diff --git a/README.md b/README.md
index 9f2acb0..16ad5f1 100644
--- a/README.md
+++ b/README.md
@@ -101,6 +101,12 @@ Custom Secret Scanning Patterns repository.
- IBAN
- Norwegian national identity number/D number
+
+- US Social Security number
+
+- US Individual Taxpayer Identification Number (ITIN)
+
+- UK National Insurance Number
### [RSA Keys](./rsa)
@@ -206,4 +212,14 @@ Custom Secret Scanning Patterns repository.
- Azure Shared Access Signature (SAS) Token
- CircleCI API token
+
+- AWS Key ID (standalone)
+
+- Azure generic key
+
+- Azure generic key (legacy)
+
+- AWS Bedrock API Key
+
+- AWS Bedrock API Key (2)
\ No newline at end of file
diff --git a/configs/README.md b/configs/README.md
index 5fbbc22..eb5c3ae 100644
--- a/configs/README.md
+++ b/configs/README.md
@@ -639,7 +639,7 @@ Add these additional matches to the [Secret Scanning Custom Pattern](https://doc
- Not Match:
```regex
- ^(/|file:///|https?://[A-Za-z]:/)[A-Za-z0-9._-]{3,}+(/[a-z._-]{1,}){2,}/?$
+ ^(/|file:///|https?://[A-Za-z]:/)[A-Za-z0-9._-]{3,}(/[a-z._-]{1,}){2,}/?$
```
diff --git a/configs/patterns.yml b/configs/patterns.yml
index 8e34745..7b73d4a 100644
--- a/configs/patterns.yml
+++ b/configs/patterns.yml
@@ -327,7 +327,7 @@ patterns:
# non-secret related content
- ^(?i)(true|false|y(es)?|no?|on|off|0|1|nill|null|none|(\\x[a-f0-9]{2})+)$
# a path
- - '^(/|file:///|https?://[A-Za-z]:/)[A-Za-z0-9._-]{3,}+(/[a-z._-]{1,}){2,}/?$'
+ - '^(/|file:///|https?://[A-Za-z]:/)[A-Za-z0-9._-]{3,}(/[a-z._-]{1,}){2,}/?$'
comments:
- "Looks for secrets in the format of `SECRET=secret` at the start of a line, possibly with an `ENV ` or `export ` prefix"
- "Allows no whitespace in the secret, to cut false positives"
diff --git a/pii/README.md b/pii/README.md
index ce0c639..37dd5ac 100644
--- a/pii/README.md
+++ b/pii/README.md
@@ -233,4 +233,159 @@ Add these additional matches to the [Secret Scanning Custom Pattern](https://doc
1111111111[123]|11112222333|01123456978|410185 ?123 ?45|220676 ?123 ?45|01010202010|01010101023
```
+
+
+## US Social Security number
+
+
+
+_version: v0.1_
+
+**Comments / Notes:**
+
+
+- There is no checksum, so where this produces false positives there is no reliable way to filter them out with post-processing
+
+- This can produce false positives, since it doesn't check for all known-invalid numbers
+
+- Examples include 123-45-6789 and 078-05-1120 - the latter is ignored already
+
+
+
+Pattern Format
+
+```regex
+(?P00[1-9]|0[1-9][0-9]|[1-8][0-9][0-9])-(?P0[1-9]|[1-9][0-9])-(?P[0-9]{4})
+```
+
+
+
+
+Start Pattern
+
+```regex
+\A|[^0-9A-Za-z_-]
+```
+
+
+End Pattern
+
+```regex
+\z|[^0-9A-Za-z_-]
+```
+
+
+
+
+Additional Matches
+
+Add these additional matches to the [Secret Scanning Custom Pattern](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#example-of-a-custom-pattern-specified-using-additional-requirements).
+
+
+- Not Match:
+
+ ```regex
+ ^666-.*$
+ ```
+- Not Match:
+
+ ```regex
+ ^.*-0000$
+ ```
+- Not Match:
+
+ ```regex
+ ^078-05-1120$
+ ```
+
+
+
+## US Individual Taxpayer Identification Number (ITIN)
+
+
+
+_version: v0.1_
+
+**Comments / Notes:**
+
+
+- This can produce false positives, since it doesn't check for all known-invalid numbers
+
+- There is no checksum, so where this produces false positives there is no reliable way to filter them out with post-processing
+
+
+
+Pattern Format
+
+```regex
+9[0-9][0-9]-(?:5[0-9]|6[0-5]|7[0-9]|8[0-8]|9[0-24-9])-[0-9]{4}
+```
+
+
+
+
+Start Pattern
+
+```regex
+\A|[^0-9A-Za-z_-]
+```
+
+
+End Pattern
+
+```regex
+\z|[^0-9A-Za-z_-]
+```
+
+
+
+## UK National Insurance Number
+
+
+
+_version: v0.1_
+
+**Comments / Notes:**
+
+
+- There is no checksum, so where this produces false positives there is no reliable way to filter them out with post-processing
+
+
+
+Pattern Format
+
+```regex
+[A-Z]{2} ?[0-9]{2} ?[0-9]{2} ?[0-9]{2} ?[A-D]
+```
+
+
+
+
+Start Pattern
+
+```regex
+\A|[^0-9A-Za-z]
+```
+
+
+End Pattern
+
+```regex
+\z|[^0-9A-Za-z]
+```
+
+
+
+
+Additional Matches
+
+Add these additional matches to the [Secret Scanning Custom Pattern](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#example-of-a-custom-pattern-specified-using-additional-requirements).
+
+
+- Not Match:
+
+ ```regex
+ ^QQ ?12 ?34 ?56 ?[A-D]$
+ ```
+
\ No newline at end of file
diff --git a/pii/patterns.yml b/pii/patterns.yml
index f092404..61a4f2a 100644
--- a/pii/patterns.yml
+++ b/pii/patterns.yml
@@ -257,3 +257,63 @@ patterns:
- With no validation of the checksum this can cause a lot of false positives
- The example test data does not have a valid checksum - it is one of the examples used with one digit in the checksum changed
- You can test using the correct checksum, but it is used as a NOT match here to prevent false positives on other test data
+
+ - name: US Social Security number
+ type: us_ssn
+ regex:
+ pattern: |
+ (?P00[1-9]|0[1-9][0-9]|[1-8][0-9][0-9])-(?P0[1-9]|[1-9][0-9])-(?P[0-9]{4})
+ start: |
+ \A|[^0-9A-Za-z_-]
+ end: |
+ \z|[^0-9A-Za-z_-]
+ additional_not_match:
+ - ^666-.*$
+ - ^.*-0000$
+ - ^078-05-1120$
+ test:
+ data: |
+ 123-45-6789
+ start_offset: 0
+ end_offset: 11
+ comments:
+ - There is no checksum, so where this produces false positives there is no reliable way to filter them out with post-processing
+ - This can produce false positives, since it doesn't check for all known-invalid numbers
+ - Examples include 123-45-6789 and 078-05-1120 - the latter is ignored already
+
+ - name: US Individual Taxpayer Identification Number (ITIN)
+ type: us_itin
+ regex:
+ pattern: |
+ 9[0-9][0-9]-(?:5[0-9]|6[0-5]|7[0-9]|8[0-8]|9[0-24-9])-[0-9]{4}
+ start: |
+ \A|[^0-9A-Za-z_-]
+ end: |
+ \z|[^0-9A-Za-z_-]
+ test:
+ data: |
+ 912-70-1234
+ start_offset: 0
+ end_offset: 11
+ comments:
+ - This can produce false positives, since it doesn't check for all known-invalid numbers
+ - There is no checksum, so where this produces false positives there is no reliable way to filter them out with post-processing
+
+ - name: UK National Insurance Number
+ type: uk_national_insurance_number
+ regex:
+ pattern: |
+ [A-Z]{2} ?[0-9]{2} ?[0-9]{2} ?[0-9]{2} ?[A-D]
+ start: |
+ \A|[^0-9A-Za-z]
+ end: |
+ \z|[^0-9A-Za-z]
+ additional_not_match:
+ - ^QQ ?12 ?34 ?56 ?[A-D]$
+ test:
+ data: |
+ QQ012345C
+ start_offset: 0
+ end_offset: 9
+ comments:
+ - There is no checksum, so where this produces false positives there is no reliable way to filter them out with post-processing
diff --git a/vendors/README.md b/vendors/README.md
index eed07b4..3a3ea23 100644
--- a/vendors/README.md
+++ b/vendors/README.md
@@ -1550,4 +1550,231 @@ _version: v0.1_
['"`\r\n,]|\z
```
+
+
+## AWS Key ID (standalone)
+
+
+AWS Key ID not confirmed. to be paired with a secret key
+_version: v0.1_
+
+**Comments / Notes:**
+
+
+- This rule detects AWS Key IDs without any attempt to pair them with a secret key.
+
+- This adds to the risk of false positives, so we exclude any Key IDs that end with 'EXAMPLE' which are often used in documentation and sample code.
+
+- The built-in detection for AWS Key ID + Secret Key pairs should be preferred where possible, but this can provide push protection blocking in cases where only the Key ID is present.
+
+
+
+Pattern Format
+
+```regex
+(?:A3T[A-Z0-9]|A(?:[KBS]I|CC|GP|I[DP]|N[PV]|PK|RO|SC)A)[A-Z2-7]{16}
+```
+
+
+
+
+Start Pattern
+
+```regex
+\A|[^0-9A-Za-z+/_-]
+```
+
+
+End Pattern
+
+```regex
+\z|[^0-9A-Za-z=%+/_-]
+```
+
+
+
+
+Additional Matches
+
+Add these additional matches to the [Secret Scanning Custom Pattern](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#example-of-a-custom-pattern-specified-using-additional-requirements).
+
+
+- Not Match:
+
+ ```regex
+ ^.*EXAMPLE$
+ ```
+
+
+
+## Azure generic key
+
+
+Azure generic key - imprecise detection that does not tell you which service is affected
+_version: v0.1_
+
+**Comments / Notes:**
+
+
+- This is an imprecise detection for Azure keys that does not identify which Azure service the key is for.
+
+- Prefer using built-in more-specific rules for Azure services where possible.
+
+- This is useful for older versions of Enterprise Server that do not already have this detection.
+
+
+
+Pattern Format
+
+```regex
+[A-Za-z0-9]{52}JQQJ99[AB][A-Za-z0-9]AC[A-Za-z0-9]{10}AAA[A-Za-z0-9]{9}
+```
+
+
+
+
+Start Pattern
+
+```regex
+\A|[^A-Za-z0-9/+]
+```
+
+
+End Pattern
+
+```regex
+\z|[^A-Za-z0-9/+=]
+```
+
+
+
+## Azure generic key (legacy)
+
+
+Azure generic key - legacy format without internal identifiable features
+_version: v0.1_
+
+**Comments / Notes:**
+
+
+- This is an imprecise detection for Azure keys that does not identify which Azure service the key is for.
+
+- The key lacks internal identifiable features, which are used in modern keys issued by these Azure services.
+
+
+
+Pattern Format
+
+```regex
+[a-f0-9]{32}
+```
+
+
+
+
+Start Pattern
+
+```regex
+(?i)(?:Ocp-Apim-Subscription-Key: |Ocp-Apim-Subscription-Key=|OcpApimSubscriptionKey=|Subscription-Key=)
+```
+
+
+End Pattern
+
+```regex
+\z|[^A-Za-z0-9/+=]
+```
+
+
+
+## AWS Bedrock API Key
+
+
+AWS Bedrock API Key - automatic username
+_version: v0.1_
+
+**Comments / Notes:**
+
+
+- AWS Bedrock API Keys start with the prefix 'ABSKQmVkcm9ja0FQSUtleS' followed by a base64-encoded string.
+
+- Matches AWS Bedrock keys that have an auto-generated 'BedrockAPIKey-' username.
+
+
+
+Pattern Format
+
+```regex
+ABSKQmVkcm9ja0FQSUtleS[A-Za-z0-9+/]{2}(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?
+```
+
+
+
+
+Start Pattern
+
+```regex
+\A|[^A-Za-z0-9/+]
+```
+
+
+End Pattern
+
+```regex
+\z|[^A-Za-z0-9/+=]
+```
+
+
+
+## AWS Bedrock API Key (2)
+
+
+AWS Bedrock API Key - manual username
+_version: v0.1_
+
+**Comments / Notes:**
+
+
+- AWS Bedrock API Keys start with the prefix 'ABSK' followed by a base64-encoded string.
+
+- This rule matches an alternative format of AWS Bedrock API Keys that do not have the auto-generated 'BedrockAPIKey-' username.
+
+
+
+Pattern Format
+
+```regex
+ABSK(?:[A-Za-z0-9+/]{4}){26,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?
+```
+
+
+
+
+Start Pattern
+
+```regex
+\A|[^A-Za-z0-9/+]
+```
+
+
+End Pattern
+
+```regex
+\z|[^A-Za-z0-9/+=]
+```
+
+
+
+
+Additional Matches
+
+Add these additional matches to the [Secret Scanning Custom Pattern](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#example-of-a-custom-pattern-specified-using-additional-requirements).
+
+
+- Not Match:
+
+ ```regex
+ ^ABSKQmVkcm9ja0FQSUtleS
+ ```
+
\ No newline at end of file
diff --git a/vendors/patterns.yml b/vendors/patterns.yml
index a6bc114..b258ed1 100644
--- a/vendors/patterns.yml
+++ b/vendors/patterns.yml
@@ -741,3 +741,104 @@ patterns:
circle_ci_api_token: "0123456789abcdef0123456789abcdef01234567"
start_offset: 22
end_offset: 62
+
+ - name: AWS Key ID (standalone)
+ type: aws_key_id_standalone
+ description: AWS Key ID not confirmed. to be paired with a secret key
+ regex:
+ pattern: |
+ (?:A3T[A-Z0-9]|A(?:[KBS]I|CC|GP|I[DP]|N[PV]|PK|RO|SC)A)[A-Z2-7]{16}
+ start: |
+ \A|[^0-9A-Za-z+/_-]
+ end: |
+ \z|[^0-9A-Za-z=%+/_-]
+ additional_not_match:
+ - ^.*EXAMPLE$
+ test:
+ data: |
+ AWS_ACCESS_KEY_ID=AKIAIOSFODNN7AAAAAAA
+ start_offset: 18
+ end_offset: 38
+ comments:
+ - "This rule detects AWS Key IDs without any attempt to pair them with a secret key."
+ - "This adds to the risk of false positives, so we exclude any Key IDs that end with 'EXAMPLE' which are often used in documentation and sample code."
+ - "The built-in detection for AWS Key ID + Secret Key pairs should be preferred where possible, but this can provide push protection blocking in cases where only the Key ID is present."
+
+ - name: Azure generic key
+ type: azure_generic_key
+ description: Azure generic key - imprecise detection that does not tell you which service is affected
+ regex:
+ pattern: |
+ [A-Za-z0-9]{52}JQQJ99[AB][A-Za-z0-9]AC[A-Za-z0-9]{10}AAA[A-Za-z0-9]{9}
+ start: |
+ \A|[^A-Za-z0-9/+]
+ end: |
+ \z|[^A-Za-z0-9/+=]
+ test:
+ data: |
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJQQJ99AAAC0123456789AAA012345678
+ start_offset: 0
+ end_offset: 84
+ comments:
+ - "This is an imprecise detection for Azure keys that does not identify which Azure service the key is for."
+ - "Prefer using built-in more-specific rules for Azure services where possible."
+ - "This is useful for older versions of Enterprise Server that do not already have this detection."
+
+ - name: Azure generic key (legacy)
+ type: azure_generic_key_legacy
+ description: Azure generic key - legacy format without internal identifiable features
+ regex:
+ pattern: |
+ [a-f0-9]{32}
+ start: |
+ (?i)(?:Ocp-Apim-Subscription-Key: |Ocp-Apim-Subscription-Key=|OcpApimSubscriptionKey=|Subscription-Key=)
+ end: |
+ \z|[^A-Za-z0-9/+=]
+ test:
+ data: |
+ Ocp-Apim-Subscription-Key=0123456789abcdef0123456789abcdef
+ start_offset: 26
+ end_offset: 58
+ comments:
+ - "This is an imprecise detection for Azure keys that does not identify which Azure service the key is for."
+ - "The key lacks internal identifiable features, which are used in modern keys issued by these Azure services."
+
+ - name: AWS Bedrock API Key
+ type: aws_bedrock_api_key
+ description: AWS Bedrock API Key - automatic username
+ regex:
+ pattern: |
+ ABSKQmVkcm9ja0FQSUtleS[A-Za-z0-9+/]{2}(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?
+ start: |
+ \A|[^A-Za-z0-9/+]
+ end: |
+ \z|[^A-Za-z0-9/+=]
+ test:
+ data: |
+ BedrockApiKey=ABSKQmVkcm9ja0FQSUtleSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ start_offset: 14
+ end_offset: 82
+ comments:
+ - "AWS Bedrock API Keys start with the prefix 'ABSKQmVkcm9ja0FQSUtleS' followed by a base64-encoded string."
+ - "Matches AWS Bedrock keys that have an auto-generated 'BedrockAPIKey-' username."
+
+ - name: AWS Bedrock API Key (2)
+ type: aws_bedrock_api_key_2
+ description: AWS Bedrock API Key - manual username
+ regex:
+ pattern: |
+ ABSK(?:[A-Za-z0-9+/]{4}){26,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?
+ start: |
+ \A|[^A-Za-z0-9/+]
+ end: |
+ \z|[^A-Za-z0-9/+=]
+ additional_not_match:
+ - ^ABSKQmVkcm9ja0FQSUtleS
+ test:
+ data: |
+ bedrock_api_key: ABSKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ start_offset: 17
+ end_offset: 189
+ comments:
+ - "AWS Bedrock API Keys start with the prefix 'ABSK' followed by a base64-encoded string."
+ - "This rule matches an alternative format of AWS Bedrock API Keys that do not have the auto-generated 'BedrockAPIKey-' username."