From bf39d608490eee1d2f154c53c93861037e383146 Mon Sep 17 00:00:00 2001
From: aegilops <41705651+aegilops@users.noreply.github.com>
Date: Fri, 21 Nov 2025 13:32:52 +0000
Subject: [PATCH 1/8] New PII patterns
---
configs/patterns.yml | 2 +-
pii/patterns.yml | 60 ++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 61 insertions(+), 1 deletion(-)
diff --git a/configs/patterns.yml b/configs/patterns.yml
index 8e34745..7b73d4a 100644
--- a/configs/patterns.yml
+++ b/configs/patterns.yml
@@ -327,7 +327,7 @@ patterns:
# non-secret related content
- ^(?i)(true|false|y(es)?|no?|on|off|0|1|nill|null|none|(\\x[a-f0-9]{2})+)$
# a path
- - '^(/|file:///|https?://[A-Za-z]:/)[A-Za-z0-9._-]{3,}+(/[a-z._-]{1,}){2,}/?$'
+ - '^(/|file:///|https?://[A-Za-z]:/)[A-Za-z0-9._-]{3,}(/[a-z._-]{1,}){2,}/?$'
comments:
- "Looks for secrets in the format of `SECRET=secret` at the start of a line, possibly with an `ENV ` or `export ` prefix"
- "Allows no whitespace in the secret, to cut false positives"
diff --git a/pii/patterns.yml b/pii/patterns.yml
index f092404..61a4f2a 100644
--- a/pii/patterns.yml
+++ b/pii/patterns.yml
@@ -257,3 +257,63 @@ patterns:
- With no validation of the checksum this can cause a lot of false positives
- The example test data does not have a valid checksum - it is one of the examples used with one digit in the checksum changed
- You can test using the correct checksum, but it is used as a NOT match here to prevent false positives on other test data
+
+ - name: US Social Security number
+ type: us_ssn
+ regex:
+ pattern: |
+ (?P00[1-9]|0[1-9][0-9]|[1-8][0-9][0-9])-(?P0[1-9]|[1-9][0-9])-(?P[0-9]{4})
+ start: |
+ \A|[^0-9A-Za-z_-]
+ end: |
+ \z|[^0-9A-Za-z_-]
+ additional_not_match:
+ - ^666-.*$
+ - ^.*-0000$
+ - ^078-05-1120$
+ test:
+ data: |
+ 123-45-6789
+ start_offset: 0
+ end_offset: 11
+ comments:
+ - There is no checksum, so where this produces false positives there is no reliable way to filter them out with post-processing
+ - This can produce false positives, since it doesn't check for all known-invalid numbers
+ - Examples include 123-45-6789 and 078-05-1120 - the latter is ignored already
+
+ - name: US Individual Taxpayer Identification Number (ITIN)
+ type: us_itin
+ regex:
+ pattern: |
+ 9[0-9][0-9]-(?:5[0-9]|6[0-5]|7[0-9]|8[0-8]|9[0-24-9])-[0-9]{4}
+ start: |
+ \A|[^0-9A-Za-z_-]
+ end: |
+ \z|[^0-9A-Za-z_-]
+ test:
+ data: |
+ 912-70-1234
+ start_offset: 0
+ end_offset: 11
+ comments:
+ - This can produce false positives, since it doesn't check for all known-invalid numbers
+ - There is no checksum, so where this produces false positives there is no reliable way to filter them out with post-processing
+
+ - name: UK National Insurance Number
+ type: uk_national_insurance_number
+ regex:
+ pattern: |
+ [A-Z]{2} ?[0-9]{2} ?[0-9]{2} ?[0-9]{2} ?[A-D]
+ start: |
+ \A|[^0-9A-Za-z]
+ end: |
+ \z|[^0-9A-Za-z]
+ additional_not_match:
+ - ^QQ ?12 ?34 ?56 ?[A-D]$
+ test:
+ data: |
+ QQ012345C
+ start_offset: 0
+ end_offset: 9
+ comments:
+ - There is no checksum, so where this produces false positives there is no reliable way to filter them out with post-processing
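Review bot: The UK National Insurance Number pattern takes any two uppercase letters as the prefix, so every `XX######[A-D]`-shaped token (reference codes, fixture IDs) will hit it, and with no checksum there is nothing to filter on afterwards; HMRC's published format rules exclude D, F, I, Q, U and V from the first letter and D, F, I, O, Q, U and V from the second, and reserve the prefixes BG, GB, KN, NK, NT, TN and ZZ, so tightening the pattern to `[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z] ?[0-9]{2} ?[0-9]{2} ?[0-9]{2} ?[A-D]` and adding not-matches for the seven reserved prefixes would cut false positives cheaply. The test vector `QQ012345C` starts with Q and would then need replacing (QQ is only the prefix used for documentation examples). Separately, the SSN pattern as shown reads `(?P00[1-9]|…)` with nothing between `(?P` and the alternation, which is a syntax error in every engine that knows `(?P<name>…)`; if the group labels were merely lost when this page was rendered, ignore this, otherwise restore them or use `(?:…)`. The NINO entry also uses `[^0-9A-Za-z]` for its start/end where the SSN and ITIN entries use `[^0-9A-Za-z_-]`; unless the difference is deliberate, the three should agree.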
From 227e642278e01d32f3d822b04ce9ea0df65ff76b Mon Sep 17 00:00:00 2001
From: aegilops <41705651+aegilops@users.noreply.github.com>
Date: Fri, 21 Nov 2025 13:47:55 +0000
Subject: [PATCH 2/8] Patterns for AWS and Azure services
---
vendors/patterns.yml | 90 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 90 insertions(+)
diff --git a/vendors/patterns.yml b/vendors/patterns.yml
index a6bc114..7166b46 100644
--- a/vendors/patterns.yml
+++ b/vendors/patterns.yml
@@ -741,3 +741,93 @@ patterns:
circle_ci_api_token: "0123456789abcdef0123456789abcdef01234567"
start_offset: 22
end_offset: 62
+
+ - name: AWS Key ID (standalone)
+ type: aws_key_id_standalone
+ description: AWS Key ID not confirmed. to be paired with a secret key
+ regex:
+ pattern: |
+ (?:A3T[A-Z0-9]|A(?:[KBS]I|CC|GP|I[DP]|N[PV]|PK|RO|SC)A)[A-Z2-7]{16}
+ start: |
+ \A|[^0-9A-Za-z+/_-]
+ end: |
+ \z|[^0-9A-Za-z=%+/_-]
+ additional_not_match:
+ - ^.*EXAMPLE$
+ test:
+ data: |
+ AWS_ACCESS_KEY_ID=AKIAIOSFODNN7AAAAAAA
+ start_offset: 22
+ comments:
+ - "This rule detects AWS Key IDs without any attempt to pair them with a secret key."
+ - "This adds to the risk of false positives, so we exclude any Key IDs that end with 'EXAMPLE' which are often used in documentation and sample code."
+ - "The built-in detection for AWS Key ID + Secret Key pairs should be preferred where possible, but this can provide push protection blocking in cases where only the Key ID is present."
+
+ - name: Azure generic key
+ type: azure_generic_key
+ description: Azure generic key - imprecise detection that does not tell you which service is affected
+ regex:
+ pattern: |
+ [A-Za-z0-9]{52}JQQJ99[AB][A-Za-z0-9]AC[A-Za-z0-9]{10}AAA[A-Za-z0-9]{9}
+ start: |
+ \A|[^A-Za-z0-9/+]
+ end: |
+ \z|[^A-Za-z0-9/+=]
+ comments:
+ - "This is an imprecise detection for Azure keys that does not identify which Azure service the key is for."
+ - "Prefer using built-in more-specific rules for Azure services where possible."
+ - "This is useful for older versions of Enterprise Server that do not already have this detection."
+
+ - name: Azure generic key (legacy)
+ type: azure_generic_key_legacy
+ description: Azure generic key - legacy format without internal identifiable features
+ regex:
+ pattern: |
+ [a-f0-9]{32}
+ start: |
+ (?i)(Ocp-Apim-Subscription-Key: |Ocp-Apim-Subscription-Key=|OcpApimSubscriptionKey=|Subscription-Key=)
+ end: |
+ \z|[^A-Za-z0-9/+=]
+ comments:
+ - "This is an imprecise detection for Azure keys that does not identify which Azure service the key is for."
+ - "The key lacks internal identifiable features, which are used in modern keys issued by these Azure services."
+
+ - name: AWS Bedrock API Key
+ type: aws_bedrock_api_key
+ description: AWS Bedrock API Key - automatic username
+ regex:
+ pattern: |
+ ABSKQmVkcm9ja0FQSUtleS[A-Za-z0-9+/]{2}([A-Za-z0-9+/]{4})+([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)
+ start: |
+ \A|[^A-Za-z0-9/+]
+ end: |
+ \z|[^A-Za-z0-9/+=]
+ test:
+ data: |
+ BedrockApiKey=ABSKQmVkcm9ja0FQSUtleSabcdEFGHijklMNOPqrstUVWXyz0123456789ABCD
+ start_offset: 14
+ end_offset: 76
+ comments:
+ - "AWS Bedrock API Keys start with the prefix 'ABSKQmVkcm9ja0FQSUtleS' followed by a base64-encoded string."
+ - "Matches AWS Bedrock keys that have an auto-generated 'BedrockAPIKey-' username."
+
+ - name: AWS Bedrock API Key (2)
+ type: aws_bedrock_api_key_2
+ description: AWS Bedrock API Key - manual username
+ regex:
+ pattern: |
+ ABSK([A-Za-z0-9+/]{4}){26,}([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)
+ start: |
+ \A|[^A-Za-z0-9/+]
+ end: |
+ \z|[^A-Za-z0-9/+=]
+ additional_not_match:
+ - ^ABSKQmVkcm9ja0FQSUtleS
+ test:
+ data: |
+ bedrock_api_key = "ABSKQmVkcm9ja0FQSUtleSabcdEFGHijklMNOPqrstUVWXyz0123456789ABCD"
+ start_offset: 19
+ end_offset: 81
+ comments:
+ - "AWS Bedrock API Keys start with the prefix 'ABSK' followed by a base64-encoded string."
+ - "This rule matches an alternative format of AWS Bedrock API Keys that do not have the auto-generated 'BedrockAPIKey-' username."
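Review bot: The `start:` of the `azure_generic_key_legacy` entry, `(?i)(Ocp-Apim-Subscription-Key: |…)`, only fires on four literal spellings with exactly one space or an `=` after the header name, so the common quoted forms — a JSON/YAML headers map such as `"Ocp-Apim-Subscription-Key": "…"`, or `Ocp-Apim-Subscription-Key = …` with spaces around the separator — go undetected, and that matters here because the `[a-f0-9]{32}` body is too generic to stand without the anchor. A superset like `(?i)(?:Ocp-?Apim-?)?Subscription-?Key["']?\s*[:=]\s*["']?` keeps all four existing spellings and picks those up; the end pattern already stops at a closing quote. Patch 6 later only makes this group non-capturing, so the gap persists there. As a minor point, the `description:` of the standalone AWS Key ID reads `AWS Key ID not confirmed. to be paired with a secret key`, a stray full stop that patch 3 copies verbatim into the README.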
From 58f9111fb9641dd76d58db1841192d9e2d6e17ee Mon Sep 17 00:00:00 2001
From: aegilops <41705651+aegilops@users.noreply.github.com>
Date: Fri, 21 Nov 2025 13:48:21 +0000
Subject: [PATCH 3/8] Updated README.md
---
README.md | 16 ++++
configs/README.md | 2 +-
pii/README.md | 155 +++++++++++++++++++++++++++++++
vendors/README.md | 227 ++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 399 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 9f2acb0..16ad5f1 100644
--- a/README.md
+++ b/README.md
@@ -101,6 +101,12 @@ Custom Secret Scanning Patterns repository.
- IBAN
- Norwegian national identity number/D number
+
+- US Social Security number
+
+- US Individual Taxpayer Identification Number (ITIN)
+
+- UK National Insurance Number
### [RSA Keys](./rsa)
@@ -206,4 +212,14 @@ Custom Secret Scanning Patterns repository.
- Azure Shared Access Signature (SAS) Token
- CircleCI API token
+
+- AWS Key ID (standalone)
+
+- Azure generic key
+
+- Azure generic key (legacy)
+
+- AWS Bedrock API Key
+
+- AWS Bedrock API Key (2)
\ No newline at end of file
diff --git a/configs/README.md b/configs/README.md
index 5fbbc22..eb5c3ae 100644
--- a/configs/README.md
+++ b/configs/README.md
@@ -639,7 +639,7 @@ Add these additional matches to the [Secret Scanning Custom Pattern](https://doc
- Not Match:
```regex
- ^(/|file:///|https?://[A-Za-z]:/)[A-Za-z0-9._-]{3,}+(/[a-z._-]{1,}){2,}/?$
+ ^(/|file:///|https?://[A-Za-z]:/)[A-Za-z0-9._-]{3,}(/[a-z._-]{1,}){2,}/?$
```
diff --git a/pii/README.md b/pii/README.md
index ce0c639..37dd5ac 100644
--- a/pii/README.md
+++ b/pii/README.md
@@ -233,4 +233,159 @@ Add these additional matches to the [Secret Scanning Custom Pattern](https://doc
1111111111[123]|11112222333|01123456978|410185 ?123 ?45|220676 ?123 ?45|01010202010|01010101023
```
+
+
+## US Social Security number
+
+
+
+_version: v0.1_
+
+**Comments / Notes:**
+
+
+- There is no checksum, so where this produces false positives there is no reliable way to filter them out with post-processing
+
+- This can produce false positives, since it doesn't check for all known-invalid numbers
+
+- Examples include 123-45-6789 and 078-05-1120 - the latter is ignored already
+
+
+
+Pattern Format
+
+```regex
+(?P00[1-9]|0[1-9][0-9]|[1-8][0-9][0-9])-(?P0[1-9]|[1-9][0-9])-(?P[0-9]{4})
+```
+
+
+
+
+Start Pattern
+
+```regex
+\A|[^0-9A-Za-z_-]
+```
+
+
+End Pattern
+
+```regex
+\z|[^0-9A-Za-z_-]
+```
+
+
+
+
+Additional Matches
+
+Add these additional matches to the [Secret Scanning Custom Pattern](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#example-of-a-custom-pattern-specified-using-additional-requirements).
+
+
+- Not Match:
+
+ ```regex
+ ^666-.*$
+ ```
+- Not Match:
+
+ ```regex
+ ^.*-0000$
+ ```
+- Not Match:
+
+ ```regex
+ ^078-05-1120$
+ ```
+
+
+
+## US Individual Taxpayer Identification Number (ITIN)
+
+
+
+_version: v0.1_
+
+**Comments / Notes:**
+
+
+- This can produce false positives, since it doesn't check for all known-invalid numbers
+
+- There is no checksum, so where this produces false positives there is no reliable way to filter them out with post-processing
+
+
+
+Pattern Format
+
+```regex
+9[0-9][0-9]-(?:5[0-9]|6[0-5]|7[0-9]|8[0-8]|9[0-24-9])-[0-9]{4}
+```
+
+
+
+
+Start Pattern
+
+```regex
+\A|[^0-9A-Za-z_-]
+```
+
+
+End Pattern
+
+```regex
+\z|[^0-9A-Za-z_-]
+```
+
+
+
+## UK National Insurance Number
+
+
+
+_version: v0.1_
+
+**Comments / Notes:**
+
+
+- There is no checksum, so where this produces false positives there is no reliable way to filter them out with post-processing
+
+
+
+Pattern Format
+
+```regex
+[A-Z]{2} ?[0-9]{2} ?[0-9]{2} ?[0-9]{2} ?[A-D]
+```
+
+
+
+
+Start Pattern
+
+```regex
+\A|[^0-9A-Za-z]
+```
+
+
+End Pattern
+
+```regex
+\z|[^0-9A-Za-z]
+```
+
+
+
+
+Additional Matches
+
+Add these additional matches to the [Secret Scanning Custom Pattern](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#example-of-a-custom-pattern-specified-using-additional-requirements).
+
+
+- Not Match:
+
+ ```regex
+ ^QQ ?12 ?34 ?56 ?[A-D]$
+ ```
+
\ No newline at end of file
diff --git a/vendors/README.md b/vendors/README.md
index eed07b4..3e96958 100644
--- a/vendors/README.md
+++ b/vendors/README.md
@@ -1550,4 +1550,231 @@ _version: v0.1_
['"`\r\n,]|\z
```
+
+
+## AWS Key ID (standalone)
+
+
+AWS Key ID not confirmed. to be paired with a secret key
+_version: v0.1_
+
+**Comments / Notes:**
+
+
+- This rule detects AWS Key IDs without any attempt to pair them with a secret key.
+
+- This adds to the risk of false positives, so we exclude any Key IDs that end with 'EXAMPLE' which are often used in documentation and sample code.
+
+- The built-in detection for AWS Key ID + Secret Key pairs should be preferred where possible, but this can provide push protection blocking in cases where only the Key ID is present.
+
+
+
+Pattern Format
+
+```regex
+(?:A3T[A-Z0-9]|A(?:[KBS]I|CC|GP|I[DP]|N[PV]|PK|RO|SC)A)[A-Z2-7]{16}
+```
+
+
+
+
+Start Pattern
+
+```regex
+\A|[^0-9A-Za-z+/_-]
+```
+
+
+End Pattern
+
+```regex
+\z|[^0-9A-Za-z=%+/_-]
+```
+
+
+
+
+Additional Matches
+
+Add these additional matches to the [Secret Scanning Custom Pattern](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#example-of-a-custom-pattern-specified-using-additional-requirements).
+
+
+- Not Match:
+
+ ```regex
+ ^.*EXAMPLE$
+ ```
+
+
+
+## Azure generic key
+
+
+Azure generic key - imprecise detection that does not tell you which service is affected
+_version: v0.1_
+
+**Comments / Notes:**
+
+
+- This is an imprecise detection for Azure keys that does not identify which Azure service the key is for.
+
+- Prefer using built-in more-specific rules for Azure services where possible.
+
+- This is useful for older versions of Enterprise Server that do not already have this detection.
+
+
+
+Pattern Format
+
+```regex
+[A-Za-z0-9]{52}JQQJ99[AB][A-Za-z0-9]AC[A-Za-z0-9]{10}AAA[A-Za-z0-9]{9}
+```
+
+
+
+
+Start Pattern
+
+```regex
+\A|[^A-Za-z0-9/+]
+```
+
+
+End Pattern
+
+```regex
+\z|[^A-Za-z0-9/+=]
+```
+
+
+
+## Azure generic key (legacy)
+
+
+Azure generic key - legacy format without internal identifiable features
+_version: v0.1_
+
+**Comments / Notes:**
+
+
+- This is an imprecise detection for Azure keys that does not identify which Azure service the key is for.
+
+- The key lacks internal identifiable features, which are used in modern keys issued by these Azure services.
+
+
+
+Pattern Format
+
+```regex
+[a-f0-9]{32}
+```
+
+
+
+
+Start Pattern
+
+```regex
+(?i)(Ocp-Apim-Subscription-Key: |Ocp-Apim-Subscription-Key=|OcpApimSubscriptionKey=|Subscription-Key=)
+```
+
+
+End Pattern
+
+```regex
+\z|[^A-Za-z0-9/+=]
+```
+
+
+
+## AWS Bedrock API Key
+
+
+AWS Bedrock API Key - automatic username
+_version: v0.1_
+
+**Comments / Notes:**
+
+
+- AWS Bedrock API Keys start with the prefix 'ABSKQmVkcm9ja0FQSUtleS' followed by a base64-encoded string.
+
+- Matches AWS Bedrock keys that have an auto-generated 'BedrockAPIKey-' username.
+
+
+
+Pattern Format
+
+```regex
+ABSKQmVkcm9ja0FQSUtleS[A-Za-z0-9+/]{2}([A-Za-z0-9+/]{4})+([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)
+```
+
+
+
+
+Start Pattern
+
+```regex
+\A|[^A-Za-z0-9/+]
+```
+
+
+End Pattern
+
+```regex
+\z|[^A-Za-z0-9/+=]
+```
+
+
+
+## AWS Bedrock API Key (2)
+
+
+AWS Bedrock API Key - manual username
+_version: v0.1_
+
+**Comments / Notes:**
+
+
+- AWS Bedrock API Keys start with the prefix 'ABSK' followed by a base64-encoded string.
+
+- This rule matches an alternative format of AWS Bedrock API Keys that do not have the auto-generated 'BedrockAPIKey-' username.
+
+
+
+Pattern Format
+
+```regex
+ABSK([A-Za-z0-9+/]{4}){26,}([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)
+```
+
+
+
+
+Start Pattern
+
+```regex
+\A|[^A-Za-z0-9/+]
+```
+
+
+End Pattern
+
+```regex
+\z|[^A-Za-z0-9/+=]
+```
+
+
+
+
+Additional Matches
+
+Add these additional matches to the [Secret Scanning Custom Pattern](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#example-of-a-custom-pattern-specified-using-additional-requirements).
+
+
+- Not Match:
+
+ ```regex
+ ^ABSKQmVkcm9ja0FQSUtleS
+ ```
+
\ No newline at end of file
From 41cd15c6cb6d86ca7e08ba6e3a66e244a5c31124 Mon Sep 17 00:00:00 2001
From: aegilops <41705651+aegilops@users.noreply.github.com>
Date: Fri, 21 Nov 2025 14:08:51 +0000
Subject: [PATCH 4/8] Updated test cases for new vendor patterns
---
vendors/patterns.yml | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/vendors/patterns.yml b/vendors/patterns.yml
index 7166b46..7a45f73 100644
--- a/vendors/patterns.yml
+++ b/vendors/patterns.yml
@@ -788,6 +788,10 @@ patterns:
(?i)(Ocp-Apim-Subscription-Key: |Ocp-Apim-Subscription-Key=|OcpApimSubscriptionKey=|Subscription-Key=)
end: |
\z|[^A-Za-z0-9/+=]
+ test:
+ data: |
+ Ocp-Apim-Subscription-Key=0123456789abcdef0123456789abcdef
+ start_offset: 26
comments:
- "This is an imprecise detection for Azure keys that does not identify which Azure service the key is for."
- "The key lacks internal identifiable features, which are used in modern keys issued by these Azure services."
@@ -797,16 +801,15 @@ patterns:
description: AWS Bedrock API Key - automatic username
regex:
pattern: |
- ABSKQmVkcm9ja0FQSUtleS[A-Za-z0-9+/]{2}([A-Za-z0-9+/]{4})+([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)
+ ABSKQmVkcm9ja0FQSUtleS[A-Za-z0-9+/]{2}([A-Za-z0-9+/]{4})+([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?
start: |
\A|[^A-Za-z0-9/+]
end: |
\z|[^A-Za-z0-9/+=]
test:
data: |
- BedrockApiKey=ABSKQmVkcm9ja0FQSUtleSabcdEFGHijklMNOPqrstUVWXyz0123456789ABCD
+ BedrockApiKey=ABSKQmVkcm9ja0FQSUtleSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
start_offset: 14
- end_offset: 76
comments:
- "AWS Bedrock API Keys start with the prefix 'ABSKQmVkcm9ja0FQSUtleS' followed by a base64-encoded string."
- "Matches AWS Bedrock keys that have an auto-generated 'BedrockAPIKey-' username."
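Review bot: The replacement `data:` vector is the fixed prefix followed by a bare run of `A`s, so it exercises neither the `+`/`/` members of the character class nor the padding alternation this hunk has just made optional; the all-`A` vector in the last hunk of this patch (`bedrock_api_key: ABSKAAAA…`) has the same weakness, and the matching `?` added to the manual-username pattern in the hunk before it is likewise untested. A constructed vector that mixes letters, digits, `+` and `/` and ends in `=` or `==` (for this entry: the prefix, two chars, then four-character groups, then e.g. `xy==`) would actually validate the regex, and keeping one unpadded vector alongside it would cover the new `?` branch as well. Dropping `end_offset` here also leaves the match boundary unasserted until a later patch restores it; setting it in this commit would be simpler to review. The enclosing mapping continues outside the hunk.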
@@ -816,7 +819,7 @@ patterns:
description: AWS Bedrock API Key - manual username
regex:
pattern: |
- ABSK([A-Za-z0-9+/]{4}){26,}([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)
+ ABSK([A-Za-z0-9+/]{4}){26,}([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?
start: |
\A|[^A-Za-z0-9/+]
end: |
@@ -825,9 +828,8 @@ patterns:
- ^ABSKQmVkcm9ja0FQSUtleS
test:
data: |
- bedrock_api_key = "ABSKQmVkcm9ja0FQSUtleSabcdEFGHijklMNOPqrstUVWXyz0123456789ABCD"
- start_offset: 19
- end_offset: 81
+ bedrock_api_key: ABSKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ start_offset: 17
comments:
- "AWS Bedrock API Keys start with the prefix 'ABSK' followed by a base64-encoded string."
- "This rule matches an alternative format of AWS Bedrock API Keys that do not have the auto-generated 'BedrockAPIKey-' username."
From 3edd0fb3dfc91076cb7613fa0a74993de857944d Mon Sep 17 00:00:00 2001
From: aegilops <41705651+aegilops@users.noreply.github.com>
Date: Fri, 21 Nov 2025 14:08:59 +0000
Subject: [PATCH 5/8] Updated README.md
---
vendors/README.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/vendors/README.md b/vendors/README.md
index 3e96958..08d1ab7 100644
--- a/vendors/README.md
+++ b/vendors/README.md
@@ -1705,7 +1705,7 @@ _version: v0.1_
Pattern Format
```regex
-ABSKQmVkcm9ja0FQSUtleS[A-Za-z0-9+/]{2}([A-Za-z0-9+/]{4})+([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)
+ABSKQmVkcm9ja0FQSUtleS[A-Za-z0-9+/]{2}([A-Za-z0-9+/]{4})+([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?
```
@@ -1744,7 +1744,7 @@ _version: v0.1_
Pattern Format
```regex
-ABSK([A-Za-z0-9+/]{4}){26,}([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)
+ABSK([A-Za-z0-9+/]{4}){26,}([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?
```
From 0619305ec32475d9ebbe3d5ba0c8513b158419a2 Mon Sep 17 00:00:00 2001
From: aegilops <41705651+aegilops@users.noreply.github.com>
Date: Fri, 21 Nov 2025 15:12:11 +0000
Subject: [PATCH 6/8] Added non-capturing braces
---
vendors/patterns.yml | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/vendors/patterns.yml b/vendors/patterns.yml
index 7a45f73..dfc338f 100644
--- a/vendors/patterns.yml
+++ b/vendors/patterns.yml
@@ -757,7 +757,7 @@ patterns:
test:
data: |
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7AAAAAAA
- start_offset: 22
+ start_offset: 18
comments:
- "This rule detects AWS Key IDs without any attempt to pair them with a secret key."
- "This adds to the risk of false positives, so we exclude any Key IDs that end with 'EXAMPLE' which are often used in documentation and sample code."
@@ -773,6 +773,9 @@ patterns:
\A|[^A-Za-z0-9/+]
end: |
\z|[^A-Za-z0-9/+=]
+ test:
+ data: |
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJQQJ99AAAC0123456789AAA012345678
comments:
- "This is an imprecise detection for Azure keys that does not identify which Azure service the key is for."
- "Prefer using built-in more-specific rules for Azure services where possible."
@@ -785,7 +788,7 @@ patterns:
pattern: |
[a-f0-9]{32}
start: |
- (?i)(Ocp-Apim-Subscription-Key: |Ocp-Apim-Subscription-Key=|OcpApimSubscriptionKey=|Subscription-Key=)
+ (?i)(?:Ocp-Apim-Subscription-Key: |Ocp-Apim-Subscription-Key=|OcpApimSubscriptionKey=|Subscription-Key=)
end: |
\z|[^A-Za-z0-9/+=]
test:
@@ -801,7 +804,7 @@ patterns:
description: AWS Bedrock API Key - automatic username
regex:
pattern: |
- ABSKQmVkcm9ja0FQSUtleS[A-Za-z0-9+/]{2}([A-Za-z0-9+/]{4})+([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?
+ ABSKQmVkcm9ja0FQSUtleS[A-Za-z0-9+/]{2}(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?
start: |
\A|[^A-Za-z0-9/+]
end: |
@@ -819,7 +822,7 @@ patterns:
description: AWS Bedrock API Key - manual username
regex:
pattern: |
- ABSK([A-Za-z0-9+/]{4}){26,}([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?
+ ABSK(?:[A-Za-z0-9+/]{4}){26,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?
start: |
\A|[^A-Za-z0-9/+]
end: |
From 8ef489071d90c814544ac685ee76f0a7384948bc Mon Sep 17 00:00:00 2001
From: aegilops <41705651+aegilops@users.noreply.github.com>
Date: Fri, 21 Nov 2025 15:21:23 +0000
Subject: [PATCH 7/8] Updated test data
---
vendors/patterns.yml | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/vendors/patterns.yml b/vendors/patterns.yml
index dfc338f..b258ed1 100644
--- a/vendors/patterns.yml
+++ b/vendors/patterns.yml
@@ -758,6 +758,7 @@ patterns:
data: |
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7AAAAAAA
start_offset: 18
+ end_offset: 38
comments:
- "This rule detects AWS Key IDs without any attempt to pair them with a secret key."
- "This adds to the risk of false positives, so we exclude any Key IDs that end with 'EXAMPLE' which are often used in documentation and sample code."
@@ -776,6 +777,8 @@ patterns:
test:
data: |
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJQQJ99AAAC0123456789AAA012345678
+ start_offset: 0
+ end_offset: 84
comments:
- "This is an imprecise detection for Azure keys that does not identify which Azure service the key is for."
- "Prefer using built-in more-specific rules for Azure services where possible."
@@ -795,6 +798,7 @@ patterns:
data: |
Ocp-Apim-Subscription-Key=0123456789abcdef0123456789abcdef
start_offset: 26
+ end_offset: 58
comments:
- "This is an imprecise detection for Azure keys that does not identify which Azure service the key is for."
- "The key lacks internal identifiable features, which are used in modern keys issued by these Azure services."
@@ -813,6 +817,7 @@ patterns:
data: |
BedrockApiKey=ABSKQmVkcm9ja0FQSUtleSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
start_offset: 14
+ end_offset: 82
comments:
- "AWS Bedrock API Keys start with the prefix 'ABSKQmVkcm9ja0FQSUtleS' followed by a base64-encoded string."
- "Matches AWS Bedrock keys that have an auto-generated 'BedrockAPIKey-' username."
@@ -833,6 +838,7 @@ patterns:
data: |
bedrock_api_key: ABSKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
start_offset: 17
+ end_offset: 189
comments:
- "AWS Bedrock API Keys start with the prefix 'ABSK' followed by a base64-encoded string."
- "This rule matches an alternative format of AWS Bedrock API Keys that do not have the auto-generated 'BedrockAPIKey-' username."
From aef674107c4ac57c38b568ae3ca61c78a3d75e06 Mon Sep 17 00:00:00 2001
From: aegilops <41705651+aegilops@users.noreply.github.com>
Date: Fri, 21 Nov 2025 15:22:42 +0000
Subject: [PATCH 8/8] Updated README.md
---
vendors/README.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/vendors/README.md b/vendors/README.md
index 08d1ab7..3a3ea23 100644
--- a/vendors/README.md
+++ b/vendors/README.md
@@ -1675,7 +1675,7 @@ _version: v0.1_
Start Pattern
```regex
-(?i)(Ocp-Apim-Subscription-Key: |Ocp-Apim-Subscription-Key=|OcpApimSubscriptionKey=|Subscription-Key=)
+(?i)(?:Ocp-Apim-Subscription-Key: |Ocp-Apim-Subscription-Key=|OcpApimSubscriptionKey=|Subscription-Key=)
```
@@ -1705,7 +1705,7 @@ _version: v0.1_
Pattern Format
```regex
-ABSKQmVkcm9ja0FQSUtleS[A-Za-z0-9+/]{2}([A-Za-z0-9+/]{4})+([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?
+ABSKQmVkcm9ja0FQSUtleS[A-Za-z0-9+/]{2}(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?
```
@@ -1744,7 +1744,7 @@ _version: v0.1_
Pattern Format
```regex
-ABSK([A-Za-z0-9+/]{4}){26,}([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?
+ABSK(?:[A-Za-z0-9+/]{4}){26,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?
```