
Example: security-audit

Inputs

  • examples/inputs/security-audit-samples/aws_credentials.txt
  • examples/inputs/security-audit-samples/config_with_secrets.env
  • examples/inputs/security-audit-samples/private_keys.pem

Profile

# Security audit profile.
# Scans for credentials and other sensitive data using the patterns and
# signatures defined further down in this file.

# Encodings handed to the scanner's decode step.
# NOTE(review): presumably content in these encodings is decoded before the
# patterns run, so encoded secrets are also matched - confirm against the
# tool's documentation.
decode = [
    "base64",
    "hex",
    "percent-encoding",
    "html-entity",
]

max-file-size = 52_428_800  # bytes (50 MiB)

# The include list is empty; the excludes skip dependency, VCS and
# virtual-environment directories.
# NOTE(review): vendored code and .git contents are common places for
# committed secrets. Skipping them keeps the scan fast but leaves them out of
# the audit; review this list when full coverage is required.
include-path-globs = []
exclude-path-globs = [
    "**/node_modules/**",
    "**/vendor/**",
    "**/.git/**",
    "**/venv/**",
    "**/__pycache__/**",
]

tag = "security-audit"

# AWS credentials
[[patterns]]
name = "AWS Access Key"
type = "regex"
# The literal prefix "AKIA" followed by exactly 16 upper-case letters or
# digits.
# NOTE(review): the expression has no word boundaries, so it also matches
# inside longer upper-case tokens, and access key IDs with other prefixes
# (for example temporary "ASIA" keys) are not matched.
pattern = "AKIA[0-9A-Z]{16}"

[[patterns]]
name = "AWS Secret Key"
type = "regex"
# "aws" (any case), up to 20 arbitrary characters, then a quoted run of
# exactly 40 characters from [0-9a-zA-Z/+].
# NOTE(review): both quotes are mandatory, so an unquoted value such as an
# INI-style credentials entry is not matched.
pattern = "(?i)aws(.{0,20})?['\"][0-9a-zA-Z/+]{40}['\"]"

# Private keys
# Each entry is a plain string match on a PEM "BEGIN" marker, so a hit means
# the marker is present; it does not validate the key body that follows.

[[patterns]]
name = "RSA Private Key"
type = "string"
pattern = "-----BEGIN RSA PRIVATE KEY-----"

[[patterns]]
name = "Generic Private Key"
type = "string"
pattern = "-----BEGIN PRIVATE KEY-----"

# The marker says the key material is encrypted; it is still worth reviewing
# because the protection is only as strong as the passphrase.
[[patterns]]
name = "Encrypted Private Key"
type = "string"
pattern = "-----BEGIN ENCRYPTED PRIVATE KEY-----"

[[patterns]]
name = "DSA Private Key"
type = "string"
pattern = "-----BEGIN DSA PRIVATE KEY-----"

[[patterns]]
name = "EC Private Key"
type = "string"
pattern = "-----BEGIN EC PRIVATE KEY-----"

[[patterns]]
name = "OpenSSH Private Key"
type = "string"
pattern = "-----BEGIN OPENSSH PRIVATE KEY-----"

[[patterns]]
name = "PGP Private Key"
type = "string"
pattern = "-----BEGIN PGP PRIVATE KEY BLOCK-----"

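# SSH keys
# A public key is not a secret; a hit is context (which identities a host or
# account trusts) rather than a leaked credential.
[[patterns]]
name = "SSH Public Key"
type = "regex"
# Key-type identifier, whitespace, then the base64 key blob. The original
# expression only recognised "ssh-rsa", which did not live up to the pattern
# name; the DSA, Ed25519 and NIST-curve ECDSA identifiers are now covered too.
pattern = "(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))\\s+[A-Za-z0-9+/]+[=]{0,2}"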

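# Passwords
[[patterns]]
name = "Password Assignment"
type = "regex"
case-insensitive = true
# password / passwd / pwd, then ":" or "=", then a quoted value.
# NOTE(review): the value must be quoted, so unquoted assignments such as
# plain .env entries are not matched.
pattern = "(password|passwd|pwd)\\s*[:=]\\s*['\"][^'\"]+['\"]"

[[patterns]]
name = "Password in URL"
type = "regex"
# Matches the "://user:password@" userinfo part of a URL.
# The user and password classes exclude whitespace, "/" and "@". The earlier
# form ("[^:]+" and "[^@]+") could run across path segments and line breaks
# until the next "@", which turned a host:port URL into one multi-line match
# and captured unrelated secrets from the following lines.
pattern = "://[^\\s:/@]+:[^\\s/@]+@"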

# API keys and tokens
[[patterns]]
name = "Generic API Key"
type = "regex"
case-insensitive = true
# "api", an optional "_" or "-", "key", then ":" or "=" and a quoted value.
# NOTE(review): the value must be quoted; unquoted assignments are not
# matched.
pattern = "api[_-]?key\\s*[:=]\\s*['\"][^'\"]+['\"]"

[[patterns]]
name = "Authorization Header"
type = "regex"
case-insensitive = true
# An "Authorization:" header using the Bearer or Basic scheme, followed by
# any run of non-whitespace characters as the credential.
pattern = "Authorization:\\s*(Bearer|Basic)\\s+\\S+"

# Database connection strings
# These match the connection URL as a whole, up to the first whitespace,
# quote or angle bracket. They fire whether or not the URL embeds a user name
# or password, so each hit still needs a look at its userinfo and query part.

[[patterns]]
name = "JDBC Connection URL"
type = "regex"
case-insensitive = true
# NOTE(review): "[a-z]+://" expects one sub-protocol directly before "://";
# JDBC URLs whose sub-protocol contains further colons are not matched.
pattern = "jdbc:[a-z]+://[^\\s'\"<>]+"

[[patterns]]
name = "MongoDB Connection"
type = "regex"
case-insensitive = true
# Covers both the "mongodb://" and "mongodb+srv://" schemes.
pattern = "mongodb(\\+srv)?://[^\\s'\"<>]+"

[[patterns]]
name = "PostgreSQL Connection"
type = "regex"
case-insensitive = true
# Covers both the "postgres://" and "postgresql://" schemes.
pattern = "postgres(ql)?://[^\\s'\"<>]+"

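# Signatures: SQL queries over the scan results that select files by sha256.

[[signatures]]
name = "High Entropy Files"
# NOTE(review): presumably Shannon entropy in bits per byte (maximum 8), so
# this selects compressed or encrypted-looking content - confirm the scale.
# Text files that hold secrets usually score well below 7.5, so this
# signature complements the pattern-based one rather than replacing it.
query = "SELECT sha256 FROM unique_files WHERE shannon_entropy > 7.5"

[[signatures]]
name = "Files with Credential Patterns"
# Lists every secret-bearing pattern defined in this profile. The earlier
# list named only four of them, so a file whose sole finding was, for
# example, an OpenSSH private key or an AWS secret key was not selected.
# Names must match the "name" of the [[patterns]] entries exactly; update
# this list whenever a credential pattern is added or renamed.
query = """\
SELECT DISTINCT sha256 FROM pattern_matches \
WHERE pattern_name IN (\
'AWS Access Key', 'AWS Secret Key', \
'RSA Private Key', 'Generic Private Key', 'Encrypted Private Key', \
'DSA Private Key', 'EC Private Key', 'OpenSSH Private Key', \
'PGP Private Key', \
'Password Assignment', 'Password in URL', \
'Generic API Key', 'Authorization Header')\
"""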

Report outputs

Triage report (converted from triage_report.json)

| field | value |
|---|---|
| total_files | 3 |
| critical_count | 0 |
| high_count | 0 |
| medium_count | 0 |
| low_count | 0 |
| minimal_count | 3 |
| must_investigate_count | 0 |
| all_scores | None |
| generated_at | 2025-12-03T09:19:43.519723872+00:00 |

top_scores

| characteristics_score | file_type | file_type_score | must_investigate | path | pattern_count_score | pattern_matches | pattern_severity_score | reasons | risk_level | score | sha256 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | Other | 0 | False | /config_with_secrets.env | 15 | 14 | 13 | ["14 suspicious patterns detected"] | Minimal | 28 | b56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479b |
| 0 | Other | 0 | False | /private_keys.pem | 5 | 3 | 5 | ["3 suspicious patterns detected"] | Minimal | 10 | 0091c2a702bc8cc8130bffb5638cdbf0162396251f737c634568af23ec54a8de |
| 0 | Other | 0 | False | /aws_credentials.txt | 5 | 3 | 5 | ["3 suspicious patterns detected"] | Minimal | 10 | 5964c750b2220b877737247f9ea4cfa7c82eadb65d614ac92648bcf46fc8e91e |

CSV outputs

errors.csv

Empty CSV

files.csv

pathfile_namesha256file_createdfile_modifiedfile_accessedmime_types_from_file_extensionis_symbolic_linkis_extracted_fileis_decoded_fileis_deobfuscated_filetag
/private_keys.pemprivate_keys.pem0091c2a702bc8cc8130bffb5638cdbf0162396251f737c634568af23ec54a8de2025-12-03T08:56:20.496889204Z2025-12-03T08:56:20.496889204Z2025-12-03T08:56:20.496889204Z["application/x-x509-ca-cert"]0000
/aws_credentials.txtaws_credentials.txt5964c750b2220b877737247f9ea4cfa7c82eadb65d614ac92648bcf46fc8e91e2025-12-03T08:56:20.496889204Z2025-12-03T08:56:20.496889204Z2025-12-03T08:56:20.496889204Z["text/plain"]0000
/config_with_secrets.envconfig_with_secrets.envb56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479b2025-12-03T08:56:20.496889204Z2025-12-03T08:56:20.496889204Z2025-12-03T08:56:20.496889204Z[]0000

pattern_matches.csv

idsha256pattern_namematch_typematchlocationlength
10091c2a702bc8cc8130bffb5638cdbf0162396251f737c634568af23ec54a8deRSA Private Keystring-----BEGIN RSA PRIVATE KEY-----0:031
20091c2a702bc8cc8130bffb5638cdbf0162396251f737c634568af23ec54a8deGeneric Private Keystring-----BEGIN PRIVATE KEY-----7:127
30091c2a702bc8cc8130bffb5638cdbf0162396251f737c634568af23ec54a8deOpenSSH Private Keystring-----BEGIN OPENSSH PRIVATE KEY-----12:135
45964c750b2220b877737247f9ea4cfa7c82eadb65d614ac92648bcf46fc8e91eAWS Access KeyregexAKIAIOSFODNN7EXAMPLE4:1820
55964c750b2220b877737247f9ea4cfa7c82eadb65d614ac92648bcf46fc8e91eAWS Access KeyregexAKIAI44QH8DHBEXAMPLE8:1420
65964c750b2220b877737247f9ea4cfa7c82eadb65d614ac92648bcf46fc8e91eAWS Secret KeyregexAWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"5:064
7b56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479bSSH Public Keyregexssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFakeKeyForTestingPurposesOnlyDoNotUseInProduction1234567890abcdef19:0104
8b56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479bPassword Assignmentregexpassword = "MySecretPassword123!"14:033
9b56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479bPassword AssignmentregexPASSWORD: "AnotherTestPassword"15:031
10b56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479bPassword Assignmentregexpassword="admin123"16:619
11b56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479bPassword in URLregex://admin:SuperSecretPassword123@4:2332
12b56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479bPassword in URLregex://user:password123@5:2320
13b56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479bPassword in URLregex://localhost:3306/testdb?user=root&password=secret# API ConfigurationAPI_KEY = "sk-1234567890abcdefghijklmnopqrstuvwxyz"api_key: "test-api-key-12345678"Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U# User credentials (DO NOT USE IN PRODUCTION)password = "MySecretPassword123!"PASSWORD: "AnotherTestPassword"admin_password="admin123"# SSH Keyssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFakeKeyForTestingPurposesOnlyDoNotUseInProduction1234567890abcdef test@6:19548
14b56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479bPassword in URLregex://user:password@22:317
15b56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479bGeneric API KeyregexAPI_KEY = "sk-1234567890abcdefghijklmnopqrstuvwxyz"9:051
16b56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479bGeneric API Keyregexapi_key: "test-api-key-12345678"10:032
17b56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479bAuthorization HeaderregexAuthorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U11:0130
18b56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479bJDBC Connection URLregexjdbc:mysql://localhost:3306/testdb?user=root&password=secret6:960
19b56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479bMongoDB Connectionregexmongodb+srv://user:password123@cluster.mongodb.net/database5:1259
20b56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479bPostgreSQL Connectionregexpostgresql://admin:SuperSecretPassword123@db.example.com:5432/myapp4:1367

signature_matches.csv

idsignature_namesha256
1Files with Credential Patterns5964c750b2220b877737247f9ea4cfa7c82eadb65d614ac92648bcf46fc8e91e
2Files with Credential Patternsb56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479b
3Files with Credential Patterns0091c2a702bc8cc8130bffb5638cdbf0162396251f737c634568af23ec54a8de

unique_files.csv

sha256sha1md5file_sizemime_type_for_contentshannon_entropy
0091c2a702bc8cc8130bffb5638cdbf0162396251f737c634568af23ec54a8de4109a9c0dc6cdc2ea9dc6f37a0f2ad18e84a339491dbfca56498590a6d1b70c7beab2718681application/x-pem-file5.3871589121742
5964c750b2220b877737247f9ea4cfa7c82eadb65d614ac92648bcf46fc8e91ec8e4b788302bc5aa5e7e664fc330be3799c1c6f00293f7de0c62a5250d8f27edb2c76912314text/plain5.36704333995266
b56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479b6b7f51ab4e5ebe29cd1a07b3322dadffd6755685225ac88b0bc222303b86cfea552ce119880text/plain5.76111717536657