# forbidden-strings built-in baseline deny-list.
#
# THIS FILE IS GENERATED. Do not edit by hand. Source of truth is
# package/cli/forbidden-strings/src/mise.port-betterleaks.ts
# plus the upstream TOML at
# package/cli/forbidden-strings/data/betterleaks-default-config.toml.
# Re-generate via:
# mise run //package/cli/forbidden-strings:generate:rules
#
# Composition:
# - This file ports the betterleaks default ruleset into
# forbidden-strings format. It is a sane baseline of common
# credential shapes (PEM, AWS, Slack, GitHub PAT, etc.) plus
# resharp set-algebra demonstrations.
# - The build embeds it into the forbidden-strings binary via
# `include_str!`; the `--builtin-rules` flag appends it to
# whatever rules file resolves at scan time (and scans with it
# alone when the implicit default rules file is absent). Without
# the flag the scanner never reads these rules.
#
# Attribution:
# Rules are ported from betterleaks' default configuration
# (https://github.com/betterleaks/betterleaks, MIT-licensed). The port
# is mechanical and lossy -- entropy filters, CEL validate steps,
# keyword prefilters, and allowlists are dropped because the
# forbidden-strings engine has no equivalent. Expect more false
# positives than betterleaks would produce; consult the converter
# source for the full list of conversions and intentional omissions.
#
# Format reminder:
# - Bare line = case-sensitive literal substring
# - /PATTERN/FLAGS = regex (resharp; supports A&B, ~(A))
# - Lines starting with `#` = comment
# - Empty lines = ignored
#
# A literal that itself looks like /.../flags must be expressed as a regex
# (escape the slashes), e.g. ban literal `/etc/passwd` as `/\/etc\/passwd/`.
# === 1password-secret-key ===
# Uncovered a possible 1Password secret key, potentially compromising access to secrets in vaults.
/\bA3-[A-Z0-9]{6}-(?:(?:[A-Z0-9]{11})|(?:[A-Z0-9]{6}-[A-Z0-9]{5}))-[A-Z0-9]{5}-[A-Z0-9]{5}-[A-Z0-9]{5}\b/
# === 1password-service-account-token ===
# Uncovered a possible 1Password service account token, potentially compromising access to secrets in vaults.
/ops_eyJ[a-zA-Z0-9+/]{250,512}={0,3}/
# === adafruit-api-key ===
# Identified a potential Adafruit API Key, which could lead to unauthorized access to Adafruit services and sensitive data exposure.
/(?:(?:(?:adafruit)|(?:Adafruit)|(?:ADAFRUIT)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9_-]{32})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === adobe-client-id ===
# Detected a pattern that resembles an Adobe OAuth Web Client ID, posing a risk of compromised Adobe integrations and data breaches.
/(?:(?:(?:adobe)|(?:Adobe)|(?:ADOBE)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-fA-F0-9]{32})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === adobe-client-secret ===
# Discovered a potential Adobe Client Secret, which, if exposed, could allow unauthorized Adobe service access and data manipulation.
/\b(?:p8e-[a-zA-Z0-9]{32})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === age-secret-key ===
# Discovered a potential Age encryption tool secret key, risking data decryption and unauthorized access to sensitive information.
/AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58}/
# === airtable-api-key ===
# Uncovered a possible Airtable API Key, potentially compromising database access and leading to data leakage or alteration.
/(?:(?:(?:airtable)|(?:Airtable)|(?:AIRTABLE)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{17})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === airtable-personnal-access-token ===
# Uncovered a possible Airtable Personal AccessToken, potentially compromising database access and leading to data leakage or alteration.
/\b(?:pat[A-Za-z0-9]{14}\.[a-f0-9]{64})\b/
# === algolia-api-key ===
# Identified an Algolia API Key, which could result in unauthorized search operations and data exposure on Algolia-managed platforms.
/(?:(?:(?:algolia)|(?:Algolia)|(?:ALGOLIA)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{32})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === alibaba-access-key-id ===
# Detected an Alibaba Cloud AccessKey ID, posing a risk of unauthorized cloud resource access and potential data compromise.
/\b(?:LTAI[a-zA-Z0-9]{20})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === alibaba-secret-key ===
# Discovered a potential Alibaba Cloud Secret Key, potentially allowing unauthorized operations and data access within Alibaba Cloud.
/(?:(?:(?:alibaba)|(?:Alibaba)|(?:ALIBABA)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{30})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === anthropic-admin-api-key ===
# Detected an Anthropic Admin API Key, risking unauthorized access to administrative functions and sensitive AI model configurations.
/\b(?:sk-ant-admin01-[a-zA-Z0-9_\-]{93}AA)(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === anthropic-api-key ===
# Identified an Anthropic API Key, which may compromise AI assistant integrations and expose sensitive data to unauthorized access.
/\b(?:sk-ant-api03-[a-zA-Z0-9_\-]{93}AA)(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === artifactory-api-key ===
# Detected an Artifactory api key, posing a risk unauthorized access to the central repository.
/\bAKCp[A-Za-z0-9]{69}\b/
# === artifactory-reference-token ===
# Detected an Artifactory reference token, posing a risk of impersonation and unauthorized access to the central repository.
/\bcmVmd[A-Za-z0-9]{59}\b/
# === asana-client-id ===
# Discovered a potential Asana Client ID, risking unauthorized access to Asana projects and sensitive task information.
/(?:(?:(?:asana)|(?:Asana)|(?:ASANA)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[0-9]{16})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === asana-client-secret ===
# Identified an Asana Client Secret, which could lead to compromised project management integrity and unauthorized access.
/(?:(?:(?:asana)|(?:Asana)|(?:ASANA)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{32})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === assemblyai-api-key ===
# Detected an AssemblyAI API Key, which may expose speech-to-text services and associated audio data to unauthorized access.
/(?:(?:(?:assemblyai)|(?:Assemblyai)|(?:ASSEMBLYAI)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{32})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === atlassian-api-token ===
# Detected an Atlassian API token, posing a threat to project management and collaboration tool security and data confidentiality.
# RELAXATION: kept only the `ATATT3...` prefix arm; the label-based ([Aa]tlassian / [Jj]ira / [Cc]onfluence + 24-char body) arm is dropped.
/\b(?:ATATT3[A-Za-z0-9_\-=]{186})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === authress-service-client-access-key ===
# Uncovered a possible Authress Service Client Access Key, which may compromise access control services and sensitive data.
/\b(?:(?:(?:sc)|(?:ext)|(?:scauth)|(?:authress))_[a-zA-Z0-9]{5,30}\.[a-zA-Z0-9]{4,6}\.(?:acc)[_-][a-zA-Z0-9-]{10,32}\.[a-zA-Z0-9+/_=-]{30,120})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === aws-access-token ===
# Identified an AWS access key ID paired with a secret access key, which together can provide full access to AWS services.
# NOTE: upstream requires another rule's match nearby ([[rules.required]]).
# Forbidden-strings cannot enforce composite proximity rules; the regex fires standalone.
# RELAXATION: excluded documented placeholder `AKIA2222222222222222` via resharp intersection/complement.
/(?:\b(?:(?:(?:A3T[A-Z0-9])|(?:AKIA)|(?:ASIA)|(?:ABIA)|(?:ACCA))[A-Z2-7]{16})\b)&~(AKIA2{16})/
# === aws-amazon-bedrock-api-key-long-lived ===
# Identified a pattern that may indicate long-lived Amazon Bedrock API keys, risking unauthorized Amazon Bedrock usage
/\b(?:ABSK[A-Za-z0-9+/]{109,269}={0,2})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === aws-amazon-bedrock-api-key-short-lived ===
# Identified a pattern that may indicate short-lived Amazon Bedrock API keys, risking unauthorized Amazon Bedrock usage
/bedrock-api-key-YmVkcm9jay5hbWF6b25hd3MuY29t/
# === azure-ad-client-secret ===
# Azure AD Client Secret
# RELAXATION: dropped `^|` start-anchor arm; rule no longer fires when the secret starts at byte 0 of a file.
/(?:[\\'"`\s>=:(,)])(?:[a-zA-Z0-9_~.]{3}\dQ\~[a-zA-Z0-9_~.-]{31,34})(?:$|[\\'"`\s<),])/
# === beamer-api-token ===
# Detected a Beamer API token, potentially compromising content management and exposing sensitive notifications and updates.
/(?:(?:(?:beamer)|(?:Beamer)|(?:BEAMER)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:(?:(?:b_)|(?:B_))[a-zA-Z0-9=_\-]{44})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === bitbucket-client-id ===
# Discovered a potential Bitbucket Client ID, risking unauthorized repository access and potential codebase exposure.
/(?:(?:(?:bitbucket)|(?:Bitbucket)|(?:BITBUCKET)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{32})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === bitbucket-client-secret ===
# Discovered a potential Bitbucket Client Secret, posing a risk of compromised code repositories and unauthorized access.
/(?:(?:(?:bitbucket)|(?:Bitbucket)|(?:BITBUCKET)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9=_\-]{64})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === bittrex-access-key ===
# Identified a Bittrex Access Key, which could lead to unauthorized access to cryptocurrency trading accounts and financial loss.
/(?:(?:(?:bittrex)|(?:Bittrex)|(?:BITTREX)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{32})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === bittrex-secret-key ===
# Detected a Bittrex Secret Key, potentially compromising cryptocurrency transactions and financial security.
/(?:(?:(?:bittrex)|(?:Bittrex)|(?:BITTREX)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{32})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === cerebras-api-key ===
# Identified a Cerebras AI API Key, which may expose AI inference services to unauthorized access.
/\b(?:(?:(?:csk-)|(?:Csk-)|(?:CSK-))[a-zA-Z0-9]{48})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === cisco-meraki-api-key ===
# Cisco Meraki is a cloud-managed IT solution that provides networking, security, and device management through an easy-to-use interface.
/(?:(?:(?:(?:[Mm]eraki)|(?:MERAKI)))(?:[ \t\w.-]{0,20})[\s'"]{0,3})(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[0-9a-f]{40})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === clickhouse-cloud-api-secret-key ===
# Identified a pattern that may indicate clickhouse cloud API secret key, risking unauthorized clickhouse cloud api access and data breaches on ClickHouse Cloud platforms.
/\b(?:4b1d[A-Za-z0-9]{38})\b/
# === clojars-api-token ===
# Uncovered a possible Clojars API token, risking unauthorized access to Clojure libraries and potential code manipulation.
/(?:(?:clojars_)|(?:Clojars_)|(?:CLOJARS_))[a-zA-Z0-9]{60}/
# === cloudflare-api-key ===
# Detected a Cloudflare API Key, potentially compromising cloud application deployments and operational security.
/(?:(?:(?:cloudflare)|(?:Cloudflare)|(?:CLOUDFLARE)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9_-]{40})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === cloudflare-global-api-key ===
# Detected a Cloudflare Global API Key, potentially compromising cloud application deployments and operational security.
/(?:(?:(?:cloudflare)|(?:Cloudflare)|(?:CLOUDFLARE)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-fA-F0-9]{37})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === cloudflare-origin-ca-key ===
# Detected a Cloudflare Origin CA Key, potentially compromising cloud application deployments and operational security.
/\b(?:v1\.0-[a-f0-9]{24}-[a-f0-9]{146})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === codecov-access-token ===
# Found a pattern resembling a Codecov Access Token, posing a risk of unauthorized access to code coverage reports and sensitive data.
/(?:(?:(?:codecov)|(?:Codecov)|(?:CODECOV)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{32})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === cohere-api-token ===
# Identified a Cohere Token, posing a risk of unauthorized access to AI services and data manipulation.
/(?:(?:(?:(?:cohere)|(?:Cohere)|(?:COHERE))|(?:(?:co_api_key)|(?:Co_Api_Key)|(?:CO_API_KEY)))(?:[ \t\w.-]{0,20})[\s'"]{0,3})(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{40})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === coinbase-access-token ===
# Detected a Coinbase Access Token, posing a risk of unauthorized access to cryptocurrency accounts and financial transactions.
/(?:(?:(?:coinbase)|(?:Coinbase)|(?:COINBASE)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9_-]{64})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === confluent-access-token ===
# Identified a Confluent Access Token, which could compromise access to streaming data platforms and sensitive data flow.
/(?:(?:(?:confluent)|(?:Confluent)|(?:CONFLUENT)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{16})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === confluent-secret-key ===
# Found a Confluent Secret Key, potentially risking unauthorized operations and data access within Confluent services.
/(?:(?:(?:confluent)|(?:Confluent)|(?:CONFLUENT)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{64})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === contentful-delivery-api-token ===
# Discovered a Contentful delivery API token, posing a risk to content management systems and data integrity.
/(?:(?:(?:contentful)|(?:Contentful)|(?:CONTENTFUL)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9=_\-]{43})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === curl-auth-user ===
# Discovered a potential basic authorization token provided in a curl command, which could compromise the curl accessed resource.
/(?:(?:-u)|(?:--user))(?:=|[ \t]{0,5})(?:(?:"(?:(?::[^"]{3,512})|(?:[^:"]{3,512}:)|(?:[^:"]{3,512}:[^"]{3,512}))")|(?:'(?:[^:']{3,512}:[^']{3,512})')|(?:(?:(?:"[^"]{3,512}")|(?:'[^']{3,512}')|[\w$@.-]{1,512}):(?:(?:"[^"]{3,512}")|(?:'[^']{3,512}')|[\w${}@.-]{1,512})))(?:\s|$)/
# === cursor-api-key ===
# Detected a Cursor Integrations API Key, which may expose AI-assisted development services to unauthorized access.
/(?:(?:(?:cursor)|(?:Cursor)|(?:CURSOR)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:(?:(?:key_)|(?:Key_)|(?:KEY_))[0-9a-fA-F]{64})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === databricks-api-token ===
# Uncovered a Databricks API token, which may compromise big data analytics platforms and sensitive data processing.
/\b(?:dapi[a-f0-9]{32}(?:-\d)?)(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === datadog-access-token ===
# Detected a Datadog Access Token, potentially risking monitoring and analytics data exposure and manipulation.
/(?:(?:(?:datadog)|(?:Datadog)|(?:DATADOG)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{40})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === deepgram-api-key ===
# Detected a Deepgram API Key, which may expose speech recognition services and audio data to unauthorized access.
/(?:(?:(?:deepgram)|(?:Deepgram)|(?:DEEPGRAM)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-fA-F0-9]{40})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === deepseek-api-key ===
# Detected a DeepSeek API Key, which may expose AI model access and associated usage to unauthorized parties.
/(?:(?:(?:deepseek)|(?:Deepseek)|(?:DEEPSEEK)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:(?:(?:sk-)|(?:Sk-)|(?:SK-))[a-fA-F0-9]{32})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === defined-networking-api-token ===
# Identified a Defined Networking API token, which could lead to unauthorized network operations and data breaches.
/(?:(?:(?:dnkey)|(?:Dnkey)|(?:DNKEY)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:(?:(?:dnkey-)|(?:Dnkey-)|(?:DNKEY-))[a-zA-Z0-9=_\-]{26}-[a-zA-Z0-9=_\-]{52})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === digitalocean-access-token ===
# Found a DigitalOcean OAuth Access Token, risking unauthorized cloud resource access and data compromise.
/\b(?:doo_v1_[a-f0-9]{64})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === digitalocean-pat ===
# Discovered a DigitalOcean Personal Access Token, posing a threat to cloud infrastructure security and data privacy.
/\b(?:dop_v1_[a-f0-9]{64})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === digitalocean-refresh-token ===
# Uncovered a DigitalOcean OAuth Refresh Token, which could allow prolonged unauthorized access and resource manipulation.
/\b(?:(?:(?:dor_v1_)|(?:Dor_V1_)|(?:DOR_V1_))[a-fA-F0-9]{64})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === discord-api-token ===
# Detected a Discord API key, potentially compromising communication channels and user data privacy on Discord.
/(?:(?:(?:discord)|(?:Discord)|(?:DISCORD)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-fA-F0-9]{64})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === discord-client-id ===
# Identified a Discord client ID, which may lead to unauthorized integrations and data exposure in Discord applications.
/(?:(?:(?:discord)|(?:Discord)|(?:DISCORD)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[0-9]{18})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === discord-client-secret ===
# Discovered a potential Discord client secret, risking compromised Discord bot integrations and data leaks.
/(?:(?:(?:discord)|(?:Discord)|(?:DISCORD)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9=_\-]{32})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === doppler-api-token ===
# Discovered a Doppler API token, posing a risk to environment and secrets management security.
/dp\.pt\.[a-zA-Z0-9]{43}/
# === droneci-access-token ===
# Detected a Droneci Access Token, potentially compromising continuous integration and deployment workflows.
/(?:(?:(?:droneci)|(?:Droneci)|(?:DRONECI)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{32})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === dropbox-api-token ===
# Identified a Dropbox API secret, which could lead to unauthorized file access and data breaches in Dropbox storage.
/(?:(?:(?:dropbox)|(?:Dropbox)|(?:DROPBOX)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{15})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === dropbox-long-lived-api-token ===
# Found a Dropbox long-lived API token, risking prolonged unauthorized access to cloud storage and sensitive data.
/(?:(?:(?:dropbox)|(?:Dropbox)|(?:DROPBOX)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{11}(?:(?:(?:aaaaaaaaaa)|(?:Aaaaaaaaaa)|(?:AAAAAAAAAA)))[a-zA-Z0-9\-_=]{43})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === dropbox-short-lived-api-token ===
# Discovered a Dropbox short-lived API token, posing a risk of temporary but potentially harmful data access and manipulation.
/(?:(?:(?:dropbox)|(?:Dropbox)|(?:DROPBOX)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:(?:(?:sl\.)|(?:Sl\.)|(?:SL\.))[a-zA-Z0-9\-=_]{135})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === duffel-api-token ===
# Uncovered a Duffel API token, which may compromise travel platform integrations and sensitive customer data.
/duffel_(?:(?:test)|(?:live))_[a-zA-Z0-9_\-=]{43}/
# === dynatrace-api-token ===
# Detected a Dynatrace API token, potentially risking application performance monitoring and data exposure.
/dt0c01\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{64}/
# === easypost-api-token ===
# Identified an EasyPost API token, which could lead to unauthorized postal and shipment service access and data exposure.
# RELAXATION: hoisted `(?i)` to the front and dropped trailing `\b` (resharp rejects `\b` immediately after a case-folded class).
/\b(?:(?:ezak)|(?:Ezak)|(?:EZAK))[a-zA-Z0-9]{54}/
# === easypost-test-api-token ===
# Detected an EasyPost test API token, risking exposure of test environments and potentially sensitive shipment data.
# RELAXATION: hoisted `(?i)` to the front and dropped trailing `\b` (resharp rejects `\b` immediately after a case-folded class).
/\b(?:(?:eztk)|(?:Eztk)|(?:EZTK))[a-zA-Z0-9]{54}/
# === elevenlabs-api-key ===
# Detected an ElevenLabs API Key, which may expose AI voice synthesis services to unauthorized access.
/(?:(?:(?:elevenlabs)|(?:Elevenlabs)|(?:ELEVENLABS)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:(?:(?:sk_)|(?:Sk_)|(?:SK_))[0-9a-fA-F]{48})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === endorlabs-api-key ===
# Detected an Endor Labs API Key, which may compromise supply chain security scanning and software composition analysis.
/(?:(?:(?:(?:endor)|(?:Endor)|(?:ENDOR))(?:(?:(?:labs)|(?:Labs)|(?:LABS)))?)|(?:(?:key)|(?:Key)|(?:KEY)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:(?:(?:endr\+)|(?:Endr\+)|(?:ENDR\+))[A-Za-z0-9-]{16})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === endorlabs-api-secret ===
# Detected an Endor Labs API Secret, which together with an API key grants full access to Endor Labs supply chain security services.
/(?:(?:(?:(?:endor)|(?:Endor)|(?:ENDOR))(?:(?:(?:labs)|(?:Labs)|(?:LABS)))?)|(?:(?:secret)|(?:Secret)|(?:SECRET)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:(?:(?:endr\+)|(?:Endr\+)|(?:ENDR\+))[A-Za-z0-9-]{16})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === etsy-access-token ===
# Found an Etsy Access Token, potentially compromising Etsy shop management and customer data.
/(?:(?:(?:ETSY)|(?:[Ee]tsy)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{24})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === facebook-access-token ===
# Discovered a Facebook Access Token, posing a risk of unauthorized access to Facebook accounts and personal data exposure.
/\b(?:\d{15,16}(?:\||%)[0-9a-zA-Z\-_]{27,40})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === facebook-page-access-token ===
# Discovered a Facebook Page Access Token, posing a risk of unauthorized access to Facebook accounts and personal data exposure.
/\b(?:EAA[MC][a-zA-Z0-9]{100,512})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === facebook-secret ===
# Discovered a Facebook Application secret, posing a risk of unauthorized access to Facebook accounts and personal data exposure.
/(?:(?:(?:facebook)|(?:Facebook)|(?:FACEBOOK)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-fA-F0-9]{32})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === fastly-api-token ===
# Uncovered a Fastly API key, which may compromise CDN and edge cloud services, leading to content delivery and security issues.
/(?:(?:(?:fastly)|(?:Fastly)|(?:FASTLY)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9_-]{32})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === figma-personal-access-header-token ===
# Uncovered a Figma Personal Access Token in a header, which may compromise design assets and team collaboration.
/(?:(?:(?:x-figma-token)|(?:X-Figma-Token)|(?:X-FIGMA-TOKEN))|(?:(?:xfigmatoken)|(?:Xfigmatoken)|(?:XFIGMATOKEN))|(?:(?:x_figma_token)|(?:X_Figma_Token)|(?:X_FIGMA_TOKEN)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[0-9A-Fa-f]{4}-[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === figma-personal-access-token ===
# Uncovered a Figma Personal Access Token, which may compromise design assets and team collaboration.
/\b(?:(?:(?:figd_)|(?:Figd_)|(?:FIGD_))[A-Za-z0-9_-]{38,42})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === finicity-api-token ===
# Detected a Finicity API token, potentially risking financial data access and unauthorized financial operations.
/(?:(?:(?:finicity)|(?:Finicity)|(?:FINICITY)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-fA-F0-9]{32})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === finicity-client-secret ===
# Identified a Finicity Client Secret, which could lead to compromised financial service integrations and data breaches.
/(?:(?:(?:finicity)|(?:Finicity)|(?:FINICITY)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{20})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === finnhub-access-token ===
# Found a Finnhub Access Token, risking unauthorized access to financial market data and analytics.
/(?:(?:(?:finnhub)|(?:Finnhub)|(?:FINNHUB)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{20})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === flickr-access-token ===
# Discovered a Flickr Access Token, posing a risk of unauthorized photo management and potential data leakage.
/(?:(?:(?:flickr)|(?:Flickr)|(?:FLICKR)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{32})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === flutterwave-encryption-key ===
# Uncovered a Flutterwave Encryption Key, which may compromise payment processing and sensitive financial information.
/FLWSECK_TEST-[a-hA-H0-9]{12}/
# === flutterwave-public-key ===
# Detected a Finicity Public Key, potentially exposing public cryptographic operations and integrations.
/FLWPUBK_TEST-[a-hA-H0-9]{32}(?:(?:-x)|(?:-X))/
# === flutterwave-secret-key ===
# Identified a Flutterwave Secret Key, risking unauthorized financial transactions and data breaches.
/FLWSECK_TEST-[a-hA-H0-9]{32}(?:(?:-x)|(?:-X))/
# === flyio-access-token ===
# Uncovered a Fly.io API key
/\b(?:FlyV1\s[A-Za-z0-9=_\-,/+]{100,512})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === frameio-api-token ===
# Found a Frame.io API token, potentially compromising video collaboration and project management.
/fio-u-[a-zA-Z0-9\-_=]{64}/
# === freemius-secret-key ===
# Detected a Freemius secret key, potentially exposing sensitive information.
# NOTE: upstream restricts this rule to files matching: (?i)\.php$
# Forbidden-strings has no per-rule path scoping; the rule fires on every scanned file.
/["'](?:(?:secret_key)|(?:Secret_Key)|(?:SECRET_KEY))["']\s{0,512}=>\s{0,512}["'](?:(?:(?:sk_)|(?:Sk_)|(?:SK_))[\S]{29})["']/
# === freshbooks-access-token ===
# Discovered a Freshbooks Access Token, posing a risk to accounting software access and sensitive financial data exposure.
/(?:(?:(?:freshbooks)|(?:Freshbooks)|(?:FRESHBOOKS)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{64})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === gcp-api-key ===
# Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches.
/\b(?:AIza[\w-]{35})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === gitea-access-token ===
# Detected a Gitea Access Token, which may expose self-hosted Git repositories and associated code to unauthorized access.
/(?:(?:(?:gitea)|(?:Gitea)|(?:GITEA))[_.-]?(?:(?:(?:token)|(?:Token)|(?:TOKEN))|(?:(?:key)|(?:Key)|(?:KEY))|(?:(?:secret)|(?:Secret)|(?:SECRET))|(?:(?:access)|(?:Access)|(?:ACCESS))))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-fA-F0-9]{40})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === github-app-token ===
# Identified a GitHub App Token, which may compromise GitHub application integrations and source code security.
/(?:(?:ghu)|(?:ghs))_[0-9a-zA-Z]{36}/
# === github-fine-grained-pat ===
# Found a GitHub Fine-Grained Personal Access Token, risking unauthorized repository access and code manipulation.
/github_pat_\w{82}/
# === github-oauth ===
# Discovered a GitHub OAuth Access Token, posing a risk of compromised GitHub account integrations and data leaks.
/gho_[0-9a-zA-Z]{36}/
# === github-pat ===
# Uncovered a GitHub Personal Access Token, potentially leading to unauthorized repository access and sensitive content exposure.
# RELAXATION: excluded documented placeholder `ghp_000000000000000000000000000000000000` via resharp intersection/complement.
/(?:ghp_[0-9a-zA-Z]{36})&~(ghp_0{36})/
# === github-refresh-token ===
# Detected a GitHub Refresh Token, which could allow prolonged unauthorized access to GitHub services.
/ghr_[0-9a-zA-Z]{36}/
# === gitlab-cicd-job-token ===
# Identified a GitLab CI/CD Job Token, potential access to projects and some APIs on behalf of a user while the CI job is running.
/glcbt-[0-9a-zA-Z]{1,5}_[0-9a-zA-Z_-]{20}/
# === gitlab-deploy-token ===
# Identified a GitLab Deploy Token, risking access to repositories, packages and containers with write access.
/gldt-[0-9a-zA-Z_\-]{20}/
# === gitlab-feature-flag-client-token ===
# Identified a GitLab feature flag client token, risks exposing user lists and features flags used by an application.
/glffct-[0-9a-zA-Z_\-]{20}/
# === gitlab-feed-token ===
# Identified a GitLab feed token, risking exposure of user data.
/glft-[0-9a-zA-Z_\-]{20}/
# === gitlab-incoming-mail-token ===
# Identified a GitLab incoming mail token, risking manipulation of data sent by mail.
/glimt-[0-9a-zA-Z_\-]{25}/
# === gitlab-kubernetes-agent-token ===
# Identified a GitLab Kubernetes Agent token, risking access to repos and registry of projects connected via agent.
/glagent-[0-9a-zA-Z_\-]{50}/
# === gitlab-oauth-app-secret ===
# Identified a GitLab OIDC Application Secret, risking access to apps using GitLab as authentication provider.
/gloas-[0-9a-zA-Z_\-]{64}/
# === gitlab-pat ===
# Identified a GitLab Personal Access Token, risking unauthorized access to GitLab repositories and codebase exposure.
/glpat-[\w-]{20}/
# === gitlab-pat-routable ===
# Identified a GitLab Personal Access Token (routable), risking unauthorized access to GitLab repositories and codebase exposure.
/\bglpat-[0-9a-zA-Z_-]{27,300}\.[0-9a-z]{2}[0-9a-z]{7}\b/
# === gitlab-pat-routable-versioned ===
# Identified a GitLab Personal Access Token (routable, versioned), risking unauthorized access to GitLab repositories and codebase exposure.
/\bglpat-[0-9a-zA-Z_-]{27,300}\.[0-9a-z]{2}\.[0-9a-z]{9}\b/
# === gitlab-ptt ===
# Found a GitLab Pipeline Trigger Token, potentially compromising continuous integration workflows and project security.
/glptt-[0-9a-f]{40}/
# === gitlab-rrt ===
# Discovered a GitLab Runner Registration Token, posing a risk to CI/CD pipeline integrity and unauthorized access.
/GR1348941[\w-]{20}/
# === gitlab-runner-authentication-token ===
# Discovered a GitLab Runner Authentication Token, posing a risk to CI/CD pipeline integrity and unauthorized access.
/glrt-[0-9a-zA-Z_\-]{20}/
# === gitlab-runner-authentication-token-routable ===
# Discovered a GitLab Runner Authentication Token (Routable), posing a risk to CI/CD pipeline integrity and unauthorized access.
/\bglrt-t\d_[0-9a-zA-Z_\-]{27,300}\.[0-9a-z]{2}[0-9a-z]{7}\b/
# === gitlab-scim-token ===
# Discovered a GitLab SCIM Token, posing a risk to unauthorized access for a organization or instance.
/glsoat-[0-9a-zA-Z_\-]{20}/
# === gitlab-session-cookie ===
# Discovered a GitLab Session Cookie, posing a risk to unauthorized access to a user account.
/_gitlab_session=[0-9a-z]{32}/
# === gitter-access-token ===
# Uncovered a Gitter Access Token, which may lead to unauthorized access to chat and communication services.
/(?:(?:(?:gitter)|(?:Gitter)|(?:GITTER)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9_-]{40})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === gocardless-api-token ===
# Detected a GoCardless API token, potentially risking unauthorized direct debit payment operations and financial data exposure.
/(?:(?:(?:gocardless)|(?:Gocardless)|(?:GOCARDLESS)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:(?:(?:live_)|(?:Live_)|(?:LIVE_))[a-zA-Z0-9\-_=]{40})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === grafana-api-key ===
# Identified a Grafana API key, which could compromise monitoring dashboards and sensitive data analytics.
/\b(?:(?:(?:eyjrijoi)|(?:Eyjrijoi)|(?:EYJRIJOI))[A-Za-z0-9]{70,400}={0,3})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === grafana-cloud-api-token ===
# Found a Grafana cloud API token, risking unauthorized access to cloud-based monitoring services and data exposure.
/\b(?:(?:(?:glc_)|(?:Glc_)|(?:GLC_))[A-Za-z0-9+/]{32,400}={0,3})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === grafana-service-account-token ===
# Discovered a Grafana service account token, posing a risk of compromised monitoring services and data integrity.
/\b(?:(?:(?:glsa_)|(?:Glsa_)|(?:GLSA_))[A-Za-z0-9]{32}_[A-Fa-f0-9]{8})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === greptile-api-key ===
# Detected a Greptile API Key, which may expose AI-powered code search and analysis services to unauthorized access.
/(?:(?:(?:greptile)|(?:Greptile)|(?:GREPTILE)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9+/]{48})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === groq-api-key ===
# Identified a Groq API Key, which may expose high-speed AI inference services to unauthorized access.
/\b(?:(?:(?:gsk_)|(?:Gsk_)|(?:GSK_))[A-Za-z0-9]{52})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === harness-api-key ===
# Identified a Harness Access Token (PAT or SAT), risking unauthorized access to a Harness account.
/(?:(?:pat)|(?:sat))\.[a-zA-Z0-9_-]{22}\.[0-9a-f]{24}\.[a-zA-Z0-9]{20}/
# === hashicorp-tf-api-token ===
# Uncovered a HashiCorp Terraform user/org API token, which may lead to unauthorized infrastructure management and security breaches.
/[a-zA-Z0-9]{14}\.(?:atlasv1)\.[a-zA-Z0-9\-_=]{60,70}/
# === hashicorp-tf-password ===
# Identified a HashiCorp Terraform password field, risking unauthorized infrastructure configuration and security breaches.
# NOTE: upstream restricts this rule to files matching: (?i)\.(?:tf|hcl)$
# Forbidden-strings has no per-rule path scoping; the rule fires on every scanned file.
/(?:(?:(?:administrator_login_password)|(?:Administrator_Login_Password)|(?:ADMINISTRATOR_LOGIN_PASSWORD))|(?:(?:password)|(?:Password)|(?:PASSWORD)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:"[a-zA-Z0-9=_\-]{8,20}")(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === heroku-api-key ===
# Detected a Heroku API Key, potentially compromising cloud application deployments and operational security.
/(?:(?:(?:heroku)|(?:Heroku)|(?:HEROKU)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === heroku-api-key-v2 ===
# Detected a Heroku API Key, potentially compromising cloud application deployments and operational security.
/\b(?:(?:HRKU-AA[0-9a-zA-Z_-]{58}))(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === hubspot-api-key ===
# Found a HubSpot API Token, posing a risk to CRM data integrity and unauthorized marketing operations.
/(?:(?:(?:hubspot)|(?:Hubspot)|(?:HUBSPOT)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === huggingface-access-token ===
# Discovered a Hugging Face Access token, which could lead to unauthorized access to AI models and sensitive data.
/\b(?:hf_(?:[a-zA-Z]{34}))(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === huggingface-organization-api-token ===
# Uncovered a Hugging Face Organization API token, potentially compromising AI organization accounts and associated data.
/\b(?:api_org_(?:[a-zA-Z]{34}))(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === infracost-api-token ===
# Detected an Infracost API Token, risking unauthorized access to cloud cost estimation tools and financial data.
/\b(?:ico-[a-zA-Z0-9]{32})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === intercom-api-key ===
# Identified an Intercom API Token, which could compromise customer communication channels and data privacy.
/(?:(?:(?:intercom)|(?:Intercom)|(?:INTERCOM)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9=_\-]{60})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === intra42-client-secret ===
# Found a Intra42 client secret, which could lead to unauthorized access to the 42School API and sensitive data.
/\b(?:s-s4t2(?:(?:ud)|(?:af))-[aAbBcCdDeEfF0123456789]{64})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === jfrog-api-key ===
# Found a JFrog API Key, posing a risk of unauthorized access to software artifact repositories and build pipelines.
/(?:(?:(?:jfrog)|(?:Jfrog)|(?:JFROG))|(?:(?:artifactory)|(?:Artifactory)|(?:ARTIFACTORY))|(?:(?:bintray)|(?:Bintray)|(?:BINTRAY))|(?:(?:xray)|(?:Xray)|(?:XRAY)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{73})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === jfrog-identity-token ===
# Discovered a JFrog Identity Token, potentially compromising access to JFrog services and sensitive software artifacts.
/(?:(?:(?:jfrog)|(?:Jfrog)|(?:JFROG))|(?:(?:artifactory)|(?:Artifactory)|(?:ARTIFACTORY))|(?:(?:bintray)|(?:Bintray)|(?:BINTRAY))|(?:(?:xray)|(?:Xray)|(?:XRAY)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{64})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === jwt ===
# Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data.
/\b(?:ey[a-zA-Z0-9]{17,512}\.ey[a-zA-Z0-9\/\\_-]{17,512}\.(?:[a-zA-Z0-9\/\\_-]{10,512}={0,2})?)(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === jwt-base64 ===
# Detected a Base64-encoded JSON Web Token, posing a risk of exposing encoded authentication and data exchange information.
/\bZXlK(?:(?:aGJHY2lPaU)|(?:aGNIVWlPaU)|(?:aGNIWWlPaU)|(?:aGRXUWlPaU)|(?:aU5qUWlP)|(?:amNtbDBJanBi)|(?:amRIa2lPaU)|(?:bGNHc2lPbn)|(?:bGJtTWlPaU)|(?:cWEzVWlPaU)|(?:cWQyc2lPb)|(?:cGMzTWlPaU)|(?:cGRpSTZJ)|(?:cmFXUWlP)|(?:clpYbGZiM0J6SWpwY)|(?:cmRIa2lPaUp)|(?:dWIyNWpaU0k2)|(?:d01tTWlP)|(?:d01uTWlPaU)|(?:d2NIUWlPaU)|(?:emRXSWlPaU)|(?:emRuUWlP)|(?:MFlXY2lPaU)|(?:MGVYQWlPaUp)|(?:MWNtd2l)|(?:MWMyVWlPaUp)|(?:MlpYSWlPaU)|(?:MlpYSnphVzl1SWpv)|(?:NElqb2)|(?:NE5XTWlP)|(?:NE5YUWlPaU)|(?:NE5YUWpVekkxTmlJNkl)|(?:NE5YVWlPaU)|(?:NmFYQWlPaU))[a-zA-Z0-9\/\\_+\-]{40,512}={0,2}/
# === kraken-access-token ===
# Identified a Kraken Access Token, potentially compromising cryptocurrency trading accounts and financial security.
/(?:(?:(?:kraken)|(?:Kraken)|(?:KRAKEN)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9\/=_\+\-]{80,90})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === kucoin-access-token ===
# Found a Kucoin Access Token, risking unauthorized access to cryptocurrency exchange services and transactions.
/(?:(?:(?:kucoin)|(?:Kucoin)|(?:KUCOIN)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-fA-F0-9]{24})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === kucoin-secret-key ===
# Discovered a Kucoin Secret Key, which could lead to compromised cryptocurrency operations and financial data breaches.
/(?:(?:(?:kucoin)|(?:Kucoin)|(?:KUCOIN)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === launchdarkly-access-token ===
# Uncovered a Launchdarkly Access Token, potentially compromising feature flag management and application functionality.
/(?:(?:(?:launchdarkly)|(?:Launchdarkly)|(?:LAUNCHDARKLY)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9=_\-]{40})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === linear-api-key ===
# Detected a Linear API Token, posing a risk to project management tools and sensitive task data.
/lin_api_[a-zA-Z0-9]{40}/
# === linear-client-secret ===
# Identified a Linear Client Secret, which may compromise secure integrations and sensitive project management data.
/(?:(?:(?:linear)|(?:Linear)|(?:LINEAR)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-fA-F0-9]{32})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === linkedin-client-id ===
# Found a LinkedIn Client ID, risking unauthorized access to LinkedIn integrations and professional data exposure.
/(?:(?:(?:linked)|(?:Linked)|(?:LINKED))[_-]?(?:(?:in)|(?:In)|(?:IN)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{14})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === linkedin-client-secret ===
# Discovered a LinkedIn Client secret, potentially compromising LinkedIn application integrations and user data.
/(?:(?:(?:linked)|(?:Linked)|(?:LINKED))[_-]?(?:(?:in)|(?:In)|(?:IN)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{16})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === lob-api-key ===
# Uncovered a Lob API Key, which could lead to unauthorized access to mailing and address verification services.
/(?:(?:(?:lob)|(?:Lob)|(?:LOB)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:(?:(?:(?:live)|(?:Live)|(?:LIVE))|(?:(?:test)|(?:Test)|(?:TEST)))_[a-fA-F0-9]{35})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === lob-pub-api-key ===
# Detected a Lob Publishable API Key, posing a risk of exposing mail and print service integrations.
/(?:(?:(?:lob)|(?:Lob)|(?:LOB)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:(?:(?:(?:test)|(?:Test)|(?:TEST))|(?:(?:live)|(?:Live)|(?:LIVE)))(?:(?:_pub_)|(?:_Pub_)|(?:_PUB_))[a-fA-F0-9]{31})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === looker-client-id ===
# Found a Looker Client ID, risking unauthorized access to a Looker account and exposing sensitive data.
/(?:(?:(?:looker)|(?:Looker)|(?:LOOKER)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{20})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === looker-client-secret ===
# Found a Looker Client Secret, risking unauthorized access to a Looker account and exposing sensitive data.
/(?:(?:(?:looker)|(?:Looker)|(?:LOOKER)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{24})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === mailchimp-api-key ===
# Identified a Mailchimp API key, potentially compromising email marketing campaigns and subscriber data.
/(?:(?:(?:(?:mailchimpsdk)|(?:Mailchimpsdk)|(?:MAILCHIMPSDK)).(?:(?:initialize)|(?:Initialize)|(?:INITIALIZE)))|(?:(?:mailchimp)|(?:Mailchimp)|(?:MAILCHIMP)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-fA-F0-9]{32}(?:(?:-us)|(?:-Us)|(?:-US))\d\d)(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === mailgun-private-api-token ===
# Found a Mailgun private API token, risking unauthorized email service operations and data breaches.
/(?:(?:(?:mailgun)|(?:Mailgun)|(?:MAILGUN)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:(?:(?:key-)|(?:Key-)|(?:KEY-))[a-fA-F0-9]{32})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === mailgun-pub-key ===
# Discovered a Mailgun public validation key, which could expose email verification processes and associated data.
/(?:(?:(?:mailgun)|(?:Mailgun)|(?:MAILGUN)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:(?:(?:pubkey-)|(?:Pubkey-)|(?:PUBKEY-))[a-fA-F0-9]{32})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === mailgun-signing-key ===
# Uncovered a Mailgun webhook signing key, potentially compromising email automation and data integrity.
/(?:(?:(?:mailgun)|(?:Mailgun)|(?:MAILGUN)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-hA-H0-9]{32}-[a-hA-H0-9]{8}-[a-hA-H0-9]{8})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === mapbox-api-token ===
# Detected a MapBox API token, posing a risk to geospatial services and sensitive location data exposure.
/(?:(?:(?:mapbox)|(?:Mapbox)|(?:MAPBOX)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:(?:(?:pk\.)|(?:Pk\.)|(?:PK\.))[a-zA-Z0-9]{60}\.[a-zA-Z0-9]{22})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === mattermost-access-token ===
# Identified a Mattermost Access Token, which may compromise team communication channels and data privacy.
/(?:(?:(?:mattermost)|(?:Mattermost)|(?:MATTERMOST)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{26})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === maxmind-license-key ===
# Discovered a potential MaxMind license key.
/\b(?:[A-Za-z0-9]{6}_[A-Za-z0-9]{29}_mmk)(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === messagebird-api-token ===
# Found a MessageBird API token, risking unauthorized access to communication platforms and message data.
/(?:(?:(?:message)|(?:Message)|(?:MESSAGE))[_-]?(?:(?:bird)|(?:Bird)|(?:BIRD)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{25})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === messagebird-client-id ===
# Discovered a MessageBird client ID, potentially compromising API integrations and sensitive communication data.
/(?:(?:(?:message)|(?:Message)|(?:MESSAGE))[_-]?(?:(?:bird)|(?:Bird)|(?:BIRD)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === microsoft-teams-webhook ===
# Uncovered a Microsoft Teams Webhook, which could lead to unauthorized access to team collaboration tools and data leaks.
/https://[a-z0-9]{1,512}\.webhook\.office\.com/webhookb2/[a-z0-9]{8}-(?:[a-z0-9]{4}-){3}[a-z0-9]{12}@[a-z0-9]{8}-(?:[a-z0-9]{4}-){3}[a-z0-9]{12}/IncomingWebhook/[a-z0-9]{32}/[a-z0-9]{8}-(?:[a-z0-9]{4}-){3}[a-z0-9]{12}/
# === mistral-api-key ===
# Detected a Mistral AI API Key, which may expose AI language model services to unauthorized access.
/(?:(?:(?:mistral)|(?:Mistral)|(?:MISTRAL)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[A-Za-z0-9]{32})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === mongodb-atlas-service-account-secret ===
# Detected a MongoDB Atlas service account client secret, which could allow unauthorized Atlas administration API access when paired with a service account client ID.
# NOTE: upstream requires another rule's match nearby ([[rules.required]]).
# Forbidden-strings cannot enforce composite proximity rules; the regex fires standalone.
/\b(?:mdb_sa_sk_[A-Za-z0-9_-]{40})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === mongodb-connection-string ===
# Detected a MongoDB connection string with embedded credentials, potentially exposing direct database access and sensitive application data.
# RELAXATION: dropped optional query-string tail (everything after `[/authdb]?`) and the trailing `\b` alternation arm.
/\bmongodb(?:\+srv)?://[!-9;-~]{3,50}:[!-?A-~]{3,88}@/
# === netlify-access-token ===
# Detected a Netlify Access Token, potentially compromising web hosting services and site management.
/(?:(?:(?:netlify)|(?:Netlify)|(?:NETLIFY)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9=_\-]{40,46})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === new-relic-browser-api-token ===
# Identified a New Relic ingest browser API token, risking unauthorized access to application performance data and analytics.
/(?:(?:(?:new-relic)|(?:New-Relic)|(?:NEW-RELIC))|(?:(?:newrelic)|(?:Newrelic)|(?:NEWRELIC))|(?:(?:new_relic)|(?:New_Relic)|(?:NEW_RELIC)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:(?:(?:nrjs-)|(?:Nrjs-)|(?:NRJS-))[a-fA-F0-9]{19})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === new-relic-insert-key ===
# Discovered a New Relic insight insert key, compromising data injection into the platform.
/(?:(?:(?:new-relic)|(?:New-Relic)|(?:NEW-RELIC))|(?:(?:newrelic)|(?:Newrelic)|(?:NEWRELIC))|(?:(?:new_relic)|(?:New_Relic)|(?:NEW_RELIC)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:(?:(?:nrii-)|(?:Nrii-)|(?:NRII-))[a-zA-Z0-9-]{32})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === new-relic-user-api-id ===
# Found a New Relic user API ID, posing a risk to application monitoring services and data integrity.
/(?:(?:(?:new-relic)|(?:New-Relic)|(?:NEW-RELIC))|(?:(?:newrelic)|(?:Newrelic)|(?:NEWRELIC))|(?:(?:new_relic)|(?:New_Relic)|(?:NEW_RELIC)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{64})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === new-relic-user-api-key ===
# Discovered a New Relic user API Key, which could lead to compromised application insights and performance monitoring.
/(?:(?:(?:new-relic)|(?:New-Relic)|(?:NEW-RELIC))|(?:(?:newrelic)|(?:Newrelic)|(?:NEWRELIC))|(?:(?:new_relic)|(?:New_Relic)|(?:NEW_RELIC)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:(?:(?:nrak-)|(?:Nrak-)|(?:NRAK-))[a-zA-Z0-9]{27})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === notion-api-token ===
# Notion API token
/\b(?:ntn_[0-9]{11}[A-Za-z0-9]{32}[A-Za-z0-9]{3})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === npm-access-token ===
# Uncovered an npm access token, potentially compromising package management and code repository access.
/\b(?:(?:(?:npm_)|(?:Npm_)|(?:NPM_))[a-zA-Z0-9]{36})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === nuget-config-password ===
# Identified a password within a Nuget config file, potentially compromising package management access.
# NOTE: upstream restricts this rule to files matching: (?i)nuget\.config$
# Forbidden-strings has no per-rule path scoping; the rule fires on every scanned file.
/(?:(?:<add\ key=")|(?:<Add\ Key=")|(?:<ADD\ KEY="))(?:(?:(?:(?:cleartext)|(?:Cleartext)|(?:CLEARTEXT)))?(?:(?:password)|(?:Password)|(?:PASSWORD)))"\s{0,512}(?:(?:value=")|(?:Value=")|(?:VALUE="))(?:.{8,512})"\s{0,512}/>/
# === nvidia-api-key ===
# Detected an NVIDIA NIM API Key, which may expose AI inference and GPU cloud services to unauthorized access.
/\b(?:(?:(?:nvapi-)|(?:Nvapi-)|(?:NVAPI-))[A-Za-z0-9_-]{60,70})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === nytimes-access-token ===
# Detected a Nytimes Access Token, risking unauthorized access to New York Times APIs and content services.
/(?:(?:(?:nytimes)|(?:Nytimes)|(?:NYTIMES))|(?:(?:new-york-times,)|(?:New-York-Times,)|(?:NEW-YORK-TIMES,))|(?:(?:newyorktimes)|(?:Newyorktimes)|(?:NEWYORKTIMES)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9=_\-]{32})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === octopus-deploy-api-key ===
# Discovered a potential Octopus Deploy API key, risking application deployments and operational security.
/\b(?:API-[A-Z0-9]{26})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === okta-access-token ===
# Identified an Okta Access Token, which may compromise identity management services and user authentication data.
/(?:(?:(?:(?:[Oo]kta)|(?:OKTA)))(?:[ \t\w.-]{0,20})[\s'"]{0,3})(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:00[\w=\-]{40})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === ollama-api-key ===
# Detected an Ollama API Key, which may expose local and hosted AI model serving to unauthorized access.
/(?:(?:(?:ollama)|(?:Ollama)|(?:OLLAMA)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-fA-F0-9]{32}\.[a-zA-Z0-9_-]{24})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === openai-api-key ===
# Found an OpenAI API Key, posing a risk of unauthorized access to AI services and data manipulation.
# RELAXATION: collapsed length cohort {20,58,74} to {20,74}, removed inner `\b`, dropped trailing `\b` (resharp rejects `\b` after a class containing both word and non-word chars), dropped trailing punctuation requirement.
/\bsk-(?:[a-zA-Z0-9]{20}|(?:(?:(?:proj)|(?:svcacct)|(?:admin))-[A-Za-z0-9_-]{20,74}))T3BlbkFJ[A-Za-z0-9_-]{20,74}/
# === openrouter-api-key ===
# Detected an OpenRouter API Key, which may expose access to multiple AI models through the OpenRouter gateway.
/\b(?:(?:(?:sk-or-v1-)|(?:Sk-Or-V1-)|(?:SK-OR-V1-))[0-9a-fA-F]{64})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === openshift-user-token ===
# Found an OpenShift user token, potentially compromising an OpenShift/Kubernetes cluster.
/\b(?:sha256\~[\w-]{43})(?:[^\w-]|$)/
# === ovh-application-secret ===
# OVHcloud Application Secret - component of authenticated OVH API requests, which could allow unauthorized access to OVHcloud infrastructure when combined with Application and Consumer keys.
# NOTE: upstream requires another rule's match nearby ([[rules.required]]).
# Forbidden-strings cannot enforce composite proximity rules; the regex fires standalone.
/(?:(?:(?:app)|(?:App)|(?:APP))(?:(?:(?:lication)|(?:Lication)|(?:LICATION)))?[_.-]{0,1}(?:(?:secret)|(?:Secret)|(?:SECRET)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[A-Za-z0-9-]{32})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === perplexity-api-key ===
# Detected a Perplexity API key, which could lead to unauthorized access to Perplexity AI services and data exposure.
# RELAXATION: dropped trailing `\b` alternation arm.
/\b(?:pplx-[a-zA-Z0-9]{48})(?:[`'"\s;]|(?:\\[nr])|$)/
# === plaid-api-token ===
# Discovered a Plaid API Token, potentially compromising financial data aggregation and banking services.
/(?:(?:(?:plaid)|(?:Plaid)|(?:PLAID)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:(?:(?:access-)|(?:Access-)|(?:ACCESS-))(?:(?:(?:sandbox)|(?:Sandbox)|(?:SANDBOX))|(?:(?:development)|(?:Development)|(?:DEVELOPMENT))|(?:(?:production)|(?:Production)|(?:PRODUCTION)))-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === plaid-client-id ===
# Uncovered a Plaid Client ID, which could lead to unauthorized financial service integrations and data breaches.
/(?:(?:(?:plaid)|(?:Plaid)|(?:PLAID)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{24})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === plaid-secret-key ===
# Detected a Plaid Secret key, risking unauthorized access to financial accounts and sensitive transaction data.
/(?:(?:(?:plaid)|(?:Plaid)|(?:PLAID)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{30})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === planetscale-api-token ===
# Identified a PlanetScale API token, potentially compromising database management and operations.
# NOTE: upstream requires another rule's match nearby ([[rules.required]]).
# Forbidden-strings cannot enforce composite proximity rules; the regex fires standalone.
/\b(?:pscale_tkn_[\w=\.-]{32,64})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === planetscale-oauth-token ===
# Found a PlanetScale OAuth token, posing a risk to database access control and sensitive data integrity.
/\b(?:pscale_oauth_[\w=\.-]{32,64})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === planetscale-password ===
# Discovered a PlanetScale password, which could lead to unauthorized database operations and data breaches.
/\b(?:(?:(?:pscale_pw_)|(?:Pscale_Pw_)|(?:PSCALE_PW_))[\w=\.-]{32,64})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === polymarket-api-key ===
# Identified a Polymarket API key, potentially compromising access to the Polymarket trading platform.
# NOTE: upstream requires another rule's match nearby ([[rules.required]]).
# Forbidden-strings cannot enforce composite proximity rules; the regex fires standalone.
/(?:(?:(?:(?:poly)|(?:Poly)|(?:POLY)).{0,20}(?:(?:key)|(?:Key)|(?:KEY)))(?:[ \t\w.-]{0,20})[\s'"]{0,3})(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === polymarket-private-key ===
# Discovered a Polymarket private key, which could allow unauthorized trading and fund transfers.
/(?:(?:(?:(?:poly)|(?:Poly)|(?:POLY)).{0,20}(?:(?:private)|(?:Private)|(?:PRIVATE)).{0,20}(?:(?:key)|(?:Key)|(?:KEY)))(?:[ \t\w.-]{0,20})[\s'"]{0,3})(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:0x[a-fA-F0-9]{64})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === posthog-personal-api-key ===
# Detected a PostHog Personal API Key, which may expose administrative access to PostHog analytics projects.
/\b(?:(?:(?:phx_)|(?:Phx_)|(?:PHX_))[a-zA-Z0-9_\-]{47})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === posthog-project-api-key ===
# Detected a PostHog Project API Key, which may expose product analytics data and event tracking to unauthorized access.
/\b(?:(?:(?:phc_)|(?:Phc_)|(?:PHC_))[a-zA-Z0-9_\-]{43})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === postman-api-token ===
# Uncovered a Postman API token, potentially compromising API testing and development workflows.
/\b(?:PMAK-[a-fA-F0-9]{24}\-[a-fA-F0-9]{34})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === prefect-api-token ===
# Detected a Prefect API token, risking unauthorized access to workflow management and automation services.
/\b(?:pnu_[a-zA-Z0-9]{36})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === private-key ===
# Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.
/(?:(?:-----begin)|(?:-----Begin)|(?:-----BEGIN))[ A-Za-z0-9_-]{0,100}(?:(?:private\ key)|(?:Private\ Key)|(?:PRIVATE\ KEY))(?:(?:(?:\ block)|(?:\ Block)|(?:\ BLOCK)))?-----[\s\S-]{64,512}(?:(?:key)|(?:Key)|(?:KEY))(?:(?:(?:\ block)|(?:\ Block)|(?:\ BLOCK)))?-----/
# === privateai-api-token ===
# Identified a PrivateAI Token, posing a risk of unauthorized access to AI services and data manipulation.
/(?:(?:(?:(?:private)|(?:Private)|(?:PRIVATE))[_-]?(?:(?:ai)|(?:Ai)|(?:AI)))(?:[ \t\w.-]{0,20})[\s'"]{0,3})(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-z0-9]{32})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === pulumi-api-token ===
# Found a Pulumi API token, posing a risk to infrastructure as code services and cloud resource management.
/\b(?:pul-[a-f0-9]{40})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === pypi-upload-token ===
# Discovered a PyPI upload token, potentially compromising Python package distribution and repository integrity.
/pypi-AgEIcHlwaS5vcmc[\w-]{50,1000}/
# === rapidapi-access-token ===
# Uncovered a RapidAPI Access Token, which could lead to unauthorized access to various APIs and data services.
/(?:(?:(?:rapidapi)|(?:Rapidapi)|(?:RAPIDAPI)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9_-]{50})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === readme-api-token ===
# Detected a Readme API token, risking unauthorized documentation management and content exposure.
/\b(?:rdme_[a-z0-9]{70})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === replicate-api-token ===
# Detected a Replicate API Token, which may expose AI model hosting and inference services to unauthorized access.
/\b(?:(?:(?:r8_)|(?:R8_))[A-Za-z0-9]{37})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === rubygems-api-token ===
# Identified a Rubygem API token, potentially compromising Ruby library distribution and package management.
/\b(?:rubygems_[a-f0-9]{48})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === scalingo-api-token ===
# Found a Scalingo API token, posing a risk to cloud platform services and application deployment security.
/\b(?:tk-us-[\w-]{48})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === sendbird-access-id ===
# Discovered a Sendbird Access ID, which could compromise chat and messaging platform integrations.
/(?:(?:(?:sendbird)|(?:Sendbird)|(?:SENDBIRD)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === sendbird-access-token ===
# Uncovered a Sendbird Access Token, potentially risking unauthorized access to communication services and user data.
/(?:(?:(?:sendbird)|(?:Sendbird)|(?:SENDBIRD)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-fA-F0-9]{40})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === sendgrid-api-token ===
# Detected a SendGrid API token, posing a risk of unauthorized email service operations and data exposure.
/\b(?:SG\.[a-zA-Z0-9=_\-\.]{66})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === sendinblue-api-token ===
# Identified a Sendinblue API token, which may compromise email marketing services and subscriber data privacy.
/\b(?:xkeysib-[a-f0-9]{64}\-[a-zA-Z0-9]{16})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === sentry-access-token ===
# Found a Sentry.io Access Token (old format), risking unauthorized access to error tracking services and sensitive application data.
/(?:(?:(?:sentry)|(?:Sentry)|(?:SENTRY)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-fA-F0-9]{64})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === sentry-org-token ===
# Found a Sentry.io Organization Token, risking unauthorized access to error tracking services and sensitive application data.
/\bsntrys_eyJpYXQiO[a-zA-Z0-9+/]{10,200}(?:(?:LCJyZWdpb25fdXJs)|(?:InJlZ2lvbl91cmwi)|(?:cmVnaW9uX3VybCI6))[a-zA-Z0-9+/]{10,200}={0,2}_[a-zA-Z0-9+/]{43}(?:[^a-zA-Z0-9+/]|$)/
# === sentry-user-token ===
# Found a Sentry.io User Token, risking unauthorized access to error tracking services and sensitive application data.
/\b(?:sntryu_[a-f0-9]{64})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === settlemint-application-access-token ===
# Found a Settlemint Application Access Token.
/\b(?:sm_aat_[a-zA-Z0-9]{16})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === settlemint-personal-access-token ===
# Found a Settlemint Personal Access Token.
/\b(?:sm_pat_[a-zA-Z0-9]{16})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === settlemint-service-access-token ===
# Found a Settlemint Service Access Token.
/\b(?:sm_sat_[a-zA-Z0-9]{16})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === shippo-api-token ===
# Discovered a Shippo API token, potentially compromising shipping services and customer order data.
/\b(?:shippo_(?:(?:live)|(?:test))_[a-fA-F0-9]{40})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === shopify-access-token ===
# Uncovered a Shopify access token, which could lead to unauthorized e-commerce platform access and data breaches.
/shpat_[a-fA-F0-9]{32}/
# === shopify-custom-access-token ===
# Detected a Shopify custom access token, potentially compromising custom app integrations and e-commerce data security.
/shpca_[a-fA-F0-9]{32}/
# === shopify-private-app-access-token ===
# Identified a Shopify private app access token, risking unauthorized access to private app data and store operations.
/shppa_[a-fA-F0-9]{32}/
# === shopify-shared-secret ===
# Found a Shopify shared secret, posing a risk to application authentication and e-commerce platform security.
/shpss_[a-fA-F0-9]{32}/
# === sidekiq-secret ===
# Discovered a Sidekiq Secret, which could lead to compromised background job processing and application data breaches.
/(?:(?:(?:bundle_enterprise__contribsys__com)|(?:Bundle_Enterprise__Contribsys__Com)|(?:BUNDLE_ENTERPRISE__CONTRIBSYS__COM))|(?:(?:bundle_gems__contribsys__com)|(?:Bundle_Gems__Contribsys__Com)|(?:BUNDLE_GEMS__CONTRIBSYS__COM)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-fA-F0-9]{8}:[a-fA-F0-9]{8})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === sidekiq-sensitive-url ===
# Uncovered a Sidekiq Sensitive URL, potentially exposing internal job queues and sensitive operation details.
/\b(?:(?:http)|(?:Http)|(?:HTTP))[sS]?://(?:[a-fA-F0-9]{8}:[a-fA-F0-9]{8})@(?:(?:(?:(?:gems)|(?:Gems)|(?:GEMS)).(?:(?:contribsys)|(?:Contribsys)|(?:CONTRIBSYS)).(?:(?:com)|(?:Com)|(?:COM)))|(?:(?:(?:enterprise)|(?:Enterprise)|(?:ENTERPRISE)).(?:(?:contribsys)|(?:Contribsys)|(?:CONTRIBSYS)).(?:(?:com)|(?:Com)|(?:COM))))(?:[\/|\#|\?|:]|$)/
# === slack-app-token ===
# Detected a Slack App-level token, risking unauthorized access to Slack applications and workspace data.
/(?:(?:xapp-)|(?:Xapp-)|(?:XAPP-))\d-[A-Za-z0-9]{1,512}-\d{1,512}-[a-zA-Z0-9]{1,512}/
# === slack-bot-token ===
# Identified a Slack Bot token, which may compromise bot integrations and communication channel security.
/xoxb-[0-9]{10,13}-[0-9]{10,13}[a-zA-Z0-9-]{0,512}/
# === slack-config-access-token ===
# Found a Slack Configuration access token, posing a risk to workspace configuration and sensitive data access.
/(?:(?:xoxe)|(?:Xoxe)|(?:XOXE)).(?:(?:xox)|(?:Xox)|(?:XOX))[bBpP]-\d-[A-Za-z0-9]{163,166}/
# === slack-config-refresh-token ===
# Discovered a Slack Configuration refresh token, potentially allowing prolonged unauthorized access to configuration settings.
/(?:(?:xoxe-)|(?:Xoxe-)|(?:XOXE-))\d-[A-Za-z0-9]{146}/
# === slack-legacy-bot-token ===
# Uncovered a Slack Legacy bot token, which could lead to compromised legacy bot operations and data exposure.
/xoxb-[0-9]{8,14}-[a-zA-Z0-9]{18,26}/
# === slack-legacy-token ===
# Detected a Slack Legacy token, risking unauthorized access to older Slack integrations and user data.
/xox[os]-\d{1,512}-\d{1,512}-\d{1,512}-[a-fA-F\d]{1,512}/
# === slack-legacy-workspace-token ===
# Identified a Slack Legacy Workspace token, potentially compromising access to workspace data and legacy features.
/xox[ar]-(?:\d-)?[0-9a-zA-Z]{8,48}/
# === slack-session-cookie ===
# Detected a Slack session cookie (xoxd-), which authenticates browser and desktop sessions across all of a user's workspaces.
/(?:xoxd-[\w\/\\+-]{100,512}={0,2})(?:[^\w\/+=-]|$)/
# === slack-session-token ===
# Detected a Slack client session token (xoxc-), which provides full user-level API access when paired with a session cookie.
/xoxc-\d{9,15}-\d{9,15}-\d{9,15}-[a-f0-9]{64}\b/
# === slack-user-token ===
# Found a Slack User token, posing a risk of unauthorized user impersonation and data access within Slack workspaces.
/xox[pe](?:-[0-9]{10,13}){3}-[a-zA-Z0-9-]{28,34}/
# === slack-webhook-url ===
# Discovered a Slack Webhook, which could lead to unauthorized message posting and data leakage in Slack channels.
/(?:https?://)?hooks.slack.com/(?:(?:services)|(?:workflows)|(?:triggers))/[A-Za-z0-9+/]{43,56}/
# === snyk-api-token ===
# Uncovered a Snyk API token, potentially compromising software vulnerability scanning and code security.
/(?:(?:(?:snyk)|(?:Snyk)|(?:SNYK))[_.-]?(?:(?:(?:(?:api)|(?:Api)|(?:API))|(?:(?:oauth)|(?:Oauth)|(?:OAUTH)))[_.-]?)?(?:(?:(?:key)|(?:Key)|(?:KEY))|(?:(?:token)|(?:Token)|(?:TOKEN))))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === sonar-api-token ===
# Uncovered a Sonar API token, potentially compromising software vulnerability scanning and code security.
# NOTE: upstream extracts capture group 2 as the secret for redaction.
# Forbidden-strings reports the full match span; the narrowing is lost.
/(?:(?:(?:sonar)|(?:Sonar)|(?:SONAR))[_.-]?(?:(?:(?:login)|(?:Login)|(?:LOGIN))|(?:(?:token)|(?:Token)|(?:TOKEN))))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:(?:(?:(?:squ_)|(?:Squ_)|(?:SQU_))|(?:(?:sqp_)|(?:Sqp_)|(?:SQP_))|(?:(?:sqa_)|(?:Sqa_)|(?:SQA_)))?[a-zA-Z0-9=_\-]{40})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === sourcegraph-access-token ===
# Sourcegraph is a code search and navigation engine.
# RELAXATION: removed redundant outer `\b(\b...\b)` wrapping AND dropped the bare `[a-fA-F0-9]{40}` arm. The bare-hex arm fires on any 40-char hex string -- e.g. GitHub Actions SHA pins (`uses: x/y@<sha>`) -- which is unacceptable false-positive density. Only `sgp_`-prefixed forms remain.
/\b(?:(?:(?:(?:sgp_)|(?:Sgp_)|(?:SGP_))(?:[a-fA-F0-9]{16}|(?:(?:local)|(?:Local)|(?:LOCAL)))_[a-fA-F0-9]{40})|(?:(?:(?:sgp_)|(?:Sgp_)|(?:SGP_))[a-fA-F0-9]{40}))\b(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === square-access-token ===
# Detected a Square Access Token, risking unauthorized payment processing and financial transaction exposure.
/\b(?:(?:(?:EAAA)|(?:sq0atp-))[\w-]{22,60})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === squarespace-access-token ===
# Identified a Squarespace Access Token, which may compromise website management and content control on Squarespace.
/(?:(?:(?:squarespace)|(?:Squarespace)|(?:SQUARESPACE)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === stability-ai-api-key ===
# Detected a Stability AI API Key, which may expose AI image generation services to unauthorized access.
/(?:(?:(?:stability)|(?:Stability)|(?:STABILITY)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:(?:(?:sk-)|(?:Sk-)|(?:SK-))[A-Za-z0-9]{48})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === stripe-access-token ===
# Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data.
/\b(?:(?:(?:sk)|(?:rk))_(?:(?:test)|(?:live)|(?:prod))_[a-zA-Z0-9]{10,99})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === sumologic-access-id ===
# Discovered a SumoLogic Access ID, potentially compromising log management services and data analytics integrity.
/(?:(?:(?:(?:[Ss]umo)|(?:SUMO)))(?:[ \t\w.-]{0,20})[\s'"]{0,3})(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:su[a-zA-Z0-9]{12})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === sumologic-access-token ===
# Uncovered a SumoLogic Access Token, which could lead to unauthorized access to log data and analytics insights.
/(?:(?:(?:[Ss]umo)|(?:SUMO)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{64})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === telegram-bot-api-token ===
# Detected a Telegram Bot API Token, risking unauthorized bot operations and message interception on Telegram.
/(?:(?:(?:telegr)|(?:Telegr)|(?:TELEGR)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[0-9]{5,16}:(?:A)[a-zA-Z0-9_\-]{34})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === togetherai-api-key ===
# Detected a Together.ai API Key, which may expose access to open-source AI models and inference services.
/\b(?:(?:(?:tgp_v1_)|(?:Tgp_V1_)|(?:TGP_V1_))[A-Za-z0-9_-]{43})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === travisci-access-token ===
# Identified a Travis CI Access Token, potentially compromising continuous integration services and codebase security.
/(?:(?:(?:travis)|(?:Travis)|(?:TRAVIS)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{22})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === twilio-api-key ===
# Found a Twilio API Key, posing a risk to communication services and sensitive customer interaction data.
/SK[0-9a-fA-F]{32}/
# === twitch-api-token ===
# Discovered a Twitch API token, which could compromise streaming services and account integrations.
/(?:(?:(?:twitch)|(?:Twitch)|(?:TWITCH)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{30})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === twitter-access-secret ===
# Uncovered a Twitter Access Secret, potentially risking unauthorized Twitter integrations and data breaches.
/(?:(?:(?:twitter)|(?:Twitter)|(?:TWITTER)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{45})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === twitter-access-token ===
# Detected a Twitter Access Token, posing a risk of unauthorized account operations and social media data exposure.
/(?:(?:(?:twitter)|(?:Twitter)|(?:TWITTER)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[0-9]{15,25}-[a-zA-Z0-9]{20,40})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === twitter-api-key ===
# Identified a Twitter API Key, which may compromise Twitter application integrations and user data security.
/(?:(?:(?:twitter)|(?:Twitter)|(?:TWITTER)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{25})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === twitter-api-secret ===
# Found a Twitter API Secret, risking the security of Twitter app integrations and sensitive data access.
/(?:(?:(?:twitter)|(?:Twitter)|(?:TWITTER)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{50})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === twitter-bearer-token ===
# Discovered a Twitter Bearer Token, potentially compromising API access and data retrieval from Twitter.
/(?:(?:(?:twitter)|(?:Twitter)|(?:TWITTER)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[aA]{22}[a-zA-Z0-9%]{80,100})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === typeform-api-token ===
# Uncovered a Typeform API token, which could lead to unauthorized survey management and data collection.
/(?:(?:(?:typeform)|(?:Typeform)|(?:TYPEFORM)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:(?:(?:tfp_)|(?:Tfp_)|(?:TFP_))[a-zA-Z0-9\-_\.=]{59})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === vault-batch-token ===
# Detected a Vault Batch Token, risking unauthorized access to secret management services and sensitive data.
/\b(?:hvb\.[\w-]{138,300})(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === vault-service-token ===
# Identified a Vault Service Token, potentially compromising infrastructure security and access to sensitive credentials.
/\b(?:(?:(?:hvs\.[\w-]{90,120})|(?:s\.(?:[a-zA-Z0-9]{24}))))(?:(?:\\?['"`])|[\s;]|(?:\\[nr])|$)/
# === vercel-ai-gateway-key ===
# Detected a Vercel AI Gateway API Key (vck_), which may expose AI model routing and gateway access to unauthorized parties.
/\b(?:(?:(?:vck_)|(?:Vck_)|(?:VCK_))[A-Za-z0-9_-]{56})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === vercel-api-token ===
# Detected a Vercel API Token, which may expose deployment and serverless infrastructure to unauthorized access.
/(?:(?:(?:vercel)|(?:Vercel)|(?:VERCEL)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[A-Za-z0-9]{24})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === vercel-app-access-token ===
# Detected a Vercel App Access Token (vca_), which may allow Sign in with Vercel apps to access user resources.
/\b(?:(?:(?:vca_)|(?:Vca_)|(?:VCA_))[A-Za-z0-9_-]{56})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === vercel-app-refresh-token ===
# Detected a Vercel App Refresh Token (vcr_), which may allow persistent unauthorized access through token refresh flows.
/\b(?:(?:(?:vcr_)|(?:Vcr_)|(?:VCR_))[A-Za-z0-9_-]{56})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === vercel-integration-token ===
# Detected a Vercel Integration Token (vci_), which may allow third-party service integrations to act on behalf of users.
/\b(?:(?:(?:vci_)|(?:Vci_)|(?:VCI_))[A-Za-z0-9_-]{56})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === vercel-personal-access-token ===
# Detected a Vercel Personal Access Token (vcp_), which may expose full account and deployment management capabilities.
/\b(?:(?:(?:vcp_)|(?:Vcp_)|(?:VCP_))[A-Za-z0-9_-]{56})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === weights-and-biases-api-key ===
# Detected a Weights & Biases API Key, which may expose ML experiment tracking and model registry access to unauthorized parties.
/(?:(?:(?:wandb)|(?:Wandb)|(?:WANDB))|(?:(?:weightsandbiases)|(?:Weightsandbiases)|(?:WEIGHTSANDBIASES)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-fA-F0-9]{40})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === weights-and-biases-api-key-v1 ===
# Detected a Weights & Biases v1 API Key (wandb_v1_), which may expose ML experiment tracking and artifact storage to unauthorized access.
/\b(?:(?:(?:wandb_v1_)|(?:Wandb_V1_)|(?:WANDB_V1_))[A-Za-z0-9_]{77})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === xai-api-key ===
# Detected an xAI (Grok) API Key, which may expose Grok AI model access to unauthorized parties.
/\b(?:(?:(?:xai-)|(?:Xai-)|(?:XAI-))[A-Za-z0-9_-]{70,120})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === yandex-access-token ===
# Found a Yandex Access Token, posing a risk to Yandex service integrations and user data privacy.
/(?:(?:(?:yandex)|(?:Yandex)|(?:YANDEX)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:(?:(?:t1\.)|(?:T1\.))[A-Z0-9a-z_-]{1,512}[=]{0,2}\.[A-Z0-9a-z_-]{86}[=]{0,2})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === yandex-api-key ===
# Discovered a Yandex API Key, which could lead to unauthorized access to Yandex services and data manipulation.
/(?:(?:(?:yandex)|(?:Yandex)|(?:YANDEX)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:(?:(?:aqvn)|(?:Aqvn)|(?:AQVN))[A-Za-z0-9_\-]{35,38})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === yandex-aws-access-token ===
# Uncovered a Yandex AWS Access Token, potentially compromising cloud resource access and data security on Yandex Cloud.
/(?:(?:(?:yandex)|(?:Yandex)|(?:YANDEX)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:(?:(?:yc)|(?:Yc)|(?:YC))[a-zA-Z0-9_\-]{38})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === zendesk-secret-key ===
# Detected a Zendesk Secret Key, risking unauthorized access to customer support services and sensitive ticketing data.
/(?:(?:(?:zendesk)|(?:Zendesk)|(?:ZENDESK)))(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|(?::{1,3}=)|(?:\|\|)|:|(?:=>)|(?:\?=)|,)[`'"\s=]{0,5}(?:[a-zA-Z0-9]{40})(?:(?:\\?['"`])|[\s;]|(?:\\[nNrR])|$)/
# === resharp set-algebra demonstrations (engine-specific) ===
#
# Resharp extends standard regex with two top-level set operators that
# pure-PCRE engines lack:
# - A&B intersection: matches strings matched by both A and B
# - ~(A) complement: matches strings that do NOT match A
# Combined, these express "match X but not Y" without lookaround. PCRE
# engines (gitleaks, trufflehog, secretlint, plain RE2) cannot do this;
# the workaround is per-rule allowlists, which scale badly.
# Reads as: "match any 6-digit BUILD_ tag, EXCEPT the all-zeros placeholder."
/(?:BUILD_[0-9]{6})&~(BUILD_000000)/
# Intersection composed with two complements: ban any 32-char hex hash
# under `RELEASE_TAG_`, except the documented placeholders.
# The complements inline their quantifier bodies: `0{32}` is a
# quantified literal (not a quantified group), and the deadbeef
# placeholder is written as 16 concatenated unquantified
# `(de|ad|be|ef)` groups (32 chars total). Either form avoids
# resharp Bug E (intersection co-occurring with a `)`-quantifier
# hangs `calc_prefix_sets_inner`; see doc/troubleshooting/resharp.md
# Bug E) and is enforced by the
# `complement_intersection_quantified_group` pre-validator.
/(?:RELEASE_TAG_[a-f0-9]{32})&~(RELEASE_TAG_0{32})&~(RELEASE_TAG_(?:(?:de)|(?:ad)|(?:be)|(?:ef))(?:(?:de)|(?:ad)|(?:be)|(?:ef))(?:(?:de)|(?:ad)|(?:be)|(?:ef))(?:(?:de)|(?:ad)|(?:be)|(?:ef))(?:(?:de)|(?:ad)|(?:be)|(?:ef))(?:(?:de)|(?:ad)|(?:be)|(?:ef))(?:(?:de)|(?:ad)|(?:be)|(?:ef))(?:(?:de)|(?:ad)|(?:be)|(?:ef))(?:(?:de)|(?:ad)|(?:be)|(?:ef))(?:(?:de)|(?:ad)|(?:be)|(?:ef))(?:(?:de)|(?:ad)|(?:be)|(?:ef))(?:(?:de)|(?:ad)|(?:be)|(?:ef))(?:(?:de)|(?:ad)|(?:be)|(?:ef))(?:(?:de)|(?:ad)|(?:be)|(?:ef))(?:(?:de)|(?:ad)|(?:be)|(?:ef))(?:(?:de)|(?:ad)|(?:be)|(?:ef)))/