Pattern Reference
Complete reference of all 71 secret detection patterns.
Auto-generated
This page documents every pattern in the patterns/ directory. Each entry includes the regex, severity, risk assessment, and recommended fix.
AWS
| ID | Name | Severity | Fix |
aws-access-key-id | AWS Access Key ID | đ´ | AWS_ACCESS_KEY_ID env var or IAM roles |
aws-secret-access-key | AWS Secret Access Key | đ´ | AWS_SECRET_ACCESS_KEY env var or IAM roles |
aws-session-token | AWS Session Token | đ´ | Use AWS SDK credential providers |
aws-mws-key | AWS MWS Key | đ´ | AWS Secrets Manager or env var |
GCP
| ID | Name | Severity | Fix |
gcp-api-key | Google API Key | đ´ | GOOGLE_API_KEY env var, restrict in GCP console |
gcp-oauth-client-secret | Google OAuth Client Secret | đ´ | Env var or secret manager |
gcp-service-account-key | GCP Service Account Key | đ´ | Workload Identity Federation |
firebase-config | Firebase Configuration | đĄ | Firebase client config is public by design; check security rules |
Azure
| ID | Name | Severity | Fix |
azure-storage-account-key | Azure Storage Account Key | đ´ | Managed Identity or SAS tokens |
azure-client-secret | Azure AD Client Secret | đ´ | AZURE_CLIENT_SECRET env var or Key Vault |
azure-connection-string | Azure Service Connection String | đ´ | Azure Key Vault or env var |
azure-sas-token | Azure SAS Token | đĄ | Generate at runtime with minimal scope |
GitHub & Git
| ID | Name | Severity | Fix |
github-pat-fine-grained | GitHub Fine-Grained PAT | đ´ | GITHUB_TOKEN env var or deploy keys |
github-pat-classic | GitHub Classic PAT | đ´ | Migrate to fine-grained PAT |
github-oauth-token | GitHub OAuth Token | đ´ | Secure session storage |
github-app-token | GitHub App Token | đ´ | Generate at runtime via App private key |
github-refresh-token | GitHub App Refresh Token | đ´ | Encrypted session storage |
gitlab-pat | GitLab PAT | đ´ | CI/CD variables or env var |
gitlab-pipeline-trigger | GitLab Pipeline Trigger | đ´ | CI/CD variables |
bitbucket-app-password | Bitbucket App Password | đ´ | Env var or Pipelines secure variables |
AI Providers
| ID | Name | Severity | Fix |
openai-api-key | OpenAI API Key (legacy) | đ´ | OPENAI_API_KEY env var |
openai-api-key-project | OpenAI Project API Key | đ´ | OPENAI_API_KEY env var |
anthropic-api-key | Anthropic API Key | đ´ | ANTHROPIC_API_KEY env var |
cohere-api-key | Cohere API Key | đ´ | COHERE_API_KEY env var |
huggingface-token | Hugging Face Token | đ´ | HF_TOKEN env var |
replicate-api-token | Replicate API Token | đ´ | REPLICATE_API_TOKEN env var |
Payments
| ID | Name | Severity | Fix |
stripe-live-secret-key | Stripe Live Secret Key | đ´ | STRIPE_SECRET_KEY env var. ROTATE IMMEDIATELY if committed. |
stripe-live-restricted-key | Stripe Live Restricted Key | đ´ | Env var with minimal permissions |
stripe-webhook-secret | Stripe Webhook Secret | đ´ | STRIPE_WEBHOOK_SECRET env var |
stripe-test-key | Stripe Test Key | âšī¸ | Still best to use env var |
paypal-client-secret | PayPal Client Secret | đ´ | PAYPAL_CLIENT_SECRET env var |
square-access-token | Square Access Token | đ´ | SQUARE_ACCESS_TOKEN env var |
Databases
| ID | Name | Severity | Fix |
postgres-connection-string | PostgreSQL Connection String | đ´ | DATABASE_URL env var |
mysql-connection-string | MySQL Connection String | đ´ | DATABASE_URL env var |
mongodb-connection-string | MongoDB Connection String | đ´ | MONGODB_URI env var |
redis-connection-with-password | Redis Connection with Password | đ´ | REDIS_URL env var |
supabase-service-role-key | Supabase Service Role Key | đ´ | SUPABASE_SERVICE_ROLE_KEY env var. Never in client code. |
planetscale-password | PlanetScale Password | đ´ | DATABASE_URL env var |
Messaging
| ID | Name | Severity | Fix |
slack-bot-token | Slack Bot Token | đ´ | SLACK_BOT_TOKEN env var |
slack-user-token | Slack User Token | đ´ | SLACK_USER_TOKEN env var |
slack-webhook-url | Slack Webhook URL | đĄ | SLACK_WEBHOOK_URL env var |
discord-bot-token | Discord Bot Token | đ´ | DISCORD_TOKEN env var |
discord-webhook-url | Discord Webhook URL | đĄ | DISCORD_WEBHOOK_URL env var |
twilio-auth-token | Twilio Auth Token | đ´ | TWILIO_AUTH_TOKEN env var |
sendgrid-api-key | SendGrid API Key | đ´ | SENDGRID_API_KEY env var |
mailgun-api-key | Mailgun API Key | đ´ | MAILGUN_API_KEY env var |
telegram-bot-token | Telegram Bot Token | đ´ | TELEGRAM_BOT_TOKEN env var |
CI/CD
| ID | Name | Severity | Fix |
npm-token | npm Access Token | đ´ | NPM_TOKEN env var |
pypi-token | PyPI API Token | đ´ | Trusted publishing or TWINE_PASSWORD |
docker-hub-token | Docker Hub Token | đ´ | DOCKER_TOKEN env var |
vercel-token | Vercel Token | đ´ | VERCEL_TOKEN env var |
netlify-token | Netlify Token | đ´ | NETLIFY_AUTH_TOKEN env var |
heroku-api-key | Heroku API Key | đ´ | HEROKU_API_KEY env var |
terraform-cloud-token | Terraform Cloud Token | đ´ | TFE_TOKEN env var |
circleci-token | CircleCI Token | đ´ | CIRCLECI_TOKEN env var |
Cryptographic Material
| ID | Name | Severity | Fix |
rsa-private-key | RSA Private Key | đ´ | SSH agent or secret manager |
openssh-private-key | OpenSSH Private Key | đ´ | SSH agent forwarding |
ec-private-key | EC Private Key | đ´ | Secret manager |
dsa-private-key | DSA Private Key | đ´ | Migrate to Ed25519 |
pgp-private-key-block | PGP Private Key | đ´ | GPG agent |
generic-private-key | Generic Private Key | đ´ | Certificate manager or vault |
pkcs12-password | PKCS12/PFX Password | đĄ | Secret manager |
Generic
| ID | Name | Severity | Fix |
generic-password-assignment | Hardcoded Password | đĄ | Env var or secret manager |
generic-secret-assignment | Hardcoded Secret | đĄ | Env var named after service |
generic-api-key-assignment | Hardcoded API Key | đĄ | Identify service, use appropriate env var |
generic-token-assignment | Hardcoded Token | đĄ | Obtain at runtime via OAuth/OIDC |
generic-jwt-secret | JWT Signing Secret | đ´ | JWT_SECRET env var, use RS256 in production |
generic-basic-auth-url | URL with Basic Auth | đ´ | Separate credentials from URLs |
generic-bearer-token-inline | Inline Bearer Token | đ´ | Obtain tokens at runtime |
generic-encryption-key | Hardcoded Encryption Key | đ´ | KMS (AWS KMS, GCP KMS, Azure Key Vault) |
ip-address-private | Private IP Address | âšī¸ | Use DNS names or config variables |