Awesome project. Here are a bunch of high-signal patterns you can add to your collection. I’ve grouped them and tried to keep them specific enough to cut down on false positives.
We could use case-insensitive (i) where noted, and wrap many with \b boundaries when scanning plaintext. I am expanding some that you already had and many others that are new.
Cloud & major platforms
- GitHub classic PATs
  Examples: `ghp_…`, `gho_…`, `ghu_…`, `ghs_…`, `ghr_…`
  Regex: `\bgh[opusr]_[0-9a-zA-Z]{36}\b`
- GitHub fine-grained PATs
  Example: `github_pat_11AABBCCDDEEFF001122334455667788AABBCCDDEEFF`
  Regex: `\bgithub_pat_[0-9A-Za-z_]{22,}?[0-9A-Za-z]{20,}\b`
- GitLab PAT
  Example: `glpat-abc123…`
  Regex: `\bglpat-[0-9a-zA-Z_-]{20,}\b`
- Bitbucket App Password
  Often 20–40 chars alnum with `:` in HTTPS URL.
  Regex (URL form): `https?:\/\/[^:\s\/]+:[0-9A-Za-z_\-]{20,40}@bitbucket\.org\/`
- Azure Storage Connection String
  Regex: `\bDefaultEndpointsProtocol=https;AccountName=[a-z0-9]{3,24};AccountKey=[A-Za-z0-9+\/=]{80,}(\;EndpointSuffix=core\.windows\.net)?\b`
- Azure SAS Token (blob/table/queue/file)
  Regex: `\bsv=\d{4}-\d{2}-\d{2}&ss=[bqtfsr]+&srt=[sc]\w*&sp=[rwdlacupx\-]+&se=\d{4}-\d{2}-\d{2}T\d{2}:\d{2}Z&st=\d{4}-\d{2}-\d{2}T\d{2}:\d{2}Z&spr=https?&sig=[A-Za-z0-9%]+`
- AWS Secret Access Key (pair with Access Key ID hit)
  Regex: `\b(?i:aws)?_?secret(_|)access(_|)key"?\s*[:=]\s*['"][A-Za-z0-9\/+=]{40}['"]`
- AWS Session Token (STS)
  Often begins `IQoJ` and is long base64url.
  Regex: `\bIQoJ[A-Za-z0-9\/+=]{200,}\b`
- GCP Service Account JSON (structural)
  Regex (key fields): `\{\s*"type"\s*:\s*"service_account"\s*,\s*"project_id"\s*:\s*".+?"\s*,\s*"private_key_id"\s*:\s*"[0-9a-f]{40}"\s*,\s*"private_key"\s*:\s*"-----BEGIN PRIVATE KEY-----[\s\S]+?-----END PRIVATE KEY-----"\s*,\s*"client_email"\s*:\s*".+?\.gserviceaccount\.com"`
- Firebase/Google Web API key (same as YouTube/GCP)
  Regex: `\bAIza[0-9A-Za-z\-_]{35}\b`
- Slack tokens
  Bot/User/Legacy: `xox[baprs]-`
  Regex: `\bxox[baprs]-[0-9A-Za-z-]{10,100}\b`
- Slack Webhook
  Regex: `\bhttps://hooks\.slack\.com/services/[A-Z0-9]{9}/[A-Z0-9]{9,}/[A-Za-z0-9]{24,}\b`
- Discord Bot Token
  Format: `\d{18,}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27}`
  Regex: `\b\d{18,}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27}\b`
- Discord Webhook
  Regex: `\bhttps://discord(?:app)?\.com/api/webhooks/\d{16,20}/[A-Za-z0-9_-]{30,}\b`
- Telegram Bot Token
  Regex: `\b\d{8,10}:[A-Za-z0-9_-]{35}\b`
- PagerDuty Integration/Route Key
  Regex: `\b(routing|integration)_key\s*[:=]\s*['"]?[0-9a-f]{32}['"]?\b`
- Sentry DSN
  Regex: `\bhttps?:\/\/[0-9a-f]{32}@[a-z0-9\.-]+\/\d+\b`
- Datadog API Key
  Regex: `\bdatadog(?:_api)?_key\s*[:=]\s*['"]?[0-9a-f]{32}['"]?\b`
- New Relic API Key
  Examples: `NRAK-...` (ingest), `NRII-...` (insights)
  Regex: `\bNR(AK|II|RA)-[A-Za-z0-9]{27}\b`
- SendGrid API Key
  Regex: `\bSG\.[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{16,}\b`
- Mapbox Token
  Regex: `\bsk\.[A-Za-z0-9]{64}\b|\bpk\.[A-Za-z0-9]{60,}\b`
- Okta API Token
  Often 40 chars, many start with `00`.
  Regex: `\b00[0-9a-zA-Z]{38}\b`
Payments & commerce
- Stripe Secret/Publishable/Webhook
  Secret: `sk_live_[0-9A-Za-z]{24}`
  Publishable: `pk_live_[0-9A-Za-z]{24}`
  Webhook Secret: `whsec_[0-9A-Za-z]{28,}`
  Regex: `\bsk_(?:live|test)_[0-9A-Za-z]{24}\b`, `\bpk_(?:live|test)_[0-9A-Za-z]{24}\b`, `\bwhsec_[0-9A-Za-z]{28,}\b`
- Braintree Access Token
  Regex: `\baccess_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}\b`
- Shopify Shared Secret
  Regex (hex 32): `\bshpss_[0-9a-f]{32}\b`
  Admin API token: `\bshpat_[0-9a-f]{32}\b`
CI/CD & Dev tooling
- CircleCI Token
  Regex: `\bCIRCLECI_TOKEN[=:]\s*['"]?[0-9a-f]{40}['"]?\b`
- Travis/JWT-ish Env Secrets
  Regex: `\b(travis|CI)_TOKEN[=:]\s*['"]?[A-Za-z0-9_\-]{20,}['"]?\b`
- Heroku API Key
  Regex: `\bheroku[a-z0-9]{6,}-[A-Za-z0-9]{8}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{12}\b|\b(?i:heroku).*apikey.*['"][0-9a-f]{32}['"]`
- Snyk Token
  Regex: `\b(?i:snyk)_?token\s*[:=]\s*['"]?[a-f0-9]{8}(?:-[a-f0-9]{4}){3}-[a-f0-9]{12}['"]?\b`
Social & comms
- Trello API Key/Token
  Regex: `\b[0-9a-f]{32}\b(?=.*\bTRELLO\b)|\bTRELLO_?(KEY|TOKEN)\s*=\s*[0-9a-zA-Z]{32,64}\b`
- Zoom JWT App Secret
  Regex: `\b(?i:zoom).*(secret|token)\s*[:=]\s*['"][A-Za-z0-9\-_]{32,}['"]`
- WhatsApp Business (Meta) Token
  Regex: `\bEAA[A-Za-z0-9]{20,}\b` (similar to Facebook tokens but broader match)
Databases & connection strings
- PostgreSQL URL
  Regex: `\bpostgres(?:ql)?:\/\/[^:\s\/]+:[^@\s\/]+@[^:\s\/]+:\d+\/[^\s'"]+\b`
- MySQL URL
  Regex: `\bmysql:\/\/[^:\s\/]+:[^@\s\/]+@[^:\s\/]+:\d+\/[^\s'"]+\b`
- MongoDB SRV URL
  Regex: `\bmongodb\+srv:\/\/[^:\s\/]+:[^@\s\/]+@[^\/\s]+\/[^\s'"]+\b`
- Redis URL
  Regex: `\bredis:\/\/:[^@\s]+@[^:\s\/]+:\d+\b`
OAuth, JWTs & generic credentials
- JWT
  Regex: `\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b`
- Basic Auth in URLs
  Regex: `\bhttps?:\/\/[^:\s\/]+:[^@\s\/]+@[^\/\s]+`
- Generic “password/secret/api_key” assignment (use with path/filename allowlists to reduce noise)
  Regex: `(?i)\b(pass(word)?|secret|api[_-]?key|token)\b\s*[:=]\s*['"][^'"]{8,}['"]`
- PEM Private Keys
  RSA: `-----BEGIN RSA PRIVATE KEY-----[\s\S]+?-----END RSA PRIVATE KEY-----`
  PKCS8: `-----BEGIN PRIVATE KEY-----[\s\S]+?-----END PRIVATE KEY-----`
  EC: `-----BEGIN EC PRIVATE KEY-----[\s\S]+?-----END EC PRIVATE KEY-----`
- SSH Private Key
  Regex: `-----BEGIN OPENSSH PRIVATE KEY-----[\s\S]+?-----END OPENSSH PRIVATE KEY-----`
- PGP Private Key
  Regex: `-----BEGIN PGP PRIVATE KEY BLOCK-----[\s\S]+?-----END PGP PRIVATE KEY BLOCK-----`
More provider-specific API tokens
- Dropbox Access Token
  Regex: `\b[A-Za-z0-9_-]{15}AAAAAA[A-Za-z0-9_-]{43}\b`
- DigitalOcean Personal Access Token
  Regex: `\bdo(pat|_token)?[_-]?[A-Za-z0-9]{30,}\b|\b(?i:digitalocean).*(token|key)\s*[:=]\s*['"][A-Za-z0-9]{30,}['"]`
- Linode Token
  Regex: `\b(?i:linode).*(token|key)\s*[:=]\s*['"][A-Za-z0-9_-]{40,}['"]`
- Toggl API Token
  Regex: `\b[0-9a-f]{32}\b(?=.*\bTOGGL\b)`
- Twilio Auth Token
  Regex: `\b(?i:twilio).*?(auth[_-]?token)\s*[:=]\s*['"]?[0-9a-f]{32}['"]?\b`
- Atlassian API Token (email:token)
  Regex: `\b[a-z0-9._%+-]+@(?:atlassian|jira|confluence)[^:]*:[A-Za-z0-9]{24}\b`
- Zendesk API Token
  Regex: `\b(?i:zendesk).*(api[_-]?token)\s*[:=]\s*['"][A-Za-z0-9]{40}['"]`
- Auth0 Client Secret
  Regex: `\b(?i:auth0).*(client[_-]?secret)\s*[:=]\s*['"][A-Za-z0-9\-_]{32,}['"]`
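
A small scanner built from a few of the patterns listed in this issue, added here as an illustration; it is not part of the original issue or the project's code. The sample text, the `GENERIC_SKIP` globs and the function names are constructed assumptions, and the overlap check (dropping a generic hit that only re-reports a provider-specific one) goes slightly beyond what the issue proposes.

```python
import re
from fnmatch import fnmatch

# Provider-specific patterns copied from the list above.
SPECIFIC = {
    "github_classic_pat": r"\bgh[opusr]_[0-9a-zA-Z]{36}\b",
    "slack_token": r"\bxox[baprs]-[0-9A-Za-z-]{10,100}\b",
    "stripe_secret": r"\bsk_(?:live|test)_[0-9A-Za-z]{24}\b",
    "postgres_url": r"\bpostgres(?:ql)?:\/\/[^:\s\/]+:[^@\s\/]+@[^:\s\/]+:\d+\/[^\s'\"]+\b",
}
# The generic assignment pattern from the list, also as written.
GENERIC = r"(?i)\b(pass(word)?|secret|api[_-]?key|token)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]"
# Hypothetical path allowlist: the noisy generic rule is not run on these files.
GENERIC_SKIP = ["tests/*", "docs/*", "*.md"]


def redact(value):
    """Keep only a short prefix so a report never re-leaks the secret."""
    return f"{value[:4]}...({len(value)} chars)"


def scan(path, text):
    """Return sorted (line, rule, redacted_match) findings for one file."""
    hits = []  # (start, end, rule)
    for rule, pattern in SPECIFIC.items():
        hits += [(m.start(), m.end(), rule) for m in re.finditer(pattern, text)]
    if not any(fnmatch(path, glob) for glob in GENERIC_SKIP):
        for m in re.finditer(GENERIC, text):
            # Drop generic hits that overlap a provider-specific one.
            if not any(s < m.end() and m.start() < e for s, e, _ in hits):
                hits.append((m.start(), m.end(), "generic_assignment"))
    return sorted(
        (text.count("\n", 0, s) + 1, rule, redact(text[s:e])) for s, e, rule in hits
    )


# Constructed sample input; none of these values is a real credential.
SAMPLE = "\n".join([
    'token = "ghp_' + "A" * 36 + '"',
    'db = "postgres://app:hunter2pw@db.internal:5432/orders"',
    'password = "correct-horse-battery"',
    "stripe = sk_live_short",  # too short for the Stripe pattern
])

if __name__ == "__main__":
    for finding in scan("src/config.py", SAMPLE):
        print(finding)
```

Because the generic pattern starts with `\b`, it does not fire on names such as `GITHUB_TOKEN`, where `_` is a word character directly before the keyword.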