Patterns
HoraDomu edited this page Jun 19, 2026 · 1 revision
Each pattern is a YAML file in the `community/<category>/` directory. At build time the bundler compiles them into a compressed bundle (`core/patterns.bundle`) embedded in the binary.
A pattern file looks like:

```yaml
name: my-api-key
match: 'MY_[A-Z0-9]{32}'
enabled: true # optional, defaults to true
```

| Field | Required | Description |
|---|---|---|
| `name` | yes | Unique identifier shown in findings |
| `match` | yes | RE2-compatible regular expression |
| `enabled` | no | Set to `false` to ship a pattern but disable it by default |

```
community/
  secrets/   # API keys, tokens, credentials
  tokens/    # Bearer tokens, JWTs, session tokens
  ...
```

- Create a `.yaml` file under `community/<category>/`
- Rebuild the bundle: `go run ./bundler`
- Test: `go test ./...`
- Verify against a real sample: `echo "MY_ABC123..." | atheon scan /dev/stdin`

- Anchor with context — `sk-[a-z0-9]{48}` is better than `[a-z0-9]{48}` alone
- Use word boundaries — `\b` reduces false positives
- Test entropy — high-entropy strings mixed with a vendor prefix (e.g. `ghp_`, `sk-`, `xoxb-`) have very low false-positive rates
- Keep RE2 compatible — no lookaheads, no backreferences
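
The tips above can be checked before a pattern is committed. The following is an added example, not Atheon's own code: it assumes patterns are matched with the RE2 syntax that Go's standard `regexp` package implements, and `countMatches`, `samples` and the sample lines are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample lines (not real credentials or real scan output).
var key48 = strings.Repeat("a1b2c3d4", 6) // 48 chars of [a-z0-9]
var samples = []string{
	`API_KEY="sk-` + key48 + `"`,                       // the secret we want to find
	"sha256: " + strings.Repeat("0123456789abcdef", 4), // benign 64-char digest
	"cache-key: task-" + key48,                         // "sk-" inside another word
}

// countMatches compiles expr with Go's regexp package (RE2 syntax) and
// returns how many lines it matches, or the compile error.
func countMatches(expr string, lines []string) (int, error) {
	re, err := regexp.Compile(expr)
	if err != nil {
		return 0, err
	}
	n := 0
	for _, line := range lines {
		if re.MatchString(line) {
			n++
		}
	}
	return n, nil
}

func main() {
	candidates := []string{
		`[a-z0-9]{48}`,        // no anchor: also hits the digest
		`sk-[a-z0-9]{48}`,     // vendor prefix: still hits "task-..."
		`\bsk-[a-z0-9]{48}\b`, // prefix plus word boundaries
		`sk-(?=[a-z0-9]{48})`, // lookahead: rejected by RE2
		`(sk-)[a-z0-9]{48}\1`, // backreference: rejected by RE2
	}
	for _, expr := range candidates {
		n, err := countMatches(expr, samples)
		if err != nil {
			fmt.Printf("%-24s rejected: %v\n", expr, err)
			continue
		}
		fmt.Printf("%-24s matched %d of %d lines\n", expr, n, len(samples))
	}
}
```

Only the first sample line is a secret, so every match beyond one is a false positive for that expression.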

```sh
# List disabled patterns
atheon list patterns --disabled
# Patterns can be toggled in the YAML source via enabled: false
```

To suppress a finding on a specific line:

```
const testKey = "sk-abc123..." // atheon:ignore
```