diff --git a/docs/rules.md b/docs/rules.md index d2fb42b..b3e255d 100644 --- a/docs/rules.md +++ b/docs/rules.md @@ -2,10 +2,11 @@ Auto-generated by `make docs` -Total rules: 150 +Total rules: 163 | Name | ID | Description | Tags | Entropy | |------|----|-----------|----|---------| +| [Adafruit API Key](#ghost.adafruit.1) | ghost.adafruit.1 | Adafruit API key. | api, adafruit | 4.1 | | [Airtable PAT](#ghost.airtable.1) | ghost.airtable.1 | Airtable PAT | api, airtable, pat | 4.1 | | [Algolia API Key](#ghost.algolia.1) | ghost.algolia.1 | Algolia API key variable declaration. | api, algolia | 3.6 | | [Alibaba API Key](#ghost.alibaba.1) | ghost.alibaba.1 | Alibaba API Key | api, alibaba | 3.5 | @@ -21,6 +22,9 @@ Total rules: 150 | [Auth0 Client Secret](#ghost.auth0.1) | ghost.auth0.1 | Auth0 client secret. | api, auth0, client, secret | 5.1 | | [AWS Secret Access Key](#ghost.aws.1) | ghost.aws.1 | AWS secret access key variable declaration. | api, aws | 4.1 | | [AWS Session Token](#ghost.aws.2) | ghost.aws.2 | AWS session token variable declaration. | api, aws | 5.5 | +| [AWS Bedrock API Key](#ghost.aws.3) | ghost.aws.3 | AWS Bedrock API Key | api, aws, bedrock | 4.7 | +| [AWS CloudWatch Logs API Key](#ghost.aws.4) | ghost.aws.4 | AWS CloudWatch Logs API Key | api, aws, cloudwatch, logs | 4.7 | +| [AWS Mantle API Key](#ghost.aws.5) | ghost.aws.5 | AWS Mantle API Key | api, aws, mantle | 4.7 | | [Axiom API Key](#ghost.axiom.1) | ghost.axiom.1 | Axiom API key. | api, axiom | 3.2 | | [Azure Storage Account Key](#ghost.azure.1) | ghost.azure.1 | Matches an Azure storage account key variable declaration. | api, azure, storage | 4.4 | | [Azure OpenAI API Key](#ghost.azure.2) | ghost.azure.2 | Matches an Azure OpenAI API key variable declaration. | api, azure, openai | 4.1 | 
@@ -35,7 +39,8 @@ Total rules: 150 | [Clearbit API Key](#ghost.clearbit.1) | ghost.clearbit.1 | Clearbit API key. | api, clearbit | 4.1 | | [Clerk API Key](#ghost.clerk.1) | ghost.clerk.1 | Clerk API key. | api, clerk | 4.5 | | [ClickHouse API Key](#ghost.clickhouse.1) | ghost.clickhouse.1 | ClickHouse API key. | api, clickhouse | 4.2 | -| [Cloudflare API Key](#ghost.cloudflare.1) | ghost.cloudflare.1 | Cloudflare API key. | api, cloudflare | 4.2 | +| [Cloudflare API Key](#ghost.cloudflare.1) | ghost.cloudflare.1 | Cloudflare Legacy API key. | api, cloudflare | 4.2 | +| [Cloudflare API Token](#ghost.cloudflare.2) | ghost.cloudflare.2 | Cloudflare API Token | api, cloudflare | 4.5 | | [Cloudinary API Key](#ghost.cloudinary.1) | ghost.cloudinary.1 | Cloudinary API Key variable declaration. | api, cloudinary | 4.5 | | [Cohere API Key](#ghost.cohere.1) | ghost.cohere.1 | Cohere API key variable declaration. | api, cohere | 4.1 | | [Confluent API Key](#ghost.confluent.1) | ghost.confluent.1 | Confluent API Key | api, confluent | 4.7 | @@ -52,6 +57,7 @@ Total rules: 150 | [Dynatrace API Token](#ghost.dynatrace.1) | ghost.dynatrace.1 | Dynatrace API token. | api, dynatrace | 4.5 | | [Eleven Labs API Key](#ghost.elevenlabs.1) | ghost.elevenlabs.1 | Eleven Labs API key. | api, eleven, elevenlabs | 3.4 | | [Fastly API Key](#ghost.fastly.1) | ghost.fastly.1 | Fastly API key. | api, fastly | 4.2 | +| [Figma PAT](#ghost.figma.1) | ghost.figma.1 | Figma Personal Access Token | api, figma, pat | 4.5 | | [Firecrawl API Key](#ghost.firecrawl.1) | ghost.firecrawl.1 | Firecrawl API key. | api, firecrawl | 3.1 | | [Fireworks API Key](#ghost.fireworks.1) | ghost.fireworks.1 | Fireworks AI API Key | api, fireworks | 4.1 | | [Fly.io API Key](#ghost.flyio.1) | ghost.flyio.1 | Fly.io API key. | api, flyio | 5.5 | 
@@ -72,6 +78,7 @@ Total rules: 150 | [GitLab Deploy Token](#ghost.gitlab.5) | ghost.gitlab.5 | GitLab deploy token. | api, gitlab, deploy, token | 3.5 | | [Google Cloud API Key](#ghost.google.1) | ghost.google.1 | Google Cloud API key. | api, google | 4.5 | | [Google Cloud OAuth Client Secret](#ghost.google.2) | ghost.google.2 | Google Cloud OAuth Client Secret. | api, google, oauth | 4.3 | +| [Grafana Service Account Token](#ghost.grafana.1) | ghost.grafana.1 | Grafana Service Account token. | api, grafana | 4.5 | | [Groq API Key](#ghost.groq.1) | ghost.groq.1 | Groq API Key | api, groq, token | 4.7 | | [HackerOne API Key](#ghost.hackerone.1) | ghost.hackerone.1 | HackerOne API key variable declaration. | api, hackerone | 4.2 | | [Harness Service Account Key](#ghost.harness.1) | ghost.harness.1 | Harness Service Account API Key | api, harness | 4.9 | 
@@ -82,10 +89,12 @@ Total rules: 150 | [InfluxDB API Token](#ghost.influxdb.1) | ghost.influxdb.1 | InfluxDB API token variable declaration. | api, influxdb | 5.1 | | [Intercom API Key](#ghost.intercom.1) | ghost.intercom.1 | Intercom API key. | api, intercom | 4.2 | | [JumpCloud API Key](#ghost.jumpcloud.1) | ghost.jumpcloud.1 | JumpCloud API key. | api, jumpcloud | 4.2 | +| [Langfuse Secret Key](#ghost.langfuse.1) | ghost.langfuse.1 | Langfuse Secret Key. | api, langfuse | 3.5 | | [LangSmith Personal Access Token](#ghost.langsmith.1) | ghost.langsmith.1 | LangSmith personal access token. | api, langsmith, pat | 3.1 | | [LangSmith Service Key](#ghost.langsmith.2) | ghost.langsmith.2 | LangSmith service key. | api, langsmith, service | 3.1 | | [Lightfield API Key](#ghost.lightfield.1) | ghost.lightfield.1 | Lightfield API Key | api, lightfield | 4.7 | | [Linear API Key](#ghost.linear.1) | ghost.linear.1 | Linear API key. | api, linear | 4.2 | +| [Logfire API Key](#ghost.logfire.1) | ghost.logfire.1 | Logfire API key. | api, logfire | 4.7 | | [MailerSend API Key](#ghost.mailersend.1) | ghost.mailersend.1 | MailerSend API Key | api, mailersend | 3.5 | | [Mailgun API Key](#ghost.mailgun.1) | ghost.mailgun.1 | Mailgun API key. | api, mailgun | 4.1 | | [Mistral API Key](#ghost.mistral.1) | ghost.mistral.1 | Mistral API key. | api, mistral | 4.5 | 
@@ -106,6 +115,7 @@ Total rules: 150 | [OpenRouter API Key](#ghost.openrouter.1) | ghost.openrouter.1 | OpenRouter API Key | api, openrouter | 3.5 | | [OpenWeather API Key](#ghost.openweather.1) | ghost.openweather.1 | OpenWeather API key variable declaration. | api, openweather | 3.5 | | [Perplexity API Key](#ghost.perplexity.1) | ghost.perplexity.1 | Perplexity API key. | api, perplexity | 4.3 | +| [Pinecode API Key](#ghost.pinecone.1) | ghost.pinecone.1 | Pinecone API key | api, pinecone | 4.7 | | [Plaid API Key](#ghost.plaid.1) | ghost.plaid.1 | Plaid API Key variable declaration. | api, plaid | 3.5 | | [PlanetScale API Key](#ghost.planetscale.1) | ghost.planetscale.1 | PlanetScale API key. | api, planetscale | 4.1 | | [PostgreSQL Senstive Connection String](#ghost.postgres.1) | ghost.postgres.1 | PostgreSQL connection string with credentials. | api, postgres, postgresql | 4.1 | @@ -114,6 +124,8 @@ Total rules: 150 | [PostHog Feature Flag API Key](#ghost.posthog.3) | ghost.posthog.3 | PostHog Feature Flag Secure API Key | api, posthog, feature flag | 4.7 | | [PostHog OAuth Access Token](#ghost.posthog.4) | ghost.posthog.4 | PostHog OAuth Access Token | api, posthog, oauth | 4.5 | | [PostHog OAuth Access Token](#ghost.posthog.5) | ghost.posthog.5 | PostHog OAuth Refresh Token | api, posthog, oauth | 4.5 | +| [Postman API Key](#ghost.postman.1) | ghost.postman.1 | Postman API key. | api, postman | 3.5 | +| [Pubnub Secret Key](#ghost.pubnub.1) | ghost.pubnub.1 | Pubnub Secret key. | api, pubnub | 4.1 | | [Pulumi Access Token](#ghost.pulumi.1) | ghost.pulumi.1 | Pulumi access token. | api, pulumi | 3.3 | | [PyPI API Key](#ghost.pypi.1) | ghost.pypi.1 | PyPI API key. | api, pypi | 4.5 | | [Raindrop AI API Key](#ghost.raindrop.1) | ghost.raindrop.1 | Raindrop AI API key variable declaration. | api, raindrop | 3.5 | 
@@ -149,6 +161,7 @@ Total rules: 150 | [Supabase Sensitive Connection String](#ghost.supabase.1) | ghost.supabase.1 | Supabase connection string with credentials. | api, supabase | 4.1 | | [Supabase API Key](#ghost.supabase.2) | ghost.supabase.2 | Supabase API key. | api, supabase | 4.1 | | [Supabase Personal Access Token](#ghost.supabase.3) | ghost.supabase.3 | Supabase personal access token. | api, supabase, pat | 3.3 | +| [Tavily API Key](#ghost.tavily.1) | ghost.tavily.1 | Tavily API key. | api, tavily | 4.7 | | [Telegram Bot Token](#ghost.telegram.1) | ghost.telegram.1 | Telegram Bot Token | api, telegram, bot | 4.5 | | [Travis Token](#ghost.travisci.1) | ghost.travisci.1 | Travis CI token. | api, travisci | 4.1 | | [Twilio API Key](#ghost.twilio.1) | ghost.twilio.1 | Twilio API key or. | api, twilio, key | 4.1 | @@ -159,6 +172,31 @@ Total rules: 150 ## Rule Details + +### Adafruit API Key + +**ID:** `ghost.adafruit.1` + +**Description:** Adafruit API key. + +**Tags:** api, adafruit + +**Pattern:** +``` +(?x) + \b + (aio_(?i)[A-Z0-9]{28}) + \b + +``` + +**Min entropy:** 4.1 + +**Tests:** +- assert: 3 cases +- assert_not: 3 cases + + ### Airtable PAT 
@@ -552,6 +590,81 @@ Total rules: 150 - assert_not: 3 cases + +### AWS Bedrock API Key + +**ID:** `ghost.aws.3` + +**Description:** AWS Bedrock API Key + +**Tags:** api, aws, bedrock + +**Pattern:** +``` +(?x) + \b + (ABSK(?i)[A-Z0-9]{110,112}={0,2}) + \b + +``` + +**Min entropy:** 4.7 + +**Tests:** +- assert: 3 cases +- assert_not: 3 cases + + + +### AWS CloudWatch Logs API Key + +**ID:** `ghost.aws.4` + +**Description:** AWS CloudWatch Logs API Key + +**Tags:** api, aws, cloudwatch, logs + +**Pattern:** +``` +(?x) + \b + (ACWL(?i)[A-Z0-9]{110,112}={0,2}) + \b + +``` + +**Min entropy:** 4.7 + +**Tests:** +- assert: 3 cases +- assert_not: 3 cases + + + +### AWS Mantle API Key + +**ID:** `ghost.aws.5` + +**Description:** AWS Mantle API Key + +**Tags:** api, aws, mantle + +**Pattern:** +``` +(?x) + \b + (AEAA(?i)[A-Z0-9]{110,112}={0,2}) + \b + +``` + +**Min entropy:** 4.7 + +**Tests:** +- assert: 3 cases +- assert_not: 3 cases + + ### Axiom API Key @@ -917,7 +1030,7 @@ Total rules: 150 **ID:** `ghost.cloudflare.1` -**Description:** Cloudflare API key. +**Description:** Cloudflare Legacy API key. **Tags:** api, cloudflare @@ -939,6 +1052,31 @@ Total rules: 150 - assert_not: 1 cases + +### Cloudflare API Token + +**ID:** `ghost.cloudflare.2` + +**Description:** Cloudflare API Token + +**Tags:** api, cloudflare + +**Pattern:** +``` +(?x) + \b + (cfat_(?i)[A-Z0-9]{48}) + \b + +``` + +**Min entropy:** 4.5 + +**Tests:** +- assert: 5 cases +- assert_not: 3 cases + + ### Cloudinary API Key @@ -1355,6 +1493,31 @@ Total rules: 150 - assert_not: 2 cases + +### Figma PAT + +**ID:** `ghost.figma.1` + +**Description:** Figma Personal Access Token + +**Tags:** api, figma, pat + +**Pattern:** +``` +(?x) + \b + (figd_(?i)[A-Z0-9_-]{40}) + \b + +``` + +**Min entropy:** 4.5 + +**Tests:** +- assert: 3 cases +- assert_not: 3 cases + + ### Firecrawl API Key 
@@ -1877,6 +2040,31 @@ Total rules: 150 - assert_not: 3 cases + +### Grafana Service Account Token + +**ID:** `ghost.grafana.1` + +**Description:** Grafana Service Account token. + +**Tags:** api, grafana + +**Pattern:** +``` +(?x) + \b + (glsa_(?i)[a-z0-9]{32}_[a-f0-9]{8}) + \b + +``` + +**Min entropy:** 4.5 + +**Tests:** +- assert: 3 cases +- assert_not: 4 cases + + ### Groq API Key @@ -2137,6 +2325,31 @@ Total rules: 150 - assert_not: 1 cases + +### Langfuse Secret Key + +**ID:** `ghost.langfuse.1` + +**Description:** Langfuse Secret Key. + +**Tags:** api, langfuse + +**Pattern:** +``` +(?x) + \b + (sk-lf-(?i)[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}) + \b + +``` + +**Min entropy:** 3.5 + +**Tests:** +- assert: 3 cases +- assert_not: 3 cases + + ### LangSmith Personal Access Token @@ -2237,6 +2450,31 @@ Total rules: 150 - assert_not: 2 cases + +### Logfire API Key + +**ID:** `ghost.logfire.1` + +**Description:** Logfire API key. + +**Tags:** api, logfire + +**Pattern:** +``` +(?x) + \b + (pylf_v\d_[a-z]{2}_(?i)[a-f0-9]{8}-(?:[a-f0-9]{4}-){3}[a-f0-9]{12}_[a-z0-9]{44}) + \b + +``` + +**Min entropy:** 4.7 + +**Tests:** +- assert: 3 cases +- assert_not: 4 cases + + ### MailerSend API Key @@ -2771,6 +3009,31 @@ Total rules: 150 - assert_not: 2 cases + +### Pinecode API Key + +**ID:** `ghost.pinecone.1` + +**Description:** Pinecone API key + +**Tags:** api, pinecone + +**Pattern:** +``` +(?x) + \b + (pcsk_(?i)[A-Z0-9]{6}_[A-Z0-9]{63}) + \b + +``` + +**Min entropy:** 4.7 + +**Tests:** +- assert: 3 cases +- assert_not: 4 cases + + ### Plaid API Key 
@@ -2977,6 +3240,56 @@ Total rules: 150 - assert_not: 3 cases + +### Postman API Key + +**ID:** `ghost.postman.1` + +**Description:** Postman API key. + +**Tags:** api, postman + +**Pattern:** +``` +(?x) + \b + (PMAK-(?i)[a-f0-9]{24}-[a-f0-9]{34}) + \b + +``` + +**Min entropy:** 3.5 + +**Tests:** +- assert: 4 cases +- assert_not: 4 cases + + + +### Pubnub Secret Key + +**ID:** `ghost.pubnub.1` + +**Description:** Pubnub Secret key. + +**Tags:** api, pubnub + +**Pattern:** +``` +(?x) + \b + (sec-c-(?i)[A-Z0-9]{48}) + \b + +``` + +**Min entropy:** 4.1 + +**Tests:** +- assert: 3 cases +- assert_not: 3 cases + + ### Pulumi Access Token @@ -3910,6 +4223,31 @@ Total rules: 150 - assert_not: 3 cases + +### Tavily API Key + +**ID:** `ghost.tavily.1` + +**Description:** Tavily API key. + +**Tags:** api, tavily + +**Pattern:** +``` +(?x) + \b + (tvly-(?:dev|prod)-(?i)[A-Z0-9\-]{49}) + \b + +``` + +**Min entropy:** 4.7 + +**Tests:** +- assert: 5 cases +- assert_not: 5 cases + + ### Telegram Bot Token diff --git a/pkg/rules/adafruit.yaml b/pkg/rules/adafruit.yaml new file mode 100644 index 0000000..ce96c1d --- /dev/null +++ b/pkg/rules/adafruit.yaml @@ -0,0 +1,27 @@ +rules: + - name: Adafruit API Key + id: ghost.adafruit.1 + description: Adafruit API key. + tags: + - api + - adafruit + pattern: | + (?x) + \b + (aio_(?i)[A-Z0-9]{28}) + \b + entropy: 4.1 + redact: [8, 4] + tests: + assert: + - aio_vUNz42yN0X3PIlLUJOgt4xKV2cw6 + - aio_JrVD04gaKJEC8U1Yg42GHJhqjXp1 + - aio_KsTE15hbLKFD9V2Zh53HIKirkYq2 + assert_not: + - aio_vUNz42yN0X3PIlLUJOgt4xKV2cw6x + - aio_JrVD04gaKJEC8U1Yg42GHJhqjXp + - aio_KsTE15hbLKFD9%2Zh53HIKirkYq2 + history: + - 2026-04-07 initial version + refs: + - https://io.adafruit.com/api/ diff --git a/pkg/rules/aws.yaml b/pkg/rules/aws.yaml index 9ef8227..4f11384 100644 --- a/pkg/rules/aws.yaml +++ b/pkg/rules/aws.yaml 
@@ -21,13 +21,13 @@ rules: - 'export AWS_SECRET_ACCESS_KEY="qDhThtrkeMhCoOZA+vm4ykuE4AdyZpbGhL1QYwvl"' - 'export AWS_SECRET_ACCESS_KEY="1GTdO8YGWxwngbmy6ayrPZ/pIlWV+0sE65Ikxyvu"' - 'const AWS_SECRET_ACCESS_KEY = "Mss7b8mKOD2inkntQg75H6FClnj+xAYKvO9HflVj"' - - 'export AWS_SECRET_ACCESS_KEY=Mss7b8mKOD2inkntQg75H6FClnj+xAYKvO9HflVj' + - "export AWS_SECRET_ACCESS_KEY=Mss7b8mKOD2inkntQg75H6FClnj+xAYKvO9HflVj" assert_not: - aws_secret_access_key_id=abc123 - 'export AWS_SECRET_ACCESS_KEY="Mss7b8mKOD2inkntQg75H6FClnj+xAYKvO9HflVjxx"' - 'export AWS_SECRET_ACCESS_KEY="Mss7b8mKOD2inkntQg75H6FClnj+xAYKvO9HflV"' - 'AWS_SESSION_TOKEN="AQoDYXdzEHoaCXVzLWVhc3CIQCzOfn2RRDrFYRNqc9wWbvfIPwz"' - - 'AWS_SESSION_TOKEN=AQoDYXdzEHoaCXVzLWVhc3CIQCzOfn2RRDrFYRNqc9wWbvfIPwz' + - "AWS_SESSION_TOKEN=AQoDYXdzEHoaCXVzLWVhc3CIQCzOfn2RRDrFYRNqc9wWbvfIPwz" history: - 2025-08-07 initial version refs: 
@@ -60,3 +60,85 @@ rules: - 2025-08-07 initial version refs: - https://medium.com/@TalBeerySec/revealing-the-inner-structure-of-aws-session-tokens-a6c76469cba7 + - name: AWS Bedrock API Key + id: ghost.aws.3 + description: AWS Bedrock API Key + tags: + - api + - aws + - bedrock + pattern: | + (?x) + \b + (ABSK(?i)[A-Z0-9]{110,112}={0,2}) + \b + entropy: 4.7 + redact: [8, 4] + tests: + assert: + - ABSKdGVzdDEtYXQtNzMwMzM1NjYzODY0OjRiZXRmTVBnYjhROGpTekNBRjJjb1hiOHVBRC9ncitHT1VMUjQzVGwzY09UV0RPNGlGb2dtbXpZQzBVPQ== + - ABSKdGVzdDErMS1hdC03MzAzMzU2NjM4NjQ6elpvTGlXQkdGOHQzUTM3SkJwWVB3dHpJdm1Qc1ZCZjdiMGlmbUFmTU9JVk5rR3h1Z00rc0lXYnBqUEE9 + - ABSKdGVzdDEtYXQtNzMwMzM1NjYzODY0OlNXK3hjN3dsdWdjbDlDVE1qODRVRWllY3FlQ1VqL3c4TTQ3cktqWjd0Ym5SZDFVeTlkMk9PWDErVFhRPQ== + assert_not: + - ABSKdGVzdDEtYXQtNzMwMzM1NjYzODY0OjRiZXRmTVBnYjhROGpTekNBRjJjb1hiOHVBRC9ncitHT1VMUjQzVGwzY09UV0RPNGlGb2dtbXpZQzBVPQxxx== + - ABSKdGVzdDErMS1hdC03MzAzMzU2NjM4NjQ6elpvTGlXQkdGOHQzUTM3SkJwWVB3dHpJdm1Qc1ZCZjdiMGlmbUFmTU9JVk5rR3h1Z00rc0lXYn + - ABSKdGVzdDEtYXQtNzMwMzM1NjYzODY%OlNXK3hjN3dsdWdjbDlDVE1qODRVRWllY3FlQ1VqL3c4TTQ3cktqWjd0Ym5SZDFVeTlkMk9PWDErVFhRPQ== + history: + - 2026-04-07 initial version + refs: + - https://docs.aws.amazon.com/bedrock/latest/userguide/api-keys.html + - name: AWS CloudWatch Logs API Key + id: ghost.aws.4 + description: AWS CloudWatch Logs API Key + tags: + - api + - aws + - cloudwatch + - logs + pattern: | + (?x) + \b + (ACWL(?i)[A-Z0-9]{110,112}={0,2}) + \b + entropy: 4.7 + redact: [8, 4] + tests: + assert: + - ACWLdGVzdDEtYXQtNzMwMzM1NjYzODY0OmF1dkUrMHVmUElKdysyQjF6aDYrN0NQMEFYekJmRlJ4RXpnVnlSZzAwcGJNNnlzWkx1OWhHZHEwYjNJPQ== + - ACWLdGVzdDErMS1hdC03MzAzMzU2NjM4NjQ6L3krNytYYmp4RnRkdDY2c2FQZG5sMWc4RDhrNHA1VGQ5NGNVOEVvb2VjS3NmczhGWThhTUc2QVprdEE9 + - ACWLdGVzdDErMi1hdC03MzAzMzU2NjM4NjQ6WHp1ME8zdEFFWWx2cmNwODFMbmhISDl1QThCOThXaGp3OW1kTU5vWU9TbmpNWThGeWN1MlRwTXJJM2M9 + assert_not: + - 
ACWLdGVzdDEtYXQtNzMwMzM1NjYzODY0OmF1dkUrMHVmUElKdysyQjF6aDYrN0NQMEFYekJmRlJ4RXpnVnlSZzAwcGJNNnlzWkx1OWhHZHEwYjNJPQxxx== + - ACWLdGVzdDErMS1hdC03MzAzMzU2NjM4NjQ6L3krNytYYmp4RnRkdDY2c2FQZG5sMWc4RDhrNHA1VGQ5NGNVOEVvb2VjS3NmczhGWThhTUc2 + - ACWLdGVzdDErMi1hdC03MzAzMzU2NjM4NjQ6WH%1ME8zdEFFWWx2cmNwODFMbmhISDl1QThCOThXaGp3OW1kTU5vWU9TbmpNWThGeWN1MlRwTXJJM2M9 + history: + - 2026-04-07 initial version + refs: + - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_bedrock_cloudwatchlogs.html + - name: AWS Mantle API Key + id: ghost.aws.5 + description: AWS Mantle API Key + tags: + - api + - aws + - mantle + pattern: | + (?x) + \b + (AEAA(?i)[A-Z0-9]{110,112}={0,2}) + \b + entropy: 4.7 + redact: [8, 4] + tests: + assert: + - AEAAdGVzdDEtYXQtNzMwMzM1NjYzODY0OkVUNXBxY3JrNjVvZUxxQXV0YU5VQlp3bWVRMW9GdXY3Uyt2bkRmWm9XL0VoMTlHQXZnTWtrUWxNOGtNPQ== + - AEAAdGVzdDErMS1hdC03MzAzMzU2NjM4NjQ6MmZPMjVYSm9ob3FERUo5YU1CRXE3VjhULzlLNlVZQmdWNjlnemdlbGlVTVZndzh5YStvUzNxckpXWUk9 + - AEAAdGVzdDEtYXQtNzMwMzM1NjYzODY0OnBSejFIL2RicE94aWYvR2s2VzVYYmg0YTlDeGwzN0hhNkM2cWkyU2RCYUJndWY1dFVEL0c4TUlnSUg0PQ== + assert_not: + - AEAAdGVzdDEtYXQtNzMwMzM1NjYzODY0OkVUNXBxY3JrNjVvZUxxQXV0YU5VQlp3bWVRMW9GdXY3Uyt2bkRmWm9XL0VoMTlHQXZnTWtrUWxNOGtNPQxxx== + - AEAAdGVzdDErMS1hdC03MzAzMzU2NjM4NjQ6MmZPMjVYSm9ob3FERUo5YU1CRXE3VjhULzlLNlVZQmdWNjlnemdlbGlVTVZndzh5YStvUz + - AEAAdGVzdDEtYXQtNzMwMzM1NjYzODY0OnBSejFIL2RicE%4aWYvR2s2VzVYYmg0YTlDeGwzN0hhNkM2cWkyU2RCYUJndWY1dFVEL0c4TUlnSUg0PQ== + history: + - 2026-04-07 initial version + refs: + - https://docs.aws.amazon.com/bedrock/latest/userguide/api-keys-generate.html diff --git a/pkg/rules/cloudflare.yaml b/pkg/rules/cloudflare.yaml index ba9b78a..311aef8 100644 --- a/pkg/rules/cloudflare.yaml +++ b/pkg/rules/cloudflare.yaml @@ -1,7 +1,7 @@ rules: - name: Cloudflare API Key id: ghost.cloudflare.1 - description: Cloudflare API key. + description: Cloudflare Legacy API key. tags: - api - cloudflare 
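Review bot: The `{110,112}` length window in `ghost.aws.3` (and identically in `ghost.aws.4` and `ghost.aws.5`) looks fitted to the fixtures, which all appear to encode a user name of 5–7 characters. If the body is base64 of a name-plus-secret string, a key issued for a longer IAM user name would be longer and would go undetected. Consider a wider upper bound justified by the referenced AWS docs, with an `assert` case for a longer name. Separately, the closing `\b` cannot match after `=` when the key is followed by a quote, whitespace or end of line, so `={0,2}` backtracks to empty and the padding is left out of the captured secret. A form such as `(ABSK(?i)[A-Z0-9]{110,112}\b={0,2})` without the trailing `\b` would keep it.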
@@ -16,12 +16,40 @@ rules: redact: [4, 4] tests: assert: - - 'export CLOUDFLARE_API_KEY=LZ16Lc034UX_CVz6n0dLKMcSicjYBWKVKvHiL3FQ' - - 'export CLOUDFLARE_KEY=T6n_WTtEMYCCMn_SyYg-gaYGSXQAcyyhttLHJ4OV' - - 'export CLOUDFLARE_TOKEN=X45xjDWKQt3wbgVJ5u90yiriCOykOap1khf9L16g' + - "export CLOUDFLARE_API_KEY=LZ16Lc034UX_CVz6n0dLKMcSicjYBWKVKvHiL3FQ" + - "export CLOUDFLARE_KEY=T6n_WTtEMYCCMn_SyYg-gaYGSXQAcyyhttLHJ4OV" + - "export CLOUDFLARE_TOKEN=X45xjDWKQt3wbgVJ5u90yiriCOykOap1khf9L16g" assert_not: - - 'CLOUDFLARE_API_KEY=1234567890123456789012345' + - "CLOUDFLARE_API_KEY=1234567890123456789012345" history: - 2025-08-12 initial version refs: - https://developers.cloudflare.com/api/keys/ + - name: Cloudflare API Token + id: ghost.cloudflare.2 + description: Cloudflare API Token + tags: + - api + - cloudflare + pattern: | + (?x) + \b + (cfat_(?i)[A-Z0-9]{48}) + \b + entropy: 4.5 + redact: [8, 4] + tests: + assert: + - cfat_UB0MfOlxpFgubYq2dC5IHsEEqrzIrfRFMYxCMQ0Z40aa7eda + - cfat_ZWxJwxygFEfd2FCJ5slUVbObT30TEJGDqsXMRjjXae4b8856 + - cfat_8toU86YGBaJRm2LiePgdL7WhJGX8XYDSdJlN18hKde12870e + - cfat_hP1JZqIhfQcXHlHtLOJdtOZoGL8IJow1cjfRHgaU071eccaa + - cfat_sl5NHodTTUKmsyHJ7ggw7fNckDW6cQqcO3jPcpXZ8e5f938c + assert_not: + - cfat-8toU86YGBaJRm2LiePgdL7WhJGX8XYDSdJlN18hKde12870e + - cfat_hP1JZqIhfQcXHlHtLOJdtOZoGL8IJow1cjfRHgaU071eccaax + - cfat_sl5NHodTTUKmsyHJ7ggw7fNckDW6cQqcO3jPcpXZ8e5f938 + history: + - 2026-04-07 initial version + refs: + - https://developers.cloudflare.com/fundamentals/api/get-started/create-token/ diff --git a/pkg/rules/figma.yaml b/pkg/rules/figma.yaml new file mode 100644 index 0000000..67daf2f --- /dev/null +++ b/pkg/rules/figma.yaml 
@@ -0,0 +1,28 @@
+rules:
+ - name: Figma PAT
+ id: ghost.figma.1
+ description: Figma Personal Access Token
+ tags:
+ - api
+ - figma
+ - pat
+ pattern: |
+ (?x)
+ \b
+ (figd_(?i)[A-Z0-9_-]{40})
+ \b
+ entropy: 4.5
+ redact: [8, 4]
+ tests:
+ assert:
+ - figd_3N1VI0Ha_uwiJ5PKUtgA7wgmEkOle-nf3ttktnNp
+ - figd_XRPmuSnRfDu2ZT3KVmgJETJws75rDDD9qezI1LNk
+ - figd_znvr_DUZeLOJxhRKW1G5TRdSTZjD0iPMv-1Sju3c
+ assert_not:
+ - figd-3N1VI0Ha_uwiJ5PKUtgA7wgmEkOle-nf3ttktnNp
+ - figd_XRPmuSnRfDu2ZT3KVmgJETJws75rDDD9qezI1LNkX
+ - figd_znvr_DUZeLOJxhRKW1G5TRdSTZjD0iPMv-1Sju3
+ history:
+ - 2026-04-07 initial version
+ refs:
+ - https://help.figma.com/hc/en-us/articles/8085703771159-Manage-personal-access-tokens
diff --git a/pkg/rules/grafana.yaml b/pkg/rules/grafana.yaml
new file mode 100644
index 0000000..c692445
--- /dev/null
+++ b/pkg/rules/grafana.yaml
@@ -0,0 +1,28 @@
+rules:
+ - name: Grafana Service Account Token
+ id: ghost.grafana.1
+ description: Grafana Service Account token.
+ tags:
+ - api
+ - grafana
+ pattern: |
+ (?x)
+ \b
+ (glsa_(?i)[a-z0-9]{32}_[a-f0-9]{8})
+ \b
+ entropy: 4.5
+ redact: [8, 4]
+ tests:
+ assert:
+ - glsa_03XVEFyrK28hSv4t7n3k2MLxTD7VHW03_a7bfd9a6
+ - glsa_z6QUYEllV4qeToSBaBwZwhVgpiUJ0p3d_256a49e4
+ - glsa_C2mMRokbTwC22X7f7knWqp3f1vnTKaDE_2e76d2d1
+ assert_not:
+ - glsa_03XVEFyrK28hSv4t7n3k2MLxTD7VHW03_a7bfd9a6b
+ - glsa_z6QUYEllV4qeToSBaBwZwhVgpiUJ0p3db_256a49e4
+ - glsa_C2mMRokbTwC22X7f7knWqp3f1vnTKaD_2e76d2d1
+ - glsa_C2mMRokbTwC22X7f7knWqp3f1vnTKaDE_2e76d2x1
+ history:
+ - 2026-04-07 initial version
+ refs:
+ - https://grafana.com/docs/grafana-cloud/developer-resources/api-reference/http-api/examples/create-api-tokens-for-org/
diff --git a/pkg/rules/langfuse.yaml b/pkg/rules/langfuse.yaml
new file mode 100644
index 0000000..902d670
--- /dev/null
+++ b/pkg/rules/langfuse.yaml
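Review bot: The closing `\b` in `ghost.figma.1` will miss any token whose last character is `-`. The class `[A-Z0-9_-]` admits `-`, and `\b` after a non-word character only matches when a word character follows. The fixtures show `-` at arbitrary positions in the body, so a token ending in `-` looks possible; before a quote, whitespace or end of line such a token would not be reported. Replacing the final `\b` with an explicit terminator such as `(?:[^A-Za-z0-9_-]|$)` outside the capture group, plus an `assert` case ending in `-`, would cover it.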
@@ -0,0 +1,27 @@
+rules:
+ - name: Langfuse Secret Key
+ id: ghost.langfuse.1
+ description: Langfuse Secret Key.
+ tags:
+ - api
+ - langfuse
+ pattern: |
+ (?x)
+ \b
+ (sk-lf-(?i)[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})
+ \b
+ entropy: 3.5
+ redact: [10, 4]
+ tests:
+ assert:
+ - sk-lf-01bba4f0-9594-54db-9c74-b8a8697fbfdc
+ - sk-lf-301fbb40-4c9d-5505-9bac-d464d786994e
+ - sk-lf-35fb6929-95ac-4b29-9143-aab8bd65f7ec
+ assert_not:
+ - sk-lf-01bba4f0-9594-54db-9c74-b8a8697fbfdcb
+ - sk-lf-301fbb40-4c9d-5505-9bac-d464d786994x
+ - sk-lf-35fb6929-95ac-4b29-9143-aab8bd65f7e
+ history:
+ - 2026-04-07 initial version
+ refs:
+ - https://langfuse.com/docs/api-and-data-platform/features/public-api
diff --git a/pkg/rules/logfire.yaml b/pkg/rules/logfire.yaml
new file mode 100644
index 0000000..72602e4
--- /dev/null
+++ b/pkg/rules/logfire.yaml
@@ -0,0 +1,28 @@
+rules:
+ - name: Logfire API Key
+ id: ghost.logfire.1
+ description: Logfire API key.
+ tags:
+ - api
+ - logfire
+ pattern: |
+ (?x)
+ \b
+ (pylf_v\d_[a-z]{2}_(?i)[a-f0-9]{8}-(?:[a-f0-9]{4}-){3}[a-f0-9]{12}_[a-z0-9]{44})
+ \b
+ entropy: 4.7
+ redact: [8, 4]
+ tests:
+ assert:
+ - pylf_v2_us_fcc783e6-5131-4167-9e77-04024f9cc54c_x8PhY6Vj6NNbrRRHP7wSQpJC0Bk0RmNDKPWcmzb6Np1B
+ - pylf_v2_us_5d315215-71f5-473e-9fd7-927d9fe661aa_MnygjlXcNnxzq4TW8p0MN7fkhCWDCRqcVZfk4kBNPcLv
+ - pylf_v2_eu_0d877f16-b7a7-49d9-98d5-625b22d67f39_j8dk0mvKQz9brpBGlg2Y7Gxzzxmq1x3TYDPc1z0zjYZg
+ assert_not:
+ - pylf_v1_us_fcc783e6-5131-4167-9e77-04024f9cc54c_x8PhY6Vj6NNbrRRHP7wSQpJC0Bk0RmNDKPWcmzb6Np1Bx
+ - pylf_v2_eu_5d315215-71f5-473e-9fd7-927d9fe661aa_MnygjlXcNnxz%4TW8p0MN7fkhCWDCRqcVZfk4kBNPcLv
+ - pylf_v3_us_0d877f16-b7a7-49d9-98d5-625b22d67f3_j8dk0mvKQz9brpBGlg2Y7Gxzzxmq1x3TYDPc1z0zjYZg
+ - pylf_v4_eu_0d877f16-b7a7-49d9-98z5-625b22d67f39_j8dk0mvKQz9brpBGlg2Y7Gxzzxmq1x3TYDPc1z0zjYZg
+ history:
+ - 2026-04-01 initial version
+ refs:
+ - https://pydantic.dev/docs/logfire/manage/use-api-keys/#creating-api-keys
diff --git a/pkg/rules/pinecone.yaml b/pkg/rules/pinecone.yaml
new file mode 100644
index 0000000..ae98493
--- /dev/null
+++ b/pkg/rules/pinecone.yaml
@@ -0,0 +1,28 @@
+rules:
+ - name: Pinecode API Key
+ id: ghost.pinecone.1
+ description: Pinecone API key
+ tags:
+ - api
+ - pinecone
+ pattern: |
+ (?x)
+ \b
+ (pcsk_(?i)[A-Z0-9]{6}_[A-Z0-9]{63})
+ \b
+ entropy: 4.7
+ redact: [8, 4]
+ tests:
+ assert:
+ - pcsk_6XuBHw_PeUorjVwHfazjPneYWjxSTTwVYphk8BPcxuiYYfqCLuCeB8925kh8UDuefvSPum
+ - pcsk_2ubPgg_TXD3ShenTomniM5qvHFchivrsPL8mx3Ceev1pefzucxyQ45tFeMJ5YczwHRmryW
+ - pcsk_6kgeUp_7qEtJ3cKs2o7n4YP3ZEJdVjWJ8ZZbZBEnyLWCkUqrMQk9Bv6ybSkFNr5E5oGZsa
+ assert_not:
+ - pcsk_6XuBH_PeUorjVwHfazjPneYWjxSTTwVYphk8BPcxuiYYfqCLuCeB8925kh8UDuefvSPum
+ - pcsk_2ubPgg-TXD3ShenTomniM5qvHFchivrsPL8mx3Ceev1pefzucxyQ45tFeMJ5YczwHRmryW
+ - pcsk_6kgeUp_7qEtJ3cKs2o7n4YP3ZEJdVjWJ8ZZbZBEnyLWCkUqrMQk9Bv6ybSkFNr5E5oGZs
+ - pcsk_6kgeUp_7qEtJ3cKs2o7n4YP%ZEJdVjWJ8ZZbZBEnyLWCkUqrMQk9Bv6ybSkFNr5E5oGZsa
+ history:
+ - 2026-04-07 initial version
+ refs:
+ - https://docs.pinecone.io/guides/assistant/admin/manage-api-keys#create-an-api-key
diff --git a/pkg/rules/postman.yaml b/pkg/rules/postman.yaml
new file mode 100644
index 0000000..89d0e94
--- /dev/null
+++ b/pkg/rules/postman.yaml
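Review bot: The rule name in `pkg/rules/pinecone.yaml` is misspelled as `Pinecode API Key`, while the id, description and tags all say Pinecone; it should read `- name: Pinecone API Key`. The name is what a finding displays, so the typo would show up in scan output and makes the rule harder to find by vendor name. The same spelling is carried into the generated `docs/rules.md` table row and heading, so the docs need regenerating after the fix.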
@@ -0,0 +1,29 @@
+rules:
+ - name: Postman API Key
+ id: ghost.postman.1
+ description: Postman API key.
+ tags:
+ - api
+ - postman
+ pattern: |
+ (?x)
+ \b
+ (PMAK-(?i)[a-f0-9]{24}-[a-f0-9]{34})
+ \b
+ entropy: 3.5
+ redact: [7, 4]
+ tests:
+ assert:
+ - PMAK-69d5512421053c00018c509c-6c4ad64b57d61351461393c42ddeb35e69
+ - PMAK-69d5512421053c00018c509c-6cbf30b31c5fdf6e57c8f421992794a65c
+ - PMAK-69c10a2c3b438e00014203a4-8f29a7dbaaec42592ca806b16c7efd4276
+ - PMAK-69c10a402ce42a0001f82ebd-b77e7e91273742e6f661d614b06f42e553
+ assert_not:
+ - PMAK-69d5512421053c00018c509c-6c4ad64b57d61351461393c42ddeb35x69
+ - PMAK-69d5512421053c00018c509c-6cbf30b31c5fdf6e57c8f421992794a65ca
+ - PMAK-69c10a2c3b438e00014203a4-8f29a7dbaaec42592ca806b16c7efd427
+ - PMAK_69c10a402ce42a0001f82ebd_b77e7e91273742e6f661d614b06f42e553
+ history:
+ - 2026-04-07 initial version
+ refs:
+ - https://learning.postman.com/docs/developer/postman-api/authentication
diff --git a/pkg/rules/pubnub.yaml b/pkg/rules/pubnub.yaml
new file mode 100644
index 0000000..086bf4a
--- /dev/null
+++ b/pkg/rules/pubnub.yaml
@@ -0,0 +1,27 @@
+rules:
+ - name: Pubnub Secret Key
+ id: ghost.pubnub.1
+ description: Pubnub Secret key.
+ tags:
+ - api
+ - pubnub
+ pattern: |
+ (?x)
+ \b
+ (sec-c-(?i)[A-Z0-9]{48})
+ \b
+ entropy: 4.1
+ redact: [8, 4]
+ tests:
+ assert:
+ - sec-c-Nzg2N3E5MjYtMWM0Zi00YzY5LTk1ZjItZmIyMWMyMzJjOWVi
+ - sec-c-ZDlmMjg3MWQtMWNjNi00N3U4LTgxMjYtMzg1M2NkZTFlOTA2
+ - sec-c-Y2I3MWQ0MjItMWMwYS00NzZmLWEwNjktZGJkZjkyNWRkOTRk
+ assert_not:
+ - sec-x-Nzg2N3E5MjYtMWM0Zi00YzY5LTk1ZjItZmIyMWMyMzJjOWVi
+ - sec-c-ZDlmMjg3MWQtMWNjNi00N3U4LTgxMjYtMzg1M2NkZTFlOTA2x
+ - sec-c-Y2I3MWQ0MjItMWMwYS00NzZmLWEwNjktZGJkZjkyNWRkOTR
+ history:
+ - 2026-04-07 initial version
+ refs:
+ - https://www.pubnub.com/docs/general/portal/keysets
diff --git a/pkg/rules/tavily.yaml b/pkg/rules/tavily.yaml
new file mode 100644
index 0000000..68e15d4
--- /dev/null
+++ b/pkg/rules/tavily.yaml
@@ -0,0 +1,31 @@
+rules:
+ - name: Tavily API Key
+ id: ghost.tavily.1
+ description: Tavily API key.
+ tags:
+ - api
+ - tavily
+ pattern: |
+ (?x)
+ \b
+ (tvly-(?:dev|prod)-(?i)[A-Z0-9\-]{49})
+ \b
+ entropy: 4.7
+ redact: [12, 4]
+ tests:
+ assert:
+ - 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
+ - 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
+ - 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
+ - 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
+ - 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
+ assert_not:
+ - tvly-dev-3FRsBm_DT0UWnK2hwYs4lA4vaSZgxbzzx2AUKWnHKvllYjY5t
+ - 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
+ - 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
+ - tvly-prod-18slw3-XAqzQsHpkJE1JjlRsXTnzPoqS%da1sRN9I567E8Q4S
+ - tvly-prod-35erok_iVqzjn1C5D72VzIa1d7crI4Sm2dEubCBTMlRs1K8S2
+ history:
+ - 2026-04-07 initial version
+ refs:
+ - https://docs.tavily.com/documentation/quickstart