
aaai_core/masking/
patterns.rs

//! Built-in secret detection patterns.
//!
//! These patterns are intentionally conservative (few false positives) rather
//! than exhaustive, so text that passes through unmasked is not thereby shown
//! to be free of secrets.  Users can add custom patterns via the project config.
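/// A named secret pattern.
///
/// Pairs a label with a regex source string and records which part of a match
/// holds the secret value.  All fields are `'static`/`Copy`, so the type derives
/// `Copy` and the usual comparison/diagnostic traits.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct SecretPattern {
    /// Human-readable label for the pattern (e.g. `"AWS access key"`).
    pub name: &'static str,
    /// The regex pattern string.  The matching portion is replaced with the mask.
    pub pattern: &'static str,
    /// Optional capture group index that contains the secret value.
    /// If `None`, the entire match is masked.
    ///
    /// NOTE(review): the index has to refer to a group that exists in `pattern`;
    /// how the consumer reacts to a missing group is not visible in this file —
    /// confirm it fails closed (masks the whole match) rather than skipping.
    pub value_group: Option<usize>,
}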
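/// Built-in patterns for common secret formats.
///
/// Each entry names the capture group that holds the secret via
/// [`SecretPattern::value_group`]; `None` means the whole match is masked.
/// The per-entry comments record what each regex does *not* cover, so that
/// reviewers of masked output know where residual secret material can remain.
pub static BUILTIN_PATTERNS: &[SecretPattern] = &[
    // `api_key` / `api-secret` / `auth_token` style assignments (case-insensitive).
    // Only values of 16+ characters from `[A-Za-z0-9\-_/+]` are matched.
    SecretPattern {
        name: "Generic API key assignment",
        pattern: r#"(?i)(api[_\-]?key|api[_\-]?secret|auth[_\-]?token)\s*[:=]\s*["']?([A-Za-z0-9\-_/+]{16,})"#,
        value_group: Some(2),
    },
    // The value group stops at the first whitespace or quote character and needs
    // at least 8 characters: shorter passwords are not matched, and a quoted
    // password containing a space or quote is masked only up to that character.
    SecretPattern {
        name: "Password assignment",
        pattern: r#"(?i)(password|passwd|pwd|secret)\s*[:=]\s*["']?([^\s"']{8,})"#,
        value_group: Some(2),
    },
    // Matches the `AKIA` prefix only; access key IDs with other prefixes
    // (e.g. `ASIA` temporary credentials) are not covered.
    SecretPattern {
        name: "AWS access key",
        pattern: r"(AKIA[0-9A-Z]{16})",
        value_group: Some(1),
    },
    // Exactly 40 characters from `[A-Za-z0-9/+=]` following the assignment.
    SecretPattern {
        name: "AWS secret key assignment",
        pattern: r#"(?i)aws[_\-]?secret[_\-]?access[_\-]?key\s*[:=]\s*["']?([A-Za-z0-9/+=]{40})"#,
        value_group: Some(1),
    },
    // No minimum token length: any token-shaped word after "Bearer" is masked,
    // including ordinary prose such as "Bearer token".
    SecretPattern {
        name: "Generic Bearer token",
        pattern: r"(?i)Bearer\s+([A-Za-z0-9\-._~+/]+=*)",
        value_group: Some(1),
    },
    // The whole match is masked (`value_group: None`).  Matching the BEGIN line
    // alone would mask the header and leave the base64 key body in the output,
    // so the pattern extends through the matching END line when one is present.
    // The tail is optional, so a lone header still matches as it did before
    // (this also keeps line-by-line scanning working).
    // NOTE(review): assumes the consumer's regex engine prefers the longer
    // alternative of a greedy optional group (as the `regex` crate does) — confirm.
    // Labels other than RSA/EC/OPENSSH/unlabelled are not covered.
    SecretPattern {
        name: "Private key header",
        pattern: r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----(?:[\s\S]*?-----END (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)?",
        value_group: None,
    },
    // `scheme://user:password@host`.  Group 2 ends at the first `@`, so a password
    // containing an unencoded `@` is masked only up to that character.
    SecretPattern {
        name: "Connection string with password",
        pattern: r"://([^:@\s]+):([^@\s]+)@",
        value_group: Some(2),
    },
    // Covers the `ghp_`, `gho_`, `ghu_`, `ghs_` and `ghr_` prefixes; tokens with
    // any other prefix (e.g. `github_pat_`) are not matched.
    SecretPattern {
        name: "GitHub token",
        pattern: r"(gh[pousr]_[A-Za-z0-9]{36,})",
        value_group: Some(1),
    },
    // Covers the `xoxb-`, `xoxa-`, `xoxp-`, `xoxr-` and `xoxs-` prefixes.
    SecretPattern {
        name: "Slack token",
        pattern: r"(xox[baprs]-[0-9A-Za-z\-]{10,})",
        value_group: Some(1),
    },
];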