keyhog-core 0.5.4

keyhog-core — shared data model and detector specifications for the KeyHog secret scanner
# Docs: https://docs.cfengine.com/docs/
# Format: CFEngine uses SSL key pairs and host authentication, not traditional API tokens
# Verify: cf-key generates keys; authentication is certificate-based
# Prefix: none (requires context anchoring)

# Detector metadata for CFEngine-related findings. `severity` is set once here;
# this file has no per-pattern severity, so every pattern below appears to
# inherit "high" (confirm against the loader).
[detector]
id = "cfengine-credentials"
name = "CFEngine Credentials"
service = "cfengine"
severity = "high"
# NOTE(review): presumably used as a cheap pre-filter before the regexes run;
# confirm against the scanner. The list has both upper- and lower-case forms,
# but the first pattern below only spells the anchor in upper case.
keywords = ["CFENGINE", "cfengine", "cf-key", "ppkeys", "cf_agent"]

# Pattern 1: a CFENGINE_KEY / CFENGINE-SECRET style name, one or more separator
# characters (=, :, whitespace, quotes), then 20 or more characters from the
# base64 alphabet. `group = 1` points at the only capture group, the value.
# The regex carries no inline case-insensitive flag, so as written a lower-case
# `cfengine_key=` is not matched unless the engine applies one (TODO confirm).
# The doubled single quote in the separator class is redundant but harmless.
[[detector.patterns]]
regex = "(?:CFENGINE[_-]KEY|CFENGINE[_-]SECRET)[=:\\s\"'']+([a-zA-Z0-9/+=]{20,})"
description = "CFEngine key or secret with context anchor"
group = 1

# Pattern 2: any path under /var/cfengine/ppkeys/, up to the next whitespace or
# quote character. No `group` key is set here, unlike the other two patterns.
# NOTE(review): this matches a file path reference, not key material, and the
# description covers public as well as private key files. Expect hits on
# ordinary policy and documentation that merely mention the directory; confirm
# that "high" is the intended severity for such matches.
[[detector.patterns]]
regex = "/var/cfengine/ppkeys/[^\\s\"'']+"
description = "CFEngine private/public key file path"

# Pattern 3: `trustkey => "<value>"` in policy text, capturing the quoted value.
# NOTE(review): in CFEngine policy `trustkey` is, to my knowledge, a boolean
# attribute of `body copy_from`, so group 1 would normally hold "true" or
# "false" rather than a secret. Confirm whether this is meant as a
# trust-on-first-use configuration finding, and if so whether it should be
# reported as a credential at this severity.
[[detector.patterns]]
regex = "trustkey\\s*=>\\s*\"([^\"]+)\""
description = "CFEngine trust key in policy"
group = 1