# GitHub access tokens (blank placeholder here). These are live credentials
# once filled in: keep the populated file out of version control.
github_access_tokens:
- ''

# Slack webhook URL (blank placeholder here). Holding the URL is enough to
# post to the channel, so treat it as a secret; the 'Slack Webhook' signature
# in this file flags exactly this kind of value.
slack_webhook: ''

# File extensions on the blacklist.
blacklisted_extensions:
- '.exe'
- '.jpg'
- '.jpeg'
- '.png'
- '.gif'
- '.bmp'
- '.tiff'
- '.tif'
- '.psd'
- '.xcf'
- '.zip'
- '.tar.gz'
- '.ttf'
- '.lock'

# Path fragments on the blacklist.
# Use {sep} for the OS path separator (i.e. / or \).
blacklisted_paths:
- 'node_modules{sep}'
- 'vendor{sep}bundle'
- 'vendor{sep}cache'

# Additional extensions to skip entropy checks.
# NOTE(review): 'id_rsa' carries no leading dot, unlike its neighbours;
# confirm how the consumer compares these entries.
blacklisted_entropy_extensions:
- '.pem'
- 'id_rsa'
- '.asc'
- '.ovpn'
- '.sqlite'
- '.sqlite3'
# Detection signatures. Each entry names the part of a file it inspects
# (`part`), the value to look for (`match` here; other entries in this list
# use `regex`), and the label reported on a hit (`name`).
# The entries below use `match`, presumably a literal comparison; confirm
# against the consumer.
signatures:
- part: extension
  match: '.pem'
  name: 'Potential cryptographic private key'
- part: extension
  match: '.log'
  name: 'Log file'
- part: extension
  match: '.pkcs12'
  name: 'Potential cryptographic key bundle'
- part: extension
  match: '.p12'
  name: 'Potential cryptographic key bundle'
- part: extension
  match: '.pfx'
  name: 'Potential cryptographic key bundle'
- part: extension
  match: '.asc'
  name: 'Potential cryptographic key bundle'
- part: filename
  match: 'otr.private_key'
  name: 'Pidgin OTR private key'
- part: extension
  match: '.ovpn'
  name: 'OpenVPN client configuration file'
- part: extension
  match: '.cscfg'
  name: 'Azure service configuration schema file'
- part: extension
  match: '.rdp'
  name: 'Remote Desktop connection file'
- part: extension
  match: '.mdf'
  name: 'Microsoft SQL database file'
- part: extension
  match: '.sdf'
  name: 'Microsoft SQL server compact database file'
- part: extension
  match: '.sqlite'
  name: 'SQLite database file'
- part: extension
  match: '.sqlite3'
  name: 'SQLite3 database file'
- part: extension
  match: '.bek'
  name: 'Microsoft BitLocker recovery key file'
- part: extension
  match: '.tpm'
  name: 'Microsoft BitLocker Trusted Platform Module password file'
- part: extension
  match: '.fve'
  name: 'Windows BitLocker full volume encrypted data file'
- part: extension
  match: '.jks'
  name: 'Java keystore file'
- part: extension
  match: '.psafe3'
  name: 'Password Safe database file'
- part: filename
  match: 'secret_token.rb'
  name: 'Ruby On Rails secret token configuration file'
- part: filename
  match: 'carrierwave.rb'
  name: 'Carrierwave configuration file'
- part: filename
  match: 'database.yml'
  name: 'Potential Ruby On Rails database configuration file'
- part: filename
  match: 'omniauth.rb'
  name: 'OmniAuth configuration file'
- part: filename
  match: 'settings.py'
  name: 'Django configuration file'
- part: extension
  match: '.agilekeychain'
  name: '1Password password manager database file'
- part: extension
  match: '.keychain'
  name: 'Apple Keychain database file'
- part: extension
  match: '.pcap'
  name: 'Network traffic capture file'
- part: extension
  match: '.gnucash'
  name: 'GnuCash database file'
- part: filename
  match: 'jenkins.plugins.publish_over_ssh.BapSshPublisherPlugin.xml'
  name: 'Jenkins publish over SSH plugin file'
- part: filename
  match: 'credentials.xml'
  name: 'Potential Jenkins credentials file'
- part: extension
  match: '.kwallet'
  name: 'KDE Wallet Manager database file'
- part: filename
  match: 'LocalSettings.php'
  name: 'Potential MediaWiki configuration file'
- part: extension
  match: '.tblk'
  name: 'Tunnelblick VPN configuration file'
- part: filename
  match: 'Favorites.plist'
  name: 'Sequel Pro MySQL database manager bookmark file'
- part: filename
  match: 'configuration.user.xpl'
  name: 'Little Snitch firewall configuration file'
- part: extension
  match: '.dayone'
  name: 'Day One journal file'
- part: filename
  match: 'journal.txt'
  name: 'Potential jrnl journal file'
- part: filename
  match: 'knife.rb'
  name: 'Chef Knife configuration file'
- part: filename
  match: 'proftpdpasswd'
  name: 'cPanel backup ProFTPd credentials file'
- part: filename
  match: 'robomongo.json'
  name: 'Robomongo MongoDB manager configuration file'
- part: filename
  match: 'filezilla.xml'
  name: 'FileZilla FTP configuration file'
- part: filename
  match: 'recentservers.xml'
  name: 'FileZilla FTP recent servers file'
- part: filename
  match: 'ventrilo_srv.ini'
  name: 'Ventrilo server configuration file'
- part: filename
  match: 'terraform.tfvars'
  name: 'Terraform variable config file'
- part: filename
  match: '.exports'
  name: 'Shell configuration file'
- part: filename
  match: '.functions'
  name: 'Shell configuration file'
- part: filename
  match: '.extra'
  name: 'Shell configuration file'
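# Regex signatures applied to a file's name, path or extension.
#
# Extension patterns below accept an optional leading dot (`^\.?`). The
# literal extension entries in this file are written with the dot ('.pem'),
# while these patterns were anchored without it ('^key...'), so one of the two
# forms could never fire. Accepting both keeps the rule working either way.
# NOTE(review): confirm which form the matcher actually passes in.
- part: filename
  regex: '^.*_rsa$'
  name: 'Private SSH key'
- part: filename
  regex: '^.*_dsa$'
  name: 'Private SSH key'
- part: filename
  regex: '^.*_ed25519$'
  name: 'Private SSH key'
- part: filename
  regex: '^.*_ecdsa$'
  name: 'Private SSH key'
- part: path
  regex: '\.?ssh/config$'
  name: 'SSH configuration file'
- part: extension
  regex: '^\.?key(pair)?$'
  name: 'Potential cryptographic private key'
- part: filename
  regex: '^\.?(bash_|zsh_|sh_|z)?history$'
  name: 'Shell command history file'
- part: filename
  regex: '^\.?mysql_history$'
  name: 'MySQL client command history file'
- part: filename
  regex: '^\.?psql_history$'
  name: 'PostgreSQL client command history file'
- part: filename
  regex: '^\.?pgpass$'
  name: 'PostgreSQL password file'
- part: filename
  regex: '^\.?irb_history$'
  name: 'Ruby IRB console history file'
- part: path
  regex: '\.?purple/accounts\.xml$'
  name: 'Pidgin chat client account configuration file'
- part: path
  regex: '\.?xchat2?/servlist_?\.conf$'
  name: 'Hexchat/XChat IRC client server list configuration file'
- part: path
  regex: '\.?irssi/config$'
  name: 'Irssi IRC client configuration file'
- part: path
  regex: '\.?recon-ng/keys\.db$'
  name: 'Recon-ng web reconnaissance framework API key database'
# Dot before "xml" escaped; unescaped it matched any character.
- part: filename
  regex: '^\.?dbeaver-data-sources\.xml$'
  name: 'DBeaver SQL database manager configuration file'
- part: filename
  regex: '^\.?muttrc$'
  name: 'Mutt e-mail client configuration file'
- part: filename
  regex: '^\.?s3cfg$'
  name: 'S3cmd configuration file'
- part: path
  regex: '\.?aws/credentials$'
  name: 'AWS CLI credentials file'
- part: filename
  regex: '^sftp-config(\.json)?$'
  name: 'SFTP connection configuration file'
- part: filename
  regex: '^\.?trc$'
  name: 'T command-line Twitter client configuration file'
- part: filename
  regex: '^\.?(bash|zsh|csh)rc$'
  name: 'Shell configuration file'
- part: filename
  regex: '^\.?(bash_|zsh_)?profile$'
  name: 'Shell profile configuration file'
- part: filename
  regex: '^\.?(bash_|zsh_)?aliases$'
  name: 'Shell command alias configuration file'
- part: filename
  regex: 'config(\.inc)?\.php$'
  name: 'PHP configuration file'
- part: extension
  regex: '^\.?key(store|ring)$'
  name: 'GNOME Keyring database file'
- part: extension
  regex: '^\.?kdbx?$'
  name: 'KeePass password manager database file'
- part: extension
  regex: '^\.?sql(dump)?$'
  name: 'SQL dump file'
- part: filename
  regex: '^\.?htpasswd$'
  name: 'Apache htpasswd file'
- part: filename
  regex: '^(\.|_)?netrc$'
  name: 'Configuration file for auto-login process'
- part: path
  regex: '\.?gem/credentials$'
  name: 'Rubygems credentials file'
- part: filename
  regex: '^\.?tugboat$'
  name: 'Tugboat DigitalOcean management tool configuration'
# Dot before "yaml" escaped; unescaped it matched any character.
- part: path
  regex: 'doctl/config\.yaml$'
  name: 'DigitalOcean doctl command-line client configuration file'
- part: filename
  regex: '^\.?git-credentials$'
  name: 'git-credential-store helper credentials file'
- part: path
  regex: 'config/hub$'
  name: 'GitHub Hub command-line client configuration file'
- part: filename
  regex: '^\.?gitconfig$'
  name: 'Git configuration file'
- part: path
  regex: '\.?chef/(.*)\.pem$'
  name: 'Chef private key'
- part: path
  regex: 'etc/shadow$'
  name: 'Potential Linux shadow file'
- part: path
  regex: 'etc/passwd$'
  name: 'Potential Linux passwd file'
  comment: 'Contains system user information'
- part: filename
  regex: '^\.?dockercfg$'
  name: 'Docker configuration file'
- part: filename
  regex: '^\.?npmrc$'
  name: 'NPM configuration file'
- part: filename
  regex: '^\.?env$'
  name: 'Environment configuration file'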
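# Content signatures: regexes run against file contents.
#
# Every pattern is single-quoted so backslashes reach the regex engine
# unchanged; the only YAML escape in this style is '' for one apostrophe.
# Several patterns were previously escaped one level too many (written as if
# for a JSON or source-code string), which left a literal backslash in the
# regex and made the rule miss ordinary input. Others used a character class
# ([live|test]) where an alternation ((live|test)) was meant; a class matches
# a single character, so those rules could not match real keys.

# Alternation instead of a character class; the algorithm label is optional
# so unlabelled PKCS#8 headers ("-----BEGIN PRIVATE KEY-----") are caught too.
- part: contents
  regex: '-----BEGIN ((EC|RSA|DSA|OPENSSH) )?PRIVATE KEY----'
  name: 'Contains a private key'
- part: contents
  regex: '(A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'
  name: 'AWS Access Key ID Value'
# `\s` now reaches the engine as a whitespace class (was a literal backslash
# followed by "s", so `key = value` assignments never matched).
- part: contents
  regex: '(("|''|`)?((?i)aws)?_?((?i)access)_?((?i)key)?_?((?i)id)?("|''|`)?\s{0,50}(:|=>|=)\s{0,50}("|''|`)?(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}("|''|`)?)'
  name: 'AWS Access Key ID'
- part: contents
  regex: '(("|''|`)?((?i)aws)?_?((?i)account)_?((?i)id)?("|''|`)?\s{0,50}(:|=>|=)\s{0,50}("|''|`)?[0-9]{4}-?[0-9]{4}-?[0-9]{4}("|''|`)?)'
  name: 'AWS Account ID'
- part: contents
  regex: '(("|''|`)?((?i)aws)?_?((?i)secret)_?((?i)access)?_?((?i)key)?_?((?i)id)?("|''|`)?\s{0,50}(:|=>|=)\s{0,50}("|''|`)?[A-Za-z0-9/+=]{40}("|''|`)?)'
  name: 'AWS Secret Access Key'
# "session" is now required, as "access"/"account"/"secret" are in the
# sibling rules. With every name component optional, the corrected `\s` would
# make this fire on any assignment of 16+ base64-like characters.
- part: contents
  regex: '(("|''|`)?((?i)aws)?_?((?i)session)_?((?i)token)?("|''|`)?\s{0,50}(:|=>|=)\s{0,50}("|''|`)?[A-Za-z0-9/+=]{16,}("|''|`)?)'
  name: 'AWS Session Token'
- part: contents
  regex: '(?i)artifactory.{0,50}("|''|`)?[a-zA-Z0-9=]{112}("|''|`)?'
  name: 'Artifactory'
- part: contents
  regex: '(?i)codeclima.{0,50}("|''|`)?[0-9a-f]{64}("|''|`)?'
  name: 'CodeClimate'
- part: contents
  regex: 'EAACEdEose0cBA[0-9A-Za-z]+'
  name: 'Facebook access token'
- part: contents
  regex: '(("|''|`)?type("|''|`)?\s{0,50}(:|=>|=)\s{0,50}("|''|`)?service_account("|''|`)?,?)'
  name: 'Google (GCM) Service account'
# Alternation instead of a character class.
- part: contents
  regex: '(?:r|s)k_(live|test)_[0-9a-zA-Z]{24}'
  name: 'Stripe API key'
- part: contents
  regex: '[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com'
  name: 'Google OAuth Key'
# `\-` is a literal hyphen; the doubled backslash formed a range from "\" to
# "_" that excluded "-", so keys containing a hyphen were missed.
- part: contents
  regex: 'AIza[0-9A-Za-z\-_]{35}'
  name: 'Google Cloud API Key'
# `\.` is a literal dot; the doubled backslash demanded a backslash after
# "ya29", which real tokens do not contain.
- part: contents
  regex: 'ya29\.[0-9A-Za-z\-_]+'
  name: 'Google OAuth Access Token'
# Alternation instead of a character class.
- part: contents
  regex: 'sk_(live|test)_[0-9a-z]{32}'
  name: 'Picatic API key'
- part: contents
  regex: 'sq0atp-[0-9A-Za-z\-_]{22}'
  name: 'Square Access Token'
- part: contents
  regex: 'sq0csp-[0-9A-Za-z\-_]{43}'
  name: 'Square OAuth Secret'
- part: contents
  regex: 'access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}'
  name: 'PayPal/Braintree Access Token'
- part: contents
  regex: 'amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
  name: 'Amazon MWS Auth Token'
- part: contents
  regex: 'SK[0-9a-fA-F]{32}'
  name: 'Twilo API Key'
- part: contents
  regex: 'key-[0-9a-zA-Z]{32}'
  name: 'MailGun API Key'
# The data-centre suffix is one or two digits ("-us6", "-us12"); the previous
# `{12}` demanded exactly twelve digits and so never matched a real key.
- part: contents
  regex: '[0-9a-f]{32}-us[0-9]{1,2}'
  name: 'MailChimp API Key'
# NOTE(review): the "|" inside the class is a literal pipe, not alternation.
# Kept as-is because dropping it would narrow what is flagged. An unquoted
# password with no later quote or pipe on the line is not caught by this rule.
- part: contents
  regex: 'sshpass -p.*[''|"]'
  name: 'SSH Password'
# Doubled backslashes removed (they required literal backslashes in the URL)
# and the second dot of the hostname escaped.
- part: contents
  regex: '(https://outlook\.office\.com/webhook/[0-9a-f-]{36}@)'
  name: 'Outlook team'
- part: contents
  regex: '(?i)sauce.{0,50}("|''|`)?[0-9a-f-]{36}("|''|`)?'
  name: 'Sauce Token'
- part: contents
  regex: '(xox[pboa]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})'
  name: 'Slack Token'
# Hostname dots escaped so they match only a literal ".".
- part: contents
  regex: 'https://hooks\.slack\.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}'
  name: 'Slack Webhook'
- part: contents
  regex: '(?i)sonar.{0,50}("|''|`)?[0-9a-f]{40}("|''|`)?'
  name: 'SonarQube Docs API Key'
- part: contents
  regex: '(?i)hockey.{0,50}("|''|`)?[0-9a-f]{32}("|''|`)?'
  name: 'HockeyApp'
- part: contents
  regex: '([\w+]{1,24})(://)([^$<]{1})([^\s";]{1,}):([^$<]{1})([^\s";]{1,})@[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,24}([^\s]+)'
  name: 'Username and password in URI'
- part: contents
  regex: 'oy2[a-z0-9]{43}'
  name: 'NuGet API Key'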