raxe 0.4.6__py3-none-any.whl

raxe/packs/core/v1.0.0/rules/pii/pii-3040@1.0.0.yaml

@@ -0,0 +1,41 @@
+version: 1.0.0
+rule_id: pii-3040
+family: PII
+sub_family: network
+name: IPv4 Address in Sensitive Context Detection
+description: Detects IPv4 addresses mentioned in security-sensitive contexts (internal, private, server)
+severity: medium
+confidence: 0.85
+patterns:
+- pattern: (?i)(?:server|host|internal|private|vpn).{0,20}(?:IP|address).{0,10}\b((?:10|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\.[0-9]{1,3}\.[0-9]{1,3})\b
+  flags:
+  - IGNORECASE
+  timeout: 5.0
+- pattern: (?i)(?:database|admin|management).{0,20}(?:IP|address).{0,10}\b([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\b
+  flags:
+  - IGNORECASE
+  timeout: 5.0
+examples:
+  should_match:
+  - "Internal server IP: 10.0.1.50"
+  - "Database host address: 172.16.254.1"
+  - "Admin panel at 192.168.1.100"
+  should_not_match:
+  - "What is an IP address?"
+  - "Example: 192.168.1.1"
+metrics:
+  precision: null
+  recall: null
+  f1_score: null
+  last_evaluated: null
+mitre_attack:
+- T1590.005
+metadata:
+  created: '2025-11-16'
+  updated: '2025-11-16'
+  author: raxe-ce
+  category: network_info
+rule_hash: null
+risk_explanation: Network information exposure (IP addresses, MAC addresses, SSH keys) can enable reconnaissance, targeted attacks, or lateral movement within networks. This information helps attackers map infrastructure and identify potential entry points.
+remediation_advice: Implement network segmentation and access controls. Use private IP addressing and NAT where appropriate. Monitor for network information leakage. Apply principles of least privilege for network access.
+docs_url: https://github.com/raxe-ai/raxe-ce/wiki/PII-3040-Ipv4-Address-In-Sensitive

raxe/packs/core/v1.0.0/rules/pii/pii-3041@1.0.0.yaml

@@ -0,0 +1,39 @@
+version: 1.0.0
+rule_id: pii-3041
+family: PII
+sub_family: network
+name: MAC Address Detection
+description: Detects MAC (Media Access Control) addresses in various formats
+severity: low
+confidence: 0.89
+patterns:
+- pattern: \b([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b
+  flags: []
+  timeout: 5.0
+- pattern: \b([0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}\b
+  flags: []
+  timeout: 5.0
+examples:
+  should_match:
+  - "Device MAC: 00:1A:2B:3C:4D:5E"
+  - "MAC address: 00-1A-2B-3C-4D-5E"
+  - "Network adapter: 001a.2b3c.4d5e"
+  should_not_match:
+  - "What is a MAC address?"
+  - "MAC address format examples"
+metrics:
+  precision: null
+  recall: null
+  f1_score: null
+  last_evaluated: null
+mitre_attack:
+- T1590.005
+metadata:
+  created: '2025-11-16'
+  updated: '2025-11-16'
+  author: raxe-ce
+  category: network_info
+rule_hash: null
+risk_explanation: Network information exposure (IP addresses, MAC addresses, SSH keys) can enable reconnaissance, targeted attacks, or lateral movement within networks. This information helps attackers map infrastructure and identify potential entry points.
+remediation_advice: Implement network segmentation and access controls. Use private IP addressing and NAT where appropriate. Monitor for network information leakage. Apply principles of least privilege for network access.
+docs_url: https://github.com/raxe-ai/raxe-ce/wiki/PII-3041-Mac-Address-Detection

raxe/packs/core/v1.0.0/rules/pii/pii-3042@1.0.0.yaml

@@ -0,0 +1,36 @@
+version: 1.0.0
+rule_id: pii-3042
+family: PII
+sub_family: api_keys
+name: Docker Hub Access Token Detection
+description: Detects Docker Hub personal access tokens
+severity: high
+confidence: 0.94
+patterns:
+- pattern: (?i)docker.{0,20}(?:token|password|pat).{0,10}['\"]([a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})['\"]
+  flags:
+  - IGNORECASE
+  timeout: 5.0
+examples:
+  should_match:
+  - "DOCKER_TOKEN='12345678-1234-1234-1234-123456789abc'"
+  - "docker_password: 'abcdef12-3456-7890-abcd-ef1234567890'"
+  should_not_match:
+  - "How to create Docker Hub token?"
+  - "Docker authentication guide"
+metrics:
+  precision: null
+  recall: null
+  f1_score: null
+  last_evaluated: null
+mitre_attack:
+- T1552.001
+metadata:
+  created: '2025-11-16'
+  updated: '2025-11-16'
+  author: raxe-ce
+  category: container_credentials
+rule_hash: null
+risk_explanation: API key exposure in prompts, responses, or training data creates critical security vulnerabilities. Leaked API keys grant attackers access to cloud services, third-party platforms, and internal systems, potentially leading to data breaches, resource abuse, or financial fraud.
+remediation_advice: Scan all data sources for API keys before AI processing. Implement automated key rotation and revocation. Use secret detection tools in development and production pipelines. Never log or persist API keys. Apply access controls to prevent AI systems from accessing key stores.
+docs_url: https://github.com/raxe-ai/raxe-ce/wiki/PII-3042-Docker-Hub-Access-Token

raxe/packs/core/v1.0.0/rules/pii/pii-3043@1.0.0.yaml

@@ -0,0 +1,35 @@
+version: 1.0.0
+rule_id: pii-3043
+family: PII
+sub_family: api_keys
+name: npm Access Token Detection
+description: Detects npm (Node Package Manager) access tokens
+severity: high
+confidence: 0.96
+patterns:
+- pattern: \b(npm_[A-Za-z0-9]{36})\b
+  flags: []
+  timeout: 5.0
+examples:
+  should_match:
+  - "NPM_TOKEN=npm_1234567890abcdefghijklmnopqrstuvwx"
+  - "token: npm_ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890"
+  should_not_match:
+  - "npm tokens start with npm_"
+  - "How to create npm token?"
+metrics:
+  precision: null
+  recall: null
+  f1_score: null
+  last_evaluated: null
+mitre_attack:
+- T1552.001
+metadata:
+  created: '2025-11-16'
+  updated: '2025-11-16'
+  author: raxe-ce
+  category: package_manager_credentials
+rule_hash: null
+risk_explanation: API key exposure in prompts, responses, or training data creates critical security vulnerabilities. Leaked API keys grant attackers access to cloud services, third-party platforms, and internal systems, potentially leading to data breaches, resource abuse, or financial fraud.
+remediation_advice: Scan all data sources for API keys before AI processing. Implement automated key rotation and revocation. Use secret detection tools in development and production pipelines. Never log or persist API keys. Apply access controls to prevent AI systems from accessing key stores.
+docs_url: https://github.com/raxe-ai/raxe-ce/wiki/PII-3043-Npm-Access-Token-Detection

raxe/packs/core/v1.0.0/rules/pii/pii-3044@1.0.0.yaml

@@ -0,0 +1,43 @@
+version: 1.0.0
+rule_id: pii-3044
+family: PII
+sub_family: api_keys
+name: PyPI API Token Detection
+description: Detects PyPI (Python Package Index) API tokens
+severity: high
+confidence: 0.97
+patterns:
+- pattern: \b(pypi-AgEIcHlwaS5vcmc[A-Za-z0-9\-_]{70,})\b
+  flags: []
+  timeout: 5.0
+examples:
+  should_match:
+  - Here is PII type 3044 information
+  - Accessing sensitive data 3044
+  - Personal information 3044 exposure
+  should_not_match:
+  - What is personally identifiable information?
+  - How do I protect my privacy?
+  - Explain data protection regulations
+metrics:
+  precision: null
+  recall: null
+  f1_score: null
+  last_evaluated: null
+mitre_attack:
+- T1552.001
+metadata:
+  created: '2025-11-16'
+  updated: '2025-11-16'
+  author: raxe-ce
+  category: package_manager_credentials
+rule_hash: null
+risk_explanation: API key exposure in prompts, responses, or training data creates
+  critical security vulnerabilities. Leaked API keys grant attackers access to cloud
+  services, third-party platforms, and internal systems, potentially leading to data
+  breaches, resource abuse, or financial fraud.
+remediation_advice: Scan all data sources for API keys before AI processing. Implement
+  automated key rotation and revocation. Use secret detection tools in development
+  and production pipelines. Never log or persist API keys. Apply access controls to
+  prevent AI systems from accessing key stores.
+docs_url: https://github.com/raxe-ai/raxe-ce/wiki/PII-3044-Pypi-Api-Token-Detection

raxe/packs/core/v1.0.0/rules/pii/pii-3045@1.0.0.yaml

@@ -0,0 +1,36 @@
+version: 1.0.0
+rule_id: pii-3045
+family: PII
+sub_family: api_keys
+name: GitLab Personal Access Token Detection
+description: Detects GitLab personal access tokens (glpat- pattern)
+severity: high
+confidence: 0.98
+patterns:
+- pattern: \b(glpat-[A-Za-z0-9\-_]{20,})\b
+  flags: []
+  timeout: 5.0
+examples:
+  should_match:
+  - "GITLAB_TOKEN=glpat-1234567890abcdefghij"
+  - "token: glpat-ABCDEFGHIJKLMNOPQRST"
+  should_not_match:
+  - "GitLab tokens start with glpat-"
+  - "How to create GitLab PAT?"
+metrics:
+  precision: null
+  recall: null
+  f1_score: null
+  last_evaluated: null
+mitre_attack:
+- T1552.001
+- T1528
+metadata:
+  created: '2025-11-16'
+  updated: '2025-11-16'
+  author: raxe-ce
+  category: vcs_credentials
+rule_hash: null
+risk_explanation: API key exposure in prompts, responses, or training data creates critical security vulnerabilities. Leaked API keys grant attackers access to cloud services, third-party platforms, and internal systems, potentially leading to data breaches, resource abuse, or financial fraud.
+remediation_advice: Scan all data sources for API keys before AI processing. Implement automated key rotation and revocation. Use secret detection tools in development and production pipelines. Never log or persist API keys. Apply access controls to prevent AI systems from accessing key stores.
+docs_url: https://github.com/raxe-ai/raxe-ce/wiki/PII-3045-Gitlab-Personal-Access-Token

raxe/packs/core/v1.0.0/rules/pii/pii-3046@1.0.0.yaml

@@ -0,0 +1,37 @@
+version: 1.0.0
+rule_id: pii-3046
+family: PII
+sub_family: api_keys
+name: Bitbucket App Password Detection
+description: Detects Bitbucket app passwords and access tokens
+severity: high
+confidence: 0.92
+patterns:
+- pattern: (?i)bitbucket.{0,20}(?:password|token|app).{0,10}['\"]([A-Za-z0-9]{16,})['\"]
+  flags:
+  - IGNORECASE
+  timeout: 5.0
+examples:
+  should_match:
+  - "BITBUCKET_APP_PASSWORD='ABCDEFGHIJKLMNOP'"
+  - "bitbucket_token: '1234567890ABCDEFGHIJ'"
+  should_not_match:
+  - "How to create Bitbucket app password?"
+  - "Bitbucket authentication guide"
+metrics:
+  precision: null
+  recall: null
+  f1_score: null
+  last_evaluated: null
+mitre_attack:
+- T1552.001
+- T1528
+metadata:
+  created: '2025-11-16'
+  updated: '2025-11-16'
+  author: raxe-ce
+  category: vcs_credentials
+rule_hash: null
+risk_explanation: API key exposure in prompts, responses, or training data creates critical security vulnerabilities. Leaked API keys grant attackers access to cloud services, third-party platforms, and internal systems, potentially leading to data breaches, resource abuse, or financial fraud.
+remediation_advice: Scan all data sources for API keys before AI processing. Implement automated key rotation and revocation. Use secret detection tools in development and production pipelines. Never log or persist API keys. Apply access controls to prevent AI systems from accessing key stores.
+docs_url: https://github.com/raxe-ai/raxe-ce/wiki/PII-3046-Bitbucket-App-Password-Detection

raxe/packs/core/v1.0.0/rules/pii/pii-3047@1.0.0.yaml

@@ -0,0 +1,36 @@
+version: 1.0.0
+rule_id: pii-3047
+family: PII
+sub_family: api_keys
+name: Cloudflare API Token Detection
+description: Detects Cloudflare API tokens and keys
+severity: high
+confidence: 0.94
+patterns:
+- pattern: (?i)cloudflare.{0,20}(?:api|token|key).{0,10}['\"]([A-Za-z0-9_-]{40,})['\"]
+  flags:
+  - IGNORECASE
+  timeout: 5.0
+examples:
+  should_match:
+  - "CLOUDFLARE_API_KEY='1234567890abcdefghijklmnopqrstuvwxyz1234'"
+  - "cf_token: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcd'"
+  should_not_match:
+  - "How to get Cloudflare API key?"
+  - "Cloudflare token format"
+metrics:
+  precision: null
+  recall: null
+  f1_score: null
+  last_evaluated: null
+mitre_attack:
+- T1552.001
+metadata:
+  created: '2025-11-16'
+  updated: '2025-11-16'
+  author: raxe-ce
+  category: cdn_credentials
+rule_hash: null
+risk_explanation: API key exposure in prompts, responses, or training data creates critical security vulnerabilities. Leaked API keys grant attackers access to cloud services, third-party platforms, and internal systems, potentially leading to data breaches, resource abuse, or financial fraud.
+remediation_advice: Scan all data sources for API keys before AI processing. Implement automated key rotation and revocation. Use secret detection tools in development and production pipelines. Never log or persist API keys. Apply access controls to prevent AI systems from accessing key stores.
+docs_url: https://github.com/raxe-ai/raxe-ce/wiki/PII-3047-Cloudflare-Api-Token-Detection

raxe/packs/core/v1.0.0/rules/pii/pii-3048@1.0.0.yaml

@@ -0,0 +1,36 @@
+version: 1.0.0
+rule_id: pii-3048
+family: PII
+sub_family: api_keys
+name: DigitalOcean API Token Detection
+description: Detects DigitalOcean personal access tokens
+severity: high
+confidence: 0.93
+patterns:
+- pattern: (?i)digitalocean.{0,20}(?:token|key|pat).{0,10}['\"]([a-f0-9]{64})['\"]
+  flags:
+  - IGNORECASE
+  timeout: 5.0
+examples:
+  should_match:
+  - "DO_TOKEN='1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef'"
+  - "digitalocean_key: 'abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890'"
+  should_not_match:
+  - "How to create DigitalOcean token?"
+  - "DigitalOcean API guide"
+metrics:
+  precision: null
+  recall: null
+  f1_score: null
+  last_evaluated: null
+mitre_attack:
+- T1552.001
+metadata:
+  created: '2025-11-16'
+  updated: '2025-11-16'
+  author: raxe-ce
+  category: cloud_credentials
+rule_hash: null
+risk_explanation: API key exposure in prompts, responses, or training data creates critical security vulnerabilities. Leaked API keys grant attackers access to cloud services, third-party platforms, and internal systems, potentially leading to data breaches, resource abuse, or financial fraud.
+remediation_advice: Scan all data sources for API keys before AI processing. Implement automated key rotation and revocation. Use secret detection tools in development and production pipelines. Never log or persist API keys. Apply access controls to prevent AI systems from accessing key stores.
+docs_url: https://github.com/raxe-ai/raxe-ce/wiki/PII-3048-Digitalocean-Api-Token-Detection

raxe/packs/core/v1.0.0/rules/pii/pii-3049@1.0.0.yaml

@@ -0,0 +1,38 @@
+version: 1.0.0
+rule_id: pii-3049
+family: PII
+sub_family: api_keys
+name: Square Access Token Detection
+description: Detects Square payment API access tokens
+severity: critical
+confidence: 0.97
+patterns:
+- pattern: \bsq0atp-[0-9A-Za-z\-_]{22,}
+  flags: []
+  timeout: 5.0
+- pattern: \bsq0csp-[0-9A-Za-z\-_]{43,}
+  flags: []
+  timeout: 5.0
+examples:
+  should_match:
+  - "SQUARE_ACCESS_TOKEN=sq0atp-1234567890abcdefghijklmnop"
+  - "square_token: sq0csp-ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefg"
+  should_not_match:
+  - "Square tokens start with sq0"
+  - "How to get Square API key?"
+metrics:
+  precision: null
+  recall: null
+  f1_score: null
+  last_evaluated: null
+mitre_attack:
+- T1552.001
+metadata:
+  created: '2025-11-16'
+  updated: '2025-11-16'
+  author: raxe-ce
+  category: payment_credentials
+rule_hash: null
+risk_explanation: API key exposure in prompts, responses, or training data creates critical security vulnerabilities. Leaked API keys grant attackers access to cloud services, third-party platforms, and internal systems, potentially leading to data breaches, resource abuse, or financial fraud.
+remediation_advice: Scan all data sources for API keys before AI processing. Implement automated key rotation and revocation. Use secret detection tools in development and production pipelines. Never log or persist API keys. Apply access controls to prevent AI systems from accessing key stores.
+docs_url: https://github.com/raxe-ai/raxe-ce/wiki/PII-3049-Square-Access-Token-Detection

raxe/packs/core/v1.0.0/rules/pii/pii-3050@1.0.0.yaml

@@ -0,0 +1,44 @@
+version: 1.0.0
+rule_id: pii-3050
+family: PII
+sub_family: api_keys
+name: PayPal Client Secret Detection
+description: Detects PayPal API client secrets and access tokens
+severity: critical
+confidence: 0.95
+patterns:
+- pattern: (?i)paypal.{0,20}(?:secret|client).{0,10}['\"]([A-Za-z0-9\-_]{80,})['\"]
+  flags:
+  - IGNORECASE
+  timeout: 5.0
+examples:
+  should_match:
+  - Here is PII type 3050 information
+  - Accessing sensitive data 3050
+  - Personal information 3050 exposure
+  should_not_match:
+  - What is personally identifiable information?
+  - How do I protect my privacy?
+  - Explain data protection regulations
+metrics:
+  precision: null
+  recall: null
+  f1_score: null
+  last_evaluated: null
+mitre_attack:
+- T1552.001
+metadata:
+  created: '2025-11-16'
+  updated: '2025-11-16'
+  author: raxe-ce
+  category: payment_credentials
+rule_hash: null
+risk_explanation: API key exposure in prompts, responses, or training data creates
+  critical security vulnerabilities. Leaked API keys grant attackers access to cloud
+  services, third-party platforms, and internal systems, potentially leading to data
+  breaches, resource abuse, or financial fraud.
+remediation_advice: Scan all data sources for API keys before AI processing. Implement
+  automated key rotation and revocation. Use secret detection tools in development
+  and production pipelines. Never log or persist API keys. Apply access controls to
+  prevent AI systems from accessing key stores.
+docs_url: https://github.com/raxe-ai/raxe-ce/wiki/PII-3050-Paypal-Client-Secret-Detection

raxe/packs/core/v1.0.0/rules/pii/pii-3051@1.0.0.yaml

@@ -0,0 +1,35 @@
+version: 1.0.0
+rule_id: pii-3051
+family: PII
+sub_family: api_keys
+name: Hugging Face API Token Detection
+description: Detects Hugging Face API tokens (hf_ pattern)
+severity: high
+confidence: 0.97
+patterns:
+- pattern: \b(hf_[A-Za-z0-9]{32,})\b
+  flags: []
+  timeout: 5.0
+examples:
+  should_match:
+  - "HF_TOKEN=hf_abcdefghijklmnopqrstuvwxyz1234567890"
+  - "token: hf_ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890ABCDEF"
+  should_not_match:
+  - "Hugging Face tokens start with hf_"
+  - "How to get HF API token?"
+metrics:
+  precision: null
+  recall: null
+  f1_score: null
+  last_evaluated: null
+mitre_attack:
+- T1552.001
+metadata:
+  created: '2025-11-16'
+  updated: '2025-11-16'
+  author: raxe-ce
+  category: ai_credentials
+rule_hash: null
+risk_explanation: API key exposure in prompts, responses, or training data creates critical security vulnerabilities. Leaked API keys grant attackers access to cloud services, third-party platforms, and internal systems, potentially leading to data breaches, resource abuse, or financial fraud.
+remediation_advice: Scan all data sources for API keys before AI processing. Implement automated key rotation and revocation. Use secret detection tools in development and production pipelines. Never log or persist API keys. Apply access controls to prevent AI systems from accessing key stores.
+docs_url: https://github.com/raxe-ai/raxe-ce/wiki/PII-3051-Hugging-Face-Api-Token

raxe/packs/core/v1.0.0/rules/pii/pii-3052@1.0.0.yaml

@@ -0,0 +1,36 @@
+version: 1.0.0
+rule_id: pii-3052
+family: PII
+sub_family: api_keys
+name: Cohere API Key Detection
+description: Detects Cohere AI API keys
+severity: high
+confidence: 0.96
+patterns:
+- pattern: (?i)cohere.{0,20}(?:api|key|token).{0,10}['\"]([A-Za-z0-9]{40,})['\"]
+  flags:
+  - IGNORECASE
+  timeout: 5.0
+examples:
+  should_match:
+  - "COHERE_API_KEY='1234567890abcdefghijklmnopqrstuvwxyzABCD'"
+  - "cohere_key: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefgh'"
+  should_not_match:
+  - "How to get Cohere API key?"
+  - "Cohere API documentation"
+metrics:
+  precision: null
+  recall: null
+  f1_score: null
+  last_evaluated: null
+mitre_attack:
+- T1552.001
+metadata:
+  created: '2025-11-16'
+  updated: '2025-11-16'
+  author: raxe-ce
+  category: ai_credentials
+rule_hash: null
+risk_explanation: API key exposure in prompts, responses, or training data creates critical security vulnerabilities. Leaked API keys grant attackers access to cloud services, third-party platforms, and internal systems, potentially leading to data breaches, resource abuse, or financial fraud.
+remediation_advice: Scan all data sources for API keys before AI processing. Implement automated key rotation and revocation. Use secret detection tools in development and production pipelines. Never log or persist API keys. Apply access controls to prevent AI systems from accessing key stores.
+docs_url: https://github.com/raxe-ai/raxe-ce/wiki/PII-3052-Cohere-Api-Key-Detection

raxe/packs/core/v1.0.0/rules/pii/pii-3053@1.0.0.yaml

@@ -0,0 +1,35 @@
+version: 1.0.0
+rule_id: pii-3053
+family: PII
+sub_family: api_keys
+name: Replicate API Token Detection
+description: Detects Replicate AI platform API tokens
+severity: high
+confidence: 0.95
+patterns:
+- pattern: \b(r8_[A-Za-z0-9]{40,})\b
+  flags: []
+  timeout: 5.0
+examples:
+  should_match:
+  - "REPLICATE_API_TOKEN=r8_1234567890abcdefghijklmnopqrstuvwxyzABCDEF"
+  - "token: r8_ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefgh"
+  should_not_match:
+  - "Replicate tokens start with r8_"
+  - "How to use Replicate API?"
+metrics:
+  precision: null
+  recall: null
+  f1_score: null
+  last_evaluated: null
+mitre_attack:
+- T1552.001
+metadata:
+  created: '2025-11-16'
+  updated: '2025-11-16'
+  author: raxe-ce
+  category: ai_credentials
+rule_hash: null
+risk_explanation: API key exposure in prompts, responses, or training data creates critical security vulnerabilities. Leaked API keys grant attackers access to cloud services, third-party platforms, and internal systems, potentially leading to data breaches, resource abuse, or financial fraud.
+remediation_advice: Scan all data sources for API keys before AI processing. Implement automated key rotation and revocation. Use secret detection tools in development and production pipelines. Never log or persist API keys. Apply access controls to prevent AI systems from accessing key stores.
+docs_url: https://github.com/raxe-ai/raxe-ce/wiki/PII-3053-Replicate-Api-Token-Detection

raxe/packs/core/v1.0.0/rules/pii/pii-3054@1.0.0.yaml

@@ -0,0 +1,35 @@
+version: 1.0.0
+rule_id: pii-3054
+family: PII
+sub_family: network
+name: SSH Authorized Keys Detection
+description: Detects SSH public keys being extracted or leaked
+severity: medium
+confidence: 0.89
+patterns:
+- pattern: \b(ssh-(?:rsa|dss|ed25519|ecdsa)\s+[A-Za-z0-9+/]{50,}[=]{0,2})
+  flags: []
+  timeout: 5.0
+examples:
+  should_match:
+  - "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAklOUpkDHrfHY17SbrmTIpNLTGK9Tjom/BWDSU user@host"
+  - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl"
+  should_not_match:
+  - "How to generate SSH keys?"
+  - "SSH key format examples"
+metrics:
+  precision: null
+  recall: null
+  f1_score: null
+  last_evaluated: null
+mitre_attack:
+- T1552.004
+metadata:
+  created: '2025-11-16'
+  updated: '2025-11-16'
+  author: raxe-ce
+  category: cryptographic_keys
+rule_hash: null
+risk_explanation: Network information exposure (IP addresses, MAC addresses, SSH keys) can enable reconnaissance, targeted attacks, or lateral movement within networks. This information helps attackers map infrastructure and identify potential entry points.
+remediation_advice: Implement network segmentation and access controls. Use private IP addressing and NAT where appropriate. Monitor for network information leakage. Apply principles of least privilege for network access.
+docs_url: https://github.com/raxe-ai/raxe-ce/wiki/PII-3054-Ssh-Authorized-Keys-Detection

raxe/packs/core/v1.0.0/rules/pii/pii-3055@1.0.0.yaml

@@ -0,0 +1,40 @@
+version: 1.0.0
+rule_id: pii-3055
+family: PII
+sub_family: identity_documents
+name: Australian Tax File Number (TFN) Detection
+description: Detects Australian Tax File Numbers
+severity: high
+confidence: 0.90
+patterns:
+- pattern: (?i)(?:TFN|tax\s*file).{0,20}(?:no|number|num).{0,10}\b([0-9]{3}\s*[0-9]{3}\s*[0-9]{3})\b
+  flags:
+  - IGNORECASE
+  timeout: 5.0
+- pattern: (?i)(?:TFN|tax\s*file).{0,20}(?:no|number|num).{0,10}\b([0-9]{9})\b
+  flags:
+  - IGNORECASE
+  timeout: 5.0
+examples:
+  should_match:
+  - "TFN: 123 456 789"
+  - "Tax File Number: 987654321"
+  should_not_match:
+  - "What is a TFN?"
+  - "How to apply for Tax File Number?"
+metrics:
+  precision: null
+  recall: null
+  f1_score: null
+  last_evaluated: null
+mitre_attack:
+- T1552.004
+metadata:
+  created: '2025-11-16'
+  updated: '2025-11-16'
+  author: raxe-ce
+  category: identity_documents
+rule_hash: null
+risk_explanation: Identity document numbers (passports, driver licenses, national ID numbers) enable identity theft and fraud when exposed. Attackers can use these credentials to impersonate victims, open fraudulent accounts, or bypass authentication systems.
+remediation_advice: Implement strict access controls for identity document data. Use tokenization or anonymization when processing identity information. Deploy DLP controls that detect and block identity document leakage. Maintain audit logs of all access to identity data.
+docs_url: https://github.com/raxe-ai/raxe-ce/wiki/PII-3055-Australian-Tax-File-Number

raxe/packs/core/v1.0.0/rules/pii/pii-3056@1.0.0.yaml

@@ -0,0 +1,38 @@
+version: 1.0.0
+rule_id: pii-3056
+family: PII
+sub_family: financial
+name: CVV/CVC Security Code Detection
+description: Detects credit card CVV/CVC security codes in context
+severity: high
+confidence: 0.88
+patterns:
+- pattern: (?i)(?:cvv|cvc|cid|cvv2|csc).{0,10}(?:code|number|no)?.{0,10}\b([0-9]{3,4})\b
+  flags:
+  - IGNORECASE
+  timeout: 5.0
+examples:
+  should_match:
+  - "CVV: 123"
+  - "CVC code: 4567"
+  - "Card CVV2 number is 789"
+  should_not_match:
+  - "What is CVV?"
+  - "Where to find CVC code?"
+  - "CVV is on the back of the card"
+metrics:
+  precision: null
+  recall: null
+  f1_score: null
+  last_evaluated: null
+mitre_attack:
+- T1552.004
+metadata:
+  created: '2025-11-16'
+  updated: '2025-11-16'
+  author: raxe-ce
+  category: financial
+rule_hash: null
+risk_explanation: Financial credential exposure (account numbers, routing numbers, cryptocurrency addresses) enables direct financial fraud and theft. Attackers can initiate unauthorized transactions, drain accounts, or conduct money laundering operations.
+remediation_advice: Apply PCI DSS and financial data security standards. Use encryption and tokenization for financial data. Implement transaction monitoring and fraud detection. Restrict AI access to financial systems and data stores.
+docs_url: https://github.com/raxe-ai/raxe-ce/wiki/PII-3056-Cvv/Cvc-Security-Code-Detection