
@Copilot Copilot AI commented Oct 2, 2025

Adds a new pattern to detect Certificate Signing Requests (CSRs) in the RSA Keys section, with full support for both standard PEM format and flattened keys commonly found in CI/CD environments.

Changes Summary

New Files:

  • rsa/csr_test.csr - Real certificate signing request sample from the issue (1151 bytes)
  • rsa/csr_flattened.txt - CSR with literal \n characters (simulates .env/CI format)

Modified Files:

  • rsa/patterns.yml - Added new CSR pattern entry

Pattern Details

  • Name: Certificate Signing Request (CSR)
  • Type: csr
  • Status: Experimental (marked similar to SSH Public Key)
  • Regex: --BEGIN CERTIFICATE REQUEST--+(\\[nr]|[\r\n])+([a-zA-Z0-9+/=\s]|\\[rn])+(\\[rn]|[\r\n])+--+END CERTIFICATE REQUEST--
  • Comments:
    • "Certificate signing request - not inherently secret but may expose metadata"
    • "Handles both actual newlines and literal \n or \r (flattened keys in .env files, CI secrets, JSON)"

Key Features

The pattern properly handles both use cases:

  1. Actual newlines - Standard CSR files with real line breaks (\r\n or \n)
  2. Literal escaped sequences - Flattened keys with two-character sequences \n or \r found in:
    • .env files
    • CI/CD secrets
    • JSON strings
    • Shell scripts

The pattern uses (\\[nr]|[\r\n])+ which matches:

  • \\[nr] - literal backslash followed by n or r (matching the two-character sequences \n or \r in raw text)
  • [\r\n] - actual carriage return or line feed characters

Pattern Validation

✓ Matches real CSR file at offsets 3-1147 (actual newlines)
✓ Matches flattened CSR at offsets 18-1180 (literal \n characters)
✓ Matches inline test data at offsets 0-64
✓ Handles JSON format (CI/CD use case)
✓ Handles .env format (environment variables)
✓ Matches standard 5-dash format (-----BEGIN...-----)
✓ Matches minimum 2-dash format (--BEGIN...--)
✓ No security vulnerabilities (CodeQL scan passed)

Notes

  • Pattern follows the same structure and conventions as other RSA patterns (Generic RSA keys, SSH Private Keys, GPG Private Key)
  • The -- prefix with + quantifier matches 2+ dashes, correctly handling the standard 5-dash PEM format
  • Positioned between GPG Private Key and SSH Public Key in the patterns list
  • README.md will be auto-generated by the repository's workflow on PR

Fixes #101

Original prompt

This section details the original issue you should resolve

<issue_title>Pattern Request - csr</issue_title>
<issue_description>### Name / Description

A certificate signing request. These are not inherently secret leaks, but they might expose some metadata that is either sensitive or non-public.

Sample Snippets

True Positives

-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----

False Positives

[snippet]

[optional] Propose Solution

See RSA key samples for similar pattern, add CSR pattern to that section.
</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #101

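As an added illustration (not code from this PR or its repository), the following Python applies the regex quoted in the pattern entry above to a constructed PEM-style CSR, to a flattened copy of it embedded in a JSON value and in a `.env` line, and to a header with no separator at all, showing which forms the pattern does and does not match. The CSR body is a constructed base64-alphabet placeholder, not a real request.

```python
import re

# Regex copied from the PR's rsa/patterns.yml entry quoted in the description above.
CSR_PATTERN = re.compile(
    r"--BEGIN CERTIFICATE REQUEST--+(\\[nr]|[\r\n])+"
    r"([a-zA-Z0-9+/=\s]|\\[rn])+(\\[rn]|[\r\n])+--+END CERTIFICATE REQUEST--"
)

# Constructed placeholder body (base64 alphabet only); this is NOT a real CSR.
FAKE_BODY = "\n".join(["MIIB" + "A" * 60, "BBBB" + "C" * 60, "ZZ=="])

# Standard PEM layout with real line breaks, as in a .csr file on disk.
PEM_CSR = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    + FAKE_BODY
    + "\n-----END CERTIFICATE REQUEST-----\n"
)


def flatten(pem: str, eol: str = "\\n") -> str:
    """Replace real newlines with a literal escape sequence (backslash-n by
    default, or backslash-r backslash-n), as happens when a PEM blob is pasted
    into a .env value, a CI secret or a JSON string."""
    return pem.rstrip("\n").replace("\n", eol)


# Flattened CSR inside a JSON document and inside a .env line (constructed inputs).
FLAT_JSON = '{"CSR": "' + flatten(PEM_CSR) + '"}'
FLAT_CRLF_ENV = "CSR=" + flatten(PEM_CSR, eol="\\r\\n")

# Header, body and footer on one line with no separator: must not match, because the
# pattern requires at least one real or literal newline after the BEGIN header.
NO_SEPARATOR = "-----BEGIN CERTIFICATE REQUEST-----MIIB-----END CERTIFICATE REQUEST-----"


def find_csr(text: str):
    """Return the (start, end) span of the first CSR match in text, or None."""
    m = CSR_PATTERN.search(text)
    return (m.start(), m.end()) if m else None


if __name__ == "__main__":
    for label, sample in [("pem", PEM_CSR), ("json", FLAT_JSON),
                          ("env-crlf", FLAT_CRLF_ENV), ("no-sep", NO_SEPARATOR)]:
        print(f"{label:8s} -> {find_csr(sample)}")
```

With the 5-dash header the match starts at offset 3, because the leading `--` in the regex is exactly two dashes and `--+` only appears after the header text, which is consistent with the offsets reported in the validation list above.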


felickz commented Oct 3, 2025

@copilot try again... make sure you consider the use case with inline .env style \r\n 's - “Flattened” keys where someone replaced newlines with the literal characters \n (common in CI secrets, .env files, JSON, or shell scripts).

Ex: \[nr]: a literal backslash followed by n or r (matching the two‑character sequences \n or \r in the raw text) OR
[\r\n]: actual carriage return or line feed characters.


Copilot AI commented Oct 3, 2025

@copilot try again... make sure you consider the use case with inline .env style \r\n 's - “Flattened” keys where someone replaced newlines with the literal characters \n (common in CI secrets, ....

Done! The CSR pattern now properly handles both use cases:

  1. Actual newlines - Standard CSR files with real line breaks (\r\n or \n)
  2. Literal escaped sequences - Flattened keys with the two-character sequences \n or \r (common in .env files, CI secrets, JSON, shell scripts)

The pattern uses (\\[nr]|[\r\n])+ which matches:

  • \\[nr] - literal backslash followed by n or r
  • [\r\n] - actual carriage return or line feed characters

Verified with comprehensive tests including real CSR files, flattened format, JSON format, and .env format. All tests pass.

Commit: 2f84a3a

@Copilot Copilot AI changed the title [WIP] Add pattern request for certificate signing requests Add Certificate Signing Request (CSR) pattern with support for flattened keys Oct 3, 2025
Copilot finished work on behalf of felickz October 3, 2025 16:34