Lines 78-118javascript
79 // AWS secret access key in a key=value shape. The value pattern is
80 // intentionally lenient (40-char Base64-ish) because real AWS secret
81 // keys are 40 chars of Base64. We require the `aws_secret` token
82 // nearby to gate on intent.
84 id: 'secret_aws_secret_access_key',
86 re: /(?:aws[_-]?secret[_-]?(?:access[_-]?)?key)[\s:=]+["']?[A-Za-z0-9/+=]{16,}/i,
88 // Generic api_key / secret / password / passwd / token / bearer
89 // in a key=value shape. 20-char minimum on the value catches
90 // realistic key shapes without flagging short test fixtures
91 // (api_key=abc123 → only 6 chars, skipped).
93 id: 'secret_generic_credential',
95 re: /(?:api[_-]?key|secret|password|passwd|token|bearer)[\s:=]+["']?[A-Za-z0-9_\-/+=]{20,}/i,
97 // PEM private key armor. The "RSA "/"EC "/"OPENSSH "/"PGP "
98 // variants are optional, so plain `-----BEGIN PRIVATE KEY-----`
CriticalCritical Secret
Package contains a critical-looking secret pattern.
src/poison-guard.mjsView on unpkg · L98 101 id: 'secret_pem_private_key',
103 re: /-----BEGIN (?:RSA |EC |OPENSSH |PGP |DSA |ENCRYPTED )?PRIVATE KEY-----/,
105 // GitHub personal access token: ghp_ prefix + 36 alphanumeric.
106 // No trailing \b — adjacent alphanumeric padding (in tests; rare in
107 // real input but possible) shouldn't suppress detection. Leading \b
108 // is enough to prevent matching mid-identifier (e.g. "xghp_..." is
111 id: 'secret_github_pat',
113 re: /\bghp_[A-Za-z0-9]{36}/,
115 // Task 134: the other GitHub token classes — OAuth (gho_), user-to-server
116 // (ghu_), server-to-server (ghs_), refresh (ghr_). Same ghp_ shape (prefix
117 // + 36 alnum); the 36-char floor is what keeps "ghost"/"ghs config" prose
118 // out (a real English word can't reach prefix+36 alphanumerics).