security-secrets

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

High-signal regex patterns for detecting secrets in codebases.

</overview> <patterns>

用于检测代码库中敏感信息的高可信度正则规则。

</overview> <patterns>

High-Signal Regex Patterns

高可信度正则规则

Secret Type	Pattern	Notes
AWS Access Key	`AKIA[0-9A-Z]{16}`	Always 20 chars, starts AKIA
AWS Secret	`(?i)aws(.{0,20})?['"][0-9a-zA-Z/+]{40}['"]`	40 chars base64-ish
Google API Key	`AIza[0-9A-Za-z\-_]{35}`	39 chars total
Google OAuth	`[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com`	Client ID
Google Service Account	`"type":\s*"service_account"`	In JSON files
GitHub Token	`gh[pousr]_[A-Za-z0-9_]{36,}`	ghp_/gho_/ghu_/ghs_/ghr_
GitHub PAT (fine-grained)	`github_pat_[A-Za-z0-9_]{22,}`	Newer format
GitLab Token	`glpat-[A-Za-z0-9\-]{20,}`	Personal access token
Stripe Secret	`sk_(live	test)_[0-9a-zA-Z]{24,}`
Stripe Restricted	`rk_(live	test)_[0-9a-zA-Z]{24,}`
Stripe Publishable	`pk_(live	test)_[0-9a-zA-Z]{24,}`
Slack Bot Token	`xoxb-[A-Za-z0-9-]+`	Bot token
Slack User Token	`xoxp-[A-Za-z0-9-]+`	User token
Slack Workflow Token	`xwfp-[A-Za-z0-9-]+`	Workflow token
Slack App Token	`xapp-[A-Za-z0-9-]+`	App-level token
Slack Webhook	`https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[a-zA-Z0-9]+`
Discord Token	`[MN][A-Za-z\d]{23,}\.[\w-]{6}\.[\w-]{27}`	Bot token
Discord Webhook	`https://discord\.com/api/webhooks/[0-9]+/[A-Za-z0-9_-]+`
OpenAI Key	`sk-[A-Za-z0-9]{48}`	API key
Anthropic Key	`sk-ant-[A-Za-z0-9\-]{32,}`	API key
Twilio	`SK[a-z0-9]{32}`	API key SID
SendGrid	`SG\.[a-zA-Z0-9]{22}\.[a-zA-Z0-9]{43}`	API key
Mailgun	`key-[0-9a-zA-Z]{32}`	API key
Mailchimp	`[a-f0-9]{32}-us[0-9]{1,2}`	API key
Firebase	`(?i)firebase[a-z0-9\-]+\.firebaseio\.com`	Database URL
Supabase	`eyJ[A-Za-z0-9_-]\.[A-Za-z0-9_-]\.[A-Za-z0-9_-]*`	JWT (check context)
Heroku	`[hH]eroku.*[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}`	API key
NPM Token	`npm_[A-Za-z0-9]{36}`	Publish token
PyPI Token	`pypi-[A-Za-z0-9_-]{50,}`	Upload token
Private Key	`-----BEGIN (RSA	EC
Database URL	`(?i)(postgres	mysql
Password in URL	`[a-zA-Z]{3,15}://[^/\\:@]+:[^/\\:@]+@.{1,100}`	Basic auth
JWT Secret	`(?i)(jwt[_-]?secret	token[_-]?secret)['"]?\s[:=]\s['"][^'"]+['"]`
Generic Secret	`(?i)(password	passwd

</patterns> <commands>

敏感信息类型	Pattern	说明
AWS Access Key	`AKIA[0-9A-Z]{16}`	固定20个字符，以AKIA开头
AWS Secret	`(?i)aws(.{0,20})?['"][0-9a-zA-Z/+]{40}['"]`	40个字符的类base64格式
Google API Key	`AIza[0-9A-Za-z\-_]{35}`	总计39个字符
Google OAuth	`[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com`	客户端ID
Google Service Account	`"type":\s*"service_account"`	存在于JSON文件中
GitHub Token	`gh[pousr]_[A-Za-z0-9_]{36,}`	格式为ghp_/gho_/ghu_/ghs_/ghr_
GitHub PAT (fine-grained)	`github_pat_[A-Za-z0-9_]{22,}`	较新的格式
GitLab Token	`glpat-[A-Za-z0-9\-]{20,}`	个人访问令牌
Stripe Secret	`sk_(live	test)_[0-9a-zA-Z]{24,}`
Stripe Restricted	`rk_(live	test)_[0-9a-zA-Z]{24,}`
Stripe Publishable	`pk_(live	test)_[0-9a-zA-Z]{24,}`
Slack Bot Token	`xoxb-[A-Za-z0-9-]+`	机器人令牌
Slack User Token	`xoxp-[A-Za-z0-9-]+`	用户令牌
Slack Workflow Token	`xwfp-[A-Za-z0-9-]+`	工作流令牌
Slack App Token	`xapp-[A-Za-z0-9-]+`	应用级令牌
Slack Webhook	`https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[a-zA-Z0-9]+`
Discord Token	`[MN][A-Za-z\d]{23,}\.[\w-]{6}\.[\w-]{27}`	机器人令牌
Discord Webhook	`https://discord\.com/api/webhooks/[0-9]+/[A-Za-z0-9_-]+`
OpenAI Key	`sk-[A-Za-z0-9]{48}`	API密钥
Anthropic Key	`sk-ant-[A-Za-z0-9\-]{32,}`	API密钥
Twilio	`SK[a-z0-9]{32}`	API密钥SID
SendGrid	`SG\.[a-zA-Z0-9]{22}\.[a-zA-Z0-9]{43}`	API密钥
Mailgun	`key-[0-9a-zA-Z]{32}`	API密钥
Mailchimp	`[a-f0-9]{32}-us[0-9]{1,2}`	API密钥
Firebase	`(?i)firebase[a-z0-9\-]+\.firebaseio\.com`	数据库URL
Supabase	`eyJ[A-Za-z0-9_-]\.[A-Za-z0-9_-]\.[A-Za-z0-9_-]*`	JWT（需结合上下文判断）
Heroku	`[hH]eroku.*[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}`	API密钥
NPM Token	`npm_[A-Za-z0-9]{36}`	发布令牌
PyPI Token	`pypi-[A-Za-z0-9_-]{50,}`	上传令牌
Private Key	`-----BEGIN (RSA	EC
Database URL	`(?i)(postgres	mysql
Password in URL	`[a-zA-Z]{3,15}://[^/\\:@]+:[^/\\:@]+@.{1,100}`	基础认证
JWT Secret	`(?i)(jwt[_-]?secret	token[_-]?secret)['"]?\s[:=]\s['"][^'"]+['"]`
Generic Secret	`(?i)(password	passwd

</patterns> <commands>

CLI Scanning Commands

CLI扫描命令

bash

undefined

bash

undefined

Quick grep scan (fast, high signal)

rg -n "(AKIA[0-9A-Z]{16}|sk_(live|test)|rk(live|test)|pk(live|test)|xox[baprs]-|xapp-|xwfp-|gh[pousr]|github_pat_)" . rg -n "BEGIN (RSA|EC|OPENSSH|DSA|PGP) PRIVATE KEY" . rg -n "(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['"][^'"]{8,}" .

Dedicated scanners (thorough)

gitleaks detect --source . --redact --no-git semgrep scan --config p/secrets --error trufflehog filesystem . --only-verified


</commands>

<priority_files>

gitleaks detect --source . --redact --no-git semgrep scan --config p/secrets --error trufflehog filesystem . --only-verified


</commands>

<priority_files>

Files to Prioritize

优先扫描文件

File Pattern	Risk Level	Why
`.env*`	CRITICAL	Often contains all secrets
`config.js/ts/json`	HIGH	App configuration
`secret` , `credential`	HIGH	Named suspiciously
`docker-compose*.yml`	HIGH	DB passwords, service creds
`.github/workflows/*.yml`	HIGH	CI/CD secrets
`test` , `spec` , `fixture`	MEDIUM	Test data with real creds
`.pem` , `.key` , `*.p12`	CRITICAL	Private keys

</priority_files>

<rules>

文件规则	风险等级	原因
`.env*`	CRITICAL	通常包含所有敏感信息
`config.js/ts/json`	HIGH	应用配置文件
`secret` , `credential`	HIGH	文件名称存疑
`docker-compose*.yml`	HIGH	包含数据库密码、服务凭证
`.github/workflows/*.yml`	HIGH	CI/CD中的敏感信息
`test` , `spec` , `fixture`	MEDIUM	测试数据中可能包含真实凭证
`.pem` , `.key` , `*.p12`	CRITICAL	私钥文件

</priority_files>

<rules>

Redaction Format

脱敏格式

When reporting secrets, MUST always redact:

Original: AKIAIOSFODNN7EXAMPLE
Redacted: AKIA****...****MPLE

Original: sk_test_XXXXYYYYZZZZ11112222
Redacted: sk_****...****2222

Show first 4 + last 4 characters only. MUST instruct immediate rotation.

</rules>

上报敏感信息时，必须按照以下格式脱敏：

Original: AKIAIOSFODNN7EXAMPLE
Redacted: AKIA****...****MPLE

Original: sk_test_XXXXYYYYZZZZ11112222
Redacted: sk_****...****2222

仅显示前4位和后4位字符。必须提示立即轮换敏感信息。

</rules>