gitlab-secret_detection 0.11.1 → 0.39.2

@@ -0,0 +1,1072 @@
1
+ # rule-set version: 0.21.2
2
+ # Rules are auto-generated. See https://gitlab.com/gitlab-org/security-products/secret-detection/secret-detection-rules for instructions on updating the rules.
3
+ [[rules]]
4
+ id = 'AdafruitIOKey'
5
+ regex = '\baio_[A-Za-z]{4}[0-9]{2}[0-9A-Za-z]{22}\b'
6
+ description = 'Adafruit IO Key'
7
+ title = 'Adafruit IO Key'
8
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
9
+ tags = ['gitlab_blocking']
10
+ keywords = ['aio_']
11
+
12
+ [[rules]]
13
+ id = 'Adobe Client Secret'
14
+ regex = '\b(p8e-)[a-zA-Z0-9]{32}\b'
15
+ description = "An Adobe client secret was detected. Adobe client secrets are used to connect to various API or webhook event based\nservices. Depending on which type of service was defined for a project, a malicious actor with access to the secret can\nuse it to gain access to various APIs or events that may contain sensitive information."
16
+ title = 'Adobe client secret'
17
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nRemediation steps depend on which type of client secret was leaked, please see the following\ntypes of remediation steps below and use the one that applies to the secret that was detected.\n\nOAuth (Server-to-Server):\n\n- Sign in to your account at <https://developer.adobe.com/console>\n- Select the project or \"All projects\" to find the project that is impacted\n- On the left-hand side, under \"Credentials\", select \"OAuth Server-to-Server\"\n- Under \"Client Secret\" select \"Retrieve client secret\"\n- After the table of secrets is visible, below the table, select \"Add new client secret\"\n- After the new secret has been created, find the leaked token value and select the trash icon to remove it\n- Copy the secret value and update all services with the new client secret\n\nOAuth Web App (Event based project):\n\n- Sign in to your account at <https://developer.adobe.com/console>\n- Select the project or select \"All projects\" to find the project that is impacted\n- On the left-hand side, under \"Credentials\", select \"OAuth Web App\".\n- Select \"Retrieve client secret\"\n- Verify this is the leaked secret\n- If this project is configured for events, copy all event details before removing it. You can do this by finding the\n event listed on the right hand side and selecting on it. 
You should be brought to a dashboard that shows its details\n such as event delivery methods, providers, subscribed events, and connected Credentials.\n- To remove the event, select \"...\" in the event, which is on the right hand side of the project page, above\n \"Connect another service\".\n - Select \"remove\"\n - When prompted, type in the project name and select \"Delete Events Registration\"\n- In the top right-hand corner, select \"Delete credential\"\n - When prompted, type in the project name and select \"Delete Credential\"\n- Re-add the event with the same details as before\n - When prompted to add back the Credentials, be sure to use \"User Authentication\" OAuth\n - Select \"Web App\" for OAuth 2.0 authentication and authorization\n- After the event has been re-added, under \"Credentials\" on left hand side, select \"OAuth Web App\"\n- Select \"Retrieve client secret\"\n- Copy the secret value and update all services with the new client secret\n\nOAuth Web App (API Service based project):\n\n- Sign in to your account at <https://developer.adobe.com/console>\n- Select the project or select \"All projects\" to find the project that is impacted\n- On the left-hand side, under \"Credentials\", select \"OAuth Web App\"\n- Select \"Retrieve client secret\"\n- If this project is configured for API, select the trash icon \"Remove\" to remove the connected product and service.\n - When prompted, enter the project name and select \"Remove API\"\n- In the top right-hand corner, select \"Delete credential\"\n - When prompted, type in the project name and select \"Delete Credential\"\n- Re-add the API with the same details as before\n - Select \"Web App\" for OAuth 2.0 authentication and authorization\n- After the service has been re-added, on the left-hand side under \"Credentials\", select \"OAuth Web App\"\n- Select \"Retrieve client secret\"\n- Copy the secret value and update all services with the new client secret"
18
+ tags = ['gitlab_blocking']
19
+ keywords = ['p8e-']
20
+
21
+ [[rules]]
22
+ id = 'AivenServicePassword'
23
+ regex = '\bAVNS_[0-9A-Za-z_-]{15,123}\b'
24
+ description = 'Aiven Service Password'
25
+ title = 'Aiven Service Password'
26
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
27
+ tags = ['gitlab_blocking']
28
+ keywords = ['AVNS_']
29
+
30
+ [[rules]]
31
+ id = 'AmazonOAuthClientID'
32
+ regex = '\bamzn1\.application-oa2-client\.[a-fA-F0-9]{32}\b'
33
+ description = "An Amazon OAuth Client ID was detected. This credential is part of Amazon's Login with Amazon service\nand is used for OAuth 2.0 authentication flows to allow users to sign in using their Amazon\ncredentials. The Client ID is typically paired with a Client Secret for secure authentication. A\nmalicious actor with access to these credentials could potentially impersonate your application,\nredirect users to malicious sites, or access customer profile data that users have consented to share."
34
+ title = 'AmazonOAuthClientID'
35
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab\ndocumentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate your Amazon OAuth Client ID credentials:\n\n1. Log in to the Amazon Developer Console at <https://developer.amazon.com>\n2. Navigate to Apps & Services > My Apps, or go directly to the Login with Amazon console at\n <https://developer.amazon.com/loginwithamazon/console/site/lwa/overview.html>\n3. Locate the security profile associated with your compromised Client ID from the Security Profile\n Management table\n4. Click on the security profile name, then select \"Web Settings\" from the management options\n5. Click the \"Rotate Secret\" button to generate a new Client Secret (the Client ID remains the same)\n6. Update all applications, services, and configurations that use this Client ID with the new Client\n Secret\n7. Test your applications to ensure they can successfully authenticate with the new credentials\n8. The old Client Secret will expire automatically after 7 days, providing a grace period for\n updates\n\nFor detailed information on managing Amazon OAuth credentials and Login with Amazon security profiles,\nplease see the\n[Login with Amazon Documentation](https://developer.amazon.com/docs/login-with-amazon/documentation-overview.html)."
36
+ tags = ['gitlab_blocking']
37
+ keywords = ['amzn1.application-oa2-client']
38
+
39
+ [[rules]]
40
+ id = 'anthropic_key'
41
+ regex = '\bsk-ant-[a-z]{3}\d{2}-[0-9A-Za-z_-]{94}[0-9A-Za-z_]\b'
42
+ description = "An Anthropic API key was detected. Anthropic keys are used to access generative AI services. Malicious\nactors could use these keys to build up excessive charges to your account."
43
+ title = 'Anthropic API key'
44
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo remediate a leaked Anthropic key, you should delete it from the list of API keys for your organization.\n\n- Sign in to your [Anthropic account](https://console.anthropic.com/)\n- Go to \"API settings\" by selecting your profile icon and then selecting \"API Keys\" or through the Settings tab\n- Identify the leaked API key and select the meatball menu (three horizontal dots) next to the key you want to delete\n- Select \"Delete API Key\"\n - Note: Deleting an API key is a permanent action and cannot be undone\n- Generate a new key by selecting \"Create Key\" and give it a descriptive name\n\nFor more information, please see Anthropic's website: <https://support.anthropic.com/en/articles/8384961-what-should-i-do-if-i-suspect-my-api-key-has-been-compromised>."
45
+ tags = ['gitlab_blocking', 'client_side_sd']
46
+ keywords = ['sk-ant-']
47
+
48
+ [[rules]]
49
+ id = 'AsanaPersonalAccessTokenV2'
50
+ regex = '\b2\/[0-9]{16}\/[0-9]{16}:[0-9a-f]{32}\b'
51
+ description = "An Asana personal access token was identified. Personal access tokens allow programmatic access to the Asana API. a\nmalicious actor who got access to this access token could execute functionality with the same permissions as that user."
52
+ title = 'Asana personal access token'
53
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke the detected Asana personal access token:\n\n- Sign in to your developer account and access <https://app.asana.com/0/my-apps>\n- Find the token under the \"Personal access tokens\" section of the \"My apps\" page\n- Select \"View details\"\n- Select \"Delete\" in the \"Token details\" dialog\n\nFor more information see [Asana's developer documentation on personal access tokens](https://developers.asana.com/docs/personal-access-token)."
54
+ tags = ['gitlab_blocking']
55
+ keywords = ['2/']
56
+
57
+ [[rules]]
58
+ id = 'AsanaPersonalAccessTokenV1'
59
+ regex = '\b1\/[0-9]{14,16}:[0-9a-f]{32}\b'
60
+ description = "An Asana personal access token was identified. Personal access tokens allow programmatic access to the Asana API. A\nmalicious actor who got access to this access token could execute functionality with the same permissions as that user."
61
+ title = 'Asana personal access token'
62
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
63
+ tags = ['gitlab_blocking']
64
+ keywords = ['1/']
65
+
66
+ [[rules]]
67
+ id = 'AtlassianUserApiToken'
68
+ regex = '\bATATT3xFfGF0[0-9A-Za-z_-]{171}=[0-9A-F]{8}\b'
69
+ description = "An Atlassian User API token was detected. User tokens can be used in scripts or other processes to perform basic\nauthentication with Jira Cloud applications or Confluence Cloud. You should treat API tokens as securely as any other\npassword. A malicious actor with access to this token can compromise any repository or Atlassian service this user has\naccess to."
70
+ title = 'Atlassian user API token'
71
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke an Atlassian User API token:\n\n- Sign in to <https://id.atlassian.com/manage-profile/security/api-tokens>.\n- Select \"Revoke\" next to the API token that you want to revoke.\n\nPlease see [Atlassians help page](https://support.atlassian.com/atlassian-account/docs/manage-api-tokens-for-your-atlassian-account/)\nfor more information on managing API tokens for your Atlassian account."
72
+ tags = ['gitlab_blocking']
73
+ keywords = ['ATATT3xFfGF0']
74
+
75
+ [[rules]]
76
+ id = 'AtlassianApiKey'
77
+ regex = '\bATCTT3xFfGN0[0-9A-Za-z_-]{171}=[0-9A-F]{8}\b'
78
+ description = "An Atlassian Admin API Key or Bitbucket Repository Access Token was identified. These API keys allow you to manage your\norganization through the Atlassian Admin APIs.\n\n- For Admin API Keys a malicious actor can take over the entire organization's Atlassian products and services using\n this key.\n- For Bitbucket Repository Access Tokens, a malicious actor can gain the privileges assigned to the repository token\n which could be full access to a repository or just read access to certain aspects of the workspace."
79
+ title = 'Atlassian admin API key / Bitbucket repository access token'
80
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke an Atlassian Repository Token:\n\n- At <https://bitbucket.org>, go to the repository the access token was created for\n- On the sidebar, select \"Repository Settings\"\n- On the sidebar, under Security, select \"Access tokens\"\n- Find the access token and select \"Revoke\", then confirm that you want to revoke the token\n\nFor more information on revoking and creating Atlassian Bitbucket Repository Tokens, please see their [documentation](https://support.atlassian.com/bitbucket-cloud/docs/create-a-repository-access-token/).\n\nTo revoke an Atlassian Admin API key:\n\n- Go to <https://admin.atlassian.com>\n- Select your organization if you have more than one\n- Select \"Settings > API keys\"\n- Select \"Revoke\" next to the API key\n\nFor more information on revoking and creating Atlassian Admin API Keys, please see their [documentation](https://support.atlassian.com/organization-administration/docs/manage-an-organization-with-the-admin-apis/)."
81
+ tags = ['gitlab_blocking']
82
+ keywords = ['ATCTT3xFfGN0']
83
+
84
+ [[rules]]
85
+ id = 'AWS'
86
+ regex = '\b(?:AKIA|ASIA|A3T[A-Z0-9])[2-7A-Z]{16}\b'
87
+ description = "An AWS Access Key ID was detected. AWS Access Key IDs come in different types: long-term IAM user access keys\n(starting with AKIA), temporary STS credentials (starting with ASIA), or AWS STS service bearer tokens. These\ncredentials are paired with Secret Access Keys to authenticate programmatic requests to AWS services. A\nmalicious actor with access to both the Access Key ID and its associated Secret Access Key can access AWS\nresources with the permissions granted to that credential, potentially leading to data breaches, resource\nmanipulation, or unauthorized charges."
88
+ title = 'AWS Access Key ID'
89
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab\ndocumentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\n- **For Long-term IAM Access Keys (AKIA/A3T prefix)**:\n\nTo delete a long-term IAM access key:\n\n1. Log in to the AWS Management Console at <https://console.aws.amazon.com>\n2. Navigate to the IAM service by searching for \"IAM\" in the search bar or accessing it directly at\n <https://console.aws.amazon.com/iam>\n3. In the left navigation pane, select \"Users\" and locate the IAM user associated with the compromised key\n4. Select the username to view the user details page\n5. Navigate to the \"Security credentials\" tab\n6. In the \"Access keys\" section, find the key that matches the leaked Access Key ID\n7. Select \"Actions\" dropdown next to the key\n8. Select \"Deactivate\" to immediately disable the key, then select \"Delete\" to permanently remove it\n9. Generate a new access key pair if needed by selecting \"Create access key\"\n10. Update all applications, scripts, and systems that were using the compromised credentials with the new key\n11. Verify the old key is no longer active by checking the \"Access keys\" section shows the key as deleted\n\n- **For Temporary STS Credentials (ASIA prefix)**:\n\nTemporary credentials cannot be manually deleted but will expire automatically. To mitigate exposure:\n\n1. Log in to the AWS Management Console at <https://console.aws.amazon.com>\n2. Navigate to the IAM service at <https://console.aws.amazon.com/iam>\n3. Identify the IAM role or user that generated the temporary credentials by reviewing AWS CloudTrail logs\n4. If the credentials were generated via AssumeRole, consider attaching a deny policy to the role to prevent\n further access until credentials expire\n5. 
Review and reduce the session duration policy on the role to minimize exposure window for future sessions\n6. Monitor CloudTrail logs for any unauthorized activity during the credential validity period\n7. For immediate revocation, you can revoke active sessions by attaching an inline policy to the role with\n a condition that denies access for sessions created before the current time\n8. Update the trust policy or role permissions if the compromise indicates a broader security issue\n\n- **For All Access Key Types**:\n\nAfter remediation:\n\n1. Review AWS CloudTrail logs to identify any unauthorized activity that occurred using the compromised\n credentials at <https://console.aws.amazon.com/cloudtrail>\n2. Check for any unauthorized resource creation, modification, or data access\n3. Implement AWS CloudWatch alarms to detect unusual API activity patterns\n4. Consider enabling Amazon GuardDuty for continuous threat detection\n5. Review and update IAM policies to follow the principle of least privilege\n\nFor information on how to manage and revoke access keys for AWS, please see their\n[official documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html)\nand\n[STS temporary credentials documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)."
90
+ tags = ['aws', 'revocation_type', 'gitlab_blocking']
91
+ keywords = ['AKIA', 'ASIA', 'A3T']
92
+
93
+ [[rules]]
94
+ id = 'AWSBedrockKey'
95
+ regex = '\bABSK[A-Za-z0-9+/]{70,150}={0,2}'
96
+ description = "An AWS Bedrock Key was detected. AWS Bedrock Keys are usually paired along with their secret key values. A malicious\nactor with access to this token can access AWS services with the same permissions as the user which generated the key,\nprovided they have access to both values."
97
+ title = 'AWS Bedrock Key'
98
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo delete an AWS Bedrock key:\n\n1. Sign in to the AWS Management Console and open the [Amazon Bedrock console](https://console.aws.amazon.com/bedrock/).\n1. In the left navigation pane, select **API keys.**\n1. In the **API keys for Amazon Bedrock** section, choose a key.\n1. Choose **Actions**.\n1. Select **Delete**.\n\nFor information on how to manage and revoke bedrock keys for AWS please see their [documentation](https://docs.aws.amazon.com/bedrock/latest/userguide/api-keys-revoke.html)."
99
+ tags = ['gitlab_blocking']
100
+ keywords = ['ABSK']
101
+
102
+ [[rules]]
103
+ id = 'AWSBedrockShortLivedKey'
104
+ regex = '\bbedrock-api-key-[A-Za-z0-9+/]{100,}={0,2}\b'
105
+ description = "An AWS Bedrock Short Lived Key was detected. These are temporary credentials generated to access Amazon\nBedrock, AWS's managed service for foundation models and generative AI applications. Short-lived keys are\ntypically issued through AWS Security Token Service (STS) and include an access key ID, secret access key,\nand session token. A malicious actor with access to these credentials could invoke Bedrock models, access\ncustom models, or retrieve sensitive data within the permissions scope until the credentials expire."
106
+ title = 'AWS Bedrock Short Lived Key'
107
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab\ndocumentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nShort-lived credentials cannot be manually revoked but will expire automatically based on their session\nduration. To mitigate exposure:\n\n1. Log in to the AWS Management Console at <https://console.aws.amazon.com>\n2. Navigate to AWS CloudTrail at <https://console.aws.amazon.com/cloudtrail> to identify the IAM entity\n (user or role) that generated the temporary credentials\n3. Review the CloudTrail event history for AssumeRole or GetSessionToken API calls that match the timeframe\n of credential creation\n4. Navigate to the IAM service at <https://console.aws.amazon.com/iam> and locate the source IAM role or\n user that generated the credentials\n5. For immediate mitigation, attach an inline deny policy to the IAM role or user to revoke active sessions\n by adding a condition that denies access for sessions created before the current time using the\n `aws:TokenIssueTime` condition key\n6. Review and reduce the maximum session duration on the IAM role to minimize future exposure windows by\n editing the role's \"Maximum session duration\" setting (minimum 1 hour, maximum 12 hours)\n7. Navigate to Amazon Bedrock at <https://console.aws.amazon.com/bedrock> and review recent API activity\n in the Bedrock service logs to identify any unauthorized model invocations or data access\n8. Monitor AWS CloudTrail logs continuously during the credential validity period for suspicious Bedrock\n API calls such as InvokeModel, InvokeModelWithResponseStream, or GetFoundationModelAvailability\n9. If unauthorized access is confirmed, review and update IAM policies following the principle of least\n privilege to restrict Bedrock permissions to only required models and actions\n10. 
Consider implementing AWS CloudWatch alarms to detect unusual Bedrock API usage patterns\n11. Enable Amazon GuardDuty if not already active for continuous threat detection across AWS services\n12. Update applications or systems that were using the compromised credentials once new credentials are\n generated through proper authentication flows\n\nFor detailed information on managing temporary credentials and Amazon Bedrock security, please see the\n[AWS STS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)\nand\n[Amazon Bedrock security documentation](https://docs.aws.amazon.com/bedrock/latest/userguide/security.html)."
108
+ tags = ['gitlab_blocking']
109
+ keywords = ['bedrock-api-key-']
110
+
111
+ [[rules]]
112
+ id = 'AWSSessionToken'
113
+ regex = '\b(?:FwoGZXIvYXdzE|IQoJb3JpZ2luX2VjE|FQoDYXdzE)[A-Za-z0-9+/]{180,1000}={0,2}'
114
+ description = "An AWS Session Token is a temporary security credential that is part of AWS Security Token Service (STS)\ntemporary credentials. These tokens are used alongside temporary access key IDs and secret access keys to\nauthenticate requests to AWS services. While session tokens expire automatically, a malicious actor with\naccess to valid temporary credentials can access AWS resources with the same permissions as the assumed role\nor federated user until the token expires, potentially lasting from minutes to several hours."
115
+ title = 'AWS Session Token'
116
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab\ndocumentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke your AWS Session Token:\n\n1. Log in to the AWS Management Console at <https://console.aws.amazon.com/>\n2. Navigate to the IAM service dashboard\n3. Identify the source of the temporary credentials:\n - For assumed roles: Go to \"Roles\" and locate the role that was assumed\n - For federated users: Check the identity provider configuration\n - For temporary credentials from GetSessionToken: Review the IAM user that generated them\n4. Revoke active sessions:\n - For roles: Select the role, go to \"Revoke sessions\" tab, and click \"Revoke active sessions\"\n - For IAM users: Go to \"Users\", select the user, \"Security credentials\" tab, and revoke sessions\n5. Update or remove any applications or scripts that were using the compromised temporary credentials\n6. Verify the session is no longer active by checking AWS CloudTrail logs for any API calls made with the\n compromised credentials after revocation\n7. Review and update the permissions or trust policies of the role or user to prevent future unauthorized\n access\n\nFor detailed information on managing temporary security credentials and revoking sessions, please see the\n[AWS IAM documentation on temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)\nand [revoking IAM role sessions](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html)."
117
+ tags = ['gitlab_blocking']
118
+ keywords = ['FwoGZXIvYXdzE', 'IQoJb3JpZ2luX2VjE', 'FQoDYXdzE']
119
+
120
+ [[rules]]
121
+ id = 'AzureEntraClientSecret'
122
+ regex = "[\\x60=\"' :>\\],\\t.()\\\\?|]{1,10}([0-9A-Za-z.\\-_~]{3}8Q~[0-9A-Za-z\\-_.~]{34})(?:\\\\['\"rn]|['\"\\x60; \\s]|<\\/|$)"
123
+ description = "An Azure Entra (previously Active Directory) Client Secret is a confidential credential used\nby applications to authenticate with Microsoft Azure services and APIs. This secret is paired\nwith a Client ID to enable application-level access to Azure resources and Microsoft Graph APIs.\nA malicious actor with access to this client secret could impersonate the application, access\nprotected resources, and perform actions with the same permissions granted to the\napplication registration."
124
+ title = 'Azure Entra Client Secret'
125
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab\ndocumentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate your Azure Entra Client Secret:\n\n1. Log in to the [Azure Portal](https://portal.azure.com)\n2. Navigate to \"Microsoft Entra ID\" (formerly Azure Active Directory)\n3. Select \"App registrations\" from the left navigation menu\n4. Find and select the application registration associated with the compromised client secret\n5. Go to \"Certificates & secrets\" in the application settings\n6. In the \"Client secrets\" section, create a new client secret before deleting the old one\n7. Update all applications, configuration files, and key vaults that reference the old client secret\n8. Delete the compromised client secret from the \"Client secrets\" section\n9. Test your applications to ensure they are functioning with the new client secret\n\nFor detailed information on managing Azure Entra Client Secrets, please see the\n[Microsoft Entra application registration documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app)."
126
+ tags = ['gitlab_blocking']
127
+ keywords = ['8Q~']
128
+
129
+ [[rules]]
130
+ id = 'AzureAPIManagementGatewayKey'
131
+ regex = 'GatewayKey [A-Za-z0-9_-]{3,64}&[0-9]{12}&[A-Za-z0-9+\/]{60,90}=='
132
+ description = "An Azure API Management Gateway Key was detected. These keys provide access to APIs\npublished through Azure API Management services and are tied to specific subscriptions and products. A\nmalicious actor with access to this key can consume APIs within the configured rate limits and access\npolicies, potentially leading to unauthorized data access, service abuse, or unexpected charges."
133
+ title = 'Azure API Management Gateway Key'
134
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab\ndocumentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo regenerate your Azure API Management Gateway Key:\n\n1. Log in to the [Azure Portal](https://portal.azure.com)\n2. Navigate to your API Management service instance\n3. In the left menu, select \"Subscriptions\" under the \"APIs\" section\n4. Locate the compromised subscription by matching the key prefix or subscription name\n5. Click on the subscription name to open its details\n6. In the subscription details, click \"Regenerate primary key\" or \"Regenerate secondary key\"\n (regenerate the compromised key)\n7. Update all applications and clients that use this subscription key with the new key value\n8. Monitor API usage logs to verify the old key is no longer being used\n9. Consider temporarily disabling the subscription if immediate key rotation isn't possible\n\nFor detailed information on managing Azure API Management subscriptions and keys, please see the\n[Azure API Management documentation](https://docs.microsoft.com/en-us/azure/api-management/api-management-subscriptions)."
135
+ tags = ['gitlab_blocking']
136
+ keywords = ['GatewayKey']
137
+
138
+ [[rules]]
139
+ id = 'AzureAppConfigConnectionString'
140
+ regex = '\.azconfig\.io;Id=[A-Za-z0-9+\/=:_-]{8,100};Secret=([A-Za-z0-9+\/~=]{32,88})'
141
+ description = "An Azure App Configuration Connection String was detected. This connection string provides access to an Azure\nApp Configuration store, which contains application settings and feature flags. A malicious actor with access to\nthis connection string could read sensitive configuration data, modify application settings, or manipulate\nfeature flags, potentially compromising application functionality and security."
142
+ title = 'Azure App Config Connection String'
143
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab\ndocumentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate your Azure App Configuration Connection String:\n\n1. Log in to the [Azure Portal](https://portal.azure.com)\n2. Navigate to \"Azure App Configuration\" from the left-hand menu or search for it in the search bar\n3. Select the specific App Configuration store that contains the compromised connection string\n4. In the left-hand menu, select \"Access keys\" under the \"Settings\" section\n5. Identify the compromised key (Primary or Secondary) and select \"Regenerate\" next to the appropriate key\n6. Copy the new connection string and update all applications, services, and configuration files that use this\n connection string\n7. Test your applications to ensure they can successfully connect using the new connection string\n8. Once verified, consider regenerating the other key as well for complete security\n\nFor detailed information on managing Azure App Configuration access keys, please see the\n[Azure App Configuration documentation](https://docs.microsoft.com/en-us/azure/azure-app-configuration/howto-disable-access-key-authentication)."
144
+ tags = ['gitlab_blocking']
145
+ keywords = ['.azconfig.io;Id=']
146
+
147
+ [[rules]]
148
+ id = 'AzureCommServicesConnectionString'
149
+ regex = '\.azure\.com\/;accesskey=([A-Za-z0-9+\/]{80,140}={0,2})'
150
+ description = "An Azure Communication Services connection string was detected. This connection string provides access to Azure\nCommunication Services resources including SMS, email, chat, voice calling, and video calling capabilities. A\nmalicious actor with access to this connection string could send unauthorized communications, access conversation\ndata, make unauthorized calls, or incur charges on your Azure account."
151
+ title = 'Azure Communication Services Connection String'
152
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab\ndocumentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate your Azure Communication Services Connection String:\n\n1. Log in to the [Azure Portal](https://portal.azure.com)\n2. Navigate to your Communication Services resource by searching for \"Communication Services\" in the top search bar\n3. Select your specific Communication Services resource from the list\n4. In the left navigation menu, select \"Keys\" under the \"Settings\" section\n5. Click \"Regenerate\" for either the Primary or Secondary key (regenerate the compromised key first)\n6. Copy the new connection string and update all applications, configuration files, and environment variables that\n use this credential\n7. Test your applications to ensure they can successfully connect with the new connection string\n8. After confirming everything works, regenerate the other key for complete security\n\nFor detailed information on managing Azure Communication Services Connection Strings, please see the\n[Azure Communication Services Keys documentation](https://docs.microsoft.com/en-us/azure/communication-services/quickstarts/create-communication-resource?tabs=windows&pivots=platform-azp#access-your-connection-strings-and-service-endpoints)."
153
+ tags = ['gitlab_blocking']
154
+ keywords = ['.azure.com/;accesskey=']
155
+
156
+ [[rules]]
157
+ id = 'AzureFunctionsAPIKeyViaURL'
158
+ regex = '\.azurewebsites\.net\/api\/.{3,64}?code=([a-zA-Z0-9\/+_-]{54}==|[a-zA-Z0-9%\/+_-]{54,84}%3[dD]%3[dD])'
159
+ description = "An Azure Functions API Key (also called a function key or host key) is a secret token used to authenticate\nrequests to Azure Functions endpoints. These keys provide access to invoke specific functions or all\nfunctions within a function app. A malicious actor with access to this key could execute your serverless\nfunctions, potentially triggering unauthorized operations, accessing connected resources, or incurring\nsignificant Azure costs through excessive invocations."
160
+ title = 'Azure Functions API Key'
161
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab\ndocumentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate your Azure Functions API Key:\n\n1. Log in to the [Azure Portal](https://portal.azure.com)\n2. Navigate to your Function App by searching for \"Function App\" or selecting it from your resources\n3. Select the specific Function App that contains the compromised key\n4. In the left menu, under \"Functions\", select \"App keys\" for host keys or select the individual function\n and then \"Function Keys\" for function-specific keys\n5. Identify the compromised key by name or value, select the three dots menu next to it, and choose \"Delete\"\n6. Create a new key by selecting \"New function key\" or \"New host key\", provide a name, and save it\n7. Update all applications, scripts, and services that call your Azure Functions with the new key value\n8. Test your applications to verify they can successfully invoke the functions with the new key\n9. Monitor Azure Function logs to ensure no unauthorized access attempts occur with the old key\n\nFor detailed information on managing Azure Functions API Keys, please see the\n[Azure Functions security documentation](https://learn.microsoft.com/en-us/azure/azure-functions/security-concepts)."
162
+ tags = ['gitlab_blocking']
163
+ keywords = ['.azurewebsites.net/api/']
164
+
165
+ [[rules]]
166
+ id = 'AzureLogicAppSAS'
167
+ regex = '\.(?:azure|windows)\.net\/.{0,64}\?.{0,128}sig=([a-zA-Z0-9%]{43,73}%3[dD])'
168
+ description = "An Azure Logic App Shared Access Signature (SAS) was detected. This credential provides delegated access to\ntrigger Azure Logic App workflows through HTTP requests without requiring Azure AD authentication. A malicious\nactor with access to this SAS URL could trigger automated workflows, potentially causing unwanted data processing,\nintegration with other services, or execution of business processes."
169
+ title = 'Azure Logic App Shared Access Signature'
170
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab\ndocumentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate your Azure Logic App Shared Access Signature:\n\n1. Log in to the [Azure Portal](https://portal.azure.com)\n2. Navigate to your Logic App by searching for \"Logic Apps\" or finding it in your resources\n3. Select the specific Logic App that contains the compromised SAS token\n4. In the Logic App menu, select \"Logic app designer\" to view the workflow\n5. Locate the HTTP trigger or connector that generated the compromised SAS URL\n6. Click on the trigger/connector to expand its settings\n7. Select \"Regenerate URL\" or disable the trigger entirely if no longer needed\n8. Copy the new SAS URL if regenerated\n9. Update all external applications, webhooks, or services that use the old SAS URL\n10. Test the new URL to verify it works correctly\n11. Monitor Logic App run history to ensure no unauthorized triggers occur\n\nFor detailed information on managing Azure Logic App Shared Access Signature, please see the\n[Azure Logic Apps documentation](https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app#access-to-request-based-triggers)."
171
+ tags = ['gitlab_blocking']
172
+ keywords = ['azure.net', 'windows.net']
173
+
174
+ [[rules]]
175
+ id = 'AzureSignalRAccessKey'
176
+ regex = '\.signalr\.net;AccessKey=([a-zA-Z0-9\/+]{43}[=]?)'
177
+ description = "An Azure SignalR Access Key was detected. Azure SignalR Access Keys are authentication credentials\nthat provide access to Azure SignalR Service, a real-time messaging service that enables web\napplications with real-time communication capabilities. A malicious actor with access to this key\ncan authenticate to the SignalR service, send messages to connected clients, manage connection\ngroups, and potentially disrupt real-time communication or access sensitive messaging data within\nyour applications."
178
+ title = 'Azure SignalR Access Key'
179
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab\ndocumentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo regenerate your Azure SignalR Access Key:\n\n1. Sign in to the [Azure portal](https://portal.azure.com/)\n2. Navigate to your Azure SignalR Service resource\n3. In the left navigation menu, select **Keys** under the **Settings** section\n4. Select either **Regenerate Primary Key** or **Regenerate Secondary Key** (regenerate the\n compromised key first, then the other key after applications are updated)\n5. Copy the newly generated connection string displayed after regeneration\n6. Update all application configurations, environment variables, and Azure Key Vault secrets that\n use the old connection string with the new connection string\n7. Restart all applications and services that use the Azure SignalR Service to ensure they pick up\n the new connection string\n8. Verify successful connections by monitoring your applications and checking the Azure SignalR\n Service metrics and logs in the Azure portal\n\nFor detailed information on managing Azure SignalR Access Keys, please see the\n[Rotate access keys for Azure SignalR Service](https://learn.microsoft.com/en-us/azure/azure-signalr/signalr-howto-key-rotation)."
180
+ tags = ['gitlab_blocking']
181
+ keywords = ['signalr.net']
182
+
183
+ [[rules]]
184
+ id = 'CDSCanadaNotifyAPIKey'
185
+ regex = 'ApiKey-v1 gcntfy-[a-zA-Z0-9_\-]{1,64}-[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}-[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}'
186
+ description = "A Canada Digital Service Notify API Key provides programmatic access to GC Notify, the Government of\nCanada's official notification service for sending emails and text messages to citizens and users.\nThis credential allows applications to automatically send notifications through the GC Notify platform,\nwhich is used for government communications including appointment reminders, application status updates,\nand authentication codes. A malicious actor with access to this API key could send unauthorized\nemails and text messages through government channels, potentially damaging public trust or conducting\nphishing attacks using official government branding."
187
+ title = 'CDSCanadaNotifyAPIKey'
188
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab\ndocumentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke your Canada Digital Service Notify API Key:\n\n1. Sign in to GC Notify at <https://notification.canada.ca/sign-in>\n2. Go to the API integration page from the main dashboard\n3. Select \"API keys\" from the available options\n4. Locate the compromised API key in the list and select \"Revoke\" for that specific key\n5. Create a new API key by selecting \"Create an API key\" and configure it with appropriate permissions\n6. Update all applications, scripts, and systems that use the old API key with the new credentials\n7. Verify the change was successful by testing a notification through the API or checking the\n dashboard for recent activity\n\nFor detailed information on managing Canada Digital Service Notify API Key, please see the\n[Official API Keys Documentation](https://documentation.notification.canada.ca/en/keys.html)."
189
+ tags = ['gitlab_blocking']
190
+ keywords = ['ApiKey-v1']
191
+
192
+ [[rules]]
193
+ id = 'ContentfulPersonalAccessToken'
194
+ regex = '\bCFPAT-([a-zA-Z0-9_\-]){43}\b'
195
+ description = "A Contentful personal access token was identified. Personal access tokens are tied to the user who requests them and\ncarry the same permissions, including access to organizations, spaces, and content."
196
+ title = 'Contentful personal access token'
197
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke a personal access token:\n\n- Sign in and visit your account profile: <https://app.contentful.com/account/profile/user>\n- Select the \"CMA tokens\" tab in the top menu\n- Identify the token that was detected\n- Select \"Revoke\" in the right hand column\n- Select \"Revoke\" when prompted\n\nFor more information, please see the developer [documentation on personal access tokens](https://www.contentful.com/help/token-management/personal-access-tokens)."
198
+ tags = ['gitlab_blocking']
199
+ keywords = ['CFPAT-']
200
+
201
+ [[rules]]
202
+ id = 'DockerPersonalAccessToken'
203
+ regex = '\bdckr_pat_[0-9A-Za-z_]{27}\b'
204
+ description = 'Docker Personal Access Token'
205
+ title = 'Docker Personal Access Token'
206
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
207
+ tags = ['gitlab_blocking']
208
+ keywords = ['dckr_pat_']
209
+
210
+ [[rules]]
211
+ id = 'Doppler API token'
212
+ regex = '\bdp\.pt\.[0-9A-Za-z]{40,44}\b'
213
+ description = 'Doppler personal access token was detected.'
214
+ title = 'Doppler API token'
215
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke the Doppler personal access token:\n\n- Open and sign in to <https://dashboard.doppler.com/>\n- Select \"Tokens\" on the right-hand side menu\n- Select the \"Personal\" tab\n- Find the personal token and select \"Roll\" in the Action column\n- After the \"Roll Personal Token\" dialog is displayed select \"Roll\"\n- Copy the new token's value\n\nFor more information please see their documentation: <https://docs.doppler.com/docs/start>"
216
+ tags = ['gitlab_blocking']
217
+ keywords = ['dp.pt.']
218
+
219
+ [[rules]]
220
+ id = 'Doppler Service token'
221
+ regex = '\bdp\.st\.[0-9A-Za-z]{40,44}\b'
222
+ description = 'Doppler service token was detected.'
223
+ title = 'Doppler Service token'
224
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
225
+ tags = ['gitlab_blocking']
226
+ keywords = ['dp.st.']
227
+
228
+ [[rules]]
229
+ id = 'Dropbox short lived API token'
230
+ regex = '\bsl\.[0-9A-Za-z_-]{136,200}\b'
231
+ description = "A Dropbox short lived API token was detected. These tokens were deprecated in 2021,\nsee <https://dropbox.tech/developers/migrating-app-permissions-and-access-tokens#introducing-scoped-apps> for more\ndetails."
232
+ title = 'Dropbox short lived API token'
233
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
234
+ tags = ['gitlab_blocking']
235
+ keywords = ['sl.']
236
+
237
+ [[rules]]
238
+ id = 'DropboxAppAccessToken'
239
+ regex = '\bsl\.B_[a-zA-Z0-9_-]{138}\b'
240
+ description = "A Dropbox application access token was detected. These tokens are primarily used for testing before switching to a\nproper OAuth authorization flow. Application access tokens allow programmatic access to the Dropbox API. The application\ncan be restricted to an App folder or the full Dropbox account. Additionally, individual scopes can be set under the\npermissions tab, further restricting access. A malicious actor with access to this token can execute functionality only\nto which the permissions were configured. This can lead to sensitive files being accessed or modified."
241
+ title = 'Dropbox application access token'
242
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo regenerate a new application access token:\n\n- Open <https://www.dropbox.com/developers/apps/> and sign in to your Dropbox account\n- Find the application which the token was detected in\n- Under the settings tab, scroll down to the \"Generated access token\" section\n- Select \"Generate\" to generate a new access token.\n\nFor more information, please see their documentation: <https://developers.dropbox.com/oauth-guide#implementing-oauth>"
243
+ tags = ['gitlab_blocking']
244
+ keywords = ['sl.']
245
+
246
+ [[rules]]
247
+ id = 'DynatracePlatformToken'
248
+ regex = '\bdt0s[0-9]{2}\.[A-Z0-9]{8}\.[A-Z0-9]{64}\b'
249
+ description = "A Dynatrace Platform token or OAuth client secret was identified.\n\n- Platform tokens are long-living access tokens for interaction with Dynatrace platform services. They can be created\n by regular users to consume the services and data inside of Dynatrace by using the API in the bounds of their user\n permissions.\n- OAuth client secret tokens are tokens for interacting with the API using an OAuth client authorization flow. They can\n be configured with various permission levels and scopes.\n\nA full list of token types and their prefixes are [documented here](https://docs.dynatrace.com/docs/manage/identity-access-management/access-tokens-and-oauth-clients/access-tokens#token-format-prefixes).\n\nA malicious actor with access to any of these tokens can access and potentially modify application telemetry and cloud\nservice infrastructure information."
250
+ title = 'Dynatrace platform token / OAuth client secret'
251
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nFor more information on managing platform access tokens, please see [Dynatrace's platform token documentation](https://docs.dynatrace.com/docs/manage/identity-access-management/access-tokens-and-oauth-clients/platform-tokens#my-platform-tokens)\n\nFor more information on managing OAuth client secrets, please see [Dynatrace's OAuth clients documentation](https://docs.dynatrace.com/docs/manage/identity-access-management/access-tokens-and-oauth-clients/oauth-clients)"
252
+ tags = ['gitlab_blocking']
253
+ keywords = ['dt0s']
254
+
255
+ [[rules]]
256
+ id = 'FigmaPersonalAccessToken'
257
+ regex = '\bfigd_[0-9A-Za-z_-]{40}\b'
258
+ description = 'Figma Personal Access Token'
259
+ title = 'Figma Personal Access Token'
260
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
261
+ tags = ['gitlab_blocking']
262
+ keywords = ['figd_']
263
+
264
+ [[rules]]
265
+ id = 'FlutterwaveProdPublicKey'
266
+ regex = '\bFLWPUBK-[0-9A-Ha-h]{32}-X\b'
267
+ description = "A Flutterwave public key was identified. This key is used in \"public\" scenarios, such as in front-end JavaScript code\n(for example Flutterwave Inline). A malicious actor with access to this key cannot do anything with it."
268
+ title = 'Flutterwave production public key'
269
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate your key:\n\n- Sign in and go to <https://app.flutterwave.com/dashboard/home>\n- Select \"Settings\" on the left-hand menu\n- Select \"API Keys\" under \"Developers\" on the left-hand menu\n- Ensure \"Test mode\" is NOT activated\n- Select \"Generate secret key\" to rotate the public, secret, and encryption key\n\nFor more information, please see the [Flutterwave documentation on authentication](https://developer.flutterwave.com/docs/authentication)."
270
+ tags = ['gitlab_blocking']
271
+ keywords = ['FLWPUBK-']
272
+
273
+ [[rules]]
274
+ id = 'FlutterwaveProdSecretKey'
275
+ regex = '\bFLWSECK-[0-9A-Ha-h]{32}-X\b'
276
+ description = "A Flutterwave secret key was identified. Secret keys have the highest level of privileges and can authorize any action\non your account. A malicious actor with access to this key can gain access to transaction and user information."
277
+ title = 'Flutterwave production secret key'
278
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate your key:\n\n- Sign in and go to <https://app.flutterwave.com/dashboard/home>\n- Select \"Settings\" on the left-hand menu\n- Select \"API Keys\" under \"Developers\" on the left-hand menu\n- Ensure \"Test mode\" is NOT activated\n- Select \"Generate secret key\" to rotate the public, secret, and encryption key\n\nFor more information, please see the [Flutterwave documentation on authentication](https://developer.flutterwave.com/docs/authentication)."
279
+ tags = ['gitlab_blocking']
280
+ keywords = ['FLWSECK-']
281
+
282
+ [[rules]]
283
+ id = 'FlutterwaveProdEncryptedKey'
284
+ regex = '\bFLWSECK[a-h0-9]{12}\b'
285
+ description = "A Flutterwave encryption key was identified. This key is only used with the [direct charge endpoint](https://developer.flutterwave.com/docs/direct-card-charge).\nThis key is used to encrypt payloads of card details prior to sending. More information can be found in\n[Flutterwave's encryption guide](https://developer.flutterwave.com/docs/encryption). A malicious\nactor with access to this key can potentially decrypt transactions which can include credit card information."
286
+ title = 'Flutterwave production encrypted key'
287
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate your key:\n\n- Sign in and go to <https://app.flutterwave.com/dashboard/home>\n- Select \"Settings\" on the left-hand menu\n- Select \"API Keys\" under \"Developers\" on the left-hand menu\n- Ensure \"Test mode\" is NOT activated\n- Select \"Generate secret key\" to rotate the public, secret, and encryption key\n\nFor more information, please see the [Flutterwave documentation on authentication](https://developer.flutterwave.com/docs/authentication)."
288
+ tags = ['gitlab_blocking']
289
+ keywords = ['FLWSECK']
290
+
291
+ [[rules]]
292
+ id = 'GCP OAuth client secret'
293
+ regex = 'GOCSPX-[a-zA-Z0-9_-]{28}'
294
+ description = "A GCP OAuth client secret was identified. Client secret are used when allowing users to Sign in to your application.\nDepending on the scopes requested, a malicious actor with access to the secret can impersonate the service to access\nusers information."
295
+ title = 'GCP OAuth client secret'
296
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke the OAuth client secret:\n\n- Sign in to your GCP account and go to <https://console.cloud.google.com/apis/credentials>\n- Under the \"Name\" column of \"OAuth 2.0 Client IDs\" table, select the name of the client of the identified key\n- Under the \"Client secrets\" section, you must first add a new secret, select \"Add Secret\"\n- For the identified key, select \"Disable\"\n- When prompted, select \"Disable\" in the \"Disable this secret?\" dialog\n- You may now select the trash icon to delete the disabled key\n\nFor more information, please see [Googles authentication documentation on setting up OAuth 2.0](https://support.google.com/cloud/answer/6158849?hl=en)"
297
+ tags = ['gitlab_partner_token', 'revocation_type', 'gitlab_blocking']
298
+ keywords = ['GOCSPX-']
299
+
300
+ [[rules]]
301
+ id = 'Google (GCP) Service-account'
302
+ regex = '\"private_key\":\s*\"-{5}BEGIN PRIVATE KEY-{5}[\s\S]*?",'
303
+ description = "A GCP service account was identified. Service accounts can be assigned a wide range of permissions or access.\nA malicious actor with access to the service account can potentially compromise the entire GCP account or have limited\naccess to resources, depending on the access granted."
304
+ title = 'Google (GCP) service account'
305
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke the GCP Service account:\n\n- Sign in to your GCP account and go to <https://console.cloud.google.com/iam-admin/serviceaccounts>\n- Select the correct project from the list (if given a choice)\n- Find the key ID and the associated service account in the \"Service accounts\" table\n- Select the kebab menu (vertical ellipsis) for the identified key and select \"Manage keys\"\n- Select the trash icon next to the identified key\n\nFor more information, please see [Googles documentation on creating service account keys](https://cloud.google.com/iam/docs/keys-create-delete)."
306
+ tags = ['gitlab_partner_token', 'revocation_type', 'gitlab_blocking']
307
+ keywords = ['"private_key":', 'BEGIN PRIVATE KEY']
308
+
309
+ [[rules]]
310
+ id = 'GCPVertexExpressModeKey'
311
+ regex = '\bAQ\.Ab8R[a-zA-Z0-9_-]{46}\b'
312
+ description = "A GCP Vertex Express Mode Key is an API key used to authenticate requests to Google Cloud's Vertex AI\nplatform in Express Mode. This credential provides access to Vertex AI services including machine learning\nmodel deployment, predictions, and data processing. A malicious actor with this key could consume expensive\ncomputational resources, access sensitive ML models, exfiltrate training data, or manipulate AI workloads."
313
+ title = 'GCP Vertex Express Mode Key'
314
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab\ndocumentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke your GCP Vertex Express Mode Key:\n\n1. Log in to the [Google Cloud Console](https://console.cloud.google.com/)\n2. Navigate to \"APIs & Services\" > \"Credentials\" from the main navigation menu\n3. Locate the compromised API key in the list of credentials by matching the key prefix or creation date\n4. Click on the key name to view details, then select \"Delete\" or \"Regenerate Key\" as appropriate\n5. Update all applications, notebooks, and services that reference this key with the new credential\n6. Verify the old key no longer works by attempting an API call and confirming authentication failure\n7. Review Cloud Logging for any unauthorized usage during the exposure period\n\nFor detailed information on managing GCP API keys and Vertex AI security, please see the\n[Managing API Keys documentation](https://cloud.google.com/docs/authentication/api-keys) and\n[Vertex AI Security Best Practices](https://cloud.google.com/vertex-ai/docs/general/security-best-practices)."
315
+ tags = ['gitlab_blocking']
316
+ keywords = ['AQ.Ab8R']
317
+
318
+ [[rules]]
319
+ id = 'Github Personal Access Token'
320
+ regex = 'ghp_[0-9a-zA-Z]{36}'
321
+ description = "A GitHub personal access token (classic) was identified. Personal access tokens can be used to access GitHub services\nas the user who created them. In most cases these tokens are given read-write access to all repositories. A malicious\nactor with access to this token can execute functionality on behalf of the user with the given permissions of the token."
322
+ title = 'GitHub personal access token (classic)'
323
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo regenerate a personal access token:\n\n- Sign in to your GitHub account and access <https://github.com/settings/tokens>\n- Find the token that was identified and select the name\n- Select \"Regenerate token\" at the top of the page\n\nAlternatively, you could select \"Delete this token\" at the bottom of the page and create a new one. Be sure to note\nthe scopes and permissions set before doing this action.\n\nFor more information, please see [GitHubs documentation on personal access tokens](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens)."
324
+ tags = ['gitlab_blocking']
325
+ keywords = ['ghp_']
326
+
327
+ [[rules]]
328
+ id = 'Github OAuth Access Token'
329
+ regex = 'gho_[0-9a-zA-Z]{36}'
330
+ description = "A GitHub OAuth Access Token was identified. Unlike a traditional OAuth token, user access tokens do not use scopes.\nInstead, it uses fine-grained permissions. A user access token only has permissions that both the user and the app have.\nIf a malicious actor gains access to the token and the app was granted permission to write the contents of a\nrepository, but the user can only read the contents, then the user access token can only read the contents."
331
+ title = 'GitHub OAuth Access Token'
332
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nFor more information, please see [GitHubs documentation to revoke an OAuth access tokens](https://docs.github.com/en/rest/apps/oauth-applications?apiVersion=2022-11-28#delete-an-app-token).\n\nAlso note, GitHub Apps are preferred over OAuth apps, please see [GitHubs documentation for more details](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/differences-between-github-apps-and-oauth-apps)."
333
+ tags = ['gitlab_blocking']
334
+ keywords = ['gho_']
335
+
336
+ [[rules]]
337
+ id = 'Github App Token'
338
+ regex = '(ghu|ghs)_[0-9a-zA-Z]{36}'
339
+ description = 'GitHub App Token'
340
+ title = 'GitHub app token'
341
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
342
+ tags = ['gitlab_blocking']
343
+ keywords = ['ghu_', 'ghs_']
344
+
345
+ [[rules]]
346
+ id = 'Github Refresh Token'
347
+ regex = 'ghr_[0-9a-zA-Z]{76}'
348
+ description = 'GitHub Refresh Token'
349
+ title = 'GitHub refresh token'
350
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
351
+ tags = ['gitlab_blocking']
352
+ keywords = ['ghr_']
353
+
354
+ [[rules]]
355
+ id = 'GithubFineGrainedPersonalAccessToken'
356
+ regex = '\bgithub_pat_[0-9A-Za-z]{22}_[0-9A-Za-z]{59}\b'
357
+ description = "A GitHub fine-grained personal access token was identified. Personal access tokens can be used to access GitHub services\nas the user who created them. These tokens can be given access to public repositories, a single repository or all\nrepositories. A malicious actor with access to this token can execute functionality on behalf of the user with the given\npermissions of the token."
358
+ title = 'GitHub fine-grained personal access token'
359
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo regenerate a personal access token:\n\n- Sign in to your GitHub account and access <https://github.com/settings/tokens>\n- Under the \"Personal access tokens\" menu in the right hand side, select \"Fine-grained tokens\"\n- Find the token that was identified and select its name in the list\n- Select \"Regenerate token\" at the top of the page\n\nAlternatively, you could select \"Delete this token\" at the bottom of the page and create a new one. Be sure to note\nthe scopes and permissions set before doing this action.\n\nFor more information, please see [GitHubs documentation on personal access tokens](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens)."
360
+ tags = ['gitlab_blocking']
361
+ keywords = ['github_pat_']
362
+
363
+ [[rules]]
364
+ id = 'GithubAppInstallationToken'
365
+ regex = '\bv1\.[0-9A-Fa-f]{40}\b'
366
+ description = 'GitHub App Installation Token'
367
+ title = 'GitHub App Installation Token'
368
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
369
+ tags = ['gitlab_blocking']
370
+ keywords = ['v1.']
371
+
372
+ [[rules]]
373
+ id = 'gitlab_personal_access_token'
374
+ regex = '\b(glpat-[0-9a-zA-Z_\-]{20})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)'
375
+ description = "A GitLab personal access token was identified. Personal access tokens can be used to access GitLab services\nas the user who created them. In most cases these tokens are given read-write access to all repositories. A malicious\nactor with access to this token can execute functionality on behalf of the user with the given permissions of the token."
376
+ title = 'GitLab personal access token'
377
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo regenerate a personal access token:\n\n- Sign in to your GitLab account and access: <https://gitlab.com/-/profile/preferences>\n- In the \"User settings\" left-hand side menu, select \"Access tokens\"\n- Find the access token that was identified in the \"Active personal access tokens\" table\n- Note the permissions that were assigned to this token\n- Select the trash icon in the \"Action\" column of the token\n- When prompted, select \"Revoke\""
378
+ tags = ['gitlab', 'revocation_type', 'gitlab_blocking', 'client_side_sd']
379
+ keywords = ['glpat']
380
+
381
+ [[rules]]
382
+ id = 'gitlab_personal_access_token_routable'
383
+ regex = '\bglpat-[0-9a-zA-Z_-]{27,300}\.[0-9a-z]{2}[0-9a-z]{7}\b'
384
+ description = 'GitLab Personal Access Token (routable)'
385
+ title = 'GitLab Personal Access Token (routable)'
386
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
387
+ tags = ['gitlab', 'revocation_type', 'gitlab_blocking', 'client_side_sd']
388
+ keywords = ['glpat-']
389
+
390
+ [[rules]]
391
+ id = 'gitlab_personal_access_token_routable_versioned'
392
+ regex = '\bglpat-[0-9a-zA-Z_-]{27,300}\.[0-9a-z]{2}\.[0-9a-z]{2}[0-9a-z]{7}\b'
393
+ description = 'GitLab Personal Access Token (routable)'
394
+ title = 'GitLab Personal Access Token (routable)'
395
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
396
+ tags = ['gitlab', 'revocation_type', 'gitlab_blocking', 'client_side_sd']
397
+ keywords = ['glpat-']
398
+
399
+ [[rules]]
400
+ id = 'gitlab_pipeline_trigger_token'
401
+ regex = '\b(glptt-[0-9a-zA-Z_\-]{40})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)'
402
+ description = "A GitLab pipeline trigger token was identified. Pipeline trigger tokens can be used to execute pipelines for a branch\nor tag of a project. The token impersonates a user's project access and permissions. A malicious actor with access to\nthis token can execute pipelines with custom variables, potentially being able to compromise the repository."
403
+ title = 'GitLab pipeline trigger token'
404
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke a pipeline trigger token:\n\n- Sign in to your GitLab account and visit the project that created the pipeline trigger token\n- In the left-hand menu, select \"Settings\"\n- Under the \"Settings\" options, select \"CI/CD\"\n- Under the \"Pipeline trigger tokens\" section find the identified token\n- Select the trash icon in the \"Actions\" column of the \"Active pipeline trigger tokens\" table\n- When prompted, select \"Revoke trigger\"\n\nFor more information, please see [GitLabs documentation on pipeline trigger tokens](https://docs.gitlab.com/ee/ci/triggers/index.html#create-a-pipeline-trigger-token)."
405
+ tags = ['gitlab', 'gitlab_blocking', 'client_side_sd']
406
+ keywords = ['glptt']
407
+
408
+ [[rules]]
409
+ id = 'gitlab_runner_registration_token'
410
+ regex = '\b(GR1348941[0-9a-zA-Z_\-]{20})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)'
411
+ description = "A deprecated GitLab runner registration token was identified. These tokens allow users to register a runner with the\nselected project. A malicious actor with access to this token can add a custom runner to the pipeline and possibly\ncompromise the repository if the runner was used."
412
+ title = 'GitLab runner registration token'
413
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate a runner registration token:\n\n- Sign in to your GitLab account and visit the project that created the runner registration token\n- In the left-hand menu, select \"Settings\"\n- Under the \"Settings\" options, select \"CI/CD\"\n- Under the \"Runners\" section, select the kebab menu (vertical ellipsis) next to the \"New project runner\"\n- Select \"Reset registration token\" from the dropdown list\n- When prompted select \"Reset token\" in the \"Reset registration token\" dialog\n\nFor more information, please see [GitLabs documentation on using runner authentication tokens instead](https://docs.gitlab.com/runner/register/#register-with-a-runner-authentication-token)."
414
+ tags = ['gitlab', 'gitlab_blocking']
415
+ keywords = ['GR1348941']
416
+
417
+ [[rules]]
418
+ id = 'gitlab_runner_auth_token'
419
+ regex = '\b(glrt-[0-9a-zA-Z_\-]{20})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)'
420
+ description = "A GitLab runner authentication token was identified. These tokens allow users to register or authenticate as a runner\nwith the selected project. A malicious actor with access to this token can add a custom runner to the pipeline and\npossibly compromise the repository if the runner was used."
421
+ title = 'GitLab runner authentication token'
422
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke a runner authentication token, the runner needs to be removed and re-created\n\n- Sign in to your GitLab account and visit the project that created the runner registration token\n- In the left-hand menu, select \"Settings\"\n- Under the \"Settings\" options, select \"CI/CD\"\n- Under the \"Runners\" section, find the runner with the identified token, (you can check the runner `config.toml` if you\n are unsure)\n- Select \"Remove runner\"\n- When prompted, select \"Remove\"\n\nFor more information, please see [GitLabs documentation on registering runners](https://docs.gitlab.com/runner/register/)."
423
+ tags = ['gitlab', 'gitlab_blocking', 'client_side_sd']
424
+ keywords = ['glrt']
425
+
426
+ [[rules]]
427
+ id = 'gitlab_runner_auth_token_routable'
428
+ regex = '\bglrt-[0-9a-zA-Z_-]{27,300}\.[0-9a-z]{2}\.[0-9a-z]{2}[0-9a-z]{7}\b'
429
+ description = "A routable GitLab runner authentication token was identified. These tokens allow users to register or authenticate as\na runner with the selected project. A malicious actor with access to this token can add a custom runner to the pipeline\nand possibly compromise the repository if the runner was used."
430
+ title = 'GitLab runner authentication token (routable)'
431
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke a runner authentication token, the runner needs to be removed and re-created\n\n- Sign in to your GitLab account and visit the project that created the runner registration token\n- In the left-hand menu, select \"Settings\"\n- Under the \"Settings\" options, select \"CI/CD\"\n- Under the \"Runners\" section, find the runner with the identified token, (you can check the runner `config.toml` if you\n are unsure)\n- Select \"Remove runner\"\n- When prompted, select \"Remove\"\n\nFor more information, please see [GitLabs documentation on registering runners](https://docs.gitlab.com/runner/register/)."
432
+ tags = ['gitlab', 'gitlab_blocking', 'client_side_sd']
433
+ keywords = ['glrt-']
434
+
435
+ [[rules]]
436
+ id = 'gitlab_oauth_app_secret'
437
+ regex = '\b(gloas-[0-9a-zA-Z_\-]{64})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)'
438
+ description = "A GitLab OAuth application secret was identified. OAuth secrets are used when allowing users to sign in to your\napplication. Depending on the scopes assigned, a malicious actor could impersonate the service to access their\nrepositories or data."
439
+ title = 'GitLab OAuth application secret'
440
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo regenerate an OAuth secret:\n\n- Sign in to your GitLab account and access: <https://gitlab.com/-/profile/preferences>\n- In the \"User settings\" left-hand side menu, select \"Applications\"\n- Find the application that uses the identified token and select the name link in the \"Name\" column\n- Select \"Renew secret\" in the application details page\n- When prompted, select \"Renew secret\"\n\nFor more information, please see [GitLabs documentation on configuring an OAuth 2.0 provider](https://docs.gitlab.com/ee/integration/oauth_provider.html)"
441
+ tags = ['gitlab', 'gitlab_blocking', 'client_side_sd']
442
+ keywords = ['gloas']
443
+
444
+ [[rules]]
445
+ id = 'gitlab_feed_token_v2'
446
+ regex = '\b(glft-[0-9a-zA-Z_\-]{20})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)'
447
+ description = "A GitLab feed token was identified. Your feed token authenticates you when your RSS reader loads a personalized RSS feed\nor when your calendar application loads a personalized calendar. It is visible in those feed URLs. It cannot be used to\naccess any other data. A malicious actor with access to this token can read your personalized RSS feed and issue RSS\nfeeds to your calendar feed as if they were you."
448
+ title = 'GitLab feed token v2'
449
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo regenerate a feed token:\n\n- Sign in to your GitLab account and access: <https://gitlab.com/-/profile/preferences>\n- In the \"User settings\" left-hand side menu, select \"Access tokens\"\n- Under the \"Feed token\" section, select the \"reset this token\" link\n- When prompted select \"OK\"\n\nFor more information, please see [GitLabs documentation on feed tokens](https://docs.gitlab.com/ee/security/tokens/#feed-token)."
450
+ tags = ['gitlab', 'gitlab_blocking', 'client_side_sd']
451
+ keywords = ['glft']
452
+
453
+ [[rules]]
454
+ id = 'gitlab_kubernetes_agent_token'
455
+ regex = '\b(glagent-[0-9a-zA-Z_\-]{50})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)'
456
+ description = "A GitLab Agent for Kubernetes token was identified. The Kubernetes access token is used to authenticate the GitLab agent\nwith a Kubernetes cluster. A malicious actor with access to this token can access source code in the agent's\nconfiguration project, access source code in any public project on the GitLab instance, or even, under very specific\nconditions, obtain a Kubernetes manifest."
457
+ title = 'GitLab Kubernetes agent token'
458
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nFor more information please see [GitLabs documentation on rotating the Kubernetes agent token](https://docs.gitlab.com/ee/user/clusters/agent/work_with_agent.html#reset-the-agent-token)."
459
+ tags = ['gitlab', 'gitlab_blocking', 'client_side_sd']
460
+ keywords = ['glagent']
461
+
462
+ [[rules]]
463
+ id = 'gitlab_incoming_email_token'
464
+ regex = '\b(glimt-[0-9a-zA-Z_\-]{25})(?:[[:punct:]]|[[:space:]]|[[:blank:]]|$)'
465
+ description = "A GitLab incoming email token was identified. Your incoming email token authenticates you when you create a new issue\nby email, and is included in your personal project-specific email addresses. It cannot be used to access any other data.\nA malicious actor with access to this token can create issues as if they were you."
466
+ title = 'GitLab incoming email token'
467
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo regenerate a feed token:\n\n- Sign in to your GitLab account and access: <https://gitlab.com/-/profile/preferences>\n- In the \"User settings\" left-hand side menu, select \"Access tokens\"\n- Under the \"Incoming email token\" section, select the \"reset this token\" link\n- When prompted select \"OK\"\n\nFor more information, please see [GitLabs documentation on feed tokens](https://docs.gitlab.com/ee/security/tokens/#feed-token)."
468
+ tags = ['gitlab', 'gitlab_blocking', 'client_side_sd']
469
+ keywords = ['glimt']
470
+
471
+ [[rules]]
472
+ id = 'GrafanaCloudAccessPolicyToken'
473
+ regex = '\bglc_eyJvIjoi[0-9A-Za-z]{120,140}\b'
474
+ description = "A Grafana cloud access policy token was identified. Cloud access policy tokens are used for managing the stacks in\nGrafana. Any tokens defined in the Grafana Administration settings are limited to that Grafana's stack. Depending on the\nassigned scope, a malicious actor with access to this token can read or write metrics, logs, traces, alerts, rules, and\naccess policies."
475
+ title = 'Grafana cloud access policy token'
476
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke an access policy token:\n\n- Sign in to your Grafana instance and select \"Administration\" on the left-hand menu\n- Under \"User and access\" select \"Cloud access policies\"\n- Find the token that was identified and select the trash icon.\n\nFor more information, please see [Grafana's documentation on cloud access policies](https://grafana.com/docs/grafana-cloud/account-management/authentication-and-permissions/access-policies/)."
477
+ tags = ['gitlab_blocking']
478
+ keywords = ['glc_eyJvIjoi']
479
+
480
+ [[rules]]
481
+ id = 'GrafanaServiceAccountToken'
482
+ regex = '\bglsa_[a-zA-Z0-9]{32}_[0-9a-f]{8}\b'
483
+ description = "A Grafana service account token was identified. A service account token is a generated random string that acts as an\nalternative to a password when authenticating with Grafana's HTTP API. When you create a service account, you can\nassociate one or more access tokens with it. You can use service access tokens the same way as API keys, for example to\naccess Grafana HTTP API programmatically. A malicious actor with access to this token can call the API with the\npermissions of the service account."
484
+ title = 'Grafana service account token'
485
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke a service account token:\n\n- Sign in to your Grafana instance and select \"Administration\" on the left-hand menu\n- Under \"User and access\" select \"Service accounts\"\n- Find the service account that uses the identified service account token\n- Select the service account name in the \"Account\" column of the service accounts table\n- Under the \"Tokens\" section of the service account, select the \"X\" to reveal the \"Delete\" option\n- Select \"Delete\"\n\nFor more information, please see [Grafana's documentation on service accounts](https://grafana.com/docs/grafana-cloud/account-management/authentication-and-permissions/service-accounts/)."
486
+ tags = ['gitlab_blocking']
487
+ keywords = ['glsa_']
488
+
489
+ [[rules]]
490
+ id = 'Hashicorp Terraform user/org API token'
491
+ regex = "['\\\"][a-zA-Z0-9]{14}\\.atlasv1\\.[a-zA-Z0-9-_=]{60,70}['\\\"]"
492
+ description = "A HashiCorp Terraform API token was identified. API tokens can be used to access the HCP Terraform API. A malicious\nactor with access to this token can perform all actions the user account is entitled to."
493
+ title = 'HashiCorp Terraform API token'
494
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke an API token:\n\n- Sign in to the Terraform HCP console and access <https://app.terraform.io/app/settings/tokens>\n- Find the token that was identified\n- Select the trash icon on the right hand side of the token\n- When prompted, select \"Confirm\" in the \"Deleting token ...\" dialog\n\nFor more information, please see [Terraform's documentation on API tokens](https://app.terraform.io/app/settings/tokens)."
495
+ tags = ['gitlab_blocking']
496
+ keywords = ['.atlasv1.']
497
+
498
+ [[rules]]
499
+ id = 'Hashicorp Vault batch token'
500
+ regex = 'b\.AAAAAQ[0-9a-zA-Z_-]{156}'
501
+ description = "A HashiCorp Vault batch token was identified. Batch tokens are used when hundereds to thousands of systems need to\naccess Vault but generating unique tokens would not scale. These tokens are usually short lived and bound to a\nspecific vault policy. A malicious actor with access to this token can impersonate a service and would have the same\npermission levels as the policy that the batch token is created for."
502
+ title = 'HashiCorp Vault batch token'
503
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nBatch tokens cannot be revoked so you should use very short \"time to live\" values when creating batch tokens.\n\nFor more information, please see [Vault's documentation on batch tokens](https://developer.hashicorp.com/vault/tutorials/tokens/batch-tokens)."
504
+ tags = ['gitlab_blocking']
505
+ keywords = ['b.AAAAAQ']
506
+
507
+ [[rules]]
508
+ id = 'HashicorpVaultServiceToken'
509
+ regex = '\bhvs\.(?:[a-zA-Z0-9]{24}|CAES[a-zA-Z0-9_-]{80,130})\b'
510
+ description = "A HashiCorp Vault Service Token is an authentication credential used to access HashiCorp Vault, a secrets\nmanagement platform. This token grants access to secrets, encryption keys, and other sensitive data stored in\nVault based on the policies attached to it. A malicious actor with access to this token could read, modify, or\ndelete secrets, potentially compromising entire infrastructure environments and any systems that rely on Vault\nfor credential management."
511
+ title = 'HashiCorp Vault Service Token'
512
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab\ndocumentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke your HashiCorp Vault Service Token:\n\n1. Log in to your Vault instance at `https://your-vault-address:8200/ui` or use the Vault CLI\n2. Navigate to the \"Access\" section and select \"Auth Methods\" to identify the authentication method used\n3. Use the Vault CLI command `vault token lookup <token>` to identify the compromised token and its accessor\n4. Revoke the token immediately using `vault token revoke <token>` or `vault token revoke -accessor <accessor>`\n5. Generate a new token with appropriate policies using `vault token create -policy=<policy-name>` and update\n all applications and services that were using the compromised token\n6. Verify the revocation by attempting to use the old token, which should return an authentication error, and\n audit Vault logs at `/sys/audit` to review any unauthorized access during the exposure period\n\nFor detailed information on managing HashiCorp Vault Service Tokens, please see the\n[Vault Tokens documentation](https://developer.hashicorp.com/vault/docs/concepts/tokens)."
513
+ tags = ['gitlab_blocking']
514
+ keywords = ['hvs.']
515
+
516
+ [[rules]]
517
+ id = 'Heroku API Key'
518
+ regex = '\bHRKU-[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\b'
519
+ description = "A Heroku API key or application authorization token was identified. API keys and authorization tokens can be used to\nperform API calls on behalf of a user or account. A malicious actor with access to these tokens can access the Heroku\nAPI platform and all deployed applications."
520
+ title = 'Heroku API key or application authorization token'
521
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo regenerate an API key for the identified user:\n\n- Sign in to your account and visit <https://dashboard.heroku.com/account>\n- Under the \"API Key\" section, select \"Regenerate API Key\"\n- When prompted, select \"Regenerate API Key\" in the \"Regenerate API Key\" dialog\n\nTo regenerate an application authorization token:\n\n- Sign in to your account and visit <https://dashboard.heroku.com/account/applications>\n- Under the \"Authorizations\" section, find the registered authorization that contains the identified token\n- Select the pencil icon\n- Select \"Regenerate token\"\n\nFor more information on API keys, see [their FAQ on generating API keys](https://help.heroku.com/PBGP6IDE/how-should-i-generate-an-api-key-that-allows-me-to-use-the-heroku-platform-api).\n\nHeroku does not have any documentation on application authorization tokens."
522
+ tags = ['gitlab_blocking']
523
+ keywords = ['HRKU-']
524
+
525
+ [[rules]]
526
+ id = 'HighnoteTestSecretKey'
527
+ regex = '\bsk_test_[0-9A-Za-z_]{63,98}\b'
528
+ description = 'Highnote Test Secret Key'
529
+ title = 'Highnote Test Secret Key'
530
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
531
+ tags = ['gitlab_blocking']
532
+ keywords = ['sk_test_']
533
+
534
+ [[rules]]
535
+ id = 'HighnoteLiveSecretKey'
536
+ regex = '\bsk_live_[0-9A-Za-z_]{63,98}\b'
537
+ description = 'Highnote Live Secret Key'
538
+ title = 'Highnote Live Secret Key'
539
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
540
+ tags = ['gitlab_blocking']
541
+ keywords = ['sk_live_']
542
+
543
+ [[rules]]
544
+ id = 'Hubspot API token'
545
+ regex = '\bpat-[a-z]{2}[0-9]-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b'
546
+ description = "A HubSpot private app API token was identified. Private apps allow you to use HubSpot's APIs to access specific data\nfrom your HubSpot account and can be restricted by setting specific scopes. A malicious actor with access to this token\ncan call API endpoints with the same levels as those set in the scope of the application. This could be anywhere from\nonly reading marketing campaigns to accessing user and account information and sending emails."
547
+ title = 'HubSpot private app API token'
548
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate a private app API token:\n\n- Sign in to your HubSpot account at <https://app.hubspot.com/>\n- In the left-hand menu, hover over the database icon and select \"Integrations\"\n- Find the private app that has the identified token and select its name\n- Select the \"Auth\" tab in the top of the page\n- In the \"Access token\" section of the page, select \"Rotate\"\n- Select \"Rotate and expire this token now\" when prompted\n- Select \"Rotate now\" in the \"Rotate access token now?\" dialog\n\nFor more information, please see [HubSpot's documentation on private apps](https://developers.hubspot.com/beta-docs/guides/apps/private-apps/overview)"
549
+ tags = ['gitlab_blocking']
550
+ keywords = ['pat-']
551
+
552
+ [[rules]]
553
+ id = 'HuggingFaceUserAccessToken'
554
+ regex = '\bhf_[A-Za-z]{34}\b'
555
+ description = 'Hugging Face User Access Token'
556
+ title = 'Hugging Face User Access Token'
557
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
558
+ tags = ['gitlab_blocking']
559
+ keywords = ['hf_']
560
+
561
+ [[rules]]
562
+ id = 'Intercom API token'
563
+ regex = '\bdG9rO(?:[0-9A-Za-z]{55}\b|[0-9A-Za-z]{54}=|[0-9A-Za-z]{53}==)'
564
+ description = "An Intercom API Token was detected. These tokens provide direct API access to your Intercom workspace and can\nbe either personal access tokens or app-level access tokens. A malicious actor with access to this token could\nread customer conversations, access user data, send messages, modify workspace settings, and perform other\nactions based on the token's permission scope."
565
+ title = 'Intercom API Token'
566
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab\ndocumentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke your Intercom API Token:\n\n1. Log in to your [Intercom workspace](https://app.intercom.com/)\n2. Navigate to Settings by clicking the gear icon in the bottom-left corner\n3. Select \"Developers\" from the settings menu, then choose \"Developer Hub\"\n4. Click on \"Your Apps\" and select the app associated with the compromised token\n5. In the \"Authentication\" section, locate the access token that was compromised\n6. Click \"Revoke\" next to the compromised token to immediately invalidate it\n7. Generate a new access token by clicking \"Create access token\" or \"New access token\"\n8. Update all applications, services, and integrations with the new token\n9. Test API calls to verify the new token works correctly and the old token is invalid\n\nFor detailed information on managing Intercom API tokens, please see the\n[Intercom API Authentication Documentation](https://developers.intercom.com/docs/build-an-integration/learn-more/authentication/)."
567
+ tags = ['gitlab_blocking']
568
+ keywords = ['dG9rO']
569
+
570
+ [[rules]]
571
+ id = 'ArtifactoryApiKey'
572
+ regex = '\bAKCp[0-9A-Za-z/+]{69}\b'
573
+ description = "An Artifactory API Key was identified. An Artifactory API Key enable actions like deploying artifacts,\nmanaging repositories, configuring permissions, and retrieving artifacts from JFrog Artifactory repositories.\nIf leaked, a malicious actor could use it to exfiltrate sensitive proprietary code, inject malicious packages into\nthe build pipeline, or delete critical artifacts that could disrupt an organization's software delivery capabilities."
574
+ title = 'Artifactory API Key'
575
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
576
+ tags = ['gitlab_blocking']
577
+ keywords = ['AKCp']
578
+
579
+ [[rules]]
580
+ id = 'ArtifactoryIdentityToken'
581
+ regex = '\bcmVmd[0-9A-Za-z]{59}\b'
582
+ description = "An Artifactory Identity Token was identified.\nAn Artifactory Identity Token allows authentication to access repositories, download artifacts, upload artifacts,\nand execute privileged operations within JFrog Artifactory based on the token's assigned permissions. If leaked,\na malicious actor could use this token to steal proprietary code, inject compromised dependencies into the software\nsupply chain, or potentially gain unauthorized access to connected CI/CD systems that rely on Artifactory for builds."
583
+ title = 'Artifactory Identity Token'
584
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
585
+ tags = ['gitlab_blocking']
586
+ keywords = ['cmVmd']
587
+
588
+ [[rules]]
589
+ id = 'KubernetesServiceAccToken'
590
+ regex = 'eyJ[A-Za-z0-9_-]{20,200}\.eyJ[A-Za-z0-9_-]{80,800}(?:c3lzdGVtOnNlcnZpY2VhY2NvdW50|N5c3RlbTpzZXJ2aWNlYWNjb3VudD|zeXN0ZW06c2VydmljZWFjY291bnQ)[A-Za-z0-9_-]{10,400}\.[A-Za-z0-9_-]{20,800}'
591
+ description = "A Kubernetes Service Account Token is a credential used by pods and services to authenticate with the\nKubernetes API server. This token grants access to cluster resources based on the permissions assigned to the\nservice account through Role-Based Access Control (RBAC). A malicious actor with access to this token could\nperform any actions permitted by the service account, including accessing sensitive data, deploying malicious\nworkloads, modifying cluster resources, or escalating privileges within the cluster."
592
+ title = 'Kubernetes Service Account Token'
593
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab\ndocumentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke your Kubernetes Service Account Token:\n\n1. Access your Kubernetes cluster using kubectl or the Kubernetes Dashboard\n2. Identify the compromised service account by name and namespace\n3. Delete the compromised service account to immediately invalidate all associated tokens:\n `kubectl delete serviceaccount <service-account-name> -n <namespace>`\n4. Recreate the service account with the same name (this generates a new UID and invalidates old tokens):\n `kubectl create serviceaccount <service-account-name> -n <namespace>`\n5. Reapply any RBAC roles and role bindings that were associated with the service account\n6. Restart all pods using this service account to mount the new token:\n `kubectl rollout restart deployment/<deployment-name> -n <namespace>`\n7. Verify pods are running successfully and can authenticate to the API server by checking pod logs\n8. If using long-lived token Secrets (legacy method), delete the Secret containing the compromised token:\n `kubectl delete secret <secret-name> -n <namespace>`\n\nFor detailed information on managing Kubernetes Service Account Tokens, please see the official\n[Service Accounts documentation](https://kubernetes.io/docs/concepts/security/service-accounts/) and\n[Configure Service Accounts for Pods](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/)."
594
+ tags = ['gitlab_blocking']
595
+ keywords = ['c3lzdGVtOnNlcnZpY2VhY2NvdW50', 'N5c3RlbTpzZXJ2aWNlYWNjb3VudD', 'zeXN0ZW06c2VydmljZWFjY291bnQ']
596
+
597
+ [[rules]]
598
+ id = 'LangChainAPIKey'
599
+ regex = 'lsv2_(?:pt|sk)_[a-f0-9]{32}_[a-f0-9]{10}\b'
600
+ description = "A LangChain API Key (also known as a LangSmith API Key) provides authentication to LangSmith, which is\nLangChain's observability and evaluation platform for LLM applications. These keys enable access to tracing,\nmonitoring, evaluation tools, and usage analytics for applications built with LangChain. A malicious actor with\naccess to this key could view sensitive trace data, access evaluation datasets, monitor application usage and\nperformance metrics, and potentially incur costs on your account through API usage."
601
+ title = 'LangChain API Key'
602
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab\ndocumentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke your LangChain API Key:\n\n1. Log in to the LangSmith platform at <https://smith.langchain.com>\n2. Navigate to the Settings page by clicking on your profile menu in the top right corner and selecting \"Settings\"\n3. Scroll down to the \"API Keys\" section\n4. Locate the compromised API key in the list (you may identify it by creation date, last used date, or key name)\n5. Click on the delete or revoke option next to the compromised key to remove it\n6. Create a new API key by clicking \"Create API Key\" and selecting the appropriate key type (Service Key or\n Personal Access Token)\n7. Update all applications and systems that use this credential by replacing the old `LANGSMITH_API_KEY` or\n `LANGCHAIN_API_KEY` environment variable with the new key\n8. Verify the change was successful by confirming that your applications can still authenticate and traces are\n being logged to LangSmith\n\nFor detailed information on managing LangChain API Keys, please see the\n[official LangSmith documentation](https://docs.smith.langchain.com/administration/how_to_guides/organization_management/create_account_api_key)."
603
+ tags = ['gitlab_blocking']
604
+ keywords = ['lsv2']
605
+
606
+ [[rules]]
607
+ id = 'Linear API token'
608
+ regex = '\blin_api_[a-zA-Z0-9]{40}\b'
609
+ description = "A Linear API token was identified. Personal API tokens can be used to access Linear's GraphQL API. A malicious actor\nwith access to this token can read or write issues, projects and teams to Linear and any systems the account has been\nintegrated with."
610
+ title = 'Linear API token'
611
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke a Linear API token:\n\n- Sign in to your account at <https://linear.app/>\n- Select your organization in the top left corner and select \"Preferences\"\n- In the left-hand menu, select \"API\" under \"My Account\"\n- Find the identified API key in the \"Personal API Keys\" section of the page\n- Select \"Revoke\" next to the identified key\n- When prompted, select \"Revoke\" in the \"Revoke access?\" dialog\n\nFor more information, please see [Linear's documentation on using personal API keys](https://developers.linear.app/docs/graphql/working-with-the-graphql-api#personal-api-keys)."
612
+ tags = ['gitlab_blocking']
613
+ keywords = ['lin_api_']
614
+
615
+ [[rules]]
616
+ id = 'Mailchimp API key'
617
+ regex = "(?i:mailchimp)[a-zA-Z0-9_ .\\-,]{0,25}(?:=|>|:=|\\|\\|:|<=|=>|:).{0,5}['\\\"]([a-f0-9]{32}-us20)['\\\"]"
618
+ description = "A Mailchimp API key was identified. API keys can be used send emails, create and send marketing campaigns, access\ncustomer lists and email addresses. A malicious actor with access to this key can perform any API request to Mailchimp\nwithout restriction."
619
+ title = 'Mailchimp API key'
620
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke an API key:\n\n- Sign in to your Mailchimp account at <https://login.mailchimp.com/>\n- Select your profile icon then select Profile\n- Select the Extras dropdown list then choose \"API keys\"\n- Find the identified key and select \"Revoke\"\n- When prompted, type \"REVOKE\" to confirm and select \"Revoke\" in the \"Revoke API Key\" dialog\n\nFor more information, please see [Mailchimp's documentation on API key security](https://mailchimp.com/help/about-api-keys/#api+key+security)."
621
+ tags = ['gitlab_blocking']
622
+ keywords = ['mailchimp']
623
+
624
+ [[rules]]
625
+ id = 'Mailgun private API token'
626
+ regex = "(?i:mailgun)[a-zA-Z0-9_ .\\-,]{0,25}(?:=|>|:=|\\|\\|:|<=|=>|:).{0,5}['\\\"](key-[a-f0-9]{32})['\\\"]"
627
+ description = "A Mailgun private API token was identified. This key allows you to perform read, write, and delete operations through\nvarious API endpoints and for any of your sending domains. A malicious actor with access to this key can perform any API\nrequest to Mailgun without restriction."
628
+ title = 'Mailgun private API token'
629
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate a private API token:\n\n- Sign in to your Mailgun account and access the dashboard at <https://app.mailgun.com/>\n- On the top right-hand side, select your account profile and then select \"API Security\"\n- Find the identified key and select the trash icon\n - If you cannot select the trash icon, you must first generate a new key by selecting \"Add new key\"\n- When prompted, select \"Delete\" in the \"Delete API Key\" dialog\n\nFor more information, please see [Mailgun's documentation on API keys](https://documentation.mailgun.com/docs/mailgun/user-manual/get-started/#primary-account-api-key)."
630
+ tags = ['gitlab_blocking']
631
+ keywords = ['mailgun']
632
+
633
+ [[rules]]
634
+ id = 'Mailgun webhook signing key'
635
+ regex = "(?i:mailgun)[a-zA-Z0-9_ .\\-,]{0,25}(?:=|>|:=|\\|\\|:|<=|=>|:).{0,5}['\\\"]([a-h0-9]{32}-[a-h0-9]{8}-[a-h0-9]{8})['\\\"]"
636
+ description = "A Mailgun webhook signing key was identified. This key is used by Mailgun to sign all incoming webhook message payloads.\nA malicious actor with access to this key can potentially sign fake webhook events and send it to your service to pass\nvalidation and be processed."
637
+ title = 'Mailgun webhook signing key'
638
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate your HTTP webhook signing key:\n\n- Sign in to your Mailgun account and access the dashboard at <https://app.mailgun.com/>\n- On the top right-hand side, select your account profile and select \"API Security\"\n- In the \"HTTP webhook signing key\" section, select the rotate arrow icon in the right hand side\n- When prompted, select \"Reset Key\" in the \"Reset HTTP webhook signing key\" dialog\n\nFor more information, please see [Mailgun's documentation on webhooks](https://documentation.mailgun.com/docs/mailgun/user-manual/tracking-messages/#securing-webhooks)."
639
+ tags = ['gitlab_blocking']
640
+ keywords = ['mailgun']
641
+
642
+ [[rules]]
643
+ id = 'MaxMind License Key'
644
+ regex = '\b([a-zA-Z0-9]{6}_[a-zA-Z0-9]{29}_mmk)\b'
645
+ description = 'MaxMind License Key'
646
+ title = 'MaxMind License Key'
647
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
648
+ tags = ['gitlab_blocking']
649
+ keywords = ['_mmk']
650
+
651
+ [[rules]]
652
+ id = 'New Relic user API Key'
653
+ regex = '\bNRAK-[0-9A-Z]{27}\b'
654
+ description = "A New Relic user API key was identified. User keys are used for querying data and managing configurations (Alerts,\nSynthetics, dashboards, etc.). A malicious actor with access to this key can execute API requests as the user who\ncreated it."
655
+ title = 'New Relic user API key'
656
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nFor more information, please see [New Relic's documentation on rotating API keys](https://docs.newrelic.com/docs/apis/intro-apis/new-relic-api-keys/#rotate-keys)."
657
+ tags = ['gitlab_blocking']
658
+ keywords = ['NRAK-']
659
+
660
+ [[rules]]
661
+ id = 'New Relic user API ID'
662
+ regex = "(?i:newrelic)[a-zA-Z0-9_ .\\-,]{0,25}(?:=|>|:=|\\|\\|:|<=|=>|:).{0,5}['\\\"]([a-zA-Z0-9]{64})['\\\"]"
663
+ description = 'New Relic user API ID'
664
+ title = 'New Relic user API ID'
665
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nFor more information, please see [New Relic's documentation on rotating API keys](https://docs.newrelic.com/docs/apis/intro-apis/new-relic-api-keys/#rotate-keys)."
666
+ tags = ['gitlab_blocking']
667
+ keywords = ['newrelic']
668
+
669
+ [[rules]]
670
+ id = 'npm access token'
671
+ regex = "['\\\"](npm_[a-zA-Z0-9]{36})['\\\"]"
672
+ description = "An npm access token was identified. Access tokens can either be classic or granular, both of which allow customization\nof permissions. Depending on the permissions, a malicious actor with access to this token can read packages and package\ninformation, or create new packages and publish them under the account that created them."
673
+ title = 'npm access token'
674
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke an access token from the UI:\n\n- Sign in to your npm account at <https://www.npmjs.com/login>\n- In the top right corner, select your profile picture and then select \"Access Tokens\"\n- Find the token that was identified and select \"x\" in the \"Delete\" column\n- When prompted, select \"OK\" in the dialog\n\nFor more information, please see [npm's documentation on revoking access tokens](https://docs.npmjs.com/revoking-access-tokens)."
675
+ tags = ['gitlab_blocking']
676
+ keywords = ['npm_']
677
+
678
+ [[rules]]
679
+ id = 'OktaAPITokenHeader'
680
+ regex = '\bSSWS (00[A-Za-z0-9_-]{40})\b'
681
+ description = "An Okta API Token is a credential used to authenticate API requests to an Okta organization. This token provides\nprogrammatic access to Okta's management APIs, allowing operations such as user management, group administration,\nand configuration changes. A malicious actor with access to this token could read sensitive user data, modify\nsecurity policies, create backdoor accounts, or disrupt authentication services for the entire organization."
682
+ title = 'Okta API Token'
683
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab\ndocumentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke your Okta API Token:\n\n- Log in to your Okta Admin Console at `https://[your-domain].okta.com/admin`\n- Navigate to **Security** > **API** from the main menu\n- Select the **Tokens** tab to view all API tokens\n- Locate the compromised token by its name, creation date, or last used timestamp\n- Click the **Revoke** button next to the compromised token and confirm the revocation\n- Generate a new API token if needed and update all applications or scripts that use this credential\n- Review API access logs under **Reports** > **System Log** to identify any unauthorized activity\n\nFor detailed information on managing Okta API Tokens, please see the\n[Okta API Token Management Documentation](https://developer.okta.com/docs/guides/create-an-api-token/main/)."
684
+ tags = ['gitlab_blocking']
685
+ keywords = ['SSWS 00']
686
+
687
+ [[rules]]
688
+ id = 'Onfido Live API Token'
689
+ regex = '\bapi_live(?:_[a-z]{2})?\.[_a-zA-Z0-9]{11}\.[-_a-zA-Z0-9]{32}\b'
690
+ description = 'Onfido Live API Token'
691
+ title = 'Onfido Live API Token'
692
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
693
+ tags = ['gitlab_blocking']
694
+ keywords = ['api_live']
695
+
696
+ [[rules]]
697
+ id = 'OpenAiProjectKey'
698
+ regex = '\bsk-proj-[a-zA-Z0-9_-]{40,190}\b'
699
+ description = "An OpenAI project API key was identified. A project key can be used for programmatic access to OpenAI's API. A malicious\nactor with access to this key can execute functionality on behalf of the user who created the key."
700
+ title = 'OpenAI project key'
701
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke Open AI project API key:\n\n- Sign in to your OpenAI account and visit <https://platform.openai.com/settings/>\n- On the left-hand side menu, select \"API Keys\" under \"Project\"\n- Find the key that was identified, and select the red trash icon on the right-hand side.\n- When prompted, select \"Revoke key\" in the \"Revoke secret key\" dialog\n\nFor more information, please see [OpenAI's documentation on project API keys](https://platform.openai.com/docs/api-reference/project-api-keys)."
702
+ tags = ['gitlab_blocking']
703
+ keywords = ['sk-proj-']
704
+
705
+ [[rules]]
706
+ id = 'OpenAiServiceAccountKey'
707
+ regex = '\bsk-svcacct-[a-zA-Z0-9_-]{40,190}\b'
708
+ description = "An OpenAI service account key was identified. A service account key can be used for programmatic access to OpenAI's API.\nA malicious actor with access to this key can execute functionality on behalf of the user who created the key."
709
+ title = 'OpenAI service account key'
710
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\n- Sign in to your OpenAI account and visit <https://platform.openai.com/settings/>\n- On the left-hand side menu, select \"API Keys\" under \"Organization\"\n- Find the key that was identified, and select the red trash icon on the right-hand side.\n- When prompted, select \"Revoke key\" in the \"Revoke secret key\" dialog\n\nFor more information, please see [OpenAI's documentation on project service accounts](https://platform.openai.com/docs/api-reference/project-service-accounts)."
711
+ tags = ['gitlab_blocking']
712
+ keywords = ['sk-svcacct-']
713
+
714
+ [[rules]]
715
+ id = 'OpenAiServiceAdminKey'
716
+ regex = '\bsk-admin-[a-zA-Z0-9_-]{124}'
717
+ description = "An OpenAI admin key was identified. Admin keys are for programmatic administration of your account. Admin keys grant\naccess to endpoints detailed in the [API Reference for Organizations](https://platform.openai.com/docs/api-reference/administration).\nA malicious actor with access to this key can take over the administration of the organization."
718
+ title = 'OpenAI admin key'
719
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke an OpenAI admin key:\n\n- Sign in to your OpenAI account and visit <https://platform.openai.com/settings/>\n- On the left-hand side menu, select \"Admin Keys\" under \"Organization\"\n- Find the key that was identified, and select the red trash icon in the right-hand side\n- When prompted, select \"Revoke key\" in the \"Revoke secret key\" dialog\n\nFor more information, please see [OpenAI's documentation on administration](https://platform.openai.com/docs/api-reference/administration)."
720
+ tags = ['gitlab_blocking']
721
+ keywords = ['sk-admin-']
722
+
723
+ [[rules]]
724
+ id = 'Planetscale password'
725
+ regex = '\bpscale_pw_[a-zA-Z0-9]{43}\b'
726
+ description = "A PlanetScale password was identified. PlanetScale passwords are used to connect to database instances. A malicious\nactor with access to this password can access PlanetScale managed databases."
727
+ title = 'PlanetScale password'
728
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nFor more information, please see [PlanetScale's documentation on database connection strings](https://planetscale.com/docs/concepts/connection-strings)."
729
+ tags = ['gitlab_blocking']
730
+ keywords = ['pscale_pw_']
731
+
732
+ [[rules]]
733
+ id = 'Planetscale API token'
734
+ regex = '\bpscale_tkn_[a-zA-Z0-9\-_]{43}\b'
735
+ description = "A PlanetScale API service token was identified. Service tokens are created and assigned permissions depending on the\nallowed scope. A malicious actor with access to the service token is granted the same permissions that were assigned to\nthis service token."
736
+ title = 'PlanetScale API token'
737
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke a service token:\n\n- Sign in to your PlanetScale account and access <https://app.planetscale.com/>.\n- From the menu on the left-hand side, select \"Settings\"\n- Under \"Settings\", select \"Service tokens\"\n- Find the identified security token and select its name\n- Take note of its organization access, permissions and scope\n- Select \"Delete service token\" in the top right corner\n- When prompted, select \"Delete\" in the \"Delete service token\" dialog\n\nFor more information, please see [PlanetScale's documentation on service tokens](https://planetscale.com/docs/concepts/service-tokens)."
738
+ tags = ['gitlab_blocking']
739
+ keywords = ['pscale_tkn_']
740
+
741
+ [[rules]]
742
+ id = 'PlanetscaleAppSecret'
743
+ regex = '\bpscale_app_secret_[0-9A-Za-z_-]{43}\b'
744
+ description = "A PlanetScale App secret was identified. App secrets are used when allowing users to sign in to your application.\nDepending on the scopes assigned, a malicious actor with access to this secret can impersonate the service to access\nusers details."
745
+ title = 'PlanetScale App secret'
746
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo regenerate an OAuth secret:\n\n- Sign in to your PlanetScale account and access <https://app.planetscale.com/>.\n- From the menu on the left-hand side, select \"Settings\"\n- Under \"Settings\", select \"OAuth applications\"\n- Find the application that uses the identified token and select its name\n- Take note of the OAuth application's permissions and scope\n- Select \"Generate secret\"\n\nFor more information, please see [PlanetScale's documentation on OAuth applications](https://planetscale.com/docs/concepts/planetscale-api-oauth-applications#oauth-applications)."
747
+ tags = ['gitlab_blocking']
748
+ keywords = ['pscale_app_secret_']
749
+
750
+ [[rules]]
751
+ id = 'PlanetscaleOAuthSecret'
752
+ regex = '\bpscale_oauth_[0-9A-Za-z]{32,64}\b'
753
+ description = 'PlanetScale OAuth secret'
754
+ title = 'PlanetScale OAuth secret'
755
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
756
+ tags = ['gitlab_blocking']
757
+ keywords = ['pscale_oauth_']
758
+
759
+ [[rules]]
760
+ id = 'PostHogPersonalAPIkey'
761
+ regex = '\bphx_[0-9A-Za-z]{43}\b'
762
+ description = 'A PostHog Personal API key was identified. API keys can enable full access to your account.'
763
+ title = 'Posthog Personal API key'
764
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke an API Key, sign in to your PostHog account and access your\n[Personal API keys](https://us.posthog.com/settings/user-api-keys).\n\nFor more information, please see [PostHog's API Overview documentation](https://posthog.com/docs/api)."
765
+ tags = ['gitlab_blocking']
766
+ keywords = ['phx_']
767
+
768
+ [[rules]]
769
+ id = 'Postman API token'
770
+ regex = '\bPMAK-[a-f0-9]{24}-[a-f0-9]{34}\b'
771
+ description = "A Postman API token was identified. An API key provides access to any Postman data the account has permissions to.\nA malicious actor with access to this token can access all data stored in the Postman service that the user who created\nthe API key has access to."
772
+ title = 'Postman API token'
773
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo regenerate an API token:\n\n- Sign in to your Postman account at <https://www.postman.com/>\n- Select the profile picture in the top right-hand side, and select \"Settings\"\n- Select \"API keys\" in the left-hand menu\n- Find the key that was identified, and select the ellipsis next to the status column in the \"API keys\" section\n- Select \"Regenerate\"\n- When prompted, select \"Regenerate API Key\" in the \"Regenerate API key\" dialog\n\nFor more information, please see [Postman's documentation on API keys](https://learning.postman.com/docs/developer/postman-api/authentication/)."
774
+ tags = ['gitlab_blocking']
775
+ keywords = ['PMAK-']
776
+
777
+ [[rules]]
778
+ id = 'PostmanCollectionAccessKey'
779
+ regex = '\bPMAT-[A-Z0-9]{26}\b'
780
+ description = "A Postman collection access key was identified. Collection access keys allow read-only access to a single collection.\nA malicious actor with access to this token can read all data stored in the collection this key is associated with."
781
+ title = 'Postman collection access key'
782
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo delete a collection access key:\n\n- Sign in to your Postman account at <https://www.postman.com/>\n- Select the profile picture in the top right-hand side, and select \"Settings\"\n- Select \"API keys\" in the left-hand menu\n- Find the key that was identified in the \"Collection access keys\" section\n- Select \"Delete\"\n\nFor more information, please see [Postman's documentation on generating collection access keys](https://learning.postman.com/docs/developer/postman-api/authentication/#generate-a-collection-access-key)."
783
+ tags = ['gitlab_blocking']
784
+ keywords = ['PMAT-']
785
+
786
+ [[rules]]
787
+ id = 'PyPI upload token'
788
+ regex = 'pypi-AgEIcHlwaS5vcmc[A-Za-z0-9-_]{50,1000}'
789
+ description = "A PyPi upload token was identified. Upload tokens are used for uploading packages for publishing Python packages.\nA malicious actor with access to this token can upload potentially malicious artifacts."
790
+ title = 'PyPi upload token'
791
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nIt is strongly recommended to switch to OIDC Connect instead of using PyPi upload tokens.\nPlease see [PyPi's documentation on trusted publishers](https://docs.pypi.org/trusted-publishers/).\n\nTo delete a PyPi upload token:\n\n- Sign in to your PyPi account and visit <https://pypi.org/manage/account/>\n- Scroll down to the \"API tokens\" section\n- Find the identified token and select the \"Options\" dropdown list\n- Select \"Remove token\"\n- When prompted, enter your password and select \"Remove API Token\"\n\nFor more information, please see [PyPi's documentation on upload tokens](https://pypi.org/help/#apitoken)."
792
+ tags = ['pypi', 'revocation_type', 'gitlab_blocking']
793
+ keywords = ['pypi-AgEIcHlwaS5vcmc']
794
+
795
+ [[rules]]
796
+ id = 'Rubygem API token'
797
+ regex = 'rubygems_[a-f0-9]{48}'
798
+ description = "A RubyGems API token was identified. RubyGems tokens are used for accessing the API or publishing packages. RubyGems\ntokens can be created with specific permissions or scopes. Depending on the permissions and scope, a malicious actor\nwith access to this token can add or remove packages, add or remove owners, or view the dashboard."
799
+ title = 'RubyGems API token'
800
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke the API token:\n\n- Sign in to your RubyGems account and access <https://rubygems.org/settings/edit>\n- Scroll down to and select \"API Keys\" or go to <https://rubygems.org/profile/api_keys>\n- Find the identified token and select \"Delete\"\n- When prompted, select \"OK\" in the dialog.\n\nFor more information, please see the [RubyGems documentation on API tokens](https://guides.rubygems.org/api-key-scopes/)."
801
+ tags = ['gitlab_blocking']
802
+ keywords = ['rubygems_']
803
+
804
+ [[rules]]
805
+ id = 'Segment Public API token'
806
+ regex = 'sgp_[a-zA-Z0-9]{64}'
807
+ description = "A Segment Public API token was identified. The Segment Public API is used to manage your Segment workspaces and its\nresources. Two types of tokens match this pattern, a workspace owner token and a limited role token. In general these\ntokens allow callers of the API to perform read, write, and delete operations. A malicious actor with access to a\nworkspace owner token can access all workspace data. A limited role token can access the data it was granted access to\non creation."
808
+ title = 'Segment public API token'
809
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate a Public API token:\n\n- Sign in to your Segment account and access your workspace from <https://app.segment.com/>\n- From the left-hand menu, select \"Settings\" and go to \"Workspace settings\"\n- Select the \"Access Management\" tab in the \"Workspace settings\" page\n- Select the \"Tokens\" tab under \"Access Management\"\n- Find the key that was identified, and select it\n- In the right hand side, select \"Edit token\" in the \"Token Permissions\" section\n- Select \"Remove token\" in the top right corner\n- When prompted, select \"Remove Token\" in the dialog\n\nFor more information, please see [Segment's documentation on their public API](https://segment.com/docs/api/public-api/)."
810
+ tags = ['gitlab_blocking']
811
+ keywords = ['sgp_']
812
+
813
+ [[rules]]
814
+ id = 'Sendgrid API token'
815
+ regex = 'SG\.[a-zA-Z0-9_\-\.]{66}'
816
+ description = 'SendGrid API token'
817
+ title = 'SendGrid API token'
818
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
819
+ tags = ['gitlab_blocking']
820
+ keywords = ['SG.']
821
+
822
+ [[rules]]
823
+ id = 'Sendinblue API token'
824
+ regex = '\bxkeysib-[a-f0-9]{64}-[a-zA-Z0-9]{16}\b'
825
+ description = 'Brevo API token'
826
+ title = 'Brevo API token'
827
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
828
+ tags = ['gitlab_blocking']
829
+ keywords = ['xkeysib-']
830
+
831
+ [[rules]]
832
+ id = 'Sendinblue SMTP token'
833
+ regex = '\bxsmtpsib-[a-f0-9]{64}-[a-zA-Z0-9]{16}\b'
834
+ description = 'Brevo SMTP token'
835
+ title = 'Brevo SMTP token'
836
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
837
+ tags = ['gitlab_blocking']
838
+ keywords = ['xsmtpsib-']
839
+
840
+ [[rules]]
841
+ id = 'Shippo API token'
842
+ regex = '\bshippo_live_[a-f0-9]{40}\b'
843
+ description = "A live Shippo API token was identified. API tokens can be used to access the Shippo API which is used for shipping services.\nA malicious actor with access to this token can access billing and order information and modify shipping data."
844
+ title = 'Shippo API token'
845
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke an API token:\n\n- Sign in to your Shippo account and access <https://apps.goshippo.com/>\n- In the top right-hand side, select the \"gear\" icon to go to the \"Settings\" page\n- Scroll down in the left hand menu to \"Advanced\" and select \"API\"\n- Under the \"Token\" section, select \"Manage your token\"\n- Find the identified token and select the trash icon\n- When prompted, select \"Yes, remove token\" in the \"Manage Your Tokens\" dialog\n\nFor more information, please see [Shippo's documentation on API keys](https://portal.goshippo.com/api-config/api)."
846
+ tags = ['gitlab_blocking']
847
+ keywords = ['shippo_live_']
848
+
849
+ [[rules]]
850
+ id = 'Shopify shared secret'
851
+ regex = 'shpss_[a-fA-F0-9]{32}'
852
+ description = 'Shopify shared secret'
853
+ title = 'Shopify shared secret'
854
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
855
+ tags = ['gitlab_blocking']
856
+ keywords = ['shpss_']
857
+
858
+ [[rules]]
859
+ id = 'Shopify access token'
860
+ regex = 'shpat_[a-fA-F0-9]{32}'
861
+ description = "A Shopify personal access token was identified. Access tokens can be given\nrestricted scopes or be given full access to all store data. A malicious actor who gained\naccess to this token could be able to read or modify store data."
862
+ title = 'Shopify personal access token'
863
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nAccess tokens cannot be revoked, you must uninstall and reinstall the application.\n\nPlease see [Shopify's documentation for more details](https://shopify.dev/docs/apps/build/authentication-authorization/access-tokens/generate-app-access-tokens-admin#rotating-api-credentials-for-admin-created-apps)."
864
+ tags = ['gitlab_blocking']
865
+ keywords = ['shpat_']
866
+
867
+ [[rules]]
868
+ id = 'Shopify custom app access token'
869
+ regex = 'shpca_[a-fA-F0-9]{32}'
870
+ description = 'Shopify custom app access token'
871
+ title = 'Shopify custom app access token'
872
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
873
+ tags = ['gitlab_blocking']
874
+ keywords = ['shpca_']
875
+
876
+ [[rules]]
877
+ id = 'Shopify private app access token'
878
+ regex = 'shppa_[a-fA-F0-9]{32}'
879
+ description = 'Shopify private app access token'
880
+ title = 'Shopify private app access token'
881
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
882
+ tags = ['gitlab_blocking']
883
+ keywords = ['shppa_']
884
+
885
+ [[rules]]
886
+ id = 'ShopifyPartnerAPIToken'
887
+ regex = '\bprtapi_[a-f0-9]{32}\b'
888
+ description = "A Shopify partner API token was identified. Partner API tokens can be restricted to only allowing access to the\nfollowing:\n\n- View financials: This permission is required to access Transaction resources. These resources represent all of the\n transactions that impact your Partner earnings.\n- Manage apps: This permission is required to access App resources, including all app-related events such as installs,\n uninstalls, and charges. This resource represents all of the public and private apps managed by your organization.\n- Manage themes: This permission is required to access the Theme resource. This resource represents all of the Shopify\n themes managed by your organization.\n- Manage jobs: This permission is required to access Conversation and Job resources. These resources represent Experts\n Marketplace conversations and jobs owned by your organization.\n\nA malicious actor with access to this token can access one or more of these functions."
889
+ title = 'Shopify Partner API token'
890
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate your Shopify partner API token:\n\n- Sign in to your Shopify partner account and access <https://partners.shopify.com/>\n- In the left-hand menu, select \"Settings\"\n- Scroll down to \"Partner API clients\" and select \"Manage Partner API clients\"\n- Select the client that uses the identified token\n- Select \"Generate secondary token\"\n- Select the trash icon next to the identified token\n- When prompted, select \"Delete token\" in the \"Delete access token?\" dialog\n\nPlease see [Shopify's documentation for more details](https://shopify.dev/docs/api/partner#authentication)."
891
+ tags = ['gitlab_blocking']
892
+ keywords = ['prtapi_']
893
+
894
+ [[rules]]
895
+ id = 'Slack token'
896
+ regex = 'xox[baprs]-([0-9a-zA-Z]{10,48})'
897
+ description = "A Slack bot user OAuth token was identified. A Slack app's capabilities and permissions are governed by the scopes it\nrequests. A full list of permissions can be found [in Slack's scopes documentation](https://api.slack.com/scopes).\nA malicious actor with access to this token can execute functionality that was assigned to it."
898
+ title = 'Slack bot user OAuth token'
899
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke a Slack bot user OAuth token (Note: This requires all users to re-authorize your application):\n\n- Sign in to Slack and access <https://api.slack.com/apps>\n- Find the application with the identified token and select the name\n- In the left-hand menu, select \"OAuth & Permissions\"\n- Scroll down to \"Revoke All OAuth Tokens\" and select \"Revoke tokens\"\n- When prompted, select \"Yes, I'm sure\" in the \"Are you sure?\" dialog\n- After some time, scroll back up to the \"OAuth Tokens\" section and select \"Reinstall to XXX\", where XXX is your\n workspace name\n\nFor more information, please see [Slack's documentation on OAuth](https://api.slack.com/authentication/oauth-v2)"
900
+ tags = ['gitlab_blocking']
901
+ keywords = ['xoxb', 'xoxa', 'xoxp', 'xoxr', 'xoxs']
902
+
903
+ [[rules]]
904
+ id = 'SlackAppLevelToken'
905
+ regex = '\bxapp-1-[A-Z0-9]{11}-[0-9]{13}-[a-f0-9]{64}\b'
906
+ description = "A Slack app level token was identified. App level tokens are for use with Slack apps but only with specific APIs, which\nare related to the app across all organizations where the app is installed. Three scope levels can be assigned:\n\n- connections:write: Route your app's interactions and event payloads over WebSockets\n- authorizations:read: View information about your app's authorizations on installed teams\n- app_configurations:write: Configure your application\n\nA malicious actor with access to this token is granted one or more of the above permissions to access the API with for\na specific application."
907
+ title = 'Slack app level token'
908
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke a Slack app level token:\n\n- Sign in to Slack and access <https://api.slack.com/apps>\n- Find the application with the identified token and select the name\n- In the left-hand menu, select \"Basic Information\"\n- Scroll down to the \"App-Level Tokens\" section and select the token name of the identified token\n- In the token dialog, select \"Revoke\"\n- When prompted, select \"Yes, I'm sure\" in the \"Are you sure?\" dialog"
909
+ tags = ['gitlab_blocking']
910
+ keywords = ['xapp-1-']
911
+
912
+ [[rules]]
913
+ id = 'SlackAppConfigurationToken'
914
+ regex = '\bxoxe\.xoxp-1-[A-Za-z0-9]{166}\b'
915
+ description = "A Slack app configuration token was identified. Configuration tokens are per-workspace tokens used with App Manifest\nAPIs to create and configure your apps. A malicious actor with access to this token can take over configuration of all\napplications of the user who created it, however these tokens are rotated every 12 hours and give a malicious actor a\nlimited opportunity to use it."
916
+ title = 'Slack app configuration token'
917
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke a Slack app configuration token:\n\n- Sign in to Slack and access <https://api.slack.com/apps>\n- Find the token in the \"Access Token\" column in the \"Your App Configuration Tokens\" table and select the trash icon in\n the \"Delete\" column\n- When prompted, select \"Revoke Token\" in the \"Revoke this token?\" dialog\n\nFor more information, please see [Slack's documentation on managing configuration tokens](https://api.slack.com/reference/manifests#config-tokens)."
918
+ tags = ['gitlab_blocking']
919
+ keywords = ['xoxe.xoxp-1-']
920
+
921
+ [[rules]]
922
+ id = 'SlackAppConfigurationRefreshToken'
923
+ regex = '\bxoxe-1-[A-Za-z0-9]{147}\b'
924
+ description = "A Slack app configuration refresh token was identified. Configuration tokens are per-workspace tokens used with App\nManifest APIs to create and configure your apps. A malicious actor with access to this token can take over configuration\nof all applications of the user who created it. Refresh tokens are more dangerous than configuration tokens as they can\nbe used to create new configuration tokens, allowing a malicious actor perpetual access to all applications."
925
+ title = 'Slack app configuration refresh token'
926
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke a Slack app configuration refresh token:\n\n- Sign in to Slack and access <https://api.slack.com/apps>\n- Find the token in the \"Refresh Token\" column in the \"Your App Configuration Tokens\" table and select the trash icon\n in the \"Delete\" column\n- When prompted, select \"Revoke Token\" from the \"Revoke this token?\" dialog\n\nFor more information, please see [Slack's documentation on managing configuration tokens](https://api.slack.com/reference/manifests#config-tokens)."
927
+ tags = ['gitlab_blocking']
928
+ keywords = ['xoxe-1-']
929
+
930
+ [[rules]]
931
+ id = 'SonarQubeUserToken'
932
+ regex = '\bsqu_[0-9a-f]{40}\b'
933
+ description = 'SonarQube User Token'
934
+ title = 'SonarQube User Token'
935
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
936
+ tags = ['gitlab_blocking']
937
+ keywords = ['squ_']
938
+
939
+ [[rules]]
940
+ id = 'SonarQubeGlobalAnalysisToken'
941
+ regex = '\bsqa_[0-9a-f]{40}\b'
942
+ description = 'SonarQube Global Analysis Token'
943
+ title = 'SonarQube Global Analysis Token'
944
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
945
+ tags = ['gitlab_blocking']
946
+ keywords = ['sqa_']
947
+
948
+ [[rules]]
949
+ id = 'SonarQubeProjectAnalysisToken'
950
+ regex = '\bsqp_[0-9a-f]{40}\b'
951
+ description = 'SonarQube Project Analysis Token'
952
+ title = 'SonarQube Project Analysis Token'
953
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
954
+ tags = ['gitlab_blocking']
955
+ keywords = ['sqp_']
956
+
957
+ [[rules]]
958
+ id = 'SplunkAuthToken'
959
+ regex = 'eyJraWQiOiJzcGx1bmsuc2VjcmV0[A-Za-z0-9_-]{20,180}\.[A-Za-z0-9_-]{20,600}\.[A-Za-z0-9_-]{20,200}\b'
960
+ description = "A Splunk Authentication Token is a credential used to authenticate API requests and integrate external\napplications with Splunk Enterprise or Splunk Cloud Platform. This token provides programmatic access to\nSplunk's search, indexing, and administrative capabilities. A malicious actor with access to this token\ncould query sensitive data, modify configurations, or disrupt monitoring operations depending on the\nassociated user's permissions."
961
+ title = 'Splunk Authentication Token'
962
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab\ndocumentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke your Splunk Authentication Token:\n\n1. Log in to your Splunk instance at `https://your-splunk-instance:8000` (Splunk Enterprise) or your\n Splunk Cloud Platform URL\n2. Navigate to **Settings** > **Tokens** (or **Settings** > **Users and Authentication** > **Tokens**)\n3. Locate the compromised token in the token list by checking the token description, creation date,\n or last used timestamp\n4. Click **Delete** next to the compromised token and confirm the deletion\n5. Generate a new authentication token by clicking **New Token**, providing a description, and setting\n appropriate permissions\n6. Update all applications, scripts, and integrations that were using the old token with the new token\n value\n7. Verify connectivity by testing API requests with the new token and monitoring audit logs for successful\n authentication events\n\nFor detailed information on managing Splunk Authentication Tokens, please see the\n[Splunk documentation on securing Splunk Enterprise](https://docs.splunk.com/Documentation/Splunk/latest/Security/Setupauthenticationwithtokens)\nand\n[token management](https://docs.splunk.com/Documentation/Splunk/latest/Security/UseAuthTokens)."
963
+ tags = ['gitlab_blocking']
964
+ keywords = ['eyJraWQiOiJzcGx1bmsuc2VjcmV0']
965
+
966
+ [[rules]]
967
+ id = 'StripeLiveSecretKey'
968
+ regex = '\bsk_live_[A-Za-z0-9]{99}\b'
969
+ description = "A Stripe live secret key was identified. Live secret keys authenticate requests on your server when in\nlive mode. By default, you can use this key to perform any API request without restriction. A malicious actor who gained\naccess to this key could gain read/write access to all data in Stripe for this account."
970
+ title = 'Stripe live secret key'
971
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate your Stripe live secret key:\n\n- Sign in to your Stripe account and access <https://dashboard.stripe.com/apikeys>\n- Ensure \"Test mode\" is disabled\n- In the \"Standard keys\" section, find the key that was identified and select the ellipsis in the right-hand side\n- Select \"Roll key...\"\n- In the \"Roll API key\" dialog, select an expiration date, for example \"now\"\n- Select \"Roll API Key\"\n\nFor more information, please see [Stripe's documentation on rotating API keys](https://docs.stripe.com/keys#rolling-keys)."
972
+ tags = ['gitlab_blocking']
973
+ keywords = ['sk_live_']
974
+
975
+ [[rules]]
976
+ id = 'StripeLiveRestrictedKey'
977
+ regex = '\brk_live_[A-Za-z0-9]{99}\b'
978
+ description = "A Stripe live restricted key was identified. Restricted keys offer greater security by only allowing read or write\naccess to specific API resources. A malicious actor with access to this key is limited by the scope defined for the key."
979
+ title = 'Stripe live restricted key'
980
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate your Stripe live restricted key:\n\n- Sign in to your Stripe account and access <https://dashboard.stripe.com/apikeys>\n- Ensure \"Test mode\" is disabled\n- In the \"Restricted keys\" section, find the key that was identified and select the ellipsis in the right-hand side\n- Select \"Roll key...\"\n- In the \"Roll API key\" dialog, select an expiration date, for example \"now\"\n- Select \"Roll API Key\"\n\nFor more information, please see [Stripe's documentation on rotating API keys](https://docs.stripe.com/keys#rolling-keys)."
981
+ tags = ['gitlab_blocking']
982
+ keywords = ['rk_live_']
983
+
984
+ [[rules]]
985
+ id = 'StripeLiveShortSecretKey'
986
+ regex = '\bsk_live_[A-Za-z0-9]{24}\b'
987
+ description = "A Stripe live secret key was identified. Live secret keys authenticate requests on your server when in\nlive mode. By default, you can use this key to perform any API request without restriction. A malicious actor who gained\naccess to this key could gain read/write access to all data in Stripe for this account."
988
+ title = 'Stripe live secret key'
989
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo rotate your Stripe live secret key:\n\n- Sign in to your Stripe account and access <https://dashboard.stripe.com/apikeys>\n- Ensure \"Test mode\" is disabled\n- In the \"Standard keys\" section, find the key that was identified and select the ellipsis in the right-hand side\n- Select \"Roll key...\"\n- In the \"Roll API key\" dialog, select an expiration date, for example \"now\"\n- Select \"Roll API Key\"\n\nFor more information, please see [Stripe's documentation on rotating API keys](https://docs.stripe.com/keys#rolling-keys)."
990
+ tags = ['gitlab_blocking']
991
+ keywords = ['sk_live_']
992
+
993
+ [[rules]]
994
+ id = 'TailscalePersonalAuthKey'
995
+ regex = '\btskey-auth-[A-Za-z0-9]{12}CNTRL-[A-Za-z0-9]{32,33}\b'
996
+ description = "A Tailscale personal authentication key was identified. Pre-authentication keys (called auth keys) let you register new\nnodes without needing to sign in using a web browser. An auth key authenticates a device as the user who generated the\nkey. A malicious actor with access to this key can register nodes under the account that owns it."
997
+ title = 'Tailscale personal authentication key'
998
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke a Tailscale auth key:\n\n- Sign in to your Tailscale account and go to <https://login.tailscale.com/admin/settings/general>\n- On the \"Settings\" page in the left-hand menu select \"Keys\" under \"Personal Settings\"\n- Find the key that was identified in the \"Auth keys\" section and select the \"Revoke...\" text next to the \"Type\" column\n- When prompted, select \"Revoke key\" in the \"Revoke\" dialog\n\nFor more information, please see [Tailscale's documentation on personal auth keys](https://tailscale.com/kb/1085/auth-keys)."
999
+ tags = ['gitlab_blocking']
1000
+ keywords = ['tskey-auth-']
1001
+
1002
+ [[rules]]
1003
+ id = 'TailscaleApiAccessToken'
1004
+ regex = '\btskey-api-[A-Za-z0-9]{12}CNTRL-[A-Za-z0-9]{32,33}\b'
1005
+ description = "A Tailscale API access token was identified. API access tokens give full access to the Tailscaled API. A malicious actor\nwith access to this token can gain full access to the Tailscale networks."
1006
+ title = 'Tailscale API access token'
1007
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke a Tailscale API access token:\n\n- Sign in to your Tailscale account and go to <https://login.tailscale.com/admin/settings/general>\n- On the \"Settings\" page in the left-hand menu select \"Keys\" under \"Personal Settings\"\n- Find the key that was identified in the \"API access tokens\" section and select the \"Revoke...\" text next to the \"Type\"\n column\n- When prompted, select \"Revoke key\" in the \"Revoke\" dialog\n\nFor more information, please see [Tailscale's documentation on their API](https://tailscale.com/kb/1101/api)"
1008
+ tags = ['gitlab_blocking']
1009
+ keywords = ['tskey-api-']
1010
+
1011
+ [[rules]]
1012
+ id = 'TailscaleOauthClientSecret'
1013
+ regex = '\btskey-client-[a-zA-Z0-9]{17}-[a-zA-Z0-9]{30,36}\b'
1014
+ description = "A Tailscale OAuth client secret was identified. OAuth clients provide a framework for\ndelegated and scoped access to the Tailscale API. An OAuth client creates access tokens for scoped API\naccess. More details on [scopes can be found in Tailscale's documentation](https://tailscale.com/kb/1215/oauth-clients?q=OAuth#scopes).\nA malicious actor with access to this secret can access the API with the privileges the client was given."
1015
+ title = 'Tailscale OAuth client secret'
1016
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nTo revoke a Tailscale OAuth client secret:\n\n- Sign in to your Tailscale account and go to <https://login.tailscale.com/admin/settings/general>\n- On the \"Settings\" page in the left-hand menu select \"OAuth clients\"\n- Find the key that was identified and select the \"Revoke...\" text next to the \"Scopes\" column\n- When prompted, select \"Revoke OAuth client\" in the \"Revoke\" dialog\n\nFor more information, please see [Tailscale's documentation on OAuth clients](https://tailscale.com/kb/1215/oauth-clients)."
1017
+ tags = ['gitlab_blocking']
1018
+ keywords = ['tskey-client-']
1019
+
1020
+ [[rules]]
1021
+ id = 'TencentCloudSecretID'
1022
+ regex = '\bAKID[0-9A-Za-z]{32}\b'
1023
+ description = 'Tencent Cloud Secret ID'
1024
+ title = 'Tencent Cloud Secret ID'
1025
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
1026
+ tags = ['gitlab_blocking']
1027
+ keywords = ['AKID']
1028
+
1029
+ [[rules]]
1030
+ id = 'Twilio API Key'
1031
+ regex = '\bSK[0-9a-fA-F]{32}\b'
1032
+ description = 'Twilio API Key'
1033
+ title = 'Twilio API key'
1034
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
1035
+ tags = ['gitlab_blocking']
1036
+ keywords = ['SK']
1037
+
1038
+ [[rules]]
1039
+ id = 'Twilio Account SID'
1040
+ regex = '\bAC[0-9a-f]{32}\b'
1041
+ description = 'Twilio Account SID'
1042
+ title = 'Twilio Account SID'
1043
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
1044
+ tags = ['gitlab_blocking']
1045
+ keywords = ['AC']
1046
+
1047
+ [[rules]]
1048
+ id = 'VolcengineAccessKeyID'
1049
+ regex = '\bAKLT[0-9A-Za-z]{30,44}\b'
1050
+ description = 'Volcengine Access Key ID'
1051
+ title = 'Volcengine Access Key ID'
1052
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
1053
+ tags = ['gitlab_blocking']
1054
+ keywords = ['AKLT']
1055
+
1056
+ [[rules]]
1057
+ id = 'WakaTimeAPIKey'
1058
+ regex = '\bwaka_[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\b'
1059
+ description = 'WakaTime API Key'
1060
+ title = 'WakaTime API Key'
1061
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
1062
+ tags = ['gitlab_blocking']
1063
+ keywords = ['waka_']
1064
+
1065
+ [[rules]]
1066
+ id = 'Yandex.Cloud API Key'
1067
+ regex = '\bAQVN[0123wxyz][0-9A-Za-z_-]{35}\b'
1068
+ description = 'Yandex.Cloud API Key'
1069
+ title = 'Yandex.Cloud API Key'
1070
+ remediation = "For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet)."
1071
+ tags = ['gitlab_blocking']
1072
+ keywords = ['AQVN']