Vibecosystem secret-patterns
30+ service-specific secret detection regex patterns, entropy-based detection, PEM/JWT/Base64 identification, and false positive filtering.
install
source · Clone the upstream repo
git clone https://github.com/vibeeval/vibecosystem
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/vibeeval/vibecosystem "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/secret-patterns" ~/.claude/skills/vibeeval-vibecosystem-secret-patterns && rm -rf "$T"
manifest:
skills/secret-patterns/SKILL.mdsource content
Secret Detection Patterns
Patterns for finding leaked credentials in codebases, git history, and CI logs.
AWS Credentials
# Access Key ID: always starts with AKIA (long-term) or ASIA (session) AKIA[0-9A-Z]{16} ASIA[0-9A-Z]{16} # Secret Access Key: 40-char base64-ish string after aws_secret aws_secret_access_key\s*=\s*[A-Za-z0-9/+=]{40} # ripgrep one-liner rg --no-heading -n '(AKIA|ASIA)[0-9A-Z]{16}' .
GitHub Tokens
# Personal access tokens (classic and fine-grained) ghp_[A-Za-z0-9]{36} github_pat_[A-Za-z0-9_]{82} # OAuth / app tokens gho_[A-Za-z0-9]{36} ghs_[A-Za-z0-9]{36} ghu_[A-Za-z0-9]{36} ghr_[A-Za-z0-9]{36} rg --no-heading -n 'gh[pousr]_[A-Za-z0-9]{36}' .
Stripe Keys
# Live secret (never commit) sk_live_[A-Za-z0-9]{24,} # Test secret (flag but lower severity) sk_test_[A-Za-z0-9]{24,} # Publishable keys (public, lower severity) pk_live_[A-Za-z0-9]{24,} pk_test_[A-Za-z0-9]{24,} rg --no-heading -n 'sk_(live|test)_[A-Za-z0-9]{24,}' .
OpenAI / Anthropic Keys
# OpenAI sk-proj-[A-Za-z0-9\-_]{50,} sk-[A-Za-z0-9]{48} # Anthropic sk-ant-[A-Za-z0-9\-_]{90,} rg --no-heading -n '(sk-proj-|sk-ant-)' .
JWT Tokens
# Three base64url segments separated by dots eyJ[A-Za-z0-9\-_]+\.eyJ[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+ # Decode header to verify (Python) import base64, json header = token.split('.')[0] + '==' print(json.loads(base64.urlsafe_b64decode(header)))
PEM Private Keys
# RSA, EC, OpenSSH private keys -----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY----- rg --no-heading -n '\-\-\-\-\-BEGIN.+PRIVATE KEY' . # Also catch generic PEM blocks -----BEGIN CERTIFICATE----- -----BEGIN PGP PRIVATE KEY BLOCK-----
Slack Tokens
xoxb-[0-9]{11,}-[0-9]{11,}-[A-Za-z0-9]{24} # Bot token xoxp-[0-9]{11,}-[0-9]{11,}-[A-Za-z0-9]{32} # User token xoxe\.[A-Za-z0-9\-_]{80,} # Enterprise grid xoxs-[A-Za-z0-9\-]{80,} # SCIM token rg --no-heading -n 'xox[bpse][-.]' .
Database Connection Strings
# PostgreSQL postgres(ql)?://[^:]+:[^@]+@[^/]+/\S+ postgresql\+asyncpg://[^:]+:[^@]+@ # MongoDB mongodb(\+srv)?://[^:]+:[^@]+@ # MySQL / MariaDB mysql://[^:]+:[^@]+@ rg --no-heading -n '(postgres|mongodb|mysql)://\S+:\S+@' .
NPM, SendGrid, Twilio, Mailgun
# NPM publish token npm_[A-Za-z0-9]{36} # SendGrid SG\.[A-Za-z0-9\-_]{22}\.[A-Za-z0-9\-_]{43} # Twilio account SID + auth token AC[0-9a-f]{32} # Account SID SK[0-9a-f]{32} # API Key SID # Mailgun API key key-[A-Za-z0-9]{32} rg --no-heading -n '(npm_[A-Za-z0-9]{36}|SG\.[A-Za-z0-9_-]{22}\.)' .
SSH Private Keys
-----BEGIN OPENSSH PRIVATE KEY----- -----BEGIN RSA PRIVATE KEY----- -----BEGIN EC PRIVATE KEY----- -----BEGIN DSA PRIVATE KEY-----
Google Service Account JSON
// Detect the "type": "service_account" JSON pattern rg --no-heading -n '"type"\s*:\s*"service_account"' . // Or the private_key field rg --no-heading -n '"private_key"\s*:\s*"-----BEGIN' .
High-Entropy String Detection (Shannon Entropy)
import math from collections import Counter def shannon_entropy(s: str) -> float: if not s: return 0.0 freq = Counter(s) length = len(s) return -sum((c / length) * math.log2(c / length) for c in freq.values()) def is_high_entropy_secret(value: str, threshold: float = 4.5) -> bool: # Ignore short strings and common words if len(value) < 20: return False return shannon_entropy(value) > threshold # Example usage candidates = [ "AKIAIOSFODNN7EXAMPLE", # entropy ~4.1 (low, example key) "wJalrXUtnFEMI/K7MDENG/bPxRfi", # entropy ~4.7 (real secret) "my-password-123", # entropy ~3.8 (low) ] for c in candidates: print(f"{c[:20]}... entropy={shannon_entropy(c):.2f} secret={is_high_entropy_secret(c)}")
False Positive Filtering Rules
FALSE_POSITIVE_PATHS = [ r'test[s]?/', r'__tests__/', r'spec/', r'fixtures/', r'examples/', r'docs/', r'\.md$', r'CHANGELOG', r'README', ] FALSE_POSITIVE_VALUES = [ 'example', 'placeholder', 'your_key_here', 'INSERT_KEY', 'REPLACE_ME', 'xxxx', '1234', 'test', 'dummy', 'fake', ] def is_false_positive(path: str, value: str) -> bool: import re for pattern in FALSE_POSITIVE_PATHS: if re.search(pattern, path, re.IGNORECASE): return True lower = value.lower() return any(fp in lower for fp in FALSE_POSITIVE_VALUES)
Pre-commit Hook Integration
# .pre-commit-config.yaml repos: - repo: https://github.com/gitleaks/gitleaks rev: v8.18.4 hooks: - id: gitleaks - repo: https://github.com/trufflesecurity/trufflehog rev: v3.63.5 hooks: - id: trufflehog entry: trufflehog git file://. --since-commit HEAD --only-verified --fail
# Manual scan of full git history gitleaks detect --source . --log-opts="--all" # TruffleHog targeted scan trufflehog git https://github.com/org/repo --only-verified # ripgrep composite scan (fast, no install) rg --no-heading -n \ '(AKIA|ASIA|ghp_|sk_live_|sk-proj-|sk-ant-|xoxb-|npm_|SG\.|-----BEGIN.+PRIVATE)' \ --glob '!{node_modules,dist,.git}' .
Key rule: Any match outside
test/docs/examples/