[[rules]]
id = "aws-account-id"
description = "Detects AWS account IDs in various formats including standalone numbers and ARNs"
regex = '''(?i)(?:(?:aws[_-]?account[_-]?id|account[_\.]?id|accountid|aws[_\.]?account|"?account(?:id)?"?)\s*[=:]\s*["']?|arn:aws:[^:]*::)(\d{12})'''
keywords = ["aws", "account", "arn"]
[[rules]]
id = "public-ipv4"
description = "Detects public IPv4 addresses (excluding private/local ranges)"
regex = '''\b((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))\b'''
[[rules.allowlists]]
description = "Exclude private IP ranges"
regexes = [
"^10\\.",
"^172\\.(1[6-9]|2[0-9]|3[01])\\.",
"^192\\.168\\.",
"^127\\.",
"^169\\.254\\.",
"^0\\.0\\.0\\.0$",
"^255\\.255\\.255\\.255$",
]
[[rules]]
id = "public-ipv6"
description = "Detects public IPv6 addresses (excluding private/local ranges)"
regex = '''(?i)(?:^|\s|=|:)((?:[0-9a-f]{1,4}:){7}[0-9a-f]{1,4}|(?:[0-9a-f]{1,4}:){1,7}:|(?:[0-9a-f]{1,4}:){1,6}:[0-9a-f]{1,4}|(?:[0-9a-f]{1,4}:){1,5}(?::[0-9a-f]{1,4}){1,2}|(?:[0-9a-f]{1,4}:){1,4}(?::[0-9a-f]{1,4}){1,3}|(?:[0-9a-f]{1,4}:){1,3}(?::[0-9a-f]{1,4}){1,4}|(?:[0-9a-f]{1,4}:){1,2}(?::[0-9a-f]{1,4}){1,5}|[0-9a-f]{1,4}:(?::[0-9a-f]{1,4}){1,6}|:(?::[0-9a-f]{1,4}){1,7}|::|(?:[0-9a-f]{1,4}:){6}(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?:\s|$|[^\w:\.])'''
[[rules.allowlists]]
description = "Exclude private IPv6 ranges"
regexes = ["^fe80:", "^::1$", "^fc00:", "^fd00:"]
[allowlist]
description = "Privacy rules allowlist to prevent false positives"
regexes = [
"123456789012",
"000000000000",
"123456123456",
"192\\.168\\.\\d+\\.\\d+",
"10\\.\\d+\\.\\d+\\.\\d+",
"127\\.0\\.0\\.1",
"0\\.0\\.0\\.0",
"255\\.255\\.255\\.255",
]
stopwords = [
"example",
"test",
"demo",
"sample",
"placeholder",
"localhost",
"127.0.0.1",
"0.0.0.0",
]