# Secret-pattern corpus for push-gate regex layer.
#
# Format: one regex per non-empty, non-comment line. Lines starting with `#`
# are comments. The scan-secrets.sh script is responsible for stripping comment
# and blank lines before feeding the rest to ripgrep: ripgrep's pattern-file
# input has no comment syntax, and an empty pattern matches every line.
#
# Patterns use Rust regex syntax (ripgrep's default). Anchors are NOT added
# automatically — write them yourself if needed. Matching is done against the
# diff body, added lines only; the leading diff `+` marker is stripped before
# matching, so `^` and `$` refer to the added line's own content.

# === API / OAuth tokens (vendor-specific) ===
sk-[A-Za-z0-9_-]{20,}
sk-ant-api[0-9]+-[A-Za-z0-9_-]{20,}
sk-ant-oauth-[A-Za-z0-9_-]{20,}
sk-proj-[A-Za-z0-9_-]{20,}
ghp_[A-Za-z0-9]{36}
gh[suor]_[A-Za-z0-9]{30,}
github_pat_[A-Za-z0-9_]{20,}
xox[baprs]-[0-9A-Za-z-]{10,}
AKIA[0-9A-Z]{16}
ASIA[0-9A-Z]{16}
sk_live_[0-9a-zA-Z]{24,}
rk_live_[0-9a-zA-Z]{24,}
AIza[0-9A-Za-z_-]{35}
ya29\.[0-9A-Za-z_-]+
SG\.[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,}
(?i)dckr_pat_[A-Za-z0-9_-]{20,}
npm_[A-Za-z0-9]{36}
glpat-[0-9A-Za-z_-]{20}

# === Cryptographic material ===
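# PEM private-key headers. PKCS#1/SEC1/DSA/OpenSSH/PKCS#8 variants share the
# `... PRIVATE KEY-----` suffix; the PGP header ends in `... PRIVATE KEY BLOCK-----`
# and needs its own alternative (a `PGP PRIVATE KEY BLOCK` entry inside the
# optional group would have to be followed by `PRIVATE KEY-----` and never matches).
-----BEGIN (?:(?:RSA|EC|DSA|OPENSSH|ENCRYPTED) )?PRIVATE KEY-----|-----BEGIN PGP PRIVATE KEY BLOCK-----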
# NOTE(review): a certificate is public material, not a secret; this entry
# only flags that a PEM cert landed in the diff. Keep it if that is wanted as
# a gate hit, otherwise it is a false-positive source — confirm intent.
-----BEGIN CERTIFICATE-----
eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+

# === DSNs with embedded credentials ===
(postgres|postgresql|mysql|mongodb|mongodb\+srv|redis|rediss|amqp|amqps|clickhouse)://[^:/"' ]+:[^@/"' ]{4,}@

# === Generic (high false-positive rate; hits go through the FP filter) ===
(?i)(password|passwd|secret|token|api[_-]?key|apikey|private[_-]?key|access[_-]?key|client[_-]?secret|auth[_-]?token|oauth[_-]?token|bearer)\s*[=:]\s*["'][^"'\s]{12,}["']

# === Env-file leakage (by content shape, not filename) ===
(?i)^\s*(password|secret|token|api_key|apikey|access_key|private_key|client_secret|auth_token)\s*=\s*[^$\s<]{12,}$
