s2-simple-secrets 1.2.0

Simple Secrets — inject secrets into subprocesses without ambient environment exposure
# ============================================================
# SYNTHETIC SECRETS BENCHMARK — s2 scan vs alternatives
# All values are FAKE. Do NOT use as real credentials.
# ============================================================

# --- Category 1: Mutual Detection (both tools should catch) ---
# Provider-prefixed values that a pattern-based scanner is expected to match.
# Entries marked REMOVED keep their case number but carry no value in this
# file, so only cases 1, 2, 3 and 7 are actually exercised here.
# NOTE(review): the "GitHub caught" remarks suggest the values were dropped
# because GitHub secret scanning flagged them when the fixture was pushed —
# confirm, and keep those cases out of any s2 hit/miss totals.

# 1. AWS Access Key ID — AKIA prefix + 16 chars [A-Z2-7]
# NOTE(review): this is the sample key ID used in AWS documentation. A scanner
# that allowlists known example values may skip it even though its AKIA
# pattern works — confirm before counting a miss as a missing pattern.
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE

# 2. GitHub PAT — ghp_ + 36 alphanumeric
GITHUB_TOKEN=ghp_ABCDeFgHiJkLmN0PqRsTuVwXyZ0123456789

# 3. GitHub Fine-Grained PAT — github_pat_ + 82 word chars
GITHUB_FINE_PAT=github_pat_11AABCDEF0a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6q7R8s9T0u1V2w3X4y5Z6a7B8c9D0e1F2g3H4i5J6

# 4. Stripe Secret Key — REMOVED (GitHub caught: Stripe API Key)

# 5. Stripe Restricted Key — REMOVED (GitHub caught: Stripe Live API Restricted Key)

# 6. Stripe Test Key — REMOVED (GitHub caught: Stripe Test API Secret Key)

# 7. Google API Key — AIza + 35 mixed chars
GOOGLE_MAPS_KEY=AIzaSyA1b2C3d4E5f6G7h8I9j0K1L2M3n4O5p6Q

# 8. Twilio API Key — REMOVED (GitHub caught: Twilio API Key)

# 9. SendGrid API Key — REMOVED (GitHub caught: SendGrid API Key)

# 10. Slack Bot Token — REMOVED (GitHub caught: Slack API Token)


# --- Category 2a: GitHub-Only (s2 has no pattern, entropy too low) ---
# Key names deliberately avoid s2's sensitive words (secret, password, token, key, auth, credential, private, cert)
# With the key name neutral, s2 can only react to the value itself. The hex
# bodies below use a 16-symbol alphabet, so their Shannon entropy cannot
# exceed 4 bits per character.

# 11. Shopify Admin PAT — REMOVED (GitHub caught: Shopify Access Token)

# 12. Shopify Shared Secret — REMOVED (GitHub caught: Shopify App Shared Secret)

# 13. GitLab PAT — glpat- prefix ("PAT" not in s2's sensitive words)
GITLAB_PAT=glpat-a1b2c3d4e5f6a7b8c9d0

# 14. DigitalOcean token — dop_v1_ prefix, hex
# NOTE(review): the body here is 60 hex chars. DigitalOcean tokens are, as far
# as I know, 64 hex chars, so a strict-length pattern would not match this
# sample — confirm the intended length before treating a miss as a gap.
DO_SPACES_ID=dop_v1_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6a1b2c3d4e5f6a7b8c9d0e1f2a3b4

# 15. Supabase token — sbp_ prefix
SUPABASE_DB_REF=sbp_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0

# 16. Datadog API — pure 32 hex, no prefix
# NOTE(review): same shape as case 44 (MD5, expected true negative). The value
# alone cannot separate the two; any detection has to come from context —
# confirm which signal the "GitHub-Only" expectation relies on.
DD_SITE_MONITOR=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6

# 17. Heroku — UUID format
# NOTE(review): same shape as case 42 (UUID, expected true negative) — the
# expectation here needs the same confirmation as case 16.
HEROKU_DEPLOY_ID=01234567-89ab-cdef-0123-456789abcdef

# 18. Azure — UUID format
# NOTE(review): see case 17; format-identical to the case 42 true negative.
AZURE_TENANT=a1b2c3d4-e5f6-a7b8-c9d0-e1f2a3b4c5d6


# --- Category 2b: Both detect, but different quality ---
# GitHub labels by provider; s2 catches via generic entropy (medium confidence)
# None of these key names contains one of the sensitive words listed under
# Category 2a, so an s2 hit here reflects the value's entropy and not the
# key name. A generic-entropy finding does not name the provider, which makes
# triage and revocation slower than a provider-labelled one.

# 19. Anthropic API Key — sk-ant-api03- prefix
ANTHROPIC_BATCH_RUNNER=sk-ant-api03-ZTuILlyrPeiioAqBznqJNysxkb3OCbBYDrRz1rWELo-JeZXsGadlfhlM1sr7FGWRRez24mfeqrEtnzkvRb4SQ-a4QM4gAA

# 20. OpenAI API Key — sk-proj- prefix
OPENAI_BATCH_RUNNER=sk-proj-abc123DEF456ghi789JKL012mno345PQR678stu901VWX234yz

# 21. npm token — npm_ prefix, base64 body (entropy boundary case ~4.7)
# Boundary case: a small change to the entropy threshold flips this result,
# so record the threshold in use alongside the outcome.
NPM_PUBLISH_HANDLE=npm_MjQ0NjcxOTkzNDEyOmRhNjkwNWZkLWNlZDItNDQ4MC1hMjZjLTk1NDg3OTNlZjE5Mg

# 22. PyPI token — pypi- prefix, long base64
PYPI_PUBLISH_HANDLE=pypi-AgEIcHlwaS5vcmcCJGY3ZjBlNzQ5LWRkZWYtNGI1YS04MjEzLTQzZGRlNDU5NDYyOAACJXsicGVybWlzc2lvbnMiOiAidXNlciIsICJ2ZXJzaW9uIjogMX0AAAYgHMbZRgz


# --- Category 3: s2-Only Detection (GitHub likely misses) ---
# Three different s2 signals are mixed in this category: sensitive key names
# (cases 23-25), dedicated value patterns (cases 26-29, 32) and plain entropy
# under a neutral key name (cases 30-31). Report them separately so a
# regression in one signal is not hidden by the others.

# 23. Short password — 14 chars, "password" in key drops entropy threshold to 2.5
DB_PASSWORD=xK9mL2nP4qR7tY

# 24. API secret — "secret" triggers sensitive key detection
API_SECRET=Tr0ub4dor&3xYzW

# 25. Redis auth — both "auth" and "credential" trigger
REDIS_AUTH_CREDENTIAL=aB3kL9mN2pQ5xR7tY

# 26. JWT — s2 has jwt pattern, GitHub has no generic JWT detection
# NOTE(review): this is the widely published sample JWT (HS256, payload
# sub 1234567890 / John Doe). Scanners that allowlist known sample tokens may
# skip it — confirm before reading a miss as a missing JWT pattern.
SESSION_TOKEN=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

# 27. RSA Private Key PEM header
# Header line only, no key body: this exercises detection of the BEGIN marker
# and says nothing about scanners that require a complete PEM block.
TLS_PRIVATE_KEY=-----BEGIN RSA PRIVATE KEY-----

# 28. EC Private Key PEM header
# Header line only, as in case 27.
EC_PRIVATE_KEY=-----BEGIN EC PRIVATE KEY-----

# 29. Slack Webhook URL — hooks.slack.com pattern
SLACK_WEBHOOK_URL=https://hooks.slack.com/services/T0FAKE0ID/B0FAKE0ID/W3bh00kT0k3nV4lu3Th4t1sF4k3Bu7V4l1d

# 30. Generic high-entropy string (no provider prefix, 64 chars)
# Neutral key name: a hit here comes from value entropy alone.
HASURA_ADMIN=msOH9FWGis6E77eu5bUl3P9C07XNelEg31BRsKIDKkrudXoIuob5dorUVRkbybuq

# 31. Another high-entropy string (different non-sensitive key name)
FRONTEND_GRAPH=RnaVWYz76nXs4IvIsFtepIm08CQC8rOTCdJFwiBrWK7tFvMrbix7ksr0bsKeVkqS

# 32. Database URL with embedded credentials
# The secret is the password part of the URL (between ":" and "@"); the key
# name itself contains none of the sensitive words.
DATABASE_URL=postgresql://admin:xK9mL2nP4q@db.example.com:5432/mydb


# --- Category 4: Edge Cases ---
# Parser and context behaviour: encoding, comments, escapes, embedding in a
# longer value, empty values and quoting.

# 33. Base64-encoded secret, non-sensitive key name — should MISS
# NOTE(review): the key name ENCODED_SECRET contains "secret", which the
# Category 2a note and case 24 list as a sensitive word, so this is not a
# non-sensitive key name. As written, cases 33 and 34 both use a sensitive
# key and the "should MISS" control does not isolate base64 handling. The
# key name is the case identifier, so confirm against recorded results
# before renaming it to a neutral word.
ENCODED_SECRET=c2stYW50LWFwaTAzLXh5ejEyMw==

# 34. Same base64 blob, sensitive key name ("key") — should CATCH
ENCODED_KEY=c2stYW50LWFwaTAzLXh5ejEyMw==

# 35. MongoDB connection string
# As in case 32, the secret is the password embedded in the URI.
MONGO_URI=mongodb+srv://admin:Sup3rS3cr3tP4ssw0rd@cluster0.ab12cd.mongodb.net/mydb?retryWrites=true

# 36. Compound value — REMOVED (GitHub caught: Stripe Test API Secret Key in compound value)

# 37. Commented-out AWS key — should be SKIPPED
# Skipping is a parser-level expectation (the line is not an assignment).
# In a real repository a credential left in a comment is still exposed, so a
# raw-text scanner that flags this line is not wrong — score it separately
# from false positives.
# OLD_AWS_KEY=AKIAIOSFODNN7EXAMPLE

# 38. PEM key with escaped newlines
# The value holds a literal backslash-n, not a line break, followed by a
# single truncated line of key body.
PRIVATE_KEY_PEM=-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA0Z3VS5JJcds3xfn/ygWyF8PbnGy0AHB7MhgHcTz6sE2I

# 39. Slack webhook embedded in curl command
# Same webhook URL as case 29, placed mid-value and preceded by unquoted
# spaces; tests that the pattern is not anchored to the start of the value.
WEBHOOK_INLINE=curl -X POST https://hooks.slack.com/services/T0FAKE0ID/B0FAKE0ID/W3bh00kT0k3nV4lu3Th4t1sF4k3Bu7V4l1d

# 40. Empty value — should be SKIPPED
# The key name contains "secret"; the expectation is that an empty value is
# ignored regardless of the key name.
EMPTY_SECRET=

# 41. Quoted AWS key — tests parser quote stripping
# Same value as case 1 wrapped in double quotes; the allowlist caveat noted
# for that sample key ID applies here too.
QUOTED_AWS="AKIAIOSFODNN7EXAMPLE"


# --- Category 5a: True Negatives (neither should flag) ---
# Ordinary configuration values under neutral key names. Any finding in this
# category is a false positive.

# 42. UUID
# Same shape as cases 17 and 18, which are expected detections.
TRACE_ID=550e8400-e29b-41d4-a716-446655440000

# 43. SHA-256 hash (64 hex chars, low entropy ~3.7)
# This is the SHA-256 digest of empty input, a well-known constant.
COMMIT_HASH=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

# 44. MD5 hash (32 hex chars)
# This is the MD5 digest of empty input; same shape as case 16, which is an
# expected detection.
BUILD_HASH=d41d8cd98f00b204e9800998ecf8427e

# 45. Semver
APP_VERSION=2.14.3-beta.1+build.7891

# 46. CSV feature flags
FEATURE_FLAGS=enable_dark_mode,enable_beta,show_banner

# 47. AWS region
REGION=us-east-1

# 48. Log level
LOG_LEVEL=debug

# 49. Number
MAX_RETRIES=5

# 50. Boolean
ENABLED=true

# 51. URL without credentials
APP_URL=https://myapp.example.com/api/v2

# 52. Placeholder text (non-sensitive key name)
# Control for case 57, which uses the same value under a key name containing
# "token".
PLACEHOLDER_VALUE=REPLACE_ME_WITH_REAL_TOKEN

# 53. Docs URL
DOCS_ENDPOINT=https://docs.example.com

# 54. Repeated chars (entropy = 0)
REPEATED_CHARS=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

# 55. Sequential hex (entropy ~4.0 but predictable)
# Each of the 16 hex digits appears exactly twice, so per-character entropy
# is at the hex maximum even though the sequence is trivially guessable.
SEQUENTIAL_HEX=0123456789abcdef0123456789abcdef


# --- Category 5b: False Positive Traps (s2 flags, arguably shouldn't) ---
# Placeholder or default values under key names that contain a sensitive
# word. A flag here comes from the key name, not from the value; whether it
# counts as a false positive depends on whether placeholder and default
# credentials are in scope for the scan.

# 56. Placeholder with "key" in key name
EXAMPLE_KEY=your-api-key-here

# 57. Placeholder with "token" in key name
# Same value as case 52; only the key name differs.
SAMPLE_TOKEN=REPLACE_ME_WITH_REAL_TOKEN

# 58. Default password with "password" in key name
# A default password that ships unchanged is a real finding in practice, so
# this case is the weakest "shouldn't flag" argument of the three.
TEST_PASSWORD=changeme12345