-next-auth\.session-token)=[A-Za-z0-9%._/+-]{20,}` | | Flask Signed Session Cookie | High | `(?i)\bsession=[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{6,}\.[A-Za-z0-9_-]{20,}` | | ASP.NET Core Auth Cookie | High | `(?i)\.AspNetCore\.(?:Identity\.Application\|Cookies\|Session)=[A-Za-z0-9%._/+-]{20,}` | | Cognito Refresh Token Cookie | Critical | `CognitoIdentityServiceProvider\.[A-Za-z0-9_]+\.[^.\s]+\.refreshToken=[A-Za-z0-9._-]{20,}` | | ASP.NET ViewState | Medium | `__VIEWSTATE=[A-Za-z0-9%+/=]{40,}` | | PKCE code_verifier | High | `(?i)[?&]code_verifier=[A-Za-z0-9._~-]{43,128}` | | OAuth PAR request_uri | High | `request_uri=urn:ietf:params:oauth:request_uri:[A-Za-z0-9._-]{6,}` | | OAuth CIBA auth_req_id | High | `(?i)[?&]auth_req_id=[A-Za-z0-9._-]{20,}` | | OAuth Token Exchange Token | High | `(?i)[?&](?:subject_token\|actor_token)=[A-Za-z0-9._-]{20,}` | | OIDC id_token_hint | High | `(?i)[?&]id_token_hint=eyJ[A-Za-z0-9._-]{20,}` | | DPoP Proof JWT | High | `\bDPoP\s+eyJ[A-Za-z0-9._-]{20,}` | | GitLab PRIVATE-TOKEN Header | Critical | `(?i)PRIVATE-TOKEN:\s*[A-Za-z0-9_-]{20,}` | | Azure Functions Key Header | Critical | `(?i)x-functions-key:\s*[A-Za-z0-9_=/+-]{30,}` | | API Key Auth Header | High | `(?i)x-(?:api-key\|auth-token):\s*[A-Za-z0-9_=/.+-]{20,}` | | Negotiate/NTLM Authorization Header | High | `(?i)Authorization:\s*(?:Negotiate\|NTLM)\s+(?:YII\|TlRMTVNT)[A-Za-z0-9+/=]{16,}` | ### `packages` NPM, PyPI, RubyGems, Cargo (crates.io), Maven Central, NuGet publish tokens. | Name | Severity | Regex | |---|---|---| | PyPI Upload Token | Critical | `\bpypi-AgEIcHlwaS5vcmc[A-Za-z0-9_-]{50,}\b` | | TestPyPI Upload Token | Critical | `\bpypi-AgENdGVzdC5weXBpLm9yZ[A-Za-z0-9_-]{50,}\b` | | RubyGems API Key | Critical | `\brubygems_[a-f0-9]{48}\b` | | crates.io API Token | Critical | `\bcio[A-Za-z0-9]{32}\b` | | NuGet API Key | Critical | `\boy2[a-z0-9]{43}\b` | | JFrog Artifactory API Key | Critical | `\bAKCp[A-Za-z0-9]{60,}\b` | | Artifactory Reference Token | Critical | `\bcmVmdGtu[A-Za-z0-9+/=]{50,}\b` | | Clojars Deploy Token | Critical | `\bCLOJARS_[a-f0-9]{60}\b` | | Packagist API Token | Critical | `\bpackagist_[a-z]{3,4}_[a-f0-9]{64,}\b` | | Endor Labs Token | Critical | `\bendr\+[A-Za-z0-9]{20,}\b` | | Socket.dev Token | Critical | `\bsktsec_[A-Za-z0-9_-]{20,}\b` | | Duffel Access Token | Critical | `\bduffel_(?:test\|live)_[A-Za-z0-9_-]{43}\b` | ### `healthcare` NHS, NPI, DEA, Medicaid IDs and other healthcare identifiers. | Name | Severity | Regex | |---|---|---| | US NPI (labeled) | Medium | `(?i)\bNPI[:#\s]+\d{10}\b` | | US NPI Card Number | Medium | `\b80840\d{10}\b` | | US DEA Number | Medium | `\b[ABCDEFGHJKLMNPRSTUX][A-Z9]\d{7}\b` | | UK NHS Number (labeled) | Medium | `(?i)\bNHS[:#\s]+\d{3}[ -]?\d{3}[ -]?\d{4}\b` | | FHIR Patient Resource ID | Medium | `\bPatient/[A-Za-z0-9\-]{1,64}\b` | | Doximity API Token | High | `\bdx_live_[A-Za-z0-9]{20,40}\b` | ### `pii_contact` Email addresses, phone numbers (E.164 with separator tolerance), full names. | Name | Severity | Regex | |---|---|---| | Email Address | Low | `\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b` | | Phone Number (US) | Medium | `(?:\+1[ .\-]?)?\(?\d{3}\)?[ .\-]?\d{3}[ .\-]?\d{4}\b` | | International Phone (E.164) | Medium | `\+[1-9](?:[ \-]?\d){9,16}\b` | | Phone Number (UK) | Medium | `\+44[ .\-]?0?(?:[ .\-]?\d){9,11}\b` | | Phone Number (Italy) | Medium | `\+39[ .\-]?0?(?:[ .\-]?\d){8,12}\b` | | Phone Number (France) | Medium | `\+33[ .\-]?0?(?:[ .\-]?\d){9,11}\b` | | Phone Number (Germany) | Medium | `\+49[ .\-]?0?(?:[ .\-]?\d){6,12}\b` | | Phone Number (Spain) | Medium | `\+34[ .\-]?(?:[ .\-]?\d){9,11}\b` | | Phone Number (Brazil) | Medium | `\+55[ .\-]?(?:[ .\-]?\d){10,12}\b` | | Phone Number (India) | Medium | `\+91[ .\-]?(?:[ .\-]?\d){10,12}\b` | | Date of Birth (labeled) | Medium | `(?i)\b(?:dob\|date[_\s-]?of[_\s-]?birth\|birth[_\s-]?date)\s*[:=]?\s*(?:19\|20)[0-9]{2}-(?:0[1-9]\|1[0-2])-(?:0[1-9]\|[12][0-9]\|3[01])\b` | ### `pii_financial` Credit / debit cards (Luhn-validated), IBAN, BIC / SWIFT, ABA routing numbers. | Name | Severity | Regex | |---|---|---| | Visa Card | Critical | `\b4\d{3}(?:[ -]?\d{4}){3}(?:[ -]?\d{3})?\b` | | Mastercard Card | Critical | `\b(?:5[1-5]\d{2}\|222[1-9]\|22[3-9]\d\|2[3-6]\d{2}\|27[01]\d\|2720)(?:[ -]?\d{4}){3}\b` | | American Express Card | Critical | `\b3[47]\d{2}[ -]?\d{6}[ -]?\d{5}\b` | | Discover Card | Critical | `\b(?:6011\|64[4-9]\d\|65\d{2}\|622\d{3})(?:[ -]?\d{4}){2}[ -]?\d{1,4}\b` | | Diners Club Card | Critical | `\b3(?:0[0-5]\|[68]\d)\d{11}\b` | | JCB Card | Critical | `\b35(?:2[89]\|[3-8]\d)\d{12}\b` | | UnionPay Card | Critical | `\b62\d{14,17}\b` | | Maestro Card | Critical | `\b(?:5018\|5020\|5038\|5893\|6304\|6759\|676[1-3])\d{8,15}\b` | | Dankort Card | Critical | `\b5019\d{12}\b` | | Mir Card | Critical | `\b220[0-4]\d{12}\b` | | UATP Card (labeled) | Critical | `(?i)\buatp\b[:#=\s]+1\d{14}\b` | | IBAN | Medium | `\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b` | | IBAN (Germany) | Medium | `\bDE\d{20}\b` | | IBAN (United Kingdom) | Medium | `\bGB\d{2}[A-Z]{4}\d{14}\b` | | IBAN (France) | Medium | `\bFR\d{12}[A-Z0-9]{11}\d{2}\b` | | IBAN (Italy) | Medium | `\bIT\d{2}[A-Z]\d{10}[A-Z0-9]{12}\b` | | IBAN (Spain) | Medium | `\bES\d{22}\b` | | BIC / SWIFT (labeled) | Low | `(?i)\b(?:bic\|swift)\b[:=\s]+[A-Z]{6}[A-Z0-9]{2}(?:[A-Z0-9]{3})?\b` | | US Bank Routing Number (labeled) | Medium | `(?i)routing(?:\s*number)?[:#=\s]+\d{9}\b` | | US Bank Account Number (labeled) | Medium | `(?i)account(?:\s*(?:number\|no))?[:#=\s]+\d{6,17}\b` | | UK Sort Code (labeled) | Medium | `(?i)sort\s*code[:\s]+\d{2}-\d{2}-\d{2}\b` | | SEPA Creditor Identifier (labeled) | Medium | `(?i)\b(?:creditor[\s_-]?id\|sepa[\s_-]?ci)\b[:=\s]+[A-Z]{2}\d{2}[A-Z0-9]{3}[A-Z0-9]{1,28}\b` | ### `pii_govid_us` US Social Security Number, ITIN, EIN, US passport, driver's license formats. | Name | Severity | Regex | |---|---|---| | US ITIN | Medium | `\b9\d{2}[-\s]?(?:5\d\|6[0-5]\|7\d\|8[0-8]\|9[0-2]\|9[4-9])[-\s]?\d{4}\b` | | US EIN (labeled) | Medium | `(?i)\bEIN[:#\s]+\d{2}-\d{7}\b` | | US PTIN | Medium | `\bP\d{8}\b` | | US Medicare MBI | Medium | `\b[1-9][ACDEFGHJKMNPQRTUVWXY][ACDEFGHJKMNPQRTUVWXY0-9]\d[ACDEFGHJKMNPQRTUVWXY][ACDEFGHJKMNPQRTUVWXY0-9]\d[ACDEFGHJKMNPQRTUVWXY]{2}\d{2}\b` | | US DEA Number | Medium | `\b[ABCDEFGHJKLMNPRSTUX][A-Z9]\d{7}\b` | | Canada SIN (labeled) | Medium | `(?i)\bSIN[:#\s]+\d{3}[-\s]?\d{3}[-\s]?\d{3}\b` | | Canada Quebec RAMQ | Medium | `\b[A-Z]{4}\d{8}\b` | | Canada Ontario OHIP | Medium | `\b\d{4}-\d{3}-\d{3}-[A-Z]{2}\b` | | Canadian Passport | Medium | `\b[A-Z]{2}\d{6}\b` | | Mexico CURP | Medium | `\b[A-Z]{4}\d{6}[HM][A-Z]{5}[A-Z0-9]\d\b` | | Mexico RFC | Medium | `\b[A-Z]{4}\d{6}[A-Z0-9]{3}\b` | | US Driver's License (distinctive state format) | Medium | `\b(?:[A-Z]\d{12,14}\|\d{2}[A-Z]{3}\d{5}\|[A-Z]{3}\d{6})\b` | ### `pii_govid_eu` EU national IDs (codice fiscale, NIE, DNI, BSN, etc.), EU passport, MRZ. | Name | Severity | Regex | |---|---|---| | UK NINO | Medium | `\b[ABCEGHJ-PRSTW-Z][ABEHJ-NPRSTW-Z]\d{6}[A-D]\b` | | UK NHS Number (labeled) | Medium | `(?i)\bNHS[:#\s]+\d{3}[ -]?\d{3}[ -]?\d{4}\b` | | Ireland PPSN | Medium | `\b\d{7}[A-W][AHWTX]?\b` | | Ireland Eircode | Medium | `\b[A-Z]\d{2}\s?[A-Z0-9]{4}\b` | | France NIR (labeled) | Medium | `(?i)\b(?:NIR\|INSEE)[:#\s]+[12]\d{2}(?:0[1-9]\|1[0-2])\d{2}\d{3}\d{3}\d{2}\b` | | Germany Steuer-ID (labeled) | Medium | `(?i)\b(?:Steuer-?ID\|Steuernummer\|tax[\s-]?ID)[:#\s]+\d{11}\b` | | Germany Steuernummer | Medium | `\b\d{2,3}/\d{3,4}/\d{4,5}\b` | | Italy Codice Fiscale | Medium | `\b[A-Z]{6}\d{2}[A-EHLMPRST]\d{2}[A-Z]\d{3}[A-Z]\b` | | Italy Partita IVA (labeled) | Medium | `(?i)\b(?:Partita\s?IVA\|P\.?IVA\|VAT)[:#\s]+IT?\d{11}\b` | | Italy Passport | Medium | `\b[A-Z]{2}\d{7}\b` | | Spain DNI/NIE (labeled) | Medium | `(?i)\b(?:DNI\|NIE)\b[:#=\s]+[XYZ]?\d{7,8}[A-Za-z]\b` | | Spain NIE | Medium | `\b[XYZ]\d{7}[A-Z]\b` | | Spain NIF (business) | Medium | `\b[A-HJ-NP-SUVW]\d{7}[0-9A-J]\b` | | Spain SSN | Medium | `\b\d{2}/\d{8}/\d{2}\b` | | Netherlands BSN (labeled) | Medium | `(?i)\bBSN[:#\s]+\d{8,9}\b` | | Belgium Rijksregisternummer | Medium | `\b\d{2}\.\d{2}\.\d{2}-\d{3}\.\d{2}\b` | | Sweden Personnummer | Medium | `\b(?:19\|20)?\d{6}[-+]\d{4}\b` | | Finland HETU | Medium | `\b\d{6}[-+ABCDEFUVWXY]\d{3}[0-9A-Y]\b` | | Estonia Isikukood | Medium | `\b[1-6]\d{2}(?:0[1-9]\|1[0-2])(?:0[1-9]\|[12]\d\|3[01])\d{4}\b` | | Czech/Slovak Rodne cislo | Medium | `\b\d{6}/\d{4}\b` | | Romania CNP | Medium | `\b[1-9]\d{2}(?:0[1-9]\|1[0-2])(?:0[1-9]\|[12]\d\|3[01])\d{6}\b` | | Russia SNILS | Medium | `\b\d{3}-\d{3}-\d{3}\s\d{2}\b` | | Poland PESEL (labeled) | Medium | `(?i)\bPESEL\b[:#=\s]+\d{11}\b` | | Netherlands BSN (labeled) | Medium | `(?i)\b(?:BSN\|burgerservicenummer)\b[:#=\s]+\d{9}\b` | | Belgium Rijksregisternummer (labeled) | Medium | `(?i)\b(?:rijksregisternummer\|RRN\|NISS)\b[:#=\s]+[\d.\-]{11,17}` | | France NIR (labeled) | Medium | `(?i)\b(?:NIR\|INSEE\|secu)\b[:#=\s]+[\d ]{15,25}` | ### `pii_govid_intl` International passports, MRZ formats, ABN / CPF / Aadhaar / MyKad and similar. | Name | Severity | Regex | |---|---|---| | India PAN | Medium | `\b[A-Z]{5}\d{4}[A-Z]\b` | | India GSTIN | Medium | `\b\d{2}[A-Z]{5}\d{4}[A-Z][A-Z0-9]Z[A-Z0-9]\b` | | India IFSC | Medium | `\b[A-Z]{4}0[A-Z0-9]{6}\b` | | India Aadhaar (labeled) | Medium | `(?i)\baadhaar[:#\s]+[2-9]\d{3}\s?\d{4}\s?\d{4}\b` | | Brazil CPF | Medium | `\b\d{3}\.?\d{3}\.?\d{3}-?\d{2}\b` | | Brazil CNPJ | Medium | `\b[0-9A-Z]{2}\.?[0-9A-Z]{3}\.?[0-9A-Z]{3}/?[0-9A-Z]{4}-?\d{2}\b` | | Chile RUT | Medium | `\b\d{1,2}\.\d{3}\.\d{3}-[\dkK]\b` | | Argentina CUIL/CUIT | Medium | `\b(?:20\|23\|24\|27\|30\|33\|34)-\d{8}-\d\b` | | China Resident ID | Medium | `\b\d{6}(?:19\|20)\d{2}(?:0[1-9]\|1[0-2])(?:0[1-9]\|[12]\d\|3[01])\d{3}[0-9Xx]\b` | | China Passport | Medium | `\b[GE]\d{8}\b` | | Taiwan National ID | Medium | `\b[A-Z][12]\d{8}\b` | | Korea RRN | Medium | `\b\d{6}-[1-8]\d{6}\b` | | Pakistan CNIC | Medium | `\b[1-7]\d{4}-\d{7}-\d\b` | | Sri Lanka NIC (old) | Medium | `\b\d{9}[VvXx]\b` | | Singapore NRIC/FIN | Medium | `\b[STFGM]\d{7}[A-Z]\b` | | Malaysia MyKad | Medium | `\b\d{6}-\d{2}-\d{4}\b` | | Indonesia NPWP | Medium | `\b\d{2}\.\d{3}\.\d{3}\.\d-\d{3}\.\d{3}\b` | | Indonesia NIK (labeled) | Medium | `(?i)\bnik[:#\s]+\d{16}\b` | | UAE Emirates ID | Medium | `\b784-\d{4}-\d{7}-\d\b` | | Egypt National ID | Medium | `\b[23]\d{13}\b` | | Ghana Card PIN | Medium | `\bGHA-\d{9}-\d\b` | | South Africa ID (labeled) | Medium | `(?i)\bsouth africa id[:#\s]+\d{13}\b` | | Turkey TC Kimlik No | Medium | `\b[1-9]\d{10}\b` | | Israel Teudat Zehut (labeled) | Medium | `(?i)\b(?:teudat[\s-]?zehut\|israeli?[\s-]?id)\b[:#=\s]+\d{8,9}\b` | | Australia TFN (labeled) | Medium | `(?i)\btfn[:#\s]+\d{3}\s?\d{3}\s?\d{2,3}\b` | | New Zealand NHI | Medium | `\b[A-HJ-NP-Z]{3}\d{4}\b` | | Passport MRZ (TD3) | Critical | `P[A-Z<][A-Z]{3}[A-Z<]{39}[\r\n]+[A-Z0-9<]{44}` | | Canada Driver's License (distinctive province format) | Medium | `\b(?:[A-Z]\d{4}-?\d{5}\d[0156]\d[0123]\d\|[A-Z]\d{12}\|[A-Z]{5}\d{9})\b` | ### `pii_geo` Postal addresses, postal / ZIP codes, geographic coordinates. | Name | Severity | Regex | |---|---|---| | Geo URI | Medium | `(?i)\bgeo:[-+]?\d{1,3}(?:\.\d+)?,[-+]?\d{1,3}(?:\.\d+)?` | | ISO 6709 Coordinates | Medium | `[-+]\d{1,3}(?:\.\d+)?[-+]\d{1,3}(?:\.\d+)?/` | | Map Link Coordinates | Medium | `/@-?\d{1,2}\.\d{3,},-?\d{1,3}\.\d{3,}` | | KML Coordinates | High | `\s*[-+]?\d+\.\d+,[-+]?\d+\.\d+` | | GeoJSON Point | Medium | `"type"\s*:\s*"Point"\s*,\s*"coordinates"\s*:\s*\[\s*-?\d{1,3}(?:\.\d+)?\s*,\s*-?\d{1,3}(?:\.\d+)?` | | what3words Address | Medium | `///\p{L}{2,}\.\p{L}{2,}\.\p{L}{2,}` | | Plus Code (Open Location Code) | Medium | `\b[23456789CFGHJMPQRVWX]{8}\+[23456789CFGHJMPQRVWX]{2,3}\b` | | WKT Geometry | Medium | `\b(?:POINT\|POLYGON\|LINESTRING\|MULTIPOLYGON)\s*\(\s*-?\d` | | GPX Track Point | High | `(?i)<(?:trkpt\|wpt\|rtept)\b[^>]*\blat="[-+]?\d` | | EXIF GPS Tag | High | `(?i)\bGPS(?:Latitude\|Longitude\|Position\|Coordinates)(?:Ref)?\b` | | NMEA Sentence | High | `\$(?:GP\|GN\|GL)(?:GGA\|RMC\|GLL)\b[^*\n]*\*[0-9A-Fa-f]{2}` | ### `pii_biometric` Biometric identifiers, fingerprint hashes, biometric template tokens. | Name | Severity | Regex | |---|---|---| | Consumer DNA Raw Data Header | High | `(?i)(?:#\s*)?\brsid\s+chromosome\s+position\s+genotype\b` | | VCF Genomic File Header | High | `##fileformat=VCFv4` | | FASTQ Sequence Record | High | `(?m)^@[^\n]{1,80}\r?\n[ACGTNacgtn]{15,}\r?\n\+` | | FASTA Sequence Record | High | `(?m)^>[^\n]{1,80}\r?\n[ACDEFGHIKLMNPQRSTVWYacgtn*]{25,}` | ### `pii_network` IPv4 (including with port), IPv6, MAC addresses, CIDR blocks, hostnames. | Name | Severity | Regex | |---|---|---| | IPv6 Address | Low | `\b(?:[0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}\b` | | IPv6 Address (compressed) | Low | `(?:[0-9A-Fa-f]{1,4}:){1,6}:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4}){0,5}` | | IPv6 Address (link-local) | Low | `(?i)\bfe80::[0-9a-f]{1,4}(?::[0-9a-f]{1,4}){0,3}\b` | | CIDR Block (IPv4) | Low | `\b(?:(?:25[0-5]\|2[0-4]\d\|1?\d\d?)\.){3}(?:25[0-5]\|2[0-4]\d\|1?\d\d?)/(?:3[0-2]\|[12]?\d)\b` | | CIDR Block (IPv6) | Low | `(?:[0-9A-Fa-f]{1,4}:){1,7}:?(?:[0-9A-Fa-f]{1,4})?/(?:12[0-8]\|1[01]\d\|\d{1,2})\b` | | UUID/GUID | Low | `(?i)\b[0-9a-f]{8}-[0-9a-f]{4}-[1-8][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\b` | | IMEI | Low | `(?i)\bimei\s*[:=]?\s*\d{15}\b` | | IMSI | Low | `(?i)\bimsi\s*[:=]?\s*\d{14,15}\b` | | ICCID | Low | `(?i)\biccid\s*[:=]?\s*89\d{17,18}\b` | | MEID | Low | `(?i)\bmeid\s*[:=]?\s*[0-9A-Fa-f]{14}\b` | | BSSID (labeled) | Low | `(?i)\bbssid\s*[:=]?\s*(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b` | | FCM Registration Token | Medium | `\b[\w-]{8,22}:APA91b[\w-]{100,}\b` | | TLS SHA-256 Fingerprint | Low | `\b(?:[0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2}\b` | | TLS SHA-1 Fingerprint | Low | `\b(?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2}\b` | | SSH Key Fingerprint (SHA256) | Low | `\bSHA256:[A-Za-z0-9+/]{43}\b` | | HPKP Pin (pin-sha256) | Low | `pin-sha256="[A-Za-z0-9+/]{43}="` | | Google Analytics Cookie | Low | `\bGA1\.\d\.\d{6,12}\.\d{9,10}\b` | | Facebook Pixel Cookie | Low | `\bfb\.\d\.\d{13}\.\d{5,}\b` | | Adobe Experience Cloud ID | Low | `\b[0-9A-F]{24}@AdobeOrg\b` | ### `hashes` bcrypt, scrypt, argon2, MD5, SHA, NTLM password hashes. | Name | Severity | Regex | |---|---|---| | bcrypt Hash | High | `\$2[abcxy]?\$\d{2}\$[./A-Za-z0-9]{53}` | | md5crypt Hash | High | `\$1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}` | | sha256crypt Hash | High | `\$5\$(?:rounds=\d+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{43}` | | sha512crypt Hash | High | `\$6\$(?:rounds=\d+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}` | | yescrypt Hash | High | `\$y\$[./A-Za-z0-9]+\$[./A-Za-z0-9]+\$[./A-Za-z0-9]+` | | gost-yescrypt Hash | High | `\$gy\$[./A-Za-z0-9]+\$[./A-Za-z0-9]+\$[./A-Za-z0-9]+` | | argon2 Hash | High | `\$argon2(?:id\|i\|d)\$v=\d+\$m=\d+,t=\d+,p=\d+(?:,keyid=[A-Za-z0-9+/]+)?(?:,data=[A-Za-z0-9+/]+)?\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+` | | scrypt Hash | High | `\$scrypt\$ln=\d+,r=\d+,p=\d+\$[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+` | | PBKDF2 Hash | High | `\$pbkdf2-sha(?:1\|256\|512)\$\d+\$[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+` | | phpass Hash | High | `\$P\$[./A-Za-z0-9]{31}` | | phpBB3 Hash | High | `\$H\$[./A-Za-z0-9]{31}` | | Drupal7 Hash | High | `\$S\$[./A-Za-z0-9]{52}` | | Apache apr1 Hash | High | `\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}` | | Kerberos krb5 Hash | High | `\$krb5(?:asrep\|tgs)\$\d+\$[^\s]{20,512}` | | NTLM Hash (labeled) | High | `(?i)\bNTLM[:=\s]+[a-fA-F0-9]{32}\b` | | pwdump Hash Line | Critical | `[^:\s]+:\d+:[A-Fa-f0-9]{32}:[A-Fa-f0-9]{32}:::` | | htpasswd Hash Line | Critical | `(?m)^[A-Za-z0-9._-]+:\$(?:2[aby]?\|apr1\|1\|5\|6\|y)\$[./A-Za-z0-9$,=+]+` | | shadow Hash Line | Critical | `(?m)^[A-Za-z0-9._-]+:\$[0-9a-z]+\$[^:]+:` | | LDAP/Dovecot {SCHEME} Hash | Critical | `(?i)\{(?:s?sha(?:256\|512)?\|s?md5\|crypt\|cleartext\|plain\|argon2i?d?\|pbkdf2\|blf-crypt\|sha(?:256\|512)?-crypt\|md5-crypt\|des-crypt\|ntlm\|lanman\|cram-md5\|digest-md5\|scram-sha-(?:1\|256))\}\S{6,}` | | PostgreSQL SCRAM-SHA-256 Verifier | Critical | `SCRAM-SHA-256\$\d+:[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+:[A-Za-z0-9+/=]+` | | WPA Handshake Hash | High | `\bWPA\*0[12]\*[0-9A-Fa-f*]{20,}` | | Application $tag$ Hash | High | `\$(?:DCC2\|krb5pa\|keepass\|ansible\|7z\|zip2\|RAR3\|rar5\|office\|pdf\|bitlocker\|luks\|fvde\|bitcoin\|electrum\|sshng\|odf\|axcrypt\|telegram\|ethereum\|metamask\|blockchain\|monero\|multibit\|androidbackup\|itunes_backup)\$[^\s]{6,512}` | | Cisco Type 8/9 Hash | High | `\$[89]\$[A-Za-z0-9./]{12,}\$[A-Za-z0-9./]{20,}` | | GRUB2 PBKDF2 Hash | Critical | `grub\.pbkdf2\.sha512\.\d+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+` | | MySQL caching_sha2 Hash | High | `\$A\$[0-9]{3}\$\S{20,}` | | Django PBKDF2 Password Hash | High | `\bpbkdf2_sha(?:1\|256)\$\d+\$[A-Za-z0-9+/=._-]{4,}\$[A-Za-z0-9+/=._-]{16,}` | | Werkzeug PBKDF2 Hash | High | `\bpbkdf2:sha(?:1\|256):\d+\$[A-Za-z0-9$+/=._-]{16,}` | | NetNTLMv2 Hash | Critical | `\b[^\s:]{1,64}::[^\s:]{0,64}:[A-Fa-f0-9]{16}:[A-Fa-f0-9]{32}:[A-Fa-f0-9]{16,}` | | MySQL Native Password Hash | High | `\*[0-9A-F]{40}\b` | ### `structured` Secrets embedded in JSON values, dotenv lines, k=v shapes, YAML scalars. | Name | Severity | Regex | |---|---|---| | Dotenv Secret Line | Critical | `(?im)^\s*[A-Z0-9_]*(?:SECRET\|TOKEN\|PASSWORD\|PASSWD\|APIKEY\|API_KEY\|PRIVATE_KEY\|ACCESS_KEY)[A-Z0-9_]*\s*=\s*\S{6,}` | | npmrc Auth Token | Critical | `//[^/\s]+/:_authToken=\S+` | | pypirc Password | Critical | `(?im)^\s*password\s*=\s*\S{6,}` | | Git Credentials URL | Critical | `https://[^:/\s]+:[^@/\s]+@[^/\s]+` | | Netrc Credentials | Critical | `(?i)machine\s+\S+\s+login\s+\S+\s+password\s+\S+` | | Docker Config Auth | Critical | `"auth"\s*:\s*"[A-Za-z0-9+/=]{16,}"` | | Sidekiq Sensitive URL | Critical | `https?://[^:/\s]+:[^@/\s]+@(?:gems\|enterprise)\.contribsys\.com` | | Bundler Enterprise Creds | Critical | `BUNDLE_(?:ENTERPRISE\|GEMS)__CONTRIBSYS__COM=[A-Za-z0-9:_-]+` | | NuGet ClearText Password | Critical | `(?i)` | | OAuth2 access_token Param | Critical | `(?i)[?&#]access_token=[A-Za-z0-9._-]{20,}` | | OAuth2 id_token Param | High | `(?i)[?&#]id_token=eyJ[A-Za-z0-9_-]+` | | OAuth2 code Param | High | `(?i)[?&]code=[A-Za-z0-9_-]{20,}` | | Password Manager Export Header | Critical | `(?im)^(?:name,url,username,password\|folder,favorite,type,name,notes,fields,reprompt,login_uri,login_username,login_password,login_totp\|url,username,password,totp,extra,name,grouping,fav\|"Account","Login Name","Password","Web Site")` | | 1Password 1PIF Concealed Field | Critical | `"k"\s*:\s*"concealed"` | | PostgreSQL .pgpass Line | Critical | `(?m)^(?:\*\|[A-Za-z0-9_.-]+):(?:\*\|\d{1,5}):(?:\*\|[A-Za-z0-9_.-]*):[^:\n]+:\S{4,}$` | | AWS Secret Access Key (labeled) | Critical | `(?i)aws_secret_access_key\s*=\s*[A-Za-z0-9/+]{40}` | | kubeconfig client-key-data | Critical | `client-key-data:\s*[A-Za-z0-9+/=]{100,}` | ### `wallets` BTC / ETH / SOL and other wallet addresses, BIP39 seed phrases, keystore JSON. | Name | Severity | Regex | |---|---|---| | Bitcoin BIP32 Extended Private Key (xprv) | Critical | `\bxprv[1-9A-HJ-NP-Za-km-z]{107,112}\b` | | Bitcoin BIP49 Extended Private Key (yprv) | Critical | `\b[yY]prv[1-9A-HJ-NP-Za-km-z]{107,112}\b` | | Bitcoin BIP84 Extended Private Key (zprv) | Critical | `\b[zZ]prv[1-9A-HJ-NP-Za-km-z]{107,112}\b` | | Bitcoin BIP32 Extended Public Key (xpub) | Low | `\bxpub[1-9A-HJ-NP-Za-km-z]{107,112}\b` | | Bitcoin BIP49/84 Extended Public Key (ypub/zpub) | Low | `\b[yYzZ]pub[1-9A-HJ-NP-Za-km-z]{107,112}\b` | | Bitcoin WIF Private Key | Critical | `\b[5KL][1-9A-HJ-NP-Za-km-z]{50,51}\b` | | Bitcoin P2PKH Address | Low | `\b1[1-9A-HJ-NP-Za-km-z]{25,34}\b` | | Bitcoin P2SH Address | Low | `\b3[1-9A-HJ-NP-Za-km-z]{25,34}\b` | | Bitcoin Bech32 Address | Low | `\bbc1[02-9ac-hj-np-z]{11,71}\b` | | Bitcoin Taproot Address (P2TR) | Low | `\bbc1p[02-9ac-hj-np-z]{58}\b` | | Litecoin Address | Low | `\b(?:ltc1[02-9ac-hj-np-z]{11,71}\|[LM][1-9A-HJ-NP-Za-km-z]{25,34})\b` | | EVM Private Key (labeled) | Critical | `(?i)\b(?:private[_ ]?key\|privkey)\b\W{0,3}(?:0x)?[a-fA-F0-9]{64}\b` | | EVM Address | Low | `\b0x[a-fA-F0-9]{40}\b` | | Solana Keypair Byte Array | Critical | `\[\s*(?:\d{1,3}\s*,\s*){63}\d{1,3}\s*\]` | | Solana Address | Low | `\b[1-9A-HJ-NP-Za-km-z]{32,44}\b` | | Cardano Shelley Address | Low | `\baddr1[02-9ac-hj-np-z]{50,}\b` | | Cardano Stake Address | Low | `\bstake1[02-9ac-hj-np-z]{50,}\b` | | Cosmos Ecosystem Address | Low | `\b(?:cosmos\|osmo\|juno\|stars\|akash\|kava\|secret\|inj\|sei\|celestia\|dydx\|terra\|regen\|band\|kujira\|evmos\|axelar\|stride\|chihuahua\|comdex\|migaloo\|noble\|persistence\|umee\|agoric\|gravity)1[02-9ac-hj-np-z]{38,}\b` | | Tezos Address | Low | `\b(?:tz1\|tz2\|tz3\|KT1)[1-9A-HJ-NP-Za-km-z]{33}\b` | | Tezos edsk Private Key | Critical | `\bedsk[1-9A-HJ-NP-Za-km-z]{50,}\b` | | XRP Ledger Address | Low | `\br[1-9A-HJ-NP-Za-km-z]{24,34}\b` | | Stellar Public Key | Low | `\bG[A-Z2-7]{55}\b` | | Stellar Secret Seed | Critical | `\bS[A-Z2-7]{55}\b` | | Tron Address | Low | `\bT[1-9A-HJ-NP-Za-km-z]{33}\b` | | Monero Address | Low | `\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b` | | Ethereum v3 Keystore JSON | Critical | `(?i)"crypto"\s*:\s*\{[^}]*"ciphertext"` | | MetaMask Vault | Critical | `\{"data":"[A-Za-z0-9+/=]+","iv":"[A-Za-z0-9+/=]+","salt":"[A-Za-z0-9+/=]+"\}` | | Sui Private Key | Critical | `\bsuiprivkey1[02-9ac-hj-np-z]{59}\b` | | Aptos Private Key (AIP-80) | Critical | `\b(?:ed25519\|secp256k1)-priv-0x[0-9a-fA-F]{64}\b` | ### `exchanges` Binance, Coinbase, Kraken, Bitfinex, KuCoin and other exchange API keys. | Name | Severity | Regex | |---|---|---| | Coinbase CDP API Key Name | Critical | `organizations/[0-9a-f-]{36}/apiKeys/[0-9a-f-]{36}` | | Coinbase Pro API Secret | Critical | `(?i)(?:cb-access\|coinbase)[a-z_-]*(?:secret\|key)['"]?\s*[:=]\s*['"]?[A-Za-z0-9+/]{86,88}={0,2}` | | Kraken API Key | Critical | `(?i)kraken[a-z_-]*(?:key\|secret)['"]?\s*[:=]\s*['"]?[A-Za-z0-9+/]{56}` | | Binance API Key | Critical | `(?i)binance[a-z_-]*(?:api[_-]?key\|secret(?:[_-]?key)?)['"]?\s*[:=]\s*['"]?[A-Za-z0-9]{64}` | | Gemini API Key (master) | Critical | `\bmaster-[A-Za-z0-9]{20,30}\b` | | Gemini API Key (account) | Critical | `\baccount-[A-Za-z0-9]{20,30}\b` | | KuCoin Passphrase | Critical | `(?i)kucoin[a-z_-]*pass(?:phrase)?['"]?\s*[:=]\s*['"]?[A-Za-z0-9!@#$%^&*_-]{6,32}` | | OKX Secret Key | Critical | `(?i)okx[a-z_-]*(?:secret\|api[_-]?key)['"]?\s*[:=]\s*['"]?[A-F0-9]{32}` | | Bybit API Secret | Critical | `(?i)bybit[a-z_-]*(?:api[_-]?key\|secret)['"]?\s*[:=]\s*['"]?[A-Za-z0-9]{18,36}` | | Bitget API Key | Critical | `(?i)bitget[a-z_-]*(?:api[_-]?key\|secret\|pass(?:phrase)?)['"]?\s*[:=]\s*['"]?[A-Za-z0-9!@#$%^&*_-]{16,64}` | | Gate.io API Key | Critical | `(?i)gate(?:io\|\.io)?[a-z_-]*(?:api[_-]?key\|secret)['"]?\s*[:=]\s*['"]?[A-Za-z0-9]{32}` | | MEXC API Key | Critical | `\bmx0[A-Za-z0-9]{30,40}\b` | | HTX (Huobi) API Key | Critical | `(?i)(?:htx\|huobi)[a-z_-]*(?:api[_-]?key\|secret)['"]?\s*[:=]\s*['"]?[0-9a-f]{8}-[0-9a-f]{8}-[0-9a-f]{8}-[0-9a-f]{6}` | | Crypto.com Exchange API Key | Critical | `(?i)crypto[_.]?com[a-z_-]*(?:api[_-]?key\|secret)['"]?\s*[:=]\s*['"]?[A-Za-z0-9]{20,40}` | | dYdX StarkEx Stark Key | Critical | `(?i)(?:dydx\|stark)[a-z_-]*key['"]?\s*[:=]\s*['"]?0x[a-fA-F0-9]{63,64}` | | Fireblocks API Key | Critical | `(?i)fireblocks[a-z_-]*(?:api[_-]?key\|key)['"]?\s*[:=]\s*['"]?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}` | | Robinhood Crypto API Key | High | `\brh-api-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b` | ### `rpc_chain` Infura, Alchemy, QuickNode, Moralis, Ankr RPC URLs and project IDs. | Name | Severity | Regex | |---|---|---| | Infura Endpoint URL with Project ID | Critical | `[a-z0-9-]+\.infura\.io/v3/[0-9a-f]{32}` | | Infura Endpoint URL with Project Secret | Critical | `https://:[0-9a-f]{32}@[a-z0-9-]+\.infura\.io/v3/[0-9a-f]{32}` | | Alchemy Endpoint URL with API Key | Critical | `[a-z0-9-]+\.g\.alchemy\.com/v2/[A-Za-z0-9_-]{32}` | | Alchemy Webhook Signing Key | High | `\bwhsec_[A-Za-z0-9]{20,40}\b` | | QuickNode Endpoint URL with Key | Critical | `[a-z0-9-]+\.quiknode\.pro/[0-9a-f]{40}` | | Ankr Multichain Endpoint URL with Token | Critical | `rpc\.ankr\.com/multichain/[0-9a-f]{64}` | | Helius Endpoint URL with API Key | Critical | `[a-z0-9-]+\.helius-rpc\.com/\?api-key=[0-9a-f-]{36}` | | Chainstack Endpoint URL with Key | Critical | `[a-z0-9-]+\.p2pify\.com/[0-9a-f]{32}` | | Etherscan Family API Key | High | `(?i)(?:etherscan\|bscscan\|polygonscan\|arbiscan\|snowtrace\|basescan\|ftmscan\|gnosisscan)[a-z_-]*(?:api[_-]?key)['"]?\s*[:=]\s*['"]?[A-Z0-9]{34}` | | The Graph Gateway API Key | Critical | `gateway\.thegraph\.com/api/[0-9a-f]{32}` | | Covalent / GoldRush API Key | High | `\bcqt_[A-Za-z0-9]{26,40}\b` | | Bitquery OAuth Token | Critical | `\bory_at_[A-Za-z0-9._-]{20,}` | | dRPC Endpoint URL with Key | Critical | `\.drpc\.org/\?dkey=[A-Za-z0-9_-]{20,}` | | WalletConnect / Reown Project ID | High | `(?i)(?:walletconnect\|reown\|appkit\|rainbowkit)[a-z_-]*project[_-]?id['"]?\s*[:=]\s*['"]?[a-f0-9]{32}` | | Pinata API Key | Critical | `(?i)pinata[a-z_-]*(?:api[_-]?key\|secret)['"]?\s*[:=]\s*['"]?[A-Za-z0-9]{32,80}` | | Web3.Storage DID Key | Critical | `\bdid:key:z[1-9A-HJ-NP-Za-km-z]{40,}` | | Pimlico Endpoint URL with API Key | Critical | `api\.pimlico\.io/v\d+/[a-z0-9]+/rpc\?apikey=[A-Za-z0-9_-]{20,}` | | ZeroDev Endpoint URL with Project ID | Critical | `rpc\.zerodev\.app/api/v\d+/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}` | | Biconomy Paymaster URL with API Key | Critical | `paymaster\.biconomy\.io/api/v\d+/\d+/[A-Za-z0-9_-]{32,}` | | Stackup Paymaster URL with API Key | Critical | `api\.stackup\.sh/v\d+/[a-z0-9]+/[A-Za-z0-9]{32,}` | | 1inch API Key | High | `(?:api\|portal)\.1inch\.dev/[^\s?]*[?&]apiKey=[A-Za-z0-9]{22}` | | 0x API Key Header | High | `(?i)0x-api-key['"]?\s*[:=]\s*['"]?[A-Za-z0-9-]{32,40}` | | Etherspot Bundler URL with API Key | Critical | `[a-z]+\.etherspot\.io/api/v\d+\?apikey=[A-Za-z0-9_-]{20,}` | ### `mobile` Firebase / FCM / APNS tokens, Android / iOS platform API keys. | Name | Severity | Regex | |---|---|---| | Apple Pay Merchant ID | Low | `\bmerchant\.[A-Za-z0-9][A-Za-z0-9.-]{3,}` | | Apple App-Specific Password | Critical | `\b[a-z]{4}-[a-z]{4}-[a-z]{4}-[a-z]{4}\b` | | Apple iOS UDID (2018+) | Low | `\b[0-9A-F]{8}-[0-9A-F]{16}\b` | | AdMob Ad Unit ID | Low | `\bca-app-pub-[0-9]{16}/[0-9]{10}\b` | | AdMob App ID | Low | `\bca-app-pub-[0-9]{16}~[0-9]{10}\b` | | Google Sign-In OAuth Client ID | Medium | `\b[0-9]{6,}-[a-z0-9]{32}\.apps\.googleusercontent\.com\b` | | Branch.io Live Key | Medium | `\bkey_live_[A-Za-z0-9]{32}\b` | | Branch.io Test Key | Low | `\bkey_test_[A-Za-z0-9]{32}\b` | | Branch.io Live Secret | Critical | `\bsecret_live_[A-Za-z0-9]{32}\b` | | Branch.io Test Secret | Medium | `\bsecret_test_[A-Za-z0-9]{32}\b` | | OneSignal REST API Key | Critical | `\bos_v2_app_[a-z0-9_]{20,}` | | Kochava App GUID | Medium | `\bkokochava[a-z0-9]{10,}\b` | | Expo Push Token | Medium | `ExponentPushToken\[[A-Za-z0-9_-]{22}\]` | | Expo EAS Access Token | Critical | `\bexpo_[A-Za-z0-9]{24,}\b` | ### `gaming` Steam, Epic, PSN, Xbox Live, Riot Games and other gaming-platform tokens. | Name | Severity | Regex | |---|---|---| | Steam Web API Key | Critical | `(?i)(?:webapi_key\|steam[_-]?api[_-]?key\|[?&]key)\s*[=:]\s*[A-F0-9]{32}\b` | | Steam Trade URL Token | Medium | `https://steamcommunity\.com/tradeoffer/new/\?partner=[0-9]+&token=[A-Za-z0-9_-]{8}` | | PlayFab Developer Secret Key | Critical | `(?i)X-SecretKey\s*[=:]\s*[A-Z0-9]{40,}` | | Twitch Client ID | Low | `(?i)twitch[_-]?client[_-]?id\s*[=:]\s*[a-z0-9]{30}\b` | | Twitch Client Secret | Critical | `(?i)twitch[_-]?client[_-]?secret\s*[=:]\s*[a-z0-9]{30}\b` | | Twitch OAuth Token | Critical | `\boauth:[a-z0-9]{30}\b` | | Roblox .ROBLOSECURITY Cookie | Critical | `_\\|WARNING:-DO-NOT-SHARE-THIS\.[^\|]+\\|_[0-9A-F]{100,}` | | Riot Games API Key | Critical | `\bRGAPI-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b` | | Epic Online Services Client ID | Medium | `\bxyz[A-Za-z0-9]{37,}\b` | | Xbox Live XUID | Low | `(?i)xuid\s*[=:]\s*[0-9]{16}\b` | ### `iot` AWS IoT certs, MQTT broker credentials, device-specific provisioning keys. | Name | Severity | Regex | |---|---|---| | AWS IoT Core ATS Endpoint | Low | `\b[a-z0-9]+-ats\.iot\.[a-z0-9-]+\.amazonaws\.com\b` | | Azure IoT Hub Device Connection String | Critical | `HostName=[^;\s]+\.azure-devices\.net;DeviceId=[^;\s]+;SharedAccessKey=[A-Za-z0-9+/=]{40,}` | | Azure IoT Hub X.509 Connection String | High | `HostName=[^;\s]+\.azure-devices\.net;DeviceId=[^;\s]+;x509=true` | | Azure DPS ID Scope | Medium | `\b0ne[0-9A-F]{12,15}\b` | | Azure DPS Symmetric Key | Critical | `(?i)symmetric[_-]?key\s*[=:]\s*[A-Za-z0-9+/]{42,}={0,2}` | | The Things Stack API Key | Critical | `\bNNSXS\.[A-Z2-7]{52}\.[A-Z2-7]{52}\b` | | LoRaWAN AppKey | Critical | `(?i)(?:appkey\|nwkskey\|appskey)\s*[=:]\s*[0-9A-Fa-f]{32}\b` | | Balena Cloud Device API Key | Critical | `(?i)deviceapikey\s*[=:]\s*[0-9a-f]{32}\b` | | Adafruit IO Key | Critical | `\baio_[A-Za-z0-9]{28}\b` | | Tuya Cloud Access ID | High | `(?i)tuya[_-]?(?:access[_-]?id\|client[_-]?id)\s*[=:]\s*[a-z0-9]{20}\b` | | Tuya Cloud Access Secret | Critical | `(?i)tuya[_-]?(?:access[_-]?secret\|client[_-]?secret)\s*[=:]\s*[a-z0-9]{32}\b` | | Tuya Device Local Key | Critical | `(?i)local_key\s*[=:]\s*[a-z0-9]{16}\b` | | RTSP Credentials URL (Hikvision) | Critical | `rtsp://[^:/\s]+:[^@\s]+@[0-9.]+(?::[0-9]+)?/Streaming/Channels/[0-9]+` | | RTSP Credentials URL (Dahua) | Critical | `rtsp://[^:/\s]+:[^@\s]+@[0-9.]+(?::[0-9]+)?/cam/realmonitor\?channel=` | | RTSP Credentials URL (generic) | Critical | `rtsp://[^:/?@\s]+:[^@\s]+@[A-Za-z0-9.-]+(?::\d+)?/\S*` | ### `saas_iam` Okta, Auth0, OneLogin, Ping, Azure AD tenant secrets and management tokens. | Name | Severity | Regex | |---|---|---| | Okta API Token (SSWS) | Critical | `(?i)\bSSWS [A-Za-z0-9_-]{40,}\b` | | Auth0 Management API Token | Critical | `eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]*?aud[A-Za-z0-9_-]*?\.[A-Za-z0-9_-]{10,}` | | Duo Security Integration Key | High | `\bDI[A-Z0-9]{18}\b` | | Duo Security API Hostname | Low | `\bapi-[a-f0-9]{8}\.duosecurity\.com\b` | | 1Password Service Account Token | Critical | `\bops_eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+` | | 1Password Secret Reference URI | Low | `op://[A-Za-z0-9_ -]+/[A-Za-z0-9_ -]+/[A-Za-z0-9_ -]+` | | Bitwarden Secrets Manager Access Token | Critical | `\b0\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.[A-Za-z0-9+/=_-]{20,}:[A-Za-z0-9+/=_-]{20,}` | | Microsoft Entra ID Refresh Token | Critical | `\b0\.[A-Za-z0-9_-]{200,}` | | YubiKey OTP | High | `\b[cbdefghijklnrtuv]{44}\b` | | SAML Certificate (PEM) | Medium | `-----BEGIN CERTIFICATE-----[A-Za-z0-9+/=\s]+?-----END CERTIFICATE-----` | | Salesforce Session ID | Critical | `\b00D[A-Za-z0-9]{12,15}![A-Za-z0-9._]{80,200}\b` | | Salesforce Refresh Token | Critical | `\b5Aep[A-Za-z0-9._=-]{40,}\b` | | Stytch Secret | Critical | `\bsecret-(?:test\|live)-[0-9a-zA-Z=_-]{36}\b` | | Stytch Project ID | Low | `\bproject-(?:test\|live)-[0-9a-f-]{36}\b` | | Ory API Key | Critical | `\bory_(?:pat\|wak\|apikey\|st\|at\|rt\|ac)_[A-Za-z0-9._-]{20,}\b` | | Ramp API Credential | Critical | `\bramp_(?:id\|sec)_[A-Za-z0-9]{20,}\b` | | Hex API Token | Critical | `\bhxt[pw]_[0-9a-f]{96}\b` | | Prefect API Key | Critical | `\bpn[ub]_[A-Za-z0-9]{36}\b` | ### `saas_collab` Notion, Linear, Jira, Asana, Trello, Confluence integration tokens. | Name | Severity | Regex | |---|---|---| | ClickUp Personal Access Token | High | `\bpk_[0-9]{4,}_[A-Z0-9]{32,}\b` | | Airtable Personal Access Token | High | `\bpat[A-Za-z0-9]{14}\.[A-Za-z0-9]{64}\b` | | Airtable Legacy API Key | High | `\bkey[A-Za-z0-9]{14}\b` | | Contentful Content Management PAT | Critical | `\bCFPAT-[A-Za-z0-9_-]{40,}\b` | | Dropbox Short-Lived OAuth Token | Critical | `\bsl\.[A-Za-z0-9_-]{130,}\b` | | ServiceNow Instance URL | Medium | `https://[a-z0-9-]+\.service-now\.com` | | Zendesk API Token (email/token) | Critical | `[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+/token:[A-Za-z0-9]{40}\b` | | Notion Integration Token | Critical | `\b(?:secret_\|ntn_)[A-Za-z0-9]{40,}\b` | | Linear API Key | Critical | `\blin_api_[A-Za-z0-9]{40,}\b` | | Asana Personal Access Token | Critical | `\b[12]/[0-9]{16}:[A-Za-z0-9]{32}\b` | | Dropbox Refresh Token | Critical | `\b[a-z0-9]{11}AAAAAAAAAA[A-Za-z0-9=_-]{43}\b` | ### `saas_crm_marketing` HubSpot, Salesforce, Mailchimp, Intercom, Segment, Customer.io keys. | Name | Severity | Regex | |---|---|---| | HubSpot Private App Token | Critical | `\bpat-(?:na1\|na2\|na3\|eu1\|ap1)-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b` | | Salesforce Session ID Access Token | Critical | `\b00D[A-Za-z0-9]{12,15}![A-Za-z0-9._]{80,200}\b` | | Salesforce OAuth Refresh Token | Critical | `\b5Aep[A-Za-z0-9._=-]{40,}` | | Salesforce Connected App Consumer Key | High | `\b3MVG9[A-Za-z0-9._]{50,}` | | Pipedrive API Token | Critical | `(?i)pipedrive[^\n]{0,40}?api[_-]?token[\s:="']+[a-f0-9]{40}\b` | | Close CRM API Key | Critical | `\bapi_[A-Za-z0-9]{40,}\b` | | Zoho Self-Client API Key | Critical | `\b1000\.[a-f0-9]{32}\.[a-f0-9]{32}\b` | | Zoho OAuth Refresh Token | Critical | `\b1000\.[A-Za-z0-9]{40,}\.[A-Za-z0-9]{40,}\b` | | Marketo REST Endpoint URL | Medium | `https://[0-9]{3}-[A-Z]{3}-[0-9]{3}\.mktorest\.com/[^\s]*` | | Marketo Munchkin ID | Low | `(?i)munchkin[\s:="']+[0-9]{3}-[A-Z]{3}-[0-9]{3}\b` | | Mandrill API Key | Critical | `(?i)mandrill[^\n]{0,40}?api[_-]?key[\s:="']+[A-Za-z0-9_-]{22}\b` | | Klaviyo Private API Key | Critical | `\bpk_[A-Za-z0-9]{34}\b` | | Iterable API Key | Critical | `(?i)iterable[^\n]{0,40}?api[_-]?key[\s:="']+[a-f0-9]{32}\b` | | Braze REST API Key | Critical | `(?i)braze[^\n]{0,40}?api[_-]?key[\s:="']+[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b` | | Webflow Site API Token | High | `(?i)webflow[^\n]{0,40}?(?:api[_-]?token\|token)[\s:="']+[a-f0-9]{64}\b` | | Customer.io Track API Credentials | Critical | `(?i)site_id[\s:="']+[A-Za-z0-9]{20}[\s,;]+[^\n]{0,30}?(?:api[_-]?key\|track[_-]?key)[\s:="']+[A-Za-z0-9]{20}\b` | | ActiveCampaign API Credentials | Critical | `https://[a-z0-9-]+\.api-us[0-9]\.com[^\s]*[?&]api_key=[a-f0-9]{40,}` | | ConvertKit API Secret | Critical | `(?i)convertkit[^\n]{0,40}?api[_-]?secret[\s:="']+[A-Za-z0-9_-]{20,}\b` | | Drip API Token | Critical | `(?i)getdrip[^\n]{0,40}?(?:api[_-]?token\|token)[\s:="']+[A-Za-z0-9]{20,}\b` | | Zapier Catch Webhook URL | High | `https://hooks\.zapier\.com/hooks/catch/[0-9]+/[A-Za-z0-9]+/?` | ### `saas_hr_finance` Workday, BambooHR, Gusto, ADP, NetSuite, QuickBooks API tokens. | Name | Severity | Regex | |---|---|---| | Workday Web Services Endpoint URL | Medium | `https://[a-z0-9-]+\.workday\.com/ccx/service/[a-z0-9_]+/[A-Za-z_]+/v[0-9]+(?:\.[0-9]+)?` | | ADP API Credentials | Critical | `(?i)[a-z0-9.-]*\.api\.adp\.com[^\n]{0,40}?client_secret[\s:="']+[A-Za-z0-9_-]{20,}\b` | | Gusto API Bearer Token | Critical | `(?i)api\.gusto(?:-demo)?\.com[^\n]{0,40}?bearer[\s:="']+[A-Za-z0-9_-]{20,}\b` | | Rippling API Bearer Token | Critical | `(?i)[a-z0-9.-]*rippling\.com[^\n]{0,40}?bearer[\s:="']+[A-Za-z0-9_-]{20,}\b` | | Deel API Bearer Token | Critical | `(?i)(?:api\.deel\.com\|[a-z0-9.-]*letsdeel\.com)[^\n]{0,40}?bearer[\s:="']+[A-Za-z0-9_-]{20,}\b` | | BambooHR API Key (Basic Auth) | Critical | `\bhttps://[A-Za-z0-9]{40}:x@[a-z0-9-]+\.bamboohr\.com\b` | | Greenhouse Harvest API Key | Critical | `(?i)harvest\.greenhouse\.io[^\n]{0,40}?(?:api[_-]?key\|token)[\s:="']+[a-z0-9]{40}\b` | | Lever API Key | Critical | `(?i)api(?:\.sandbox)?\.lever\.co[^\n]{0,40}?(?:api[_-]?key\|key)[\s:="']+[A-Za-z0-9_-]{20,}\b` | | Personio API Credentials | Critical | `(?i)api\.personio\.de[^\n]{0,40}?client_secret[\s:="']+[A-Za-z0-9_-]{20,}\b` | | Langfuse Public Key | High | `\bpk-lf-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b` | | Langfuse Secret Key | Critical | `\bsk-lf-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b` | | Weights & Biases API Key | Critical | `(?i)WANDB_API_KEY[\s:="']+[a-f0-9]{40}\b` | | Voyage AI API Key | Critical | `\bpa-[A-Za-z0-9_-]{40,}\b` | | Modal Token ID | High | `\bak-[A-Za-z0-9]{20,}\b` | | Modal Token Secret | Critical | `\bas-[A-Za-z0-9]{20,}\b` | | Comet ML API Key | Critical | `(?i)COMET_API_KEY[\s:="']+[A-Za-z0-9]{32,}\b` | | Looker API3 Credentials | Critical | `(?i)client_id[\s:="']+[A-Za-z0-9]{20}[\s,;]+[^\n]{0,30}?client_secret[\s:="']+[A-Za-z0-9]{24}\b` | | Tableau Personal Access Token | Critical | `(?i)tableau[^\n]{0,40}?(?:pat[_-]?secret\|personal[_-]?access[_-]?token)[\s:="']+[A-Za-z0-9=]{18,}\b` | | Metabase API Key | Critical | `(?i)X-API-KEY[\s:="']+mb_[A-Za-z0-9+/=_-]{20,}\b` | | Fivetran API Credentials | Critical | `(?i)api\.fivetran\.com[^\n]{0,40}?(?:api[_-]?secret\|secret)[\s:="']+[A-Za-z0-9]{20,}\b` | | dbt Cloud Service Token | Critical | `(?i)cloud\.getdbt\.com[^\n]{0,40}?(?:service[_-]?token\|token)[\s:="']+[a-zA-Z0-9]{36,}\b` | | Hightouch API Key | Critical | `(?i)api\.hightouch\.com[^\n]{0,40}?(?:api[_-]?key\|bearer)[\s:="']+[A-Za-z0-9_-]{20,}\b` | | Census API Key | Critical | `\bsecret-token:[A-Za-z0-9+/=_-]{20,}\b` | | Airbyte Cloud Workspace Token | Critical | `(?i)[a-z0-9.-]*airbyte\.com[^\n]{0,40}?(?:access[_-]?token\|bearer)[\s:="']+[A-Za-z0-9_.-]{20,}\b` | ### `ad_tech` Google Ads, Facebook Ads, AppNexus / Xandr, MoPub, Criteo API credentials. | Name | Severity | Regex | |---|---|---| | Meta Legacy Access Token | Critical | `\b\d{15,16}\\|[0-9a-zA-Z_-]{27,40}\b` | | Meta Ad Account ID | Low | `\bact_\d{6,16}\b` | | TikTok User Access Token | High | `\bact\.[A-Za-z0-9]{20,}\b` | | TikTok Client Access Token | High | `\bclt\.[A-Za-z0-9]{20,}\b` | | Twitter/X Bearer Token | Critical | `(?i)bearer\s+AAAA[A-Za-z0-9%+/=]{80,140}` | | Twitter/X OAuth 1 Access Token | High | `\b\d{15,25}-[A-Za-z0-9]{20,40}\b` | | LinkedIn URN | Low | `\burn:li:(?:person\|organization\|sponsoredAccount):[A-Za-z0-9_-]{1,}` | | Snapchat OAuth Access Token | Critical | `\b0\.MGQ[A-Za-z0-9_-]{15,}` | | Pinterest API Access Token | Critical | `\bpina_[A-Z0-9_-]{10,}\b` | | Google Ads Developer Token | Critical | `(?i)developer[_-]?token['\x22]?\s*[:=]\s*['\x22]?[A-Za-z0-9_-]{22}\b` | | Google Ads OAuth Refresh Token | Critical | `\b1//[A-Za-z0-9_-]{40,}` | | TikTok App Secret (labeled) | Critical | `(?i)tiktok[A-Za-z0-9_]*(?:client\|app)_secret['\x22]?\s*[:=]\s*['\x22]?[0-9a-f]{40}\b` | | Meta App Secret (labeled) | Critical | `(?i)(?:facebook\|meta\|fb)[A-Za-z0-9_]*app_secret['\x22]?\s*[:=]\s*['\x22]?[0-9a-f]{32}\b` | | The Trade Desk Auth Token | Critical | `(?i)TTD-Auth:\s*[A-Za-z0-9]{20,}` | | Beeswax Instance Host | Low | `\b[a-z0-9][a-z0-9-]{1,30}\.api\.beeswax\.com\b` | | AppLovin MAX SDK Key (labeled) | Low | `(?i)applovin[A-Za-z0-9_]*sdk_key['\x22]?\s*[:=]\s*['\x22]?[A-Za-z0-9_-]{86}\b` | | LiveRamp RampID (maintained individual) | Medium | `\bXY[A-Z0-9]{47}\b` | | LiveRamp RampID (maintained household) | Medium | `\bHY[A-Z0-9]{47}\b` | | UID2 Operator API Key | Critical | `\bUID2-O-L-\d{1,}-[A-Za-z0-9+/=_-]{16,}` | | UID2 Advertising-Token Header | High | `(?i)Advertising-Token:\s*[A-Za-z0-9+/=_-]{20,}` | | Treasure Data API Key | Critical | `\b\d{1,}/[a-f0-9]{40}\b` | ### `banking` Bank routing / SWIFT / IBAN composite shapes and banking-API client secrets. | Name | Severity | Regex | |---|---|---| | SWIFT MT Message Block Header | Medium | `\{1:F01[A-Z]{6}[A-Z0-9]{2}[A-Z0-9]{4}\d{4}\d{6}\}\{2:[IO]\d{3}` | | SWIFT Transaction Reference (:20: tag) | Medium | `(?m)^:20:[A-Z0-9/\-?:().,'+ ]{1,16}$` | | SWIFT Ordering Customer with IBAN (:50K:) | Critical | `(?m)^:50K:/[A-Z]{2}\d{2}[A-Z0-9]{10,30}$` | | SWIFT Beneficiary Customer with IBAN (:59:) | Critical | `(?m)^:59:/[A-Z]{2}\d{2}[A-Z0-9]{10,30}$` | | SWIFT Block-3 UETR Tag 121 | Medium | `\{121:[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\}` | | SWIFT GPI UETR (labeled) | Medium | `(?i)\buetr\b[:=\s]+[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\b` | | ISO 20022 Message Identifier | Medium | `\b(?:pacs\|pain\|camt)\.\d{3}\.\d{3}\.\d{2}\b` | | Legal Entity Identifier (labeled) | Medium | `(?i)\blei\b[:=\s]+[A-Z0-9]{18}\d{2}\b` | | Fedwire IMAD (labeled) | Medium | `(?i)\bimad\b[:=\s]+\d{8}[A-Z0-9]{4}\d{2}\d{6}\b` | | Fedwire OMAD (labeled) | Medium | `(?i)\bomad\b[:=\s]+\d{8}[A-Z0-9]{4}\d{2}\d{6}\b` | | CHIPS UID (labeled) | Medium | `(?i)\bchips\s*(?:uid\|participant)\b[:=\s]+\d{6}\b` | | Russia Correspondent Account | Medium | `\b30101810\d{12}\b` | | India IFSC Code | Medium | `\b[A-Z]{4}0[A-Z0-9]{6}\b` | | India UPI VPA | Medium | `\b[A-Za-z0-9._-]{2,64}@(?:okhdfcbank\|oksbi\|okicici\|okaxis\|paytm\|ybl\|upi)\b` | | Brazil PIX Key (labeled) | Medium | `(?i)\bpix\b[:=\s]+\d{3}\.\d{3}\.\d{3}-\d{2}\b` | | Card Track 1 Magstripe | Critical | `%B\d{12,19}\^[^^]{2,26}\^\d{4}\d{3}\d*\?` | | Card Track 2 Magstripe | Critical | `;\d{12,19}=\d{4}\d{3}\d*\?` | | Card PAN with CVV (labeled) | Critical | `(?i)\b\d{13,19}\b[^\n]{0,40}\b(?:cvv2?\|cvc2?\|cid\|security[\s_-]?code)\b[:=\s]+\d{3,4}\b` | | FATCA GIIN | Medium | `\b[A-Z0-9]{6}\.[A-Z0-9]{5}\.(?:LE\|SL\|ME\|BR\|SP\|SF\|SD\|SS)\.\d{3}\b` | | Open Banking X-Request-ID (labeled) | Medium | `(?i)X-Request-ID[:=\s]+[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b` | | New Zealand Bank Account Number | Medium | `\b\d{2}-\d{4}-\d{7}-\d{2,3}\b` | | Mexico CLABE (labeled) | Medium | `(?i)\bclabe\b[:#=\s]+\d{18}\b` | | Canada Bank Transit (labeled) | Medium | `(?i)\btransit(?:\s*(?:number\|no\.?))?[:#=\s]+\d{5}\b` | | Australia BSB (labeled) | Medium | `(?i)\bBSB\b[:#=\s]+\d{3}-?\d{3}\b` | ### `threat_intel` VirusTotal, AbuseIPDB, GreyNoise, MISP, AlienVault OTX API tokens. | Name | Severity | Regex | |---|---|---| | OpenCTI API Token (new format) | Critical | `\bflgrn_octi_tkn_[A-Za-z0-9]{60,}` | | GitGuardian API Key | Critical | `\bgg[a-z]{1,3}_[A-Za-z0-9]{25,}` | | Snyk Service Account Token | Critical | `\bsnyk_st_[A-Za-z0-9]{40,}` | | Snyk API Token | Critical | `(?i)Authorization:\s*token\s+[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}` | | Bugcrowd API Token | Critical | `(?i)Authorization:\s*Token\s+[A-Za-z0-9]+:[A-Za-z0-9_-]{40,}` | | HackerOne API Token | Critical | `(?i)X-H1-Token:\s*[A-Za-z0-9_]+:[A-Za-z0-9+/=]{20,}` | | MaxMind Account License Key | High | `\b\d{4,7}:[A-Za-z0-9_]{40}\b` | | AbuseIPDB API Key | High | `(?i)Key:\s*[a-f0-9]{80}\b` | | VirusTotal API Key | High | `(?i)x-apikey:\s*[a-f0-9]{64}\b` | | AlienVault OTX API Key | High | `(?i)X-OTX-API-KEY:\s*[a-f0-9]{64}\b` | | Shodan API Key | High | `(?i)SHODAN_API_KEY=[A-Za-z0-9]{32}\b` | | MISP Authkey | Critical | `(?i)Authorization:\s*[A-Za-z0-9]{40}\b` | | urlscan.io API Key | High | `(?i)API-Key:\s*[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b` | | SecurityTrails API Key | High | `(?i)APIKEY:\s*[A-Za-z0-9]{32}\b` | | Tenable.io API Keys Header | Critical | `(?i)X-ApiKeys:\s*accessKey=[a-f0-9]{64};secretKey=[a-f0-9]{64}` | | TheHive API Key | Critical | `\bthehive_[A-Za-z0-9]{32,}` | | SpyCloud API Key | Critical | `(?i)x-api-key:\s*sc_[A-Za-z0-9]{32,}` | | Lacework Underscore Secret | Critical | `"secret"\s*:\s*"_[A-Za-z0-9]{40,80}"` | ### `industry_other` Niche vertical APIs (logistics, hospitality, education) not covered by another bucket. | Name | Severity | Regex | |---|---|---| | Vehicle Identification Number (VIN) | Medium | `(?i)\bVIN:\s*[A-HJ-NPR-Z0-9]{17}\b` | | Vehicle Identification Number (NA check digit) | Medium | `\b[A-HJ-NPR-Z0-9]{8}[0-9X][A-HJ-NPR-Z0-9]{8}\b` | | IMO Ship Number | Medium | `(?i)\bIMO\s?\d{7}\b` | | USPS S10 Tracking | Low | `\b[A-Z]{2}\d{9}US\b` | | UPS Tracking Number | Low | `\b1Z[A-Z0-9]{16}\b` | | Amazon Order ID | Low | `\b\d{3}-\d{7}-\d{7}\b` | | Tesla Owner API Legacy Token | Critical | `(?i)owner-api\.teslamotors\.com[^\n]*?\b[a-f0-9]{64}\b` | | WooCommerce Consumer Key | Critical | `\bck_[a-f0-9]{40}\b` | | WooCommerce Consumer Secret | Critical | `\bcs_[a-f0-9]{40}\b` | | BigCommerce X-Auth-Token | Critical | `(?i)X-Auth-Token:\s*[a-z0-9]{31,64}\b` | | Algolia Admin API Key | Critical | `(?i)X-Algolia-API-Key:\s*[a-f0-9]{32}\b` | | Sabre OAuth2 Access Token | Critical | `\bT1RK[A-Za-z0-9+/=]{20,}` | | Travelport Universal API Credential | Critical | `Universal API/uAPI\d+-\d+` | | Airline PNR Record Locator | Medium | `(?i)(?:PNR\|record locator\|confirmation):\s*[A-Z0-9]{6}\b` | | ICAO 24-bit Aircraft Address | Medium | `(?i)(?:ICAO24\|Mode S\|hex):\s*[0-9A-F]{6}\b` | | ISO 6346 Container Number | Medium | `\b[A-Z]{3}[UJZ]\d{7}\b` | | Shippo Live API Token | Critical | `\bshippo_live_[a-fA-F0-9]{40}\b` | | Shippo Test API Token | High | `\bshippo_test_[a-fA-F0-9]{40}\b` | | FedEx OAuth Client ID | Critical | `(?i)apis\.fedex\.com[^\n]*?\bl[0-9a-z]{31}\b` | | DHL MyDHL REST API Key | Critical | `(?i)api-eu\.dhl\.com[^\n]*?\b[A-Za-z0-9]{40}\b` | | USPS Web Tools UserID | Medium | `\b\d{3}[A-Z]{4,6}\d{4}\b` | | Octopus Energy API Key | Critical | `\bsk_live_[A-Za-z0-9]{32,}` | | Enphase Enlighten API Key | High | `(?i)api\.enphaseenergy\.com[^\s]*[?&]key=[A-Za-z0-9]{32}\b` | | Canvas LMS Access Token | Critical | `\b\d{4,6}~[A-Za-z0-9]{40,}` | ### `extra_ids` Miscellaneous ID shapes, asset tags, and internal account formats. | Name | Severity | Regex | |---|---|---| | ORCID iD | Low | `\b\d{4}-\d{4}-\d{4}-\d{3}[\dX]\b` | | ISIN | Low | `\b[A-Z]{2}[A-Z0-9]{9}\d\b` | | otpauth TOTP/HOTP URI | Critical | `otpauth://[a-z]+/[^\s?]+\?[^\s]*secret=[A-Za-z2-7]{8,}` | | BitLocker Recovery Key | Critical | `\b\d{6}-\d{6}-\d{6}-\d{6}-\d{6}-\d{6}-\d{6}-\d{6}\b` | | EU Digital COVID Certificate | High | `\bHC1:[A-Z0-9$%*+./:\-]{40,}` | | Credential-bearing URL | Critical | `\b(?:https?\|ftps?\|sftp\|ssh\|postgres(?:ql)?\|mysql\|mariadb\|mongodb(?:\+srv)?\|redis\|rediss\|amqps?\|smtps?\|ldaps?)://[^\s/:@]+:[^\s/:@]+@[^\s/]+` | | Classification Banner | Medium | `(?i)(?:TOP SECRET//\|SECRET//[A-Z]\|TS//SCI\|//NOFORN\|\bCUI//\|UNCLASSIFIED//(?:FOUO\|CUI))` | ## Heuristic layer Two scanners run alongside the regex catalog and catch secrets the named patterns miss: - **Entropy scan** - a Shannon-entropy catch-all that flags long, random-looking strings even when no named pattern recognizes them. Runs on the whole clipboard text independently of which buckets are enabled, so disabling a category does not stop an entropy-looking value in that category from being redacted. Toggle off by setting `enable_entropy = false` in `config.toml` for strictly pattern-only behavior. - **Deep scan** - heuristic scanners for key=value pairs, dotenv blocks, base64-encoded blobs, JSON `password` / `secret` / `token` fields, SSH-key blobs, connection strings, BIP39 mnemonics, and vendor-host proximity. Recursive with `MAX_DEPTH = 3`. Toggle off by setting `enable_deep_scan = false` in `config.toml`. Both scanners are tuned by `Config.sensitivity` (1 = strict, 5 = loose). The dial maps to concrete entropy and length thresholds in `Detector::from_config`. ## Validators Several patterns are gated by a checksum validator on top of the regex match - the regex shape alone is not enough to trigger redaction: - **Luhn** - payment cards (Visa, Mastercard, Amex, Discover, JCB, Diners, UnionPay). - **IBAN mod-97** - international bank account numbers. - **Passport MRZ check digits** - ICAO 9303 machine-readable zone shapes. - **Mod-10 / mod-11** - select national ID and tax-number schemes (codice fiscale, CPF, EIN, SSN composite, NHS, NPI). `Medium`-severity patterns WITHOUT a validator are filtered out before redaction, which keeps the format-only PII layer from over-redacting on adjacent text (order numbers, tracking IDs, etc.).