Lines 79-119javascript
80 // AWS secret access key in a key=value shape. The value pattern is
81 // intentionally lenient (40-char Base64-ish) because real AWS secret
82 // keys are 40 chars of Base64. We require the `aws_secret` token
83 // nearby to gate on intent.
85 id: 'secret_aws_secret_access_key',
87 re: /(?:aws[_-]?secret[_-]?(?:access[_-]?)?key)[\s:=]+["']?[A-Za-z0-9/+=]{16,}/i,
89 // Generic api_key / secret / password / passwd / token / bearer
90 // in a key=value shape. 20-char minimum on the value catches
91 // realistic key shapes without flagging short test fixtures
92 // (api_key=abc123 → only 6 chars, skipped).
94 id: 'secret_generic_credential',
96 re: /(?:api[_-]?key|secret|password|passwd|token|bearer)[\s:=]+["']?[A-Za-z0-9_\-/+=]{20,}/i,
98 // PEM private key armor. The "RSA "/"EC "/"OPENSSH "/"PGP "
99 // variants are optional, so plain `-----BEGIN PRIVATE KEY-----`
CriticalCritical Secret
Package contains a critical-looking secret pattern.
src/poison-guard.mjsView on unpkg · L99 102 id: 'secret_pem_private_key',
104 re: /-----BEGIN (?:RSA |EC |OPENSSH |PGP |DSA |ENCRYPTED )?PRIVATE KEY-----/,
106 // GitHub personal access token: ghp_ prefix + 36 alphanumeric.
107 // No trailing \b — adjacent alphanumeric padding (in tests; rare in
108 // real input but possible) shouldn't suppress detection. Leading \b
109 // is enough to prevent matching mid-identifier (e.g. "xghp_..." is
112 id: 'secret_github_pat',
114 re: /\bghp_[A-Za-z0-9]{36}/,
116 // Task 134: the other GitHub token classes — OAuth (gho_), user-to-server
117 // (ghu_), server-to-server (ghs_), refresh (ghr_). Same ghp_ shape (prefix
118 // + 36 alnum); the 36-char floor is what keeps "ghost"/"ghs config" prose
119 // out (a real English word can't reach prefix+36 alphanumerics).