schema_version = 1
detector_id = "postgresql-connection-string"
service = "postgresql"
severity = "critical"
[[positive]]
text = "postgresql://neondb:w0kVdGwi5GpLapAX@ep-cool-name-123456.us-east-2.aws.neon.tech/neondb"
credential = "postgresql://neondb:w0kVdGwi5GpLapAX@ep-cool-name-123456.us-east-2.aws.neon.tech"
reason = "Hand-tuned positive matching detector regex (R2-F adversarial batch)."
[[positive]]
text = "DATABASE_URL=\"postgresql://neondb:w0kVdGwi5GpLapAX@ep-cool-name-123456.us-east-2.aws.neon.tech/neondb\""
credential = "postgresql://neondb:w0kVdGwi5GpLapAX@ep-cool-name-123456.us-east-2.aws.neon.tech"
reason = "Quoted-value variant of the canonical positive."
[[positive]]
text = "pg-url: postgres://tkoyplem:leFamejio5QaxS6lotTs9Li9@qlohkubwfkqj.example.org:5432/ukfergbb"
credential = "postgres://tkoyplem:leFamejio5QaxS6lotTs9Li9@qlohkubwfkqj.example.org"
reason = "Plain postgres:// branch must self-activate without a DATABASE_URL keyword, as decoded Kubernetes Secret data surfaces only the field key plus URL."
[[negative]]
text = "YOUR_API_KEY_HERE_PLACEHOLDER_VALUE"
reason = "Placeholder-keyword body — suppression gate matches PLACEHOLDER prefix."
[[negative]]
text = "postgEXAMPLEEXAMPLEeondb"
reason = "EXAMPLE token marker inside the body — suppression gate strips it."
[[evasion]]
text = '''payload: |
postgresql://neondb:w0kVdGwi5GpLapAX@ep-cool-name-123456.us-east-2.aws.neon.tech/neondb'''
credential = "postgresql://neondb:w0kVdGwi5GpLapAX@ep-cool-name-123456.us-east-2.aws.neon.tech"
reason = "Adversarial envelope — credential must still surface under this detector."
[perf]
fixture_bytes = 4096
max_microseconds = 25000
note = "Standard single-file budget."
[scale]
fixture_bytes = 1048576
min_findings = 1
max_seconds = 2.0
note = "1 MiB filler + planted credential."
readme_claim = "900 service-specific detectors"