
Profile: base/credentials.toml

Source

  • Original path: profiles/base/credentials.toml

Profile (TOML)

# Credentials Detection Profile
# Detects common credential patterns including API keys, passwords, tokens, etc.

# Encodings listed for this profile. Presumably the engine decodes content in
# these encodings before applying the patterns below, so prefix-anchored
# tokens (e.g. "AKIA", "ghp_") are still found when encoded - confirm against
# the engine's documentation.
decode = ["base64", "hex", "percent-encoding"]

# Keyword-anchored patterns in this group require the keyword to be followed
# directly by optional whitespace and ':' or '='. A quoted JSON key such as
# "api_key": "..." has a closing quote between keyword and colon and is
# therefore not matched by these expressions.

# AWS access key ID: literal "AKIA" plus 16 uppercase alphanumerics.
# Case-sensitive. Temporary (STS) key IDs start with "ASIA" and are not
# covered by this pattern.
[[patterns]]
  name = "AWS Access Key"
  pattern = "AKIA[0-9A-Z]{16}"
  type = "regex"

# AWS secret access key: only detected next to its configuration keyword;
# capture group 1 is the 40-character value. The dots in "aws.secret.key"
# are unescaped, so any single character is accepted as the separator.
[[patterns]]
  name = "AWS Secret Key"
  pattern = "(?:aws_secret_access_key|aws.secret.key)\\s*[:=]\\s*[\"']?([A-Za-z0-9/+=]{40})[\"']?"
  case-insensitive = true
  type = "regex"

# Generic API key assignment: "api_key", "api-key" or "apikey" followed by a
# value of 20+ characters from [A-Za-z0-9_-]. Values containing other
# characters (e.g. '+' or '/' in standard base64) are cut at that character
# and missed if fewer than 20 characters precede it.
[[patterns]]
  name = "Generic API Key"
  pattern = "(?:api[_-]?key|apikey)\\s*[:=]\\s*[\"']?([A-Za-z0-9_\\-]{20,})[\"']?"
  case-insensitive = true
  type = "regex"

# Generic secret/token assignment. The keyword is not anchored on the left,
# so names ending in it (e.g. "client_secret", "access_token") also match.
[[patterns]]
  name = "Generic Secret"
  pattern = "(?:secret|token)\\s*[:=]\\s*[\"']?([A-Za-z0-9_\\-]{20,})[\"']?"
  case-insensitive = true
  type = "regex"

# Password assignment: any value of 3+ non-space, non-quote characters.
# This also matches placeholders and code expressions on the right-hand side
# (e.g. a variable or function name), so expect a high false-positive rate
# and triage hits before treating them as exposed passwords.
[[patterns]]
  name = "Password Assignment"
  pattern = "(?:password|passwd|pwd)\\s*[:=]\\s*[\"']?([^\\s\"']{3,})[\"']?"
  case-insensitive = true
  type = "regex"

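# PEM private-key armor line: the bare PKCS#8 header ("BEGIN PRIVATE KEY")
# and the RSA / DSA / EC / OPENSSH / ENCRYPTED variants via the optional group.
# The pattern relies on regex syntax "(?:...)?", so it is typed "regex".
# Typed as "string", like the literal-only entries in this profile, the group
# would presumably be compared verbatim and never match a real key header.
[[patterns]]
  name = "Private Key Header"
  pattern = "-----BEGIN (?:RSA |DSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
  type = "regex"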

# OpenSSH-format private key header, matched as a literal string.
# NOTE(review): the "Private Key Header" pattern lists an OPENSSH alternative
# as well, so one key may be reported under both names - confirm whether the
# engine de-duplicates, since the signature query counts matches by name.
[[patterns]]
  name = "SSH Private Key"
  pattern = "-----BEGIN OPENSSH PRIVATE KEY-----"
  type = "string"

# ASCII-armored PGP private key block header, matched as a literal string.
[[patterns]]
  name = "PGP Private Key"
  pattern = "-----BEGIN PGP PRIVATE KEY BLOCK-----"
  type = "string"

# GitHub tokens are identified by prefix followed by exactly 36 characters
# from [A-Za-z0-9_]. All three patterns are case-sensitive.
# Not covered in this group: the "ghr_" refresh-token prefix and the
# "github_pat_" fine-grained personal access token prefix.

# "ghp_" prefix: personal access token.
[[patterns]]
  name = "GitHub Token"
  pattern = "ghp_[A-Za-z0-9_]{36}"
  type = "regex"

# "gho_" prefix: OAuth access token.
[[patterns]]
  name = "GitHub OAuth Token"
  pattern = "gho_[A-Za-z0-9_]{36}"
  type = "regex"

# "ghu_" / "ghs_" prefixes: GitHub App user-to-server and server-to-server
# tokens.
[[patterns]]
  name = "GitHub App Token"
  pattern = "(?:ghu|ghs)_[A-Za-z0-9_]{36}"
  type = "regex"

# Slack token: "xox" + one of b/a/p/r/s, two numeric segments of 10-13 digits
# and a 24-32 character alphanumeric tail. Tokens with a different number of
# segments are not matched - verify against the token formats in use.
[[patterns]]
  name = "Slack Token"
  pattern = "xox[baprs]-[0-9]{10,13}-[0-9]{10,13}-[A-Za-z0-9]{24,32}"
  type = "regex"

# Slack incoming-webhook URL. The URL itself is the credential: possession
# is enough to post to the channel, so a hit should lead to rotating the hook.
[[patterns]]
  name = "Slack Webhook"
  pattern = "https://hooks\\.slack\\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+"
  type = "regex"

# Google API key: literal "AIza" plus 35 characters from [0-9A-Za-z_-].
[[patterns]]
  name = "Google API Key"
  pattern = "AIza[0-9A-Za-z_\\-]{35}"
  type = "regex"

# Google OAuth client ID (the "...apps.googleusercontent.com" form). A client
# ID is an identifier rather than a secret; treat a hit as a pointer to check
# the same file for the matching client secret.
[[patterns]]
  name = "Google OAuth"
  pattern = "[0-9]+-[0-9A-Za-z_]{32}\\.apps\\.googleusercontent\\.com"
  type = "regex"

# NOTE(review): this expression is a bare UUID with no Heroku-specific
# anchor, so it matches every UUID in the scanned content (request IDs,
# GUIDs, database keys). Expect a high false-positive rate; hits need
# surrounding context before being treated as a Heroku key.
[[patterns]]
  name = "Heroku API Key"
  pattern = "[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
  type = "regex"

# MailChimp API key: 32 lowercase hex characters, "-us", and a 1-2 digit
# data-center number.
[[patterns]]
  name = "MailChimp API Key"
  pattern = "[0-9a-f]{32}-us[0-9]{1,2}"
  type = "regex"

# Stripe secret ("sk_") and restricted ("rk_") keys, live or test mode.
# Both modes are reported under the same name; the "live" / "test" infix in
# the matched text tells them apart during triage.
[[patterns]]
  name = "Stripe API Key"
  pattern = "(?:r|s)k_(?:live|test)_[0-9a-zA-Z]{24,}"
  type = "regex"

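# SSH public key line: key-type name, whitespace, base64 blob.
# OpenSSH names ECDSA keys "ecdsa-sha2-nistp256/384/521" rather than
# "ssh-ecdsa", so those names are matched explicitly; the original
# "ssh-ecdsa" alternative is kept so existing matches are unchanged.
# A public key is not a secret. Because the name contains "Key", hits are
# still counted by the '%Key%' filter of the "Files with Multiple
# Credentials" signature.
[[patterns]]
  name = "SSH Public Key"
  pattern = "(?:ssh-(?:rsa|dss|ed25519|ecdsa)|ecdsa-sha2-nistp(?:256|384|521))\\s+[A-Za-z0-9+/=]+"
  type = "regex"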

# HTTP "Bearer" credential. There is no minimum token length and matching is
# case-insensitive, so ordinary prose ("bearer of ...") also matches; triage
# on the length and shape of the matched value.
[[patterns]]
  name = "Bearer Token"
  pattern = "Bearer\\s+[A-Za-z0-9_\\-\\.=]+"
  case-insensitive = true
  type = "regex"

# HTTP "Basic" credential. As with the Bearer pattern there is no minimum
# length, so phrases like "basic usage" match. A genuine value is base64 of
# "user:password" and is trivially reversible - handle hits as plaintext
# credentials.
[[patterns]]
  name = "Basic Auth"
  pattern = "Basic\\s+[A-Za-z0-9+/=]+"
  case-insensitive = true
  type = "regex"

# Database connection string with an embedded password. Order-dependent: the
# Server / Data Source / Host key must appear before Password / Pwd, so
# strings that list the password first are not matched. The ".*" between the
# two parts presumably stays within one line - confirm the engine's
# dot-matches-newline setting.
[[patterns]]
  name = "Connection String"
  pattern = "(?:Server|Data Source|Host)\\s*=\\s*[^;]+;.*(?:Password|Pwd)\\s*=\\s*[^;]+"
  case-insensitive = true
  type = "regex"

# JSON Web Token: three dot-separated base64url segments of 10+ characters,
# the first starting with "eyJ" (base64url of an opening JSON object).
# The match says nothing about validity or expiry; decode the claims before
# rating a hit.
[[patterns]]
  name = "JWT Token"
  pattern = "eyJ[A-Za-z0-9_-]{10,}\\.[A-Za-z0-9_-]{10,}\\.[A-Za-z0-9_-]{10,}"
  type = "regex"

# Flags files (grouped by sha256) with more than two rows in pattern_matches
# whose pattern name contains "Key", "Token" or "Password".
# NOTE(review): selection is by name substring, so it is coupled to the
# pattern names in this profile:
#   - "Generic Secret", "Slack Webhook", "Google OAuth", "Basic Auth" and
#     "Connection String" contain none of the three substrings and are not
#     counted;
#   - "SSH Public Key" contains "Key" and is counted although it is not a
#     secret;
#   - renaming a pattern silently changes what this signature covers.
# NOTE(review): COUNT(*) counts rows, not distinct pattern names. If
# pattern_matches holds one row per hit, three hits of a single pattern in
# one file satisfy "> 2" - confirm against the table's schema.
[[signatures]]
  name = "Files with Multiple Credentials"
  query = "SELECT sha256, COUNT(*) as credential_count FROM pattern_matches WHERE pattern_name LIKE '%Key%' OR pattern_name LIKE '%Token%' OR pattern_name LIKE '%Password%' GROUP BY sha256 HAVING credential_count > 2"