Lines 1-70json
3 "display_name": "Cryptographic Material & Private Keys",
6 "id": "rsa-private-key",
7 "name": "RSA Private Key",
8 "severity": "critical",
9 "regex": "-----BEGIN RSA PRIVATE KEY-----",
CriticalCritical Secret
Package contains a critical-looking secret pattern.
patterns/crypto.jsonView on unpkg · L9 CriticalSecret Pattern
RSA private key in patterns/crypto.json
patterns/crypto.jsonView on unpkg · L9 10 "description": "RSA private key in PEM format",
11 "risk": "Can impersonate the key owner, decrypt data, sign documents. If used for SSH, grants server access.",
12 "fix": "Never commit private keys. Use SSH agent, secret manager, or mount at runtime."
15 "id": "openssh-private-key",
16 "name": "OpenSSH Private Key",
17 "severity": "critical",
18 "regex": "-----BEGIN OPENSSH PRIVATE KEY-----",
CriticalSecret Pattern
OpenSSH private key in patterns/crypto.json
patterns/crypto.jsonView on unpkg · L18 19 "description": "OpenSSH private key (Ed25519, ECDSA, or RSA)",
20 "risk": "Grants SSH access to any server that has the corresponding public key in authorized_keys.",
21 "fix": "Use SSH agent forwarding. Never commit SSH keys to a repository."
24 "id": "ec-private-key",
25 "name": "EC Private Key",
26 "severity": "critical",
27 "regex": "-----BEGIN EC PRIVATE KEY-----",
28 "description": "Elliptic Curve private key in PEM format",
29 "risk": "Can sign data, authenticate, and decrypt EC-encrypted content.",
30 "fix": "Use a secret manager or mount the key at runtime."
33 "id": "dsa-private-key",
34 "name": "DSA Private Key",
35 "severity": "critical",
36 "regex": "-----BEGIN DSA PRIVATE KEY-----",
37 "description": "DSA private key in PEM format (deprecated algorithm)",
38 "risk": "Can sign data and authenticate. DSA is deprecated — migrate to Ed25519.",
39 "fix": "Remove and rotate. Migrate to Ed25519 keys."
42 "id": "pgp-private-key-block",
43 "name": "PGP Private Key Block",
44 "severity": "critical",
45 "regex": "-----BEGIN PGP PRIVATE KEY BLOCK-----",
46 "description": "PGP/GPG private key block",
47 "risk": "Can decrypt PGP-encrypted data and sign messages as the key owner.",
48 "fix": "Use GPG agent. Never store private keys in repositories."
51 "id": "generic-private-key",
52 "name": "Generic Private Key",
53 "severity": "critical",
54 "regex": "-----BEGIN PRIVATE KEY-----",
55 "description": "PKCS#8 private key in PEM format",
56 "risk": "Generic private key — risk depends on what it's used for (TLS, signing, auth).",
57 "fix": "Use a certificate manager (ACM, Let's Encrypt auto-renewal) or secret vault."
60 "id": "pkcs12-password",
61 "name": "PKCS12/PFX Password",
62 "severity": "warning",
63 "regex": "(?i)(?:pkcs12|pfx|p12).*(?:password|pass|passphrase)\\s*[=:]\\s*['\"]?[^\\s'\"]+['\"]?",
64 "description": "Password for a PKCS12/PFX certificate bundle",
65 "risk": "Can unlock the certificate bundle and extract the private key.",
66 "fix": "Store the password in a secret manager, reference by environment variable."