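# GitHub API access tokens used by the scanner. Supply them at deploy time
# (secret store or an untracked local copy of this file); a committed token
# here would itself be a leaked credential.
github_access_tokens:
- ''

# URL to which the payload is POSTed. The payload carries details of each
# finding, so point it at an HTTPS endpoint with a restricted audience.
webhook: ''

# This default payload will work for Slack and MatterMost.
# Consult your webhook API for additional configurations.
# The body of a block scalar must be indented deeper than its key.
# NOTE(review): "%s" is presumably replaced with the finding text - confirm
# that the consumer JSON-escapes it before substitution.
webhook_payload: |
  {
    "text": "%s"
  }

# Skip matches containing any of these strings (case insensitive).
blacklisted_strings: ["AKIAIOSFODNN7EXAMPLE", "username:password", "sshpass -p $SSH_PASS"]

# File extensions excluded by the scanner.
blacklisted_extensions: [".exe", ".jpg", ".jpeg", ".png", ".gif", ".bmp", ".tiff", ".tif", ".psd", ".xcf", ".zip", ".tar.gz", ".ttf", ".lock"]

# Use {sep} for the OS path separator (i.e. / or \).
blacklisted_paths: ["node_modules{sep}", "vendor{sep}bundle", "vendor{sep}cache"]

# Additional extensions to skip entropy checks.
# Several of these (.pem, .asc, .ovpn, .sqlite, .sqlite3, .log) are also
# covered by extension signatures below.
blacklisted_entropy_extensions: [".pem", "id_rsa", ".asc", ".ovpn", ".sqlite", ".sqlite3", ".log"]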
# Detection signatures. Every entry selects the `part` of a file to inspect
# (extension, filename, path or contents), gives either a literal `match`
# or a `regex`, and a human-readable `name` for the finding.
signatures:
# Literal extension / filename rules.
# NOTE(review): `match` is presumably an exact comparison against the
# selected part - confirm against the scanner's matching code.

# Key material and certificate bundles
- part: 'extension'
  match: '.pem'
  name: 'Potential cryptographic private key'
- part: 'extension'
  match: '.log'
  name: 'Log file'
- part: 'extension'
  match: '.pkcs12'
  name: 'Potential cryptographic key bundle'
- part: 'extension'
  match: '.p12'
  name: 'Potential cryptographic key bundle'
- part: 'extension'
  match: '.pfx'
  name: 'Potential cryptographic key bundle'
- part: 'extension'
  match: '.asc'
  name: 'Potential cryptographic key bundle'
- part: 'filename'
  match: 'otr.private_key'
  name: 'Pidgin OTR private key'

# VPN, cloud and remote-access configuration
- part: 'extension'
  match: '.ovpn'
  name: 'OpenVPN client configuration file'
- part: 'extension'
  match: '.cscfg'
  name: 'Azure service configuration schema file'
- part: 'extension'
  match: '.rdp'
  name: 'Remote Desktop connection file'

# Database files
- part: 'extension'
  match: '.mdf'
  name: 'Microsoft SQL database file'
- part: 'extension'
  match: '.sdf'
  name: 'Microsoft SQL server compact database file'
- part: 'extension'
  match: '.sqlite'
  name: 'SQLite database file'
- part: 'extension'
  match: '.sqlite3'
  name: 'SQLite3 database file'

# Disk-encryption artefacts, keystores and password safes
- part: 'extension'
  match: '.bek'
  name: 'Microsoft BitLocker recovery key file'
- part: 'extension'
  match: '.tpm'
  name: 'Microsoft BitLocker Trusted Platform Module password file'
- part: 'extension'
  match: '.fve'
  name: 'Windows BitLocker full volume encrypted data file'
- part: 'extension'
  match: '.jks'
  name: 'Java keystore file'
- part: 'extension'
  match: '.psafe3'
  name: 'Password Safe database file'

# Web-framework configuration files
- part: 'filename'
  match: 'secret_token.rb'
  name: 'Ruby On Rails secret token configuration file'
- part: 'filename'
  match: 'carrierwave.rb'
  name: 'Carrierwave configuration file'
- part: 'filename'
  match: 'database.yml'
  name: 'Potential Ruby On Rails database configuration file'
- part: 'filename'
  match: 'omniauth.rb'
  name: 'OmniAuth configuration file'
- part: 'filename'
  match: 'settings.py'
  name: 'Django configuration file'

# Desktop credential stores, captures and personal data
- part: 'extension'
  match: '.agilekeychain'
  name: '1Password password manager database file'
- part: 'extension'
  match: '.keychain'
  name: 'Apple Keychain database file'
- part: 'extension'
  match: '.pcap'
  name: 'Network traffic capture file'
- part: 'extension'
  match: '.gnucash'
  name: 'GnuCash database file'
- part: 'filename'
  match: 'jenkins.plugins.publish_over_ssh.BapSshPublisherPlugin.xml'
  name: 'Jenkins publish over SSH plugin file'
- part: 'filename'
  match: 'credentials.xml'
  name: 'Potential Jenkins credentials file'
- part: 'extension'
  match: '.kwallet'
  name: 'KDE Wallet Manager database file'
- part: 'filename'
  match: 'LocalSettings.php'
  name: 'Potential MediaWiki configuration file'
- part: 'extension'
  match: '.tblk'
  name: 'Tunnelblick VPN configuration file'
- part: 'filename'
  match: 'Favorites.plist'
  name: 'Sequel Pro MySQL database manager bookmark file'
- part: 'filename'
  match: 'configuration.user.xpl'
  name: 'Little Snitch firewall configuration file'
- part: 'extension'
  match: '.dayone'
  name: 'Day One journal file'
- part: 'filename'
  match: 'journal.txt'
  name: 'Potential jrnl journal file'

# Operations and client tooling
- part: 'filename'
  match: 'knife.rb'
  name: 'Chef Knife configuration file'
- part: 'filename'
  match: 'proftpdpasswd'
  name: 'cPanel backup ProFTPd credentials file'
- part: 'filename'
  match: 'robomongo.json'
  name: 'Robomongo MongoDB manager configuration file'
- part: 'filename'
  match: 'filezilla.xml'
  name: 'FileZilla FTP configuration file'
- part: 'filename'
  match: 'recentservers.xml'
  name: 'FileZilla FTP recent servers file'
- part: 'filename'
  match: 'ventrilo_srv.ini'
  name: 'Ventrilo server configuration file'
- part: 'filename'
  match: 'terraform.tfvars'
  name: 'Terraform variable config file'

# Shell dotfiles
- part: 'filename'
  match: '.exports'
  name: 'Shell configuration file'
- part: 'filename'
  match: '.functions'
  name: 'Shell configuration file'
- part: 'filename'
  match: '.extra'
  name: 'Shell configuration file'
# Regex rules on filename, path and extension.
# NOTE(review): the `extension` regexes in this group carry no leading dot
# ('^kdbx?$'), whereas literal `match` rules in this file do ('.pem') -
# confirm how the scanner normalises extensions before comparing.
# NOTE(review): the `path` regexes in this group assume '/' as separator;
# other path rules in this file accept both with '[\\\/]'. Confirm whether
# paths are normalised, otherwise these rules miss Windows-style paths.

# SSH key material and configuration
- part: 'filename'
  regex: '^.*_rsa$'
  name: 'Private SSH key'
- part: 'filename'
  regex: '^.*_dsa$'
  name: 'Private SSH key'
- part: 'filename'
  regex: '^.*_ed25519$'
  name: 'Private SSH key'
- part: 'filename'
  regex: '^.*_ecdsa$'
  name: 'Private SSH key'
- part: 'path'
  regex: '\.?ssh/config$'
  name: 'SSH configuration file'
- part: 'extension'
  regex: '^key(pair)?$'
  name: 'Potential cryptographic private key'

# Command histories and database client files
- part: 'filename'
  regex: '^\.?(bash_|zsh_|sh_|z)?history$'
  name: 'Shell command history file'
- part: 'filename'
  regex: '^\.?mysql_history$'
  name: 'MySQL client command history file'
- part: 'filename'
  regex: '^\.?psql_history$'
  name: 'PostgreSQL client command history file'
- part: 'filename'
  regex: '^\.?pgpass$'
  name: 'PostgreSQL password file'
- part: 'filename'
  regex: '^\.?irb_history$'
  name: 'Ruby IRB console history file'

# Chat, IRC and reconnaissance tooling
- part: 'path'
  regex: '\.?purple/accounts\.xml$'
  name: 'Pidgin chat client account configuration file'
- part: 'path'
  regex: '\.?xchat2?/servlist_?\.conf$'
  name: 'Hexchat/XChat IRC client server list configuration file'
- part: 'path'
  regex: '\.?irssi/config$'
  name: 'Irssi IRC client configuration file'
- part: 'path'
  regex: '\.?recon-ng/keys\.db$'
  name: 'Recon-ng web reconnaissance framework API key database'

# Client and cloud CLI configuration
# The '.' before 'xml' in the DBeaver rule is unescaped and matches any
# character.
- part: 'filename'
  regex: '^\.?dbeaver-data-sources.xml$'
  name: 'DBeaver SQL database manager configuration file'
- part: 'filename'
  regex: '^\.?muttrc$'
  name: 'Mutt e-mail client configuration file'
- part: 'filename'
  regex: '^\.?s3cfg$'
  name: 'S3cmd configuration file'
- part: 'path'
  regex: '\.?aws/credentials$'
  name: 'AWS CLI credentials file'
- part: 'filename'
  regex: '^sftp-config(\.json)?$'
  name: 'SFTP connection configuration file'
- part: 'filename'
  regex: '^\.?trc$'
  name: 'T command-line Twitter client configuration file'

# Shell start-up files
- part: 'filename'
  regex: '^\.?(bash|zsh|csh)rc$'
  name: 'Shell configuration file'
- part: 'filename'
  regex: '^\.?(bash_|zsh_)?profile$'
  name: 'Shell profile configuration file'
- part: 'filename'
  regex: '^\.?(bash_|zsh_)?aliases$'
  name: 'Shell command alias configuration file'

# Application configuration, keyrings and dumps
# The PHP rule has no leading '^', so any filename ending in config.php or
# config.inc.php matches.
- part: 'filename'
  regex: 'config(\.inc)?\.php$'
  name: 'PHP configuration file'
- part: 'extension'
  regex: '^key(store|ring)$'
  name: 'GNOME Keyring database file'
- part: 'extension'
  regex: '^kdbx?$'
  name: 'KeePass password manager database file'
- part: 'extension'
  regex: '^sql(dump)?$'
  name: 'SQL dump file'

# Stored credentials for web servers, package registries and git
- part: 'filename'
  regex: '^\.?htpasswd$'
  name: 'Apache htpasswd file'
- part: 'filename'
  regex: '^(\.|_)?netrc$'
  name: 'Configuration file for auto-login process'
- part: 'path'
  regex: '\.?gem/credentials$'
  name: 'Rubygems credentials file'
- part: 'filename'
  regex: '^\.?tugboat$'
  name: 'Tugboat DigitalOcean management tool configuration'
- part: 'path'
  regex: 'doctl/config.yaml$'
  name: 'DigitalOcean doctl command-line client configuration file'
- part: 'filename'
  regex: '^\.?git-credentials$'
  name: 'git-credential-store helper credentials file'
- part: 'path'
  regex: 'config/hub$'
  name: 'GitHub Hub command-line client configuration file'
- part: 'filename'
  regex: '^\.?gitconfig$'
  name: 'Git configuration file'
- part: 'path'
  regex: '\.?chef/(.*)\.pem$'
  name: 'Chef private key'

# System account files
# These two rules are anchored only at the end, so any path ending in
# etc/shadow or etc/passwd matches.
- part: 'path'
  regex: 'etc/shadow$'
  name: 'Potential Linux shadow file'
- part: 'path'
  regex: 'etc/passwd$'
  name: 'Potential Linux passwd file'
  comment: 'Contains system user information'

# Container, package-manager and environment files
- part: 'filename'
  regex: '^\.?dockercfg$'
  name: 'Docker configuration file'
- part: 'filename'
  regex: '^\.?npmrc$'
  name: 'NPM configuration file'
- part: 'filename'
  regex: '^\.?env$'
  name: 'Environment configuration file'
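# Content rules: provider-specific token and credential patterns.
#
# Escaping reminder for this group:
#   * single-quoted YAML passes backslashes through unchanged, so '\.' is
#     the regex escape for a literal dot and '\\.' is a literal backslash
#     followed by any character;
#   * double-quoted YAML halves backslashes, so "\\s" reaches the regex
#     engine as \s and "\\\\s" as a literal backslash followed by 's'.
# Rules that were over-escaped could never match ordinary source text and
# are corrected below.

# AWS
# NOTE(review): this prefix list omits AIDA, which the keyed 'AWS Access
# Key ID' rule includes - confirm whether that is intentional.
- part: 'contents'
  regex: '(A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'
  name: 'AWS Access Key ID Value'
# "\\\\s" -> "\\s": whitespace around the assignment operator, not a
# literal backslash. The same correction applies to the next three rules
# and to the Google service-account rule.
- part: 'contents'
  regex: "((\\\"|'|`)?((?i)aws)?_?((?i)access)_?((?i)key)?_?((?i)id)?(\\\"|'|`)?\\s{0,50}(:|=>|=)\\s{0,50}(\\\"|'|`)?(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}(\\\"|'|`)?)"
  name: 'AWS Access Key ID'
- part: 'contents'
  regex: "((\\\"|'|`)?((?i)aws)?_?((?i)account)_?((?i)id)?(\\\"|'|`)?\\s{0,50}(:|=>|=)\\s{0,50}(\\\"|'|`)?[0-9]{4}-?[0-9]{4}-?[0-9]{4}(\\\"|'|`)?)"
  name: 'AWS Account ID'
- part: 'contents'
  regex: "((\\\"|'|`)?((?i)aws)?_?((?i)secret)_?((?i)access)?_?((?i)key)?_?((?i)id)?(\\\"|'|`)?\\s{0,50}(:|=>|=)\\s{0,50}(\\\"|'|`)?[A-Za-z0-9/+=]{40}(\\\"|'|`)?)"
  name: 'AWS Secret Access Key'
# 'session' is now mandatory, mirroring the required keyword in the
# sibling rules. With every keyword optional, the corrected whitespace
# handling would flag any assignment of 16 or more base64 characters.
- part: 'contents'
  regex: "((\\\"|'|`)?((?i)aws)?_?((?i)session)_?((?i)token)?(\\\"|'|`)?\\s{0,50}(:|=>|=)\\s{0,50}(\\\"|'|`)?[A-Za-z0-9/+=]{16,}(\\\"|'|`)?)"
  name: 'AWS Session Token'

# Build, CI and code-quality services
- part: 'contents'
  regex: "(?i)artifactory.{0,50}(\\\"|'|`)?[a-zA-Z0-9=]{112}(\\\"|'|`)?"
  name: 'Artifactory'
- part: 'contents'
  regex: "(?i)codeclima.{0,50}(\\\"|'|`)?[0-9a-f]{64}(\\\"|'|`)?"
  name: 'CodeClimate'

# Facebook, Google, Stripe
- part: 'contents'
  regex: 'EAACEdEose0cBA[0-9A-Za-z]+'
  name: 'Facebook access token'
- part: 'contents'
  regex: "((\\\"|'|`)?type(\\\"|'|`)?\\s{0,50}(:|=>|=)\\s{0,50}(\\\"|'|`)?service_account(\\\"|'|`)?,?)"
  name: 'Google (GCM) Service account'
# '[live|test]' is a character class matching ONE character, so keys of
# the form sk_live_... were never detected; '(live|test)' is the
# alternation.
- part: 'contents'
  regex: '(?:r|s)k_(live|test)_[0-9a-zA-Z]{24}'
  name: 'Stripe API key'
- part: 'contents'
  regex: '[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com'
  name: 'Google OAuth Key'
# '\\-_' inside a class is a range from backslash to underscore and
# excludes '-'; '\-_' admits hyphen and underscore as intended.
- part: 'contents'
  regex: 'AIza[0-9A-Za-z\-_]{35}'
  name: 'Google Cloud API Key'
# '\\.' required a literal backslash after 'ya29'; '\.' is a literal dot.
- part: 'contents'
  regex: 'ya29\.[0-9A-Za-z\-_]+'
  name: 'Google OAuth Access Token'

# Payment and commerce providers
# Same character-class correction as the Stripe rule.
- part: 'contents'
  regex: 'sk_(live|test)_[0-9a-z]{32}'
  name: 'Picatic API key'
- part: 'contents'
  regex: 'sq0atp-[0-9A-Za-z\-_]{22}'
  name: 'Square Access Token'
- part: 'contents'
  regex: 'sq0csp-[0-9A-Za-z\-_]{43}'
  name: 'Square OAuth Secret'
- part: 'contents'
  regex: 'access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}'
  name: 'PayPal/Braintree Access Token'
- part: 'contents'
  regex: 'amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
  name: 'Amazon MWS Auth Token'

# Messaging and e-mail providers
- part: 'contents'
  regex: 'SK[0-9a-fA-F]{32}'
  name: 'Twilo API Key'
- part: 'contents'
  regex: 'SG\.[0-9A-Za-z\-_]{22}\.[0-9A-Za-z\-_]{43}'
  name: 'SendGrid API Key'
- part: 'contents'
  regex: 'key-[0-9a-zA-Z]{32}'
  name: 'MailGun API Key'
- part: 'contents'
  regex: '[0-9a-f]{32}-us[0-9]{12}'
  name: 'MailChimp API Key'

# Inline passwords and webhooks
# The bracket class here contains a literal '|' besides the two quote
# characters.
- part: 'contents'
  regex: "sshpass -p.*['|\\\"]"
  name: 'SSH Password'
# The doubled backslashes required literal '\' characters inside the URL,
# so no real webhook URL could match.
- part: 'contents'
  regex: '(https://outlook\.office\.com/webhook/[0-9a-f-]{36}@)'
  name: 'Outlook team'
- part: 'contents'
  regex: "(?i)sauce.{0,50}(\\\"|'|`)?[0-9a-f-]{36}(\\\"|'|`)?"
  name: 'Sauce Token'
- part: 'contents'
  regex: '(xox[pboa]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})'
  name: 'Slack Token'
- part: 'contents'
  regex: 'https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}'
  name: 'Slack Webhook'
- part: 'contents'
  regex: "(?i)sonar.{0,50}(\\\"|'|`)?[0-9a-f]{40}(\\\"|'|`)?"
  name: 'SonarQube Docs API Key'
- part: 'contents'
  regex: "(?i)hockey.{0,50}(\\\"|'|`)?[0-9a-f]{32}(\\\"|'|`)?"
  name: 'HockeyApp'

# Generic and package-registry credentials
- part: 'contents'
  regex: '([\w+]{1,24})(://)([^$<]{1})([^\s";]{1,}):([^$<]{1})([^\s";/]{1,})@[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,24}([^\s]+)'
  name: 'Username and password in URI'
- part: 'contents'
  regex: 'oy2[a-z0-9]{43}'
  name: 'NuGet API Key'
- part: 'contents'
  regex: 'hawk\.[0-9A-Za-z\-_]{20}\.[0-9A-Za-z\-_]{20}'
  name: 'StackHawk API Key'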
# Additional literal extension / filename rules
- part: 'extension'
  match: '.ppk'
  name: 'Potential PuTTYgen private key'
- part: 'filename'
  match: 'heroku.json'
  name: 'Heroku config file'
- part: 'extension'
  match: '.sqldump'
  name: 'SQL Data dump file'
- part: 'filename'
  match: 'dump.sql'
  name: 'MySQL dump w/ bcrypt hashes'
# A public key is not secret by itself; triage hits on this rule
# accordingly.
- part: 'filename'
  match: 'id_rsa_pub'
  name: 'Public ssh key'
- part: 'filename'
  match: 'mongoid.yml'
  name: 'Mongoid config file'
- part: 'filename'
  match: 'salesforce.js'
  name: 'Salesforce credentials in a nodejs project'
- part: 'extension'
  match: '.netrc'
  name: 'netrc with SMTP credentials'

# Editor and deployment plug-in files (regex)
# NOTE(review): the dots in these four patterns are unescaped and match
# any character, and 'json?' makes the final 'n' optional - confirm
# whether '\.' and a plain 'json' were intended.
- part: 'filename'
  regex: '.remote-sync.json$'
  name: 'Created by remote-sync for Atom, contains FTP and/or SCP/SFTP/SSH server details and credentials'
- part: 'filename'
  regex: '.esmtprc$'
  name: 'esmtp configuration'
- part: 'filename'
  regex: '^deployment-config.json?$'
  name: 'Created by sftp-deployment for Atom, contains server details and credentials'
- part: 'filename'
  regex: '.ftpconfig$'
  name: 'Created by sftp-deployment for Atom, contains server details and credentials'
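# Content rules: private-key headers and keyword-anchored secrets.

# The algorithm label is optional so that unlabelled PKCS#8 headers
# ('-----BEGIN PRIVATE KEY') and '-----BEGIN ENCRYPTED PRIVATE KEY' are
# reported too. Every header the previous pattern matched still matches.
- part: 'contents'
  regex: '-----BEGIN ((EC|RSA|DSA|OPENSSH|PGP|ENCRYPTED) )?PRIVATE KEY'
  name: 'Contains a private key'

# In single-quoted YAML, '' is one apostrophe. The bracket classes in this
# rule therefore hold an apostrophe, a literal '|' and a double quote.
- part: 'contents'
  regex: 'define(.{0,20})?(DB_CHARSET|NONCE_SALT|LOGGED_IN_SALT|AUTH_SALT|NONCE_KEY|DB_HOST|DB_PASSWORD|AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|DB_NAME|DB_USER)(.{0,20})?[''|"].{10,120}[''|"]'
  name: 'WP-Config'
- part: 'contents'
  regex: '(?i)(aws_access_key_id|aws_secret_access_key)(.{0,20})?=.[0-9a-zA-Z\/+]{20,40}'
  name: 'AWS cred file info'

# Keyword followed, within 20 characters, by a quoted value of the given
# length. '(?-i)' switches case-insensitivity off for the value part.
- part: 'contents'
  regex: '(?i)(facebook|fb)(.{0,20})?(?-i)[''\"][0-9a-f]{32}[''\"]'
  name: 'Facebook Secret Key'
- part: 'contents'
  regex: '(?i)(facebook|fb)(.{0,20})?[''\"][0-9]{13,17}[''\"]'
  name: 'Facebook Client ID'
- part: 'contents'
  regex: '(?i)twitter(.{0,20})?[''\"][0-9a-z]{35,44}[''\"]'
  name: 'Twitter Secret Key'
- part: 'contents'
  regex: '(?i)twitter(.{0,20})?[''\"][0-9a-z]{18,25}[''\"]'
  name: 'Twitter Client ID'
- part: 'contents'
  regex: '(?i)github(.{0,20})?(?-i)[''\"][0-9a-zA-Z]{35,40}[''\"]'
  name: 'Github Key'
- part: 'contents'
  regex: '(?i)heroku(.{0,20})?[''"][0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}[''"]'
  name: 'Heroku API key'
- part: 'contents'
  regex: '(?i)linkedin(.{0,20})?(?-i)[''\"][0-9a-z]{12}[''\"]'
  name: 'Linkedin Client ID'
- part: 'contents'
  regex: '(?i)linkedin(.{0,20})?[''\"][0-9a-z]{16}[''\"]'
  name: 'LinkedIn Secret Key'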
# Path rules that accept either separator: the class '[\\\/]' holds a
# backslash and a forward slash.
# NOTE(review): the dots before the file extensions are unescaped and
# match any character; the secrets.yml rule has no trailing '$', unlike
# its neighbours - confirm both are intended.

# IDE and editor plug-in credentials
- part: 'path'
  regex: '\.?idea[\\\/]WebServers.xml$'
  name: 'Created by Jetbrains IDEs, contains webserver credentials with encoded passwords (not encrypted!)'
- part: 'path'
  regex: '\.?vscode[\\\/]sftp.json$'
  name: 'Created by vscode-sftp for VSCode, contains SFTP/SSH server details and credentials'

# Rails secrets and container registry authentication
- part: 'path'
  regex: 'web[\\\/]ruby[\\\/]secrets.yml'
  name: 'Ruby on rails secrets.yml file (contains passwords)'
- part: 'path'
  regex: '\.?docker[\\\/]config.json$'
  name: 'Docker registry authentication file'
- part: 'path'
  regex: 'ruby[\\\/]config[\\\/]master.key$'
  name: 'Rails master key (used for decrypting credentials.yml.enc for Rails 5.2+)'

# Browser credential store
- part: 'path'
  regex: '\.?mozilla[\\\/]firefox[\\\/]logins.json$'
  name: 'Firefox saved password collection (can be decrypted using keys4.db)'