credsweeper 1.12.1__py3-none-any.whl → 1.13.0__py3-none-any.whl

credsweeper/rules/config.yaml

@@ -3,7 +3,7 @@
   confidence: weak
   type: pattern
   values:
-    - (?P<variable>(\w*(?i:비밀번호|비번|패스워드|키|암호화?|토큰|(?<!by)pass(?!ed|ing|ion|es|age)|\bpwd?\b|token|secret|key|cred)\w*)\s*(설정은|[=:!]{1,3}))?\s*([._0-9A-Za-z\[\]]*get(env)?\s*\(\s*(?(variable)[^,]+|[\"'\\]*(\\*([\"']|&(quot|apos|#3[49]);)){0,4}(\w*(?i:(?<!by)pass(?!ed|ing|ion|es|age|\s+[a-z]{3,80})|\bpwd?\b|token|secret|key|cred)\w*))(\\*([\"']|&(quot|apos|#3[49]);)){0,4})\s*,\s*(default\s*=\s*)?([brufl@]{1,2}(?=\\*[\"'&]))?(?P<lq>(\\*([\"']|&(quot|apos|#3[49]);)){1,4})(?P<value>(.(?!(?P=lq))){4,80}.?)
+    - (?P<variable>(\w*(?i:비밀번호|비번|패스워드|키|암호화?|토큰|(?<!by)pass(?!e[dns]|ing|ion|age)|\bpwd?\b|token|secret|key|cred)\w*)\s*(설정은|[=:!]{1,3}))?\s*([._0-9A-Za-z\[\]]*get(env)?\s*\(\s*(?(variable)[^,]+|[\"'\\]*(\\*([\"']|&(quot|apos|#3[49]);)){0,4}(\w*(?i:(?<!by)pass(?!e[dns]|ing|ion|age|\s+[a-z]{3,80})|\bpwd?\b|token|secret|key|cred)\w*))(\\*([\"']|&(quot|apos|#3[49]);)){0,4})\s*,\s*(default\s*=\s*)?([brufl@]{1,2}(?=\\*[\"'&]))?(?P<lq>(\\*([\"']|&(quot|apos|#3[49]);)){1,4})(?P<value>(.(?!(?P=lq))){4,80}.?)
   filter_type:
     - ValueAllowlistCheck
     - LineGitBinaryCheck
@@ -34,7 +34,7 @@
   confidence: weak
   type: pattern
   values:
-    - (?P<wrap>[\"'`(])?\s*(?P<variable>(\w*(?i:(?<!by)passw?o?r?d?s?(?!ed|ing|ion|es|age)|pwd?\b|\bp/w\b|token|secret|key|credential)\w*|비밀번호|비번|패스워드|키|암호화?|토큰))[\"'`]*(\s+(?i:is|are|was|were)(\s*[:-])?\s+|\s*(설정은|[=:!]{1,3})\s*)(?P<quote>[\"'`]{1,6})?(?P<value>(?(quote)(?(wrap)[^\"'`)]{4,80}|[^\"'`]{4,80})|(?(wrap)[^\"'`)]{4,80}|\S{4,80})))
+    - (?P<wrap>[\"'`(])?\s*(?P<variable>(\w*(?i:(?<!by)passw?o?r?d?s?(?!e[dns]|ing|ion|age)|pwd?\b|\bp/w\b|token|secret|key|credential)\w*|비밀번호|비번|패스워드|키|암호화?|토큰))[\"'`]*(\s+(?i:is|are|was|were)(\s*[:-])?\s+|\s*(설정은|[=:!]{1,3})\s*)(?P<quote>[\"'`]{1,6})?(?P<value>(?(quote)(?(wrap)[^\"'`)]{4,80}|[^\"'`]{4,80})|(?(wrap)[^\"'`)]{4,80}|\S{4,80})))
   filter_type:
     - ValueAllowlistCheck
     - LineGitBinaryCheck
@@ -73,7 +73,7 @@
     - ValueAllowlistCheck
     - ValuePatternCheck(4)
     - ValueEntropyBase64Check
-    - ValueCoupleKeywordCheck
+    - ValueMorphemesCheck
   min_line_len: 16
   required_substrings:
     - token
@@ -90,7 +90,7 @@
   confidence: moderate
   type: pattern
   values:
-    - (?P<variable>[\"'`]?(?i:(?<!id[ :/])pa[as]swo?r?ds?|pwd?|p/w|비밀번호|비번|패스워드|암호)[\"'`]?)((\s)*[=:](\s)*)(?P<quote>[\"'`(])?(?P<value>(?-i:(?P<a>[A-Z])|(?P<b>[a-z])|(?P<c>[0-9/_+=~!@#$%^&*;:?-])){8,31}(?(a)(?(b)(?(c)(\S|$)|(?!x)x)|(?!x)x)|(?!x)x))(?(quote)[)\"'`])
+    - (?P<variable>[\"'`]?(?i:(?<!id[ :/])pa[as]swo?r?ds?|pwd?|p/w|비밀번호|비번|패스워드|암호)[\"'`]?)((\s)*[=:](\s)*)(?P<quote>[\"'`(])?(?P<value>(?-i:(?P<a>[A-Z])|(?P<b>[a-z])|(?P<c>[0-9/_+=~!@#$%^&*;:?-])){8,64}(?(a)(?(b)(?(c)(\S|$)|(?!x)x)|(?!x)x)|(?!x)x))(?(quote)[)\"'`])
   filter_type:
     - ValueAllowlistCheck
     - ValuePatternCheck(4)
@@ -118,7 +118,7 @@
   confidence: moderate
   type: pattern
   values:
-    - (^|\s|(?P<variable>(?i:\bip[\s/]{1,80}id[\s/]{1,80}pw[\s/:]{0,80}))|(?P<url>://))(?P<ip>(?<![0-9.])[0-2]?[0-9]{1,2}\.[0-2]?[0-9]{1,2}\.[0-2]?[0-9]{1,2}\.[0-2]?[0-9]{1,2}(?![0-9.]))((\s*[(])?|(?(variable)[\s,/]{1,80}|(?(url)[,]|[,/])))\s*\w[\w.-]{3,80}[\s,/]{1,80}(?P<value>(?(url)(?-i:(?P<a>[A-Z])|(?P<b>[a-z])|(?P<c>[0-9_+=~!@#$%^&*;?-])){7,31}(?(a)(?(b)(?(c)(\S|$)|(?!x)x)|(?!x)x)|(?!x)x)|(?-i:(?P<e>[A-Z])|(?P<f>[a-z])|(?P<g>[0-9/_+=~!@#$%^&*;?-])){7,31}(?(e)(?(f)(?(g)(\S|$)|(?!x)x)|(?!x)x)|(?!x)x)))(?:\s|[^/]|$)
+    - (^|\s|(?P<variable>(?i:\bip[\s/]{1,80}id[\s/]{1,80}pw[\s/:]{0,80}))|(?P<url>://))(?P<ip>(?<![0-9.])[0-2]?[0-9]{1,2}\.[0-2]?[0-9]{1,2}\.[0-2]?[0-9]{1,2}\.[0-2]?[0-9]{1,2}(?![0-9.]))((\s*[(])?|(?(variable)[\s,/]{1,80}|(?(url)[,]|[,/])))\s*\w[\w.-]{3,80}[\s,/]{1,80}(?P<value>(?(url)(?-i:(?P<a>[A-Z])|(?P<b>[a-z])|(?P<c>[0-9_+=~!@#$%^&*;?-])){7,64}(?(a)(?(b)(?(c)(\S|$)|(?!x)x)|(?!x)x)|(?!x)x)|(?-i:(?P<e>[A-Z])|(?P<f>[a-z])|(?P<g>[0-9/_+=~!@#$%^&*;?-])){7,64}(?(e)(?(f)(?(g)(\S|$)|(?!x)x)|(?!x)x)|(?!x)x)))(?:\s|[^/]|$)
   filter_type:
     - ValueAllowlistCheck
     - ValuePatternCheck(4)
@@ -134,7 +134,7 @@
   confidence: moderate
   type: pattern
   values:
-    - (?P<ddash>--)?(?P<variable>\w*(?i:pa[as]swords?|passwd?|pwd|\bp/w|\bpw|비밀번호|비번|패스워드|암호))\s*?(?(ddash)[ =]|[:=/>-]{1,2})\s*(?P<quote>[\"'`]{1,8})?(?P<value>(?-i:(?P<a>[A-Z])|(?P<b>[a-z])|(?P<c>[0-9/_+=~!@#$%^&*;:?-])){4,31}(?(a)(?(b)(?(c)(\S|$)|(?!x)x)|(?!x)x)|(?!x)x))(?(quote)(?P=quote)|(\s|$))
+    - (?P<ddash>--)?(?P<variable>\w*(?i:pa[as]swords?|passwd?|pwd|\bp/w|\bpw|비밀번호|비번|패스워드|암호))\s*?(?(ddash)[ =]|[:=/>-]{1,2})\s*(?P<quote>[\"'`]{1,8})?(?P<value>(?-i:(?P<a>[A-Z])|(?P<b>[a-z])|(?P<c>[0-9/_+=~!@#$%^&*;:?-])){4,64}(?(a)(?(b)(?(c)(\S|$)|(?!x)x)|(?!x)x)|(?!x)x))(?(quote)(?P=quote)|(\s|$))
     - (?P<ddash>--)?(?P<variable>(?i:user\s*)?(?i:id|login|account|root|admin|user|name|wifi|role|host|default|계정|아이디))\s*?(?(ddash)[ =]|[ :=])\s*?(?P<value>\S+)
   filter_type:
     - ValueAllowlistCheck
@@ -157,7 +157,7 @@
   confidence: moderate
   type: pattern
   values:
-    - (?P<variable>[\w.-]{0,80}(?i:(?P<id>\bid\b)|id\b|user|name|계정|아이디)[\w.-]{0,80}(?(id)[ :(/]{1,80}|[:(/]{1,80})(?i:pa[as]swo?r?ds?|pwd?|비밀번호|비번|패스워드|암호))\)?(\s*->\s*|[ =:)(/]{1,80}|\s+is\s+|\s+are\s+|\s*는\s*|\s*은\s*|\s*설정은\s*)\(?(?P<id_value>[\w.-]{2,31})[ :\(/\"',]{1,80}(?P<value>(?-i:(?P<a>[A-Z])|(?P<b>[a-z])|(?P<c>[0-9/_+=~!@#$%^&*;:?-])){4,31}(?(a)(?(b)(?(c)(\S|$)|(?!x)x)|(?!x)x)|(?!x)x))
+    - (?P<variable>[\w.-]{0,80}(?i:(?P<id>\bid\b)|id\b|user|name|계정|아이디)[\w.-]{0,80}(?(id)[ :(/]{1,80}|[:(/]{1,80})(?i:pa[as]swo?r?ds?|pwd?|비밀번호|비번|패스워드|암호))\)?(\s*->\s*|[ =:)(/]{1,80}|\s+is\s+|\s+are\s+|\s*는\s*|\s*은\s*|\s*설정은\s*)\(?(?P<id_value>[\w.-]{2,64})[ :\(/\"',]{1,80}(?P<value>(?-i:(?P<a>[A-Z])|(?P<b>[a-z])|(?P<c>[0-9/_+=~!@#$%^&*;:?-])){4,64}(?(a)(?(b)(?(c)(\S|$)|(?!x)x)|(?!x)x)|(?!x)x))
   filter_type:
     - ValueAllowlistCheck
     - ValuePatternCheck(4)
@@ -174,24 +174,6 @@
   target:
     - doc
 
-- name: SQL Password
-  severity: medium
-  confidence: weak
-  type: pattern
-  values:
-    - (\\[nrt]|\b)(?i:(?P<variable>(CREATE|ALTER|SET\s{1,8}PASSWORD|INSERT(\s{1,8}IGNORE)?|UPDATE\s{1,8}[^\s;]{1,80})\s{1,8}(LOGIN|USER|ROLE|FOR|INTO|SET)\s{1,8}([^\s;]{1,80}\s{1,8}|VALUES\s*\(){1,8}(IDENTIFIED((\s{1,8}WITH\s{1,8}\S{1,80})?\s{1,8}(BY|AS))|(=|WITH)?\s*PASSWORD\b(\s*=)?)))\s*(?P<wrap>[(]\s*)?(?P<value_leftquote>((?P<esq>\\{1,8})?([\"'`]|&(quot|apos|#3[49]);)){1,4})?(?P<value>(?(value_leftquote)((?!(?P=value_leftquote))(?(esq)((?!(?P=esq)([\"'`]|&(quot|apos|#3[49]);)).)|((?!(?P=value_leftquote)).)))|(?!&(quot|apos|#3[49]);)(\\+([ tnr]|[^\s\"'`])|[^\s\"'`,;\\])){3,80})(?(value_leftquote)(?P<value_rightquote>(?<!\\)(?P=value_leftquote))|(?(wrap)[)]|[\s\"'`,;]))
-  filter_type:
-    - ValueAllowlistCheck
-    - ValuePatternCheck
-  min_line_len: 8
-  required_substrings:
-    - password
-    - identified
-  target:
-    - doc
-    - code
-  use_ml: true
-
 - name: UUID
   severity: info
   confidence: strong
@@ -249,7 +231,7 @@
     - LineSpecificKeyCheck
     - ValuePatternCheck
     - ValueBase64PartCheck
-    - ValueCoupleKeywordCheck(3)
+    - ValueMorphemesCheck
   required_substrings:
     - A
   min_line_len: 20
@@ -278,7 +260,7 @@
   type: pattern
   values:
     - (?:^|[^0-9A-Za-z_+-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>dt0[A-Za-z]{1}[0-9]{2}\.[0-9A-Z]{24}\.[0-9A-Z]{64})(?![0-9A-Za-z_-])
-  filter_type: GeneralPattern
+  filter_type: TokenPattern
   required_substrings:
     - dt0
   min_line_len: 90
@@ -308,7 +290,7 @@
   type: pattern
   values:
     - (?:^|[^0-9A-Za-z_+-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>[0-9]{12,18}\|[0-9A-Za-z_-]{24,28})(?![0-9A-Za-z_+-])
-  filter_type: GeneralPattern
+  filter_type: TokenPattern
   required_substrings:
     - "|"
   required_regex: "[0-9A-Za-z_/+-]{15}"
@@ -317,28 +299,13 @@
     - code
     - doc
 
-- name: Github Old Token
-  severity: high
-  confidence: moderate
-  type: pattern
-  values:
-    - (?i)((git)[0-9A-Za-z_-]{0,80}(token|key|api)[0-9A-Za-z_-]{0,80}(\s)*(=|:|:=)(\s)*(["']?)(?P<value>[0-9a-z]{40})(["']?))
-  filter_type: GeneralPattern
-  use_ml: true
-  required_substrings:
-    - git
-  min_line_len: 47
-  target:
-    - code
-    - doc
-
 - name: Google API Key
   severity: high
   confidence: moderate
   type: pattern
   values:
     - (?:^|[^0-9A-Za-z_+-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>AIza[0-9A-Za-z_-]{35})
-  filter_type: GeneralPattern
+  filter_type: TokenPattern
   required_substrings:
     - AIza
   min_line_len: 39
@@ -367,7 +334,7 @@
   type: pattern
   values:
     - (?P<value>GOCSPX-[0-9A-Za-z_-]{28})(?![0-9A-Za-z_-])
-  filter_type: GeneralPattern
+  filter_type: TokenPattern
   required_substrings:
     - GOCSPX-
   min_line_len: 40
@@ -381,7 +348,7 @@
   type: pattern
   values:
     - (?P<value>ya29\.[0-9A-Za-z_-]{22,8000})
-  filter_type: GeneralPattern
+  filter_type: TokenPattern
   required_substrings:
     - ya29.
   min_line_len: 27
@@ -395,7 +362,7 @@
   type: pattern
   values:
     - (?:^|[^0-9A-Za-z_+-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>1//0[0-9A-Za-z_-]{80,8000})
-  filter_type: GeneralPattern
+  filter_type: TokenPattern
   required_substrings:
     - 1//0
   min_line_len: 84
@@ -409,7 +376,7 @@
   type: pattern
   values:
     - (?P<value>HRKU-([0-9A-Za-z_-]{60}|[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}))
-  filter_type: GeneralPattern
+  filter_type: TokenPattern
   required_substrings:
     - HRKU-
   min_line_len: 41
@@ -423,7 +390,7 @@
   type: pattern
   values:
     - (?P<value>IGQVJ[=0-9A-Za-z_-]{100,8000})(?![=0-9A-Za-z_-])
-  filter_type: GeneralPattern
+  filter_type: TokenPattern
   required_substrings:
     - IGQVJ
   min_line_len: 105
@@ -480,7 +447,7 @@
     - (?P<variable>\b[dk])[^0-9A-Za-z_-]{1,8}(?P<value>[0-9A-Za-z_-]{22,8000})(?![=0-9A-Za-z_-])
   filter_type:
     - ValuePatternCheck
-    - ValueCoupleKeywordCheck(3)
+    - ValueMorphemesCheck
   required_substrings:
     - kty
   min_line_len: 8
@@ -494,7 +461,7 @@
   type: pattern
   values:
     - (?:^|[^0-9A-Za-z_+-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>[0-9A-Za-z_-]{32}-us[0-9]{1,2})(?![0-9A-Za-z_-])
-  filter_type: GeneralPattern
+  filter_type: TokenPattern
   required_substrings:
     - -us
   min_line_len: 35
@@ -507,10 +474,9 @@
   confidence: moderate
   type: pattern
   values:
-    - (?:^|[^0-9A-Za-z_+-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>key-[0-9A-Za-z_-]{32})(?![0-9A-Za-z_-])
-  filter_type: GeneralPattern
-  required_substrings:
-    - key-
+    - (?:^|[^0-9A-Za-z_+-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>key-[0-9a-f]{32}|[0-9a-f]{32}-[0-9a-f]{8}-[0-9a-f]{8})(?![0-9A-Za-z_-])
+  filter_type: TokenPattern
+  required_regex: "[0-9A-Za-z_/+-]{15}"
   min_line_len: 36
   target:
     - code
@@ -593,7 +559,7 @@
   type: pattern
   values:
     - (?:^|[^0-9A-Za-z_+-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>SG\.[0-9A-Za-z_-]{16,32}\.[0-9A-Za-z_-]{16,64})
-  filter_type: GeneralPattern
+  filter_type: TokenPattern
   required_substrings:
     - SG.
   min_line_len: 34
@@ -620,10 +586,11 @@
   confidence: strong
   type: pattern
   values:
-    - (?:^|[^0-9A-Za-z_+-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>xox[a-z]\-[0-9A-Za-z-]{10,250})(?![0-9A-Za-z_-])
-  filter_type: GeneralPattern
+    - (?P<value>(xapp|xox[a-z])\-[0-9A-Za-z-]{10,250})(?![0-9A-Za-z_-])
+  filter_type: TokenPattern
   required_substrings:
     - xox
+    - xapp
   min_line_len: 15
   target:
     - code
@@ -681,7 +648,7 @@
   type: pattern
   values:
     - (?:^|[^0-9A-Za-z_+-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>sq0[a-z]{3}-[0-9A-Za-z_-]{22}([0-9A-Za-z_-]{21})?)(?![0-9A-Za-z_-])
-  filter_type: GeneralPattern
+  filter_type: TokenPattern
   required_substrings:
     - sq0
   min_line_len: 29
@@ -727,83 +694,13 @@
     - code
     - doc
 
-- name: CMD ConvertTo-SecureString
-  severity: high
-  confidence: moderate
-  type: pattern
-  values:
-    - (?P<variable>ConvertTo-SecureString(\s\s*-(String|AsPlainText|Force))*)\s\s*(?P<value_leftquote>(\\?[\"']){1,3})?(?P<value>(?(value_leftquote)[^\"'\\]|[^\s\"'\\]){4,800})(?(value_leftquote)(?P<value_rightquote>(\\?[\"']){1,3}))
-  filter_type: GeneralKeyword
-  use_ml: true
-  required_substrings:
-    - convertto-securestring
-  min_line_len: 27
-  target:
-    - code
-
-- name: CMD Password
-  severity: high
-  confidence: moderate
-  type: pattern
-  values:
-    - (^|\W|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<variable>-[A-Za-z_-]*(?i:pass(in|out|word|phrase)))(\s|\\?[\"'],)\s*(?!-)(?P<value_leftquote>(\\?[\"']){1,3})?(pass:)?(?!file:|env:|fd:)(?P<value>(?(value_leftquote)[^\"'\\]|[^\s\"'\\]){4,80})(?(value_leftquote)(?P<value_rightquote>(\\?[\"']){1,3}))
-  filter_type: GeneralKeyword
-  use_ml: true
-  required_substrings:
-    - pass
-  min_line_len: 12
-  target:
-    - code
-
-- name: CMD Token
-  severity: high
-  confidence: moderate
-  type: pattern
-  values:
-    - (^|\W|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<variable>-[A-Za-z_-]*(?i:token))(\s|\\?[\"'],)\s*(?!-)(?P<value_leftquote>(\\?[\"']){1,3})?(?P<value>(?(value_leftquote)[^\"'\\]|[^\s\"'\\]){4,4000})(?(value_leftquote)(?P<value_rightquote>(\\?[\"']){1,3}))
-  filter_type: GeneralKeyword
-  use_ml: true
-  required_substrings:
-    - token
-  min_line_len: 12
-  target:
-    - code
-
-- name: CMD Secret
-  severity: high
-  confidence: moderate
-  type: pattern
-  values:
-    - (^|\W|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<variable>-[A-Za-z_-]*(?i:secret)[A-Za-z_-]*)(\s|\\?[\"'],)\s*(?!-)(?P<value_leftquote>(\\?[\"']){1,3})?(pass:)?(?!file:|env:|fd:)(?P<value>(?(value_leftquote)[^\"'\\]|[^\s\"'\\]){4,4000})(?(value_leftquote)(?P<value_rightquote>(\\?[\"']){1,3}))
-  filter_type: GeneralKeyword
-  use_ml: true
-  required_substrings:
-    - secret
-  min_line_len: 12
-  target:
-    - code
-
-- name: URL Credentials
-  severity: high
-  confidence: moderate
-  type: pattern
-  values:
-    - (?P<value_leftquote>[\"'])?(?P<variable>[+0-9A-Za-z-]{2,80}://)([^\s\'"<>\[\]^~`{|}:/]{0,80}:){1,3}(?P<value>[^\s\'"<>\[\]^~`{|}@:/]{3,80})@[^\s\'"<>\[\]^~`{|}@:/]{1,800}\\{0,8}(?P<value_rightquote>[\"'])?
-  filter_type: UrlCredentialsGroup
-  use_ml: true
-  required_substrings:
-    - ://
-  min_line_len: 10
-  target:
-    - code
-
 - name: Telegram Bot API Token
   severity: high
   confidence: moderate
   type: pattern
   values:
     - (?:^|[^0-9A-Za-z_+-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>[0-9]{8,10}:[0-9A-Za-z_-]{35})(?![0-9A-Za-z_-])
-  filter_type: GeneralPattern
+  filter_type: TokenPattern
   required_substrings:
     - :AA
   min_line_len: 45
@@ -817,7 +714,7 @@
   type: pattern
   values:
     - (?P<value>pypi-[0-9A-Za-z_-]{150,255})
-  filter_type: GeneralPattern
+  filter_type: TokenPattern
   required_substrings:
     - pypi-
   min_line_len: 155
@@ -825,6 +722,21 @@
     - code
     - doc
 
+- name: NPM Token
+  severity: high
+  confidence: strong
+  type: pattern
+  values:
+    - (?:^|[^0-9A-Za-z_+-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>npm_[0-9A-Za-z_-]{36,255})
+  filter_type:
+    - ValueGitHubCheck
+  required_substrings:
+    - npm_
+  min_line_len: 40
+  target:
+    - code
+    - doc
+
 - name: Github Classic Token
   severity: high
   confidence: strong
@@ -1071,12 +983,13 @@
   confidence: strong
   type: pattern
   values:
-    - (?P<value>do[op]_v1_[a-f0-9]{64})(?![0-9A-Za-z_-])
+    - (?P<value>do[opr]_v1_[a-f0-9]{64})(?![0-9A-Za-z_-])
   filter_type: TokenPattern
   min_line_len: 71
   required_substrings:
     - doo_v1_
     - dop_v1_
+    - dor_v1_
   target:
     - code
     - doc
@@ -1260,7 +1173,7 @@
     - (?P<value>[0-9A-Za-z_-]{14}\.atlasv1\.[0-9A-Za-z_-]{67})(?![0-9A-Za-z_-])
   filter_type:
     - ValuePatternCheck
-    - ValueCoupleKeywordCheck(3)
+    - ValueMorphemesCheck
   min_line_len: 90
   required_substrings:
     - .atlasv1.
@@ -1276,7 +1189,7 @@
     - (?:^|[^0-9A-Za-z_+-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>S[ACNOPUX][A-Z2-7]{40,200})(?![=0-9A-Za-z_+-])
   min_line_len: 42
   filter_type:
-    - ValueCoupleKeywordCheck
+    - ValueMorphemesCheck
     - ValuePatternCheck
     - ValueEntropyBase32Check
     - ValueBase32DataCheck
@@ -1301,7 +1214,7 @@
   values:
     - (?:^|[^0-9A-Za-z_+-]|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<value>([A-Z2-7]{16}){1,2})(?![=0-9A-Za-z_+-])
   filter_type:
-    - ValueCoupleKeywordCheck
+    - ValueMorphemesCheck
     - ValuePatternCheck
     - ValueEntropyBase32Check
     - ValueBase32DataCheck
@@ -1322,7 +1235,7 @@
   min_line_len: 51
   filter_type:
     - ValuePatternCheck
-    - ValueCoupleKeywordCheck
+    - ValueMorphemesCheck
   required_substrings:
     - T3BlbkFJ
     - 9wZW5BS
@@ -1340,7 +1253,7 @@
   min_line_len: 36
   filter_type:
     - ValuePatternCheck
-    - ValueCoupleKeywordCheck
+    - ValueMorphemesCheck
   required_substrings:
     - dckr_pat_
     - dckr_oat_
@@ -1357,7 +1270,7 @@
   min_line_len: 85
   filter_type:
     - ValuePatternCheck
-    - ValueCoupleKeywordCheck
+    - ValueMorphemesCheck
   required_substrings:
     - SWMTKN-1-
   target:
@@ -1373,7 +1286,7 @@
   min_line_len: 52
   filter_type:
     - ValuePatternCheck
-    - ValueCoupleKeywordCheck(3)
+    - ValueMorphemesCheck
   required_substrings:
     - SWMKEY-1-
   target:
@@ -1389,7 +1302,7 @@
   min_line_len: 56
   filter_type:
     - ValuePatternCheck
-    - ValueCoupleKeywordCheck
+    - ValueMorphemesCheck
   required_substrings:
     - WGdyb3FY
     - hncm9xW
@@ -1500,7 +1413,7 @@
   values:
     - (?P<variable>discord(?:app)?\.com/api/webhooks)(?P<value>/[0-9]{16,22}/[0-9A-Za-z_-]{40,100})
   filter_type:
-    - ValueCoupleKeywordCheck(3)
+    - ValueMorphemesCheck
   required_substrings:
     - discordapp.com/api/webhooks
     - discord.com/api/webhooks
@@ -1541,6 +1454,22 @@
     - code
     - doc
 
+- name: Postman Credentials
+  severity: medium
+  confidence: moderate
+  type: pattern
+  values:
+    - (?P<value>(PMAK-[0-9a-f]{24}-[0-9a-f]{34}|PMAT-[0-9A-Z]{26}))
+  min_line_len: 29
+  filter_type:
+    - ValuePatternCheck
+  required_substrings:
+    - PMAK-
+    - PMAT-
+  target:
+    - code
+    - doc
+
 - name: Basic Authorization
   severity: medium
   confidence: strong
@@ -1571,6 +1500,109 @@
     - code
     - doc
 
+- name: SQL Password
+  severity: medium
+  confidence: weak
+  type: pattern
+  values:
+    - (\\[nrt]|\b)(?i:(?P<variable>(CREATE|ALTER|SET\s{1,8}PASSWORD|INSERT(\s{1,8}IGNORE)?|UPDATE\s{1,8}[^\s;]{1,80})\s{1,8}(LOGIN|USER|ROLE|FOR|INTO|SET)\s{1,8}([^\s;]{1,80}\s{1,8}|VALUES\s*\(){1,8}(IDENTIFIED((\s{1,8}WITH\s{1,8}\S{1,80})?\s{1,8}(BY|AS))|(=|WITH)?\s*PASSWORD\b(\s*=)?)))\s*(?P<wrap>[(]\s*)?(?P<value_leftquote>((?P<esq>\\{1,8})?([\"'`]|&(quot|apos|#3[49]);)){1,4})?(?P<value>(?(value_leftquote)((?!(?P=value_leftquote))(?(esq)((?!(?P=esq)([\"'`]|&(quot|apos|#3[49]);)).)|((?!(?P=value_leftquote)).)))|(?!&(quot|apos|#3[49]);)(\\+([ tnr]|[^\s\"'`])|[^\s\"'`,;\\])){3,80})(?(value_leftquote)(?P<value_rightquote>(?<!\\)(?P=value_leftquote))|(?(wrap)[)]|[\s\"'`,;]))
+  filter_type:
+    - ValueAllowlistCheck
+    - ValuePatternCheck
+  use_ml: true
+  min_line_len: 8
+  required_substrings:
+    - password
+    - identified
+  target:
+    - doc
+    - code
+
+- name: CURL User Password
+  severity: high
+  confidence: moderate
+  type: pattern
+  values:
+    - (?P<variable>curl)\s.*(-[uU]|--(proxy-)?user)\s\s*(?P<value_leftquote>(\\*[\"']){1,3})?(?(value_leftquote)[^\"'\\:]|[^\s\"'\\:]){0,64}:(?P<value>(?(value_leftquote)[^\"'\\]|[^\s\"'\\]){4,64})(?(value_leftquote)(?P<value_rightquote>(\\?[\"']){1,3}))
+  filter_type: GeneralKeyword
+  use_ml: true
+  required_substrings:
+    - curl
+  min_line_len: 16
+  target:
+    - code
+
+- name: CMD ConvertTo-SecureString
+  severity: high
+  confidence: moderate
+  type: pattern
+  values:
+    - (?P<variable>ConvertTo-SecureString(\s\s*-(String|AsPlainText|Force))*)\s\s*(?P<value_leftquote>(\\?[\"']){1,3})?(?P<value>(?(value_leftquote)[^\"'\\]|[^\s\"'\\]){4,800})(?(value_leftquote)(?P<value_rightquote>(\\?[\"']){1,3}))
+  filter_type: GeneralKeyword
+  use_ml: true
+  required_substrings:
+    - convertto-securestring
+  min_line_len: 27
+  target:
+    - code
+
+- name: CMD Password
+  severity: high
+  confidence: moderate
+  type: pattern
+  values:
+    - (^|\W|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<variable>-[A-Za-z_-]*(?i:pass(in|out|word|phrase)))(\s|\\?[\"'],)\s*(?!-)(?P<value_leftquote>(\\?[\"']){1,3})?(pass:)?(?!file:|env:|fd:)(?P<value>(?(value_leftquote)[^\"'\\]|[^\s\"'\\]){4,80})(?(value_leftquote)(?P<value_rightquote>(\\?[\"']){1,3}))
+  filter_type: GeneralKeyword
+  use_ml: true
+  required_substrings:
+    - pass
+  min_line_len: 12
+  target:
+    - code
+
+- name: CMD Token
+  severity: high
+  confidence: moderate
+  type: pattern
+  values:
+    - (^|\W|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<variable>-[A-Za-z_-]*(?i:token|oauth2-bearer))(\s|\\?[\"'],)\s*(?!-)(?P<value_leftquote>(\\?[\"']){1,3})?(?P<value>(?(value_leftquote)[^\"'\\]|[^\s\"'\\]){4,4000})(?(value_leftquote)(?P<value_rightquote>(\\?[\"']){1,3}))
+  filter_type: GeneralKeyword
+  use_ml: true
+  required_substrings:
+    - token
+    - oauth2-bearer
+  min_line_len: 12
+  target:
+    - code
+
+- name: CMD Secret
+  severity: high
+  confidence: moderate
+  type: pattern
+  values:
+    - (^|\W|\\[0abfnrtv]|(?:%|\\x)[0-9A-Fa-f]{2}|\\[0-7]{3}|\\[Uu][0-9A-Fa-f]{4}|\x1B\[[0-9;]{0,80}m)(?P<variable>-[A-Za-z_-]*(?i:secret)[A-Za-z_-]*)(\s|\\?[\"'],)\s*(?!-)(?P<value_leftquote>(\\?[\"']){1,3})?(pass:)?(?!file:|env:|fd:)(?P<value>(?(value_leftquote)[^\"'\\]|[^\s\"'\\]){4,4000})(?(value_leftquote)(?P<value_rightquote>(\\?[\"']){1,3}))
+  filter_type: GeneralKeyword
+  use_ml: true
+  required_substrings:
+    - secret
+  min_line_len: 12
+  target:
+    - code
+
+- name: URL Credentials
+  severity: high
+  confidence: moderate
+  type: pattern
+  values:
+    - (?P<value_leftquote>[\"'])?(?P<variable>[+0-9A-Za-z-]{2,80}://)([^\s\'"<>\[\]^~`{|}:/]{0,80}:){1,3}(?P<value>[^\s\'"<>\[\]^~`{|}@:/]{3,80})@[^\s\'"<>\[\]^~`{|}@:/]{1,800}\\{0,8}(?P<value_rightquote>[\"'])?
+  filter_type: UrlCredentialsGroup
+  use_ml: true
+  required_substrings:
+    - ://
+  min_line_len: 10
+  target:
+    - code
+
 - name: API
   severity: low
   confidence: moderate
@@ -1646,7 +1678,7 @@
   confidence: moderate
   type: keyword
   values:
-    - (?<!by)pass(?!ed|ing|ion|es|age|\s+[a-z]{3,80})|pw(d|\b)
+    - (?<!by)pass(?!e[dns]|ing|ion|age|\s+[a-z]{3,80})|pw(d|\b)
   filter_type: PasswordKeyword
   use_ml: true
   min_line_len: 10

credsweeper/scanner/scanner.py

@@ -19,6 +19,8 @@ from credsweeper.utils.util import Util
 
 logger = logging.getLogger(__name__)
 
+RULES_PATH = APP_PATH / "rules" / "config.yaml"
+
 
 class Scanner:
     """Advanced Credential Scanner base class.
@@ -66,11 +68,11 @@ class Scanner:
                 return True
         return False
 
-    def _set_rules_scanners(self, rule_path: Union[None, str, Path]) -> None:
+    def _set_rules_scanners(self, rules_path: Union[None, str, Path]) -> None:
         """Auxiliary method to fill rules, determine min_pattern_len and set scanners"""
-        if rule_path is None:
-            rule_path = APP_PATH / "rules" / "config.yaml"
-        rule_templates = Util.yaml_load(rule_path)
+        if rules_path is None:
+            rules_path = RULES_PATH
+        rule_templates = Util.yaml_load(rules_path)
         if rule_templates and isinstance(rule_templates, list):
             rule_names = set()
             for rule_template in rule_templates:
@@ -98,7 +100,7 @@ class Scanner:
                         logger.warning(f"Unknown rule type:{rule.rule_type}")
                 self.rules_scanners.append((rule, self.get_scanner(rule)))
         else:
-            raise RuntimeError(f"Wrong rules '{rule_templates}' were read from '{rule_path}'")
+            raise RuntimeError(f"Wrong rules '{rule_templates}' were read from '{rules_path}'")
 
     def _is_available(self, rule: Rule) -> bool:
         """separate the method to reduce complexity"""
@@ -153,8 +155,11 @@ class Scanner:
                 target_line_stripped_len >= self.min_keyword_len and (  #
                         '=' in target_line_stripped
                         or ':' in target_line_stripped
-                        or "#define" in target_line_stripped
-                        or "%define" in target_line_stripped
+                        or ("define" in target_line_stripped
+                            and ('(' in target_line_stripped and ',' in target_line_stripped
+                                 or "#define" in target_line_stripped
+                                 or "%define" in target_line_stripped)
+                            )
                         or "%global" in target_line_stripped
                         or "set" in target_line_stripped_lower
                         or "%3d" in target_line_stripped_lower