keyhog-core 0.5.4

keyhog-core — shared data model and detector specifications for the KeyHog secret scanner
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

# Docs: https://docs.saltproject.io/en/latest/topics/netapi/index.html
# Format: Salt API uses username/password with eauth, returns X-Auth-Token
# Verify: POST /login with credentials returns token if valid
# Prefix: none (requires context anchoring)

[detector]
id = "saltstack-credentials"
name = "SaltStack API Credentials"
service = "saltstack"
severity = "critical"
keywords = ["salt-api", "saltapi", "external_auth", "eauth", "SALT"]

[[detector.patterns]]
regex = "(?:SALT[_-]API[_-]USERNAME|SALT[_-]USERNAME)[=:\\s\"'']+([a-zA-Z0-9_-]+)"
description = "SaltStack API username"
group = 1

[[detector.patterns]]
regex = "(?:SALT[_-]API[_-]PASSWORD|SALT[_-]PASSWORD)[=:\\s\"'']+([a-zA-Z0-9!@#$%^&*._-]+)"
description = "SaltStack API password"
group = 1

[[detector.patterns]]
regex = "external_auth:\\s*\\n\\s*[a-z]+:\\s*\\n\\s*([a-zA-Z0-9_-]+):\\s*\\n\\s*-"
description = "SaltStack external_auth username in config"
group = 1

[[detector.patterns]]
regex = "X-Auth-Token[=:\\s\"'']+([a-f0-9]{40,})"
description = "SaltStack X-Auth-Token session token"
group = 1

[[detector.patterns]]
regex = "\"token\"[=:\\s\"'']+([a-f0-9]{40,})"
description = "SaltStack API token in JSON response"
group = 1