regex-pack.json
{
"_version": 1,
"_updatedAt": "2026-05-05",
"secrets": [
{"name":"AWS Access Key","pattern":"AKIA[0-9A-Z]{16}","flags":"g","severity":"critical"},
{"name":"AWS Temp Access Key","pattern":"ASIA[0-9A-Z]{16}","flags":"g","severity":"critical"},
{"name":"AWS Secret Key","pattern":"(?:aws_secret_access_key|AWS_SECRET)\\s*[:=]\\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?","flags":"gi","severity":"critical","extract":1},
{"name":"AWS ARN","pattern":"arn:aws:[a-z0-9-]+:[a-z0-9-]*:\\d{12}:[a-zA-Z0-9/_-]+","flags":"g","severity":"medium"},
{"name":"Google API Key","pattern":"AIza[0-9A-Za-z_-]{35}","flags":"g","severity":"high"},
{"name":"Google OAuth ID","pattern":"[0-9]+-[0-9A-Za-z_]{32}\\.apps\\.googleusercontent\\.com","flags":"g","severity":"high"},
{"name":"Google OAuth Secret","pattern":"GOCSPX-[A-Za-z0-9_-]{28}","flags":"g","severity":"critical"},
{"name":"Firebase Config","pattern":"firebaseConfig\\s*=\\s*\\{[^}]+\\}","flags":"gs","severity":"medium"},
{"name":"Firebase URL","pattern":"https://[a-z0-9-]+\\.firebaseio\\.com","flags":"g","severity":"medium"},
{"name":"Slack Bot Token","pattern":"xoxb-[0-9A-Za-z-]{10,}","flags":"g","severity":"critical"},
{"name":"Slack User Token","pattern":"xoxp-[0-9A-Za-z-]{10,}","flags":"g","severity":"critical"},
{"name":"Slack Token (legacy)","pattern":"xox[ors]-[0-9A-Za-z-]{10,}","flags":"g","severity":"critical"},
{"name":"Slack Webhook","pattern":"https://hooks\\.slack\\.com/services/[A-Za-z0-9/]+","flags":"g","severity":"high"},
{"name":"GitHub Token","pattern":"gh[ps]_[A-Za-z0-9_]{36,}","flags":"g","severity":"critical"},
{"name":"GitHub Server Token","pattern":"ghs_[A-Za-z0-9]{36,}","flags":"g","severity":"critical"},
{"name":"GitHub User Token","pattern":"gho_[A-Za-z0-9]{36,}","flags":"g","severity":"critical"},
{"name":"GitHub Fine-grained","pattern":"github_pat_[A-Za-z0-9_]{22,}","flags":"g","severity":"critical"},
{"name":"GitLab Token","pattern":"glpat-[A-Za-z0-9_-]{20,}","flags":"g","severity":"critical"},
{"name":"Azure Account Key","pattern":"(?:AccountKey|SharedAccessKey)\\s*=\\s*([A-Za-z0-9+/=]{40,})","flags":"g","severity":"critical","extract":1},
{"name":"Azure SAS","pattern":"(?:sv=\\d{4}-\\d{2}-\\d{2}&[^'\"\\s]{20,}|sig=[A-Za-z0-9%+/=]{20,})","flags":"g","severity":"high"},
{"name":"DigitalOcean Token","pattern":"dop_v1_[a-f0-9]{64}","flags":"g","severity":"critical"},
{"name":"Cloudflare Legacy Token","pattern":"v1\\.0-[a-f0-9]{40}","flags":"g","severity":"critical"},
{"name":"Cloudflare API Token","pattern":"(?:CLOUDFLARE_API_TOKEN|cf_api_token|cf-api-token)\\s*[=:]\\s*['\"]?([A-Za-z0-9_-]{40,})['\"]?","flags":"gi","severity":"critical","extract":1},
{"name":"Stripe Secret","pattern":"sk_(?:live|test)_[A-Za-z0-9]{20,}","flags":"g","severity":"critical"},
{"name":"Stripe Publishable","pattern":"pk_(?:live|test)_[A-Za-z0-9]{20,}","flags":"g","severity":"high"},
{"name":"Stripe Restricted","pattern":"rk_(?:live|test)_[A-Za-z0-9]{20,}","flags":"g","severity":"critical"},
{"name":"Square Token","pattern":"sq0atp-[A-Za-z0-9_-]{22,}","flags":"g","severity":"critical"},
{"name":"PayPal Braintree","pattern":"access_token\\$(?:production|sandbox)\\$[a-z0-9]{16}\\$[a-f0-9]{32}","flags":"g","severity":"critical"},
{"name":"SendGrid Key","pattern":"SG\\.[A-Za-z0-9_-]{22}\\.[A-Za-z0-9_-]{43}","flags":"g","severity":"critical"},
{"name":"Mailgun Key","pattern":"key-[0-9a-zA-Z]{32}","flags":"g","severity":"high"},
{"name":"Postmark Token","pattern":"(?:postmark[_-]?(?:server|api|account)[_-]?token|POSTMARK_(?:SERVER|API|ACCOUNT)_TOKEN)\\s*[=:]\\s*['\"]?([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})['\"]?","flags":"gi","severity":"critical","extract":1},
{"name":"Mailchimp Key","pattern":"\\b[a-f0-9]{32}-us\\d{1,2}\\b","flags":"g","severity":"high"},
{"name":"Twilio SID","pattern":"\\bAC[a-f0-9]{32}\\b","flags":"g","severity":"high"},
{"name":"Twilio Auth Token","pattern":"(?:twilio_auth_token|TWILIO_AUTH(?:_TOKEN)?)\\s*[=:]\\s*['\"]?([a-f0-9]{32})['\"]?","flags":"gi","severity":"critical","extract":1},
{"name":"Telegram Bot","pattern":"\\b\\d{8,10}:AA[A-Za-z0-9_-]{33,}\\b","flags":"g","severity":"critical"},
{"name":"Discord Webhook","pattern":"https://(?:discord|discordapp)\\.com/api/webhooks/\\d+/[A-Za-z0-9_-]+","flags":"g","severity":"high"},
{"name":"Discord Token","pattern":"[MN][A-Za-z0-9]{23,}\\.[\\w-]{6}\\.[\\w-]{27,}","flags":"g","severity":"critical"},
{"name":"Sentry DSN","pattern":"https://[a-f0-9]{32}@[a-z0-9.]+\\.ingest\\.sentry\\.io/[0-9]+","flags":"g","severity":"medium"},
{"name":"Datadog API","pattern":"(?:dd_api_key|dd_app_key|datadog\\.api_key|DATADOG_API_KEY|DATADOG_APP_KEY)\\s*[=:]\\s*['\"]?([a-f0-9]{32})['\"]?","flags":"gi","severity":"high","extract":1},
{"name":"New Relic Key","pattern":"NRAK-[A-Z0-9]{27}","flags":"g","severity":"high"},
{"name":"MapBox Public","pattern":"\\bpk\\.[A-Za-z0-9]{60,}\\b","flags":"g","severity":"medium"},
{"name":"MapBox Secret","pattern":"\\bsk\\.[A-Za-z0-9]{60,}\\b","flags":"g","severity":"critical"},
{"name":"Algolia Admin Key","pattern":"(?:algolia[_-]?admin[_-]?(?:api[_-]?)?key|ALGOLIA_ADMIN(?:_API)?_KEY|adminAPIKey)\\s*[=:]\\s*['\"]?([a-f0-9]{32})['\"]?","flags":"gi","severity":"critical","extract":1},
{"name":"Heroku API Key","pattern":"(?:heroku[_-]?api[_-]?key|HEROKU_API_KEY)\\s*[=:]\\s*['\"]?([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})['\"]?","flags":"gi","severity":"critical","extract":1},
{"name":"Linear API Key","pattern":"\\blin_api_[A-Za-z0-9]{40,}\\b","flags":"g","severity":"high"},
{"name":"Notion Secret","pattern":"\\bsecret_[A-Za-z0-9]{43}\\b","flags":"g","severity":"critical"},
{"name":"Figma PAT","pattern":"\\bfigd_[A-Za-z0-9_-]{40,}\\b","flags":"g","severity":"high"},
{"name":"Plaid Pair","pattern":"(?:PLAID_CLIENT_ID|plaid_client_id)\\s*[=:]\\s*['\"]?([a-f0-9]{24})['\"]?[\\s,;]+(?:PLAID_SECRET|plaid_secret)\\s*[=:]\\s*['\"]?([a-f0-9]{30,})['\"]?","flags":"gi","severity":"critical","extract":1},
{"name":"Snyk Token","pattern":"\\bsnyk_[a-f0-9]{32,}\\b","flags":"g","severity":"high"},
{"name":"TFE/Terraform Token","pattern":"\\b[a-zA-Z0-9]{14}\\.atlasv1\\.[A-Za-z0-9_-]{60,}\\b","flags":"g","severity":"critical"},
{"name":"Pinata API Key","pattern":"(?:pinata[_-]?api[_-]?(?:key|jwt)|PINATA_API_KEY|PINATA_JWT)\\s*[=:]\\s*['\"]?([A-Za-z0-9_.-]{40,})['\"]?","flags":"gi","severity":"high","extract":1},
{"name":"Shopify Token","pattern":"\\bshpat_[a-fA-F0-9]{32}\\b","flags":"g","severity":"critical"},
{"name":"JWT","pattern":"eyJ[A-Za-z0-9_-]{10,}\\.eyJ[A-Za-z0-9_-]{10,}\\.[A-Za-z0-9_-]+","flags":"g","severity":"high"},
{"name":"Private Key","pattern":"-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY(?:\\sBLOCK)?-----","flags":"g","severity":"critical"},
{"name":"SSH Public Key","pattern":"\\bssh-(?:rsa|ed25519|ecdsa-sha2-nistp\\d+) AAAA[A-Za-z0-9+/=]{200,}\\b","flags":"g","severity":"medium"},
{"name":"Bearer Token","pattern":"[Bb]earer\\s+[A-Za-z0-9_\\-./+=]{20,}","flags":"g","severity":"high"},
{"name":"Basic Auth","pattern":"[Bb]asic\\s+[A-Za-z0-9+/=]{15,}","flags":"g","severity":"high"},
{"name":".env Assignment","pattern":"^[A-Z][A-Z0-9_]{4,}\\s*=\\s*['\"]?([A-Za-z0-9+/=._:@!#$%&*-]{16,})['\"]?\\s*$","flags":"gm","severity":"medium","extract":1},
{"name":"Generic API Key","pattern":"(?:api[_-]?key|apikey|api_secret)\\s*[:=]\\s*['\"]([A-Za-z0-9_\\-]{16,})['\"]?","flags":"gi","severity":"high","extract":1},
{"name":"Generic Secret","pattern":"(?:secret_key|client_secret|app_secret|private_key)\\s*[:=]\\s*['\"]([^'\"]{8,64})['\"]?","flags":"gi","severity":"high","extract":1},
{"name":"Generic Password","pattern":"(?:password|passwd|pwd|pass)\\s*[:=]\\s*['\"]([^'\"]{4,64})['\"]?","flags":"gi","severity":"high","extract":1},
{"name":"Auth Token","pattern":"(?:auth_token|access_token|bearer_token|refresh_token)\\s*[:=]\\s*['\"]([A-Za-z0-9_\\-./+=]{16,})['\"]?","flags":"gi","severity":"high","extract":1},
{"name":"MongoDB URI","pattern":"mongodb(?:\\+srv)?://[^\\s'\"<]{10,}","flags":"g","severity":"critical"},
{"name":"PostgreSQL URI","pattern":"postgres(?:ql)?://[^\\s'\"<]{10,}","flags":"g","severity":"critical"},
{"name":"MySQL URI","pattern":"mysql://[^\\s'\"<]{10,}","flags":"g","severity":"critical"},
{"name":"Redis URI","pattern":"rediss?://[^\\s'\"<]{10,}","flags":"g","severity":"critical"},
{"name":"Internal IP","pattern":"(?:https?://)?(?:10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|172\\.(?:1[6-9]|2\\d|3[01])\\.\\d{1,3}\\.\\d{1,3}|192\\.168\\.\\d{1,3}\\.\\d{1,3})(?::\\d+)?(?:/[^\\s'\"<]*)?","flags":"g","severity":"medium"},
{"name":"S3 Bucket","pattern":"[a-z0-9.-]+\\.s3(?:\\.[a-z0-9-]+)?\\.amazonaws\\.com|s3://[a-z0-9.-]+","flags":"g","severity":"medium"},
{"name":"GCS Bucket","pattern":"storage\\.googleapis\\.com/[a-z0-9._-]+|gs://[a-z0-9._-]+","flags":"g","severity":"medium"},
{"name":"GraphQL Endpoint","pattern":"['\"](?:/graphql|/gql|/api/graphql)['\"]","flags":"gi","severity":"medium"},
{"name":"Debug Mode","pattern":"(?:debug|dev_mode|development|DEBUG|NODE_ENV)\\s*[:=]\\s*(?:true|1|'true'|\"true\"|'development'|\"development\")","flags":"gi","severity":"medium"},
{"name":"Hardcoded Email","pattern":"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}","flags":"g","severity":"info"},
{"name":"Supabase JWT","pattern":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+","flags":"g","severity":"high"},
{"name":"npm Token","pattern":"\\bnpm_[A-Za-z0-9]{36}\\b","flags":"g","severity":"critical"},
{"name":"OpenAI API Key","pattern":"sk-[a-zA-Z0-9]{20,}T3BlbkFJ[a-zA-Z0-9]{20,}","flags":"g","severity":"critical"},
{"name":"Anthropic API Key","pattern":"sk-ant-api03-[a-zA-Z0-9_-]{90,}","flags":"g","severity":"critical"},
{"name":"Google AI Key","pattern":"AIza[A-Za-z0-9_-]{35}","flags":"g","severity":"high"},
{"name":"HuggingFace Token","pattern":"\\bhf_[a-zA-Z0-9]{34,}\\b","flags":"g","severity":"high"},
{"name":"Hashicorp Vault Token","pattern":"\\bhvs\\.[a-zA-Z0-9_-]{24,}\\b","flags":"g","severity":"critical"},
{"name":"Vault Service Token","pattern":"\\bs\\.[a-zA-Z0-9]{24,}\\b","flags":"g","severity":"high"},
{"name":"Vault Batch Token","pattern":"\\bb\\.[a-zA-Z0-9]{24,}\\b","flags":"g","severity":"high"}
],
"respPatterns": [
{"name":"Admin flag","pattern":"\"(?:is_admin|isAdmin|admin|is_superuser|is_staff|is_moderator)\"\\s*:\\s*(true|false|1|0)","flags":"gi","severity":"high","desc":"Privilege flag — IDOR/escalation"},
{"name":"Role field","pattern":"\"(?:role|user_role|userRole|permission|permissions|access_level|privilege|scope|group_name|groupName)\"\\s*:\\s*\"?([^\",}\\]]{1,50})","flags":"gi","severity":"high","desc":"Role/permission exposed"},
{"name":"Auth token","pattern":"\"(?:access_token|refresh_token|bearer|jwt|session_token|auth_token|id_token)\"\\s*:\\s*\"([^\"]{10,})\"","flags":"gi","severity":"high","desc":"Auth token in response"},
{"name":"API key in resp","pattern":"\"(?:api_key|apiKey|api_secret|client_secret|secret_key)\"\\s*:\\s*\"([^\"]{8,})\"","flags":"gi","severity":"critical","desc":"API key/secret in response"},
{"name":"Internal ID","pattern":"\"(?:user_id|userId|account_id|accountId|internal_id|_id|member_id|customer_id|employee_id)\"\\s*:\\s*\"?([^\",}\\]]{1,80})","flags":"gi","severity":"medium","desc":"Internal ID — IDOR candidate"},
{"name":"Email in resp","pattern":"\"(?:email|mail|user_email|emailAddress)\"\\s*:\\s*\"([^\"]{5,80})\"","flags":"gi","severity":"low","desc":"Email leaked"},
{"name":"Phone in resp","pattern":"\"(?:phone|mobile|tel|phone_number)\"\\s*:\\s*\"?(\\+?[\\d\\s()-]{7,20})","flags":"gi","severity":"medium","desc":"Phone leaked"},
{"name":"SSN/Tax ID","pattern":"\"(?:ssn|social_security|tax_id|national_id)\"\\s*:\\s*\"?([^\",}\\]]{5,20})","flags":"gi","severity":"critical","desc":"SSN/Tax ID exposed"},
{"name":"Password hash","pattern":"\"(?:password_hash|passwordHash|hashed_password|encrypted_password)\"\\s*:\\s*\"([^\"]{10,})\"","flags":"gi","severity":"critical","desc":"Password hash exposed"},
{"name":"Stack trace (Java)","pattern":"at\\s+[\\w$.]+\\([\\w]+\\.java:\\d+\\)","flags":"g","severity":"high","desc":"Java stack trace"},
{"name":"Stack trace (Python)","pattern":"File\\s+\"[^\"]+\\.py\",\\s+line\\s+\\d+","flags":"g","severity":"high","desc":"Python traceback"},
{"name":"Stack trace (Node)","pattern":"at\\s+[\\w$.]+\\s+\\((?:/[\\w./-]+|node:internal):\\d+:\\d+\\)","flags":"g","severity":"high","desc":"Node.js stack trace"},
{"name":"Stack trace (PHP)","pattern":"#\\d+\\s+[\\w\\\\/]+\\.php\\(\\d+\\)","flags":"g","severity":"high","desc":"PHP stack trace"},
{"name":"Stack trace (.NET)","pattern":"at\\s+[\\w.]+\\s+in\\s+[\\w:\\\\/.]+:\\s*line\\s+\\d+","flags":"g","severity":"high","desc":".NET stack trace"},
{"name":"Stack trace (Ruby)","pattern":"[\\w/]+\\.rb:\\d+:in\\s+`","flags":"g","severity":"high","desc":"Ruby stack trace"},
{"name":"Stack trace (Go)","pattern":"goroutine\\s+\\d+\\s+\\[","flags":"g","severity":"high","desc":"Go goroutine stack"},
{"name":"Spring Boot error","pattern":"\"timestamp\"\\s*:\\s*\"\\d{4}-\\d{2}-\\d{2}T[^\"]+\"[^}]*\"status\"\\s*:\\s*\\d{3}[^}]*\"trace\"\\s*:\\s*\"java\\.","flags":"g","severity":"high","desc":"Spring Boot error response"},
{"name":"Rails ActiveRecord error","pattern":"ActiveRecord::(?:RecordNotFound|RecordInvalid|StatementInvalid|ConnectionTimeoutError)","flags":"g","severity":"high","desc":"Rails ActiveRecord error"},
{"name":"Django DEBUG page","pattern":"<title>[^<]*at\\s+/[^<]*</title>[\\s\\S]{0,500}Django Version","flags":"g","severity":"critical","desc":"Django DEBUG=True page exposed"},
{"name":"ASP.NET YSOD","pattern":"<title>Server Error in [^<]*</title>","flags":"g","severity":"high","desc":"ASP.NET Yellow Screen Of Death"},
{"name":"Express error JSON","pattern":"\\{\"error\"\\s*:\\s*\"\\w+\"[^}]*\"message\"\\s*:[^}]*\"stack\"\\s*:\\s*\"Error:[^\"]+at ","flags":"g","severity":"high","desc":"Express default error JSON shape"},
{"name":"Apollo Did You Mean","pattern":"Cannot query field [\"'][^\"']+[\"'][^.]*\\.(?:\\s*Did you mean [\"'])","flags":"g","severity":"medium","desc":"Apollo GraphQL field-suggestion error"},
{"name":"MSSQL error","pattern":"Msg \\d+, Level \\d+, State \\d+(?:, Procedure)?","flags":"g","severity":"high","desc":"MSSQL error message"},
{"name":"AWS Request ID body","pattern":"\"(?:requestId|RequestId|x-amzn-RequestId)\"\\s*:\\s*\"[A-Z0-9]{16,32}\"","flags":"g","severity":"info","desc":"AWS request ID in body"},
{"name":"GCP Trace ID body","pattern":"\"(?:trace|traceId|trace_id|spanId|span_id)\"\\s*:\\s*\"[a-f0-9]{16,32}\"","flags":"g","severity":"info","desc":"GCP trace/span ID in body"},
{"name":"Sentry Event ID body","pattern":"\"(?:event_id|eventId|sentry_event_id)\"\\s*:\\s*\"[a-f0-9]{32}\"","flags":"g","severity":"info","desc":"Sentry event ID in body"},
{"name":"SQL error","pattern":"(?:mysql_|pg_|sqlite_|ORA-\\d{5}|SQLSTATE|syntax error.*SQL|near \".*\": syntax error|Unclosed quotation mark)","flags":"gi","severity":"critical","desc":"SQL error — possible SQLi"},
{"name":"MongoDB error","pattern":"(?:MongoError|MongoServerError|BSONTypeError)","flags":"g","severity":"high","desc":"MongoDB error"},
{"name":"Debug mode","pattern":"\"(?:debug|DEBUG|dev_mode|environment|NODE_ENV)\"\\s*:\\s*\"?(?:true|1|development|staging|dev)","flags":"gi","severity":"medium","desc":"Debug/dev mode active"},
{"name":"Internal path","pattern":"(?:/home/\\w+/\\w|/var/(?:www|log|lib)/\\w|/opt/\\w+/\\w|/srv/\\w+/\\w|C:\\\\(?:Users|inetpub|Program)\\\\|/usr/local/\\w|/etc/\\w+/\\w|/tmp/\\w+/\\w)","flags":"g","severity":"medium","desc":"Filesystem path leaked"},
{"name":"Connection string","pattern":"(?:Server|Data Source|Host)\\s*=\\s*[^;]{5,};\\s*(?:Database|Initial Catalog)\\s*=","flags":"gi","severity":"critical","desc":"DB connection string"},
{"name":"GraphQL introspection","pattern":"\"__schema\"|\"__type\"|\"queryType\"|\"mutationType\"","flags":"g","severity":"high","desc":"GraphQL introspection enabled"},
{"name":"Pagination meta","pattern":"\"(?:total_count|totalCount|total_pages|totalPages|total_records)\"\\s*:\\s*\"?(\\d+)","flags":"gi","severity":"low","desc":"Dataset size revealed"},
{"name":"Version info","pattern":"\"(?:version|api_version|app_version|build|build_number|commit|git_sha)\"\\s*:\\s*\"([^\"]{1,40})\"","flags":"gi","severity":"info","desc":"Version disclosure"},
{"name":"Redirect URL","pattern":"\"(?:redirect_uri|redirect_url|return_url|returnUrl|next|callback_url|continue|goto)\"\\s*:\\s*\"(https?://[^\"]+)\"","flags":"gi","severity":"medium","desc":"Redirect URL — open redirect test"},
{"name":"Upload URL","pattern":"\"(?:upload_url|uploadUrl|presigned_url|presignedUrl|signed_url)\"\\s*:\\s*\"(https?://[^\"]+)\"","flags":"gi","severity":"medium","desc":"Pre-signed upload URL"},
{"name":"Webhook URL","pattern":"\"(?:webhook_url|webhookUrl|callback_url|notify_url)\"\\s*:\\s*\"(https?://[^\"]+)\"","flags":"gi","severity":"medium","desc":"Webhook URL exposed"},
{"name":"Feature flag","pattern":"\"(?:feature_flag|featureFlag|feature_enabled|experiment|ab_test|variant)\"\\s*:\\s*\"?([^\",}\\]]{1,50})","flags":"gi","severity":"low","desc":"Feature flag exposed"},
{"name":"AWS ARN in resp","pattern":"arn:aws:[a-z0-9-]+:[a-z0-9-]*:\\d{12}:[a-zA-Z0-9/_-]+","flags":"g","severity":"medium","desc":"AWS ARN exposed"},
{"name":"Internal URL","pattern":"\"(?:internal_url|internalUrl|private_url|backend_url|service_url)\"\\s*:\\s*\"(https?://[^\"]+)\"","flags":"gi","severity":"high","desc":"Internal/private URL exposed"},
{"name":"OpenAI API Key","pattern":"sk-[a-zA-Z0-9]{20,}T3BlbkFJ[a-zA-Z0-9]{20,}","flags":"g","severity":"critical","desc":"OpenAI API key in response"},
{"name":"Anthropic API Key","pattern":"sk-ant-api03-[a-zA-Z0-9_-]{90,}","flags":"g","severity":"critical","desc":"Anthropic API key in response"},
{"name":"Google AI Key","pattern":"AIza[A-Za-z0-9_-]{35}","flags":"g","severity":"high","desc":"Google AI/API key in response"},
{"name":"HuggingFace Token","pattern":"hf_[a-zA-Z0-9]{34,}","flags":"g","severity":"high","desc":"HuggingFace token in response"}
]
}