ghostsecurity · joshlarsen · Mar 28, 2026 · Mar 27, 2026 · Mar 28, 2026 · Mar 28, 2026
diff --git a/docs/rules.md b/docs/rules.md
@@ -2,12 +2,13 @@
 
 Auto-generated by `make docs`
 
-Total rules: 142
+Total rules: 150
 
 | Name | ID | Description | Tags | Entropy |
 |------|----|-----------|----|---------|
 | [Airtable PAT](#ghost.airtable.1) | ghost.airtable.1 | Airtable PAT | api, airtable, pat | 4.1 |
 | [Algolia API Key](#ghost.algolia.1) | ghost.algolia.1 | Algolia API key variable declaration. | api, algolia | 3.6 |
+| [Alibaba API Key](#ghost.alibaba.1) | ghost.alibaba.1 | Alibaba API Key | api, alibaba | 3.5 |
 | [Amplemarket API Key](#ghost.amplemarket.1) | ghost.amplemarket.1 | Amplemarket API Key | api, amplemarket | 3.5 |
 | [Anthropic API Key](#ghost.anthropic.1) | ghost.anthropic.1 | Anthropic API key. | api, anthropic | 5.1 |
 | [Anthropic Admin API Key](#ghost.anthropic.2) | ghost.anthropic.2 | Anthropic admin API key. | api, anthropic, admin | 5.1 |
@@ -78,6 +79,7 @@ Total rules: 142
 | [Harness SDK API Key](#ghost.harness.3) | ghost.harness.3 | Harness SDK API Key | api, harness, sdk | 3.5 |
 | [HubSpot API Key](#ghost.hubspot.1) | ghost.hubspot.1 | HubSpot API key. | api, hubspot | 3.5 |
 | [Hugging Face API Key](#ghost.huggingface.1) | ghost.huggingface.1 | Hugging Face API key. | api, huggingface | 4.2 |
+| [InfluxDB API Token](#ghost.influxdb.1) | ghost.influxdb.1 | InfluxDB API token variable declaration. | api, influxdb | 5.1 |
 | [Intercom API Key](#ghost.intercom.1) | ghost.intercom.1 | Intercom API key. | api, intercom | 4.2 |
 | [JumpCloud API Key](#ghost.jumpcloud.1) | ghost.jumpcloud.1 | JumpCloud API key. | api, jumpcloud | 4.2 |
 | [LangSmith Personal Access Token](#ghost.langsmith.1) | ghost.langsmith.1 | LangSmith personal access token. | api, langsmith, pat | 3.1 |
@@ -97,6 +99,7 @@ Total rules: 142
 | [NPM Legacy Token](#ghost.npm.1) | ghost.npm.1 | NPM legacy token. | api, npm, legacy | 4.1 |
 | [NPM Access Token](#ghost.npm.2) | ghost.npm.2 | NPM access token. | api, npm, token | 4.1 |
 | [NuGet API Key](#ghost.nuget.1) | ghost.nuget.1 | NuGet API key. | api, nuget | 4.1 |
+| [NVIDIA API Key](#ghost.nvidia.1) | ghost.nvidia.1 | Nvidia API key. | api, nvidai | 4.8 |
 | [OpenAI API Key](#ghost.openai.1) | ghost.openai.1 | Matches an OpenAI API key. | api, openai | 5.1 |
 | [OpenAI Admin API Key](#ghost.openai.2) | ghost.openai.2 | Matches an OpenAI admin API key. | api, openai, admin | 5.1 |
 | [OpenAI Legacy API Key](#ghost.openai.3) | ghost.openai.3 | Matches an OpenAI legacy API key. | api, openai, legacy | 5.1 |
@@ -113,12 +116,15 @@ Total rules: 142
 | [PostHog OAuth Access Token](#ghost.posthog.5) | ghost.posthog.5 | PostHog OAuth Refresh Token | api, posthog, oauth | 4.5 |
 | [Pulumi Access Token](#ghost.pulumi.1) | ghost.pulumi.1 | Pulumi access token. | api, pulumi | 3.3 |
 | [PyPI API Key](#ghost.pypi.1) | ghost.pypi.1 | PyPI API key. | api, pypi | 4.5 |
+| [Raindrop AI API Key](#ghost.raindrop.1) | ghost.raindrop.1 | Raindrop AI API key variable declaration. | api, raindrop | 3.5 |
 | [RapiAPI API Key](#ghost.rapidapi.1) | ghost.rapidapi.1 | RapidAPI API Key | api, rapidapi | 3.5 |
+| [Readme.io API Key](#ghost.readmeio.1) | ghost.readmeio.1 | ReadMe.io API key | api, readmeio | 3.5 |
 | [ReCaptcha API Key](#ghost.recaptcha.1) | ghost.recaptcha.1 | ReCaptcha API key variable declaration. | api, recaptcha | 3.5 |
 | [Resend API Key](#ghost.resend.1) | ghost.resend.1 | Resend API key. | api, resend | 4.2 |
 | [Salesforce App Consumer Secret](#ghost.salesforce.1) | ghost.salesforce.1 | Salesforce App Consumer Secret. | api, salesforce | 4.1 |
 | [Salesforce App Consumer Key](#ghost.salesforce.2) | ghost.salesforce.2 | Salesforce App Consumer Key. | api, salesforce | 5.1 |
 | [Salesforce Security Token](#ghost.salesforce.3) | ghost.salesforce.3 | Salesforce Security Token. | api, salesforce, token | 4.1 |
+| [Sendbird API Key](#ghost.sendbird.1) | ghost.sendbird.1 | Sendbird API key variable declaration. | api, sendbird | 3.5 |
 | [Sendgrid API Key](#ghost.sendgrid.1) | ghost.sendgrid.1 | Sendgrid API key. | api, sendgrid | 4.8 |
 | [Sentry Token](#ghost.sentry.1) | ghost.sentry.1 | Sentry Token | api, sentry | 3.5 |
 | [Shodan API Key](#ghost.shodan.1) | ghost.shodan.1 | Shodan API key. | api, shodan | 3.1 |
@@ -129,6 +135,8 @@ Total rules: 142
 | [Slack Refresh Token](#ghost.slack.5) | ghost.slack.5 | Slack refresh token. | api, slack | 4.1 |
 | [Slack Service Webhook Secret](#ghost.slack.6) | ghost.slack.6 | Slack service webhook secret. | api, slack | 4.1 |
 | [Slack Workflow Webhook Secret](#ghost.slack.7) | ghost.slack.7 | Slack workflow webhook secret. | api, slack | 4.1 |
+| [SonarQube PAT](#ghost.sonarqube.1) | ghost.sonarqube.1 | SonarQube Personal Access Token variable declaration. | api, sonarqube, pat | 4.1 |
+| [SonarQube Scoped Access Token](#ghost.sonarqube.2) | ghost.sonarqube.2 | SonarQube Scoped Access Token | api, sonarqube, token | 4.5 |
 | [Sourcegraph Legacy Token](#ghost.sourcegraph.1) | ghost.sourcegraph.1 | Sourcegraph legacy token. | api, sourcegraph | 4.1 |
 | [Sourcegraph Workspace Token](#ghost.sourcegraph.2) | ghost.sourcegraph.2 | Sourcegraph workspace token. | api, sourcegraph | 3.5 |
 | [Spotify Access Token](#ghost.spotify.1) | ghost.spotify.1 | Spotify Access Token variable declaration. | api, spotify, token | 4.1 |
@@ -205,6 +213,31 @@ Total rules: 142
 - assert_not: 3 cases
 
 
+<a id="ghost.alibaba.1"></a>
+### Alibaba API Key
+
+**ID:** `ghost.alibaba.1`
+
+**Description:** Alibaba API Key
+
+**Tags:** api, alibaba
+
+**Pattern:**
+```
+(?x)
+  \b
+    (sk-(?i)[a-f0-9]{32})
+  \b
+
+```
+
+**Min entropy:** 3.5
+
+**Tests:**
+- assert: 3 cases
+- assert_not: 3 cases
+
+
 <a id="ghost.amplemarket.1"></a>
 ### Amplemarket API Key
 
@@ -2023,6 +2056,35 @@ Total rules: 142
 - assert_not: 3 cases
 
 
+<a id="ghost.influxdb.1"></a>
+### InfluxDB API Token
+
+**ID:** `ghost.influxdb.1`
+
+**Description:** InfluxDB API token variable declaration.
+
+**Tags:** api, influxdb
+
+**Pattern:**
+```
+(?x)
+  \b
+    (
+      (?i)(?:influx)\w*
+      [\W]{0,40}?
+      [A-Z0-9_-]{86,}
+    )
+  \b
+
+```
+
+**Min entropy:** 5.1
+
+**Tests:**
+- assert: 4 cases
+- assert_not: 4 cases
+
+
 <a id="ghost.intercom.1"></a>
 ### Intercom API Key
 
@@ -2530,6 +2592,31 @@ Total rules: 142
 - assert_not: 4 cases
 
 
+<a id="ghost.nvidia.1"></a>
+### NVIDIA API Key
+
+**ID:** `ghost.nvidia.1`
+
+**Description:** Nvidia API key.
+
+**Tags:** api, nvidai
+
+**Pattern:**
+```
+(?x)
+  \b
+    (nvapi-(?i)[A-Z0-9_-]{64})
+  \b
+
+```
+
+**Min entropy:** 4.8
+
+**Tests:**
+- assert: 2 cases
+- assert_not: 3 cases
+
+
 <a id="ghost.openai.1"></a>
 ### OpenAI API Key
 
@@ -2940,6 +3027,35 @@ Total rules: 142
 - assert_not: 2 cases
 
 
+<a id="ghost.raindrop.1"></a>
+### Raindrop AI API Key
+
+**ID:** `ghost.raindrop.1`
+
+**Description:** Raindrop AI API key variable declaration.
+
+**Tags:** api, raindrop
+
+**Pattern:**
+```
+(?x)
+  \b
+    (
+      (?i)(?:raindrop)\w*
+      [\W]{0,40}?
+      [A-F0-9]{96}
+    )
+  \b
+
+```
+
+**Min entropy:** 3.5
+
+**Tests:**
+- assert: 8 cases
+- assert_not: 4 cases
+
+
 <a id="ghost.rapidapi.1"></a>
 ### RapiAPI API Key
 
@@ -2969,6 +3085,31 @@ Total rules: 142
 - assert_not: 3 cases
 
 
+<a id="ghost.readmeio.1"></a>
+### Readme.io API Key
+
+**ID:** `ghost.readmeio.1`
+
+**Description:** ReadMe.io API key
+
+**Tags:** api, readmeio
+
+**Pattern:**
+```
+(?x)
+  \b
+    (rdme_(?i)[A-Z0-9]{70})
+  \b
+
+```
+
+**Min entropy:** 3.5
+
+**Tests:**
+- assert: 3 cases
+- assert_not: 3 cases
+
+
 <a id="ghost.recaptcha.1"></a>
 ### ReCaptcha API Key
 
@@ -3110,6 +3251,35 @@ Total rules: 142
 - assert_not: 2 cases
 
 
+<a id="ghost.sendbird.1"></a>
+### Sendbird API Key
+
+**ID:** `ghost.sendbird.1`
+
+**Description:** Sendbird API key variable declaration.
+
+**Tags:** api, sendbird
+
+**Pattern:**
+```
+(?x)
+  \b
+    (
+      (?i)sendbird\w*(?:token|key|secret)\w*
+      [\W]{0,40}?
+      [a-f0-9]{40}
+    )
+  \b
+
+```
+
+**Min entropy:** 3.5
+
+**Tests:**
+- assert: 4 cases
+- assert_not: 4 cases
+
+
 <a id="ghost.sendgrid.1"></a>
 ### Sendgrid API Key
 
@@ -3380,6 +3550,62 @@ Total rules: 142
 - assert_not: 3 cases
 
 
+<a id="ghost.sonarqube.1"></a>
+### SonarQube PAT
+
+**ID:** `ghost.sonarqube.1`
+
+**Description:** SonarQube Personal Access Token variable declaration.
+
+**Tags:** api, sonarqube, pat
+
+**Pattern:**
+```
+(?x)
+  \b
+    (
+      (?i)sonar\w*(?:token|key|secret)\w*
+      [\W]{0,40}?
+      [a-f0-9]{40}
+    )
+  \b
+
+```
+
+**Min entropy:** 4.1
+
+**Tests:**
+- assert: 4 cases
+- assert_not: 3 cases
+
+
+<a id="ghost.sonarqube.2"></a>
+### SonarQube Scoped Access Token
+
+**ID:** `ghost.sonarqube.2`
+
+**Description:** SonarQube Scoped Access Token
+
+**Tags:** api, sonarqube, token
+
+**Pattern:**
+```
+(?x)
+  \b
+    (
+      (sqco_(?i)[A-Z0-9]{59})
+    )
+  \b
+
+```
+
+**Min entropy:** 4.5
+
+**Tests:**
+- assert: 3 cases
+- assert_not: 3 cases
+
+
 <a id="ghost.sourcegraph.1"></a>
 ### Sourcegraph Legacy Token
 

diff --git a/pkg/rules/alibaba.yaml b/pkg/rules/alibaba.yaml
@@ -0,0 +1,27 @@
+rules:
+  - name: Alibaba API Key
+    id: ghost.alibaba.1
+    description: Alibaba API Key
+    tags:
+      - api
+      - alibaba
+    pattern: |
+      (?x)
+        \b
+          (sk-(?i)[a-f0-9]{32})
+        \b
+    entropy: 3.5
+    redact: [6, 4]
+    tests:
+      assert:
+        - sk-3e3f172c956e4d32a87135c37eec4a5f
+        - sk-9e2596f50f014cb2a8f02d59e4f872db
+        - sk-40d84e35978d8e7cf0afe45c52989cad
+      assert_not:
+        - sk-3e3f172c956e4d32a87135c37eec4a5fx
+        - sk-9e2596f50f014cb2a8f02d59e4f872d
+        - sk-40d84e35978d8e-7cf0afe45c52989ca
+    history:
+      - 2026-03-28 initial version
+    refs:
+      - https://www.alibabacloud.com/help/en/ram/user-guide/create-an-accesskey-pair
diff --git a/pkg/rules/cohere.yaml b/pkg/rules/cohere.yaml
@@ -18,14 +18,14 @@ rules:
     entropy: 4.1
     tests:
       assert:
-        - 'cohere: w9piJHtWe0p01rRO420M6PTJmCTerjuHOH0wZsgB'
-        - 'cohere=szJiK1fy6FaEedPWSw8e41kAXTbtArCX5ks7wQP3'
-        - 'cohere = fVst85KDGHJxfjrXtSJGjwQ27W92ORERq4bV6Ais'
+        - "cohere: w9piJHtWe0p01rRO420M6PTJmCTerjuHOH0wZsgB"
+        - "cohere=szJiK1fy6FaEedPWSw8e41kAXTbtArCX5ks7wQP3"
+        - "cohere = fVst85KDGHJxfjrXtSJGjwQ27W92ORERq4bV6Ais"
         - 'let cohere = "s8Cuh6T6Tz4ZP5Xg7HTxsX0JZY3J92KGX0p1yt47"'
         - 'export COHERE_KEY="s8Cuh6T6Tz4ZP5Xg7HTxsX0JZY3J92KGX0p1yt47"'
-        - 'CO_API_KEY=w9piJHtWe0p01rRO420M6PTJmCTerjuHOH0wZsgB'
+        - "CO_API_KEY=w9piJHtWe0p01rRO420M6PTJmCTerjuHOH0wZsgB"
         - 'const CO_API_KEY = "szJiK1fy6FaEedPWSw8e41kAXTbtArCX5ks7wQP3"'
-        - 'CO_API_KEY=fVst85KDGHJxfjrXtSJGjwQ27W92ORERq4bV6Ais'
+        - "CO_API_KEY=fVst85KDGHJxfjrXtSJGjwQ27W92ORERq4bV6Ais"
       assert_not:
         - 9MbXxamGfTkx2cfasR7oUUzylk14gqTAK9GMlSDuX
         - 9MbXxamGfTkx2cfasR7oUUzylk14gqTAK9GMlSD
@@ -34,3 +34,5 @@ rules:
       - 2025-08-06 initial version
       - 2025-08-07 simplify pattern with fewer capture groups
       - 2025-08-12 combined into one pattern to match when either "COHERE" or "CO_API" are used in the variable name
+    refs:
+      - https://docs.cohere.com/docs/rate-limits