# Test fixture for the secret detector named in detector_id.
# NOTE(review): the harness that reads this file is not visible here; key
# meanings are inferred from their names and values. Confirm against the consumer.
schema_version = 1
detector_id = "cfengine-credentials"
service = "cfengine"
# Presumably the severity attached to findings from this detector. TODO confirm.
severity = "high"
# Positive cases: `credential` is the substring of `text` that the detector is
# expected to report (per each `reason`).
# NOTE(review): the values look like constructed samples; confirm none is a live key.

# Environment-variable style assignment with a 21-character value.
[[positive]]
text = "CFENGINE_KEY=Kp4Qx7Rm2Sn5Tb8Vw3Yz+"
credential = "Kp4Qx7Rm2Sn5Tb8Vw3Yz+"
reason = "CFENGINE_KEY prefix with 21 valid base64 chars."

# Policy-style `trustkey => "..."`. The literal string avoids escaping the
# inner double quotes; the parsed value is unchanged.
[[positive]]
text = 'trustkey => "Vk9Bn3Lp7Qm2Rs5Tw8Vk9"'
credential = "Vk9Bn3Lp7Qm2Rs5Tw8Vk9"
reason = "CFEngine trustkey policy syntax with quoted value."
# Negative case: no `credential` key is given, so presumably no finding is
# expected for this text. TODO confirm.
# NOTE(review): this is the only negative case shown and it covers only a
# too-short value; a well-formed key name with a documentation placeholder
# value may be worth a case of its own if the detector should reject it.
[[negative]]
text = "CFENGINE_KEY=short"
reason = "Body too short (only 5 base64 chars)."
# Evasion case: the same value as the first positive case, with key and value
# each wrapped in double quotes and joined by a colon (JSON style). Per
# `reason`, the detector must still report it.
# The literal string avoids backslash escapes; the parsed value is unchanged.
[[evasion]]
text = '"CFENGINE_KEY":"Kp4Qx7Rm2Sn5Tb8Vw3Yz+"'
credential = "Kp4Qx7Rm2Sn5Tb8Vw3Yz+"
reason = "JSON-quoted key-value pair still matches."
# Performance budget for a small fixture. Units come from the key names:
# a 4096-byte input and a ceiling of 25000 microseconds (25 ms).
# NOTE(review): how the harness builds the fixture and measures time is not
# visible here. Confirm.
[perf]
fixture_bytes = 4096
max_microseconds = 25000
note = "Standard single-file budget."
# Scale check: a 1048576-byte (1 MiB) input which, per `note`, is filler plus
# one planted credential. At least min_findings must be reported within
# max_seconds.
[scale]
fixture_bytes = 1048576
min_findings = 1
max_seconds = 2.0
note = "1 MiB filler + planted cfengine credential."
# NOTE(review): because it follows the [scale] header, this key parses as
# scale.readme_claim, not as a root-level key. Confirm that placement is
# intended; root-level keys must appear before the first table header.
readme_claim = "900 service-specific detectors"