Detection Rules

45 patterns across 11 categories

Cloud Providers

An AWS access key identifier that can be used with a secret key to authenticate API requests.

Risk: Grants access to AWS services. Attackers can provision resources, access data, or escalate privileges.
Remediation: Rotate the key immediately in the AWS IAM console and audit CloudTrail logs for unauthorized usage.
Pattern: AKIA[0-9A-Z]{16}

An AWS secret key paired with an access key ID for authenticating API calls.

Risk: Full API access to the associated AWS account. Can lead to data exfiltration or resource abuse.
Remediation: Deactivate and delete the key pair in IAM, then rotate all affected credentials.
Pattern: aws(.{0,20})?(secret|access).{0,20}["'][0-9a-zA-Z/+]{40}["']

A Google Cloud API key used to authenticate requests to Google services (Maps, Firebase, etc.).

Risk: Can incur billing charges or access restricted APIs depending on key restrictions.
Remediation: Delete the key in Google Cloud Console and create a new one with proper API and referrer restrictions.
Pattern: AIza[0-9A-Za-z_\-]{35}

A Google OAuth 2.0 client secret used for server-side authentication flows.

Risk: Can be used to impersonate your app and gain access to user data via OAuth consent.
Remediation: Reset the client secret in the Google Cloud Console and update your application configuration.
Pattern: GOCSPX-[A-Za-z0-9_\-]{28}

A Google Cloud service account JSON key file that grants programmatic access to GCP resources.

Risk: Full access to GCP resources the service account is authorized for. Often has broad permissions.
Remediation: Delete the key in GCP IAM, create a new one, and prefer Workload Identity Federation over key files.
Pattern: "type"\s*:\s*"service_account"

An Azure Storage account connection string with embedded access key for blob, queue, and table storage.

Risk: Full read/write access to all data in the storage account, including blobs, queues, and tables.
Remediation: Rotate the storage account key in the Azure portal and update all consuming applications.
Pattern: DefaultEndpointsProtocol=https;AccountName=[^;]+;AccountKey=[A-Za-z0-9+/=]{88}

An Azure Active Directory app registration client secret used for OAuth authentication.

Risk: Can authenticate as the application and access any resources the app registration is authorized for.
Remediation: Delete the client secret in Azure AD, create a new one, and prefer managed identities where possible.
Pattern: azure(.{0,20})?(client_secret|clientSecret).{0,10}["'][0-9a-zA-Z~._\-]{34,}["']

AI / LLM

An OpenAI API key (sk-...) that grants access to GPT models, DALL-E, embeddings, and other OpenAI services.

Risk: Attackers can run inference at your expense, potentially incurring significant API charges.
Remediation: Revoke the key at platform.openai.com/api-keys and generate a new one. Review usage logs for abuse.
Pattern: sk-[A-Za-z0-9]{48}

An OpenAI project-scoped API key (sk-proj-...) with access limited to a specific project.

Risk: Can access all models and resources within the scoped project, incurring usage costs.
Remediation: Revoke at platform.openai.com/api-keys, regenerate, and ensure project-level billing limits are set.
Pattern: sk-proj-[A-Za-z0-9_\-]{40,}

An Anthropic API key (sk-ant-...) that grants access to Claude models and the Messages API.

Risk: Unauthorized model usage at your expense. Can access any capabilities available to your account tier.
Remediation: Revoke the key at console.anthropic.com/settings/keys and generate a new one.
Pattern: sk-ant-[A-Za-z0-9_\-]{40,}

Source Control

A GitHub personal access token (classic) that grants API access to repositories and account actions.

Risk: Can read/write repos, manage issues, and access private data depending on granted scopes.
Remediation: Revoke the token at github.com/settings/tokens and generate a new one with minimal scopes.
Pattern: (?:ghp|gho|ghu|ghs|ghr)_[0-9A-Za-z]{36}

A GitHub fine-grained personal access token with specific repository and permission scoping.

Risk: Access depends on configured permissions — can range from read-only to full admin on specific repos.
Remediation: Revoke at github.com/settings/tokens and regenerate with the minimum required permissions.
Pattern: github_pat_[0-9A-Za-z_]{50,255}

A GitLab personal access token (glpat-...) for API and Git operations.

Risk: Can access repositories, CI/CD pipelines, and project settings depending on token scopes.
Remediation: Revoke at gitlab.com/-/user_settings/personal_access_tokens and generate a new token.
Pattern: glpat-[0-9A-Za-z_\-]{20,}

A Bitbucket app password used for API authentication and Git operations over HTTPS.

Risk: Can clone repos, push code, and access Bitbucket APIs with the permissions of the associated account.
Remediation: Revoke the app password in Bitbucket settings and create a new one with limited scopes.
Pattern: ATBB[A-Za-z0-9]{32,}

Messaging

A Slack API token (bot, user, or app) that grants access to workspace messaging and data.

Risk: Can read messages, post as users, access files, and exfiltrate workspace data.
Remediation: Revoke the token in Slack workspace settings and rotate the app credentials.
Pattern: xox[baprs]-[0-9A-Za-z-]{10,48}

A Slack incoming webhook URL that allows posting messages to a specific channel.

Risk: Attackers can send phishing or spam messages to your Slack channel.
Remediation: Delete the webhook in Slack app settings and create a new one if still needed.
Pattern: https://hooks\.slack\.com/services/[A-Za-z0-9/]{20,}

A Discord bot authentication token that grants full control of the bot account.

Risk: Full control of the bot: read/send messages, manage channels, kick/ban members on authorized servers.
Remediation: Regenerate the token at discord.com/developers/applications and update your bot configuration.
Pattern: [MN][A-Za-z0-9]{23,}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27,}

A Discord webhook URL that allows posting messages to a specific channel.

Risk: Attackers can post spam, phishing, or malicious content to your Discord channel.
Remediation: Delete the webhook in Discord channel settings and create a new one.
Pattern: https://discord(?:app)?\.com/api/webhooks/[0-9]+/[A-Za-z0-9_\-]+

A Telegram Bot API token issued by BotFather for controlling a Telegram bot.

Risk: Full control of the bot: send/read messages, manage groups, and access user data.
Remediation: Revoke the token via BotFather (/revoke command) and generate a new one.
Pattern: [0-9]{8,10}:[A-Za-z0-9_-]{35}

Payments

A Stripe live-mode secret key (sk_live_) that authenticates server-side API requests.

Risk: Full access to the Stripe account: create charges, issue refunds, access customer payment data.
Remediation: Roll the key immediately at dashboard.stripe.com/apikeys. Review recent transactions for fraud.
Pattern: sk_live_[0-9a-zA-Z]{24,}

A Stripe live-mode publishable key (pk_live_) used client-side for tokenizing payment info.

Risk: Low direct risk (designed for client use), but confirms a live Stripe integration and can be used for recon.
Remediation: Roll the key at dashboard.stripe.com/apikeys if paired with an exposed secret key.
Pattern: pk_live_[0-9a-zA-Z]{24,}

A Stripe restricted key (rk_live_) with limited permissions for specific API operations.

Risk: Access limited to configured permissions, but can still perform authorized financial operations.
Remediation: Delete and recreate the restricted key with the minimum required permissions.
Pattern: rk_live_[0-9a-zA-Z]{24,}

A Square access token (sq0atp-) for authenticating API calls to Square payment services.

Risk: Can process payments, access transaction history, manage inventory, and view customer data.
Remediation: Revoke the token in the Square Developer Dashboard and rotate credentials.
Pattern: sq0atp-[0-9A-Za-z_\-]{22,}

A Square OAuth client secret (sq0csp-) used for server-side OAuth flows.

Risk: Can be used to generate access tokens and impersonate your application with Square.
Remediation: Regenerate the OAuth secret in the Square Developer Dashboard and update your application.
Pattern: sq0csp-[0-9A-Za-z_\-]{40,}

A PayPal REST API client secret used with a client ID for OAuth authentication.

Risk: Can process payments, issue refunds, and access transaction data through the PayPal API.
Remediation: Regenerate the secret in the PayPal Developer Dashboard and update your integration.
Pattern: paypal(.{0,20})?(secret|client).{0,10}["'][A-Za-z0-9_\-]{30,}["']

E-Commerce

A Shopify Admin API access token (shpat_) for programmatic store management.

Risk: Can read/write products, orders, customers, and other store data depending on scopes.
Remediation: Uninstall and reinstall the app to rotate tokens, or regenerate in the Shopify Partners dashboard.
Pattern: shpat_[A-Fa-f0-9]{32}

A Shopify app shared secret (shpss_) used for verifying webhook signatures and OAuth.

Risk: Can forge webhook payloads and bypass signature verification for your Shopify app.
Remediation: Regenerate the shared secret in the Shopify Partners dashboard.
Pattern: shpss_[A-Fa-f0-9]{32}

A Shopify custom app access token (shpca_) for store-specific integrations.

Risk: Direct access to the store's Admin API with the permissions granted to the custom app.
Remediation: Regenerate the token in Shopify admin under Apps > Custom apps.
Pattern: shpca_[A-Fa-f0-9]{32}

A Shopify private app access token (shppa_) for legacy store integrations.

Risk: Full API access to the store with the permissions configured for the private app.
Remediation: Delete the private app and create a new one, or migrate to a custom app.
Pattern: shppa_[A-Fa-f0-9]{32}

Email / Comms

A SendGrid API key (SG.) for sending transactional and marketing emails.

Risk: Can send emails from your domain, potentially for phishing. Can access contact lists and templates.
Remediation: Delete the key at app.sendgrid.com/settings/api_keys and create a new one with restricted scopes.
Pattern: SG\.[A-Za-z0-9_\-]{22}\.[A-Za-z0-9_\-]{43}

A Mailgun API key (key-) for sending and tracking emails via the Mailgun service.

Risk: Can send emails from your verified domains and access email logs, routes, and mailing lists.
Remediation: Rotate the key in the Mailgun dashboard under Security > API Security.
Pattern: key-[0-9a-zA-Z]{32}

A Mailchimp API key for managing audiences, campaigns, and email automations.

Risk: Can access subscriber lists, send campaigns, and export audience data.
Remediation: Delete the key in Mailchimp Account > Extras > API keys and generate a new one.
Pattern: [0-9a-f]{32}-us[0-9]{1,2}

A Twilio API key (SK...) for authenticating Twilio REST API requests.

Risk: Can send SMS/calls, access call logs, and manage phone numbers, potentially incurring charges.
Remediation: Delete the API key in the Twilio Console and create a new one.
Pattern: SK[0-9a-fA-F]{32}

A Twilio Account SID (AC...) — the account identifier used alongside auth tokens.

Risk: Not a secret by itself, but combined with an auth token grants full account access.
Remediation: If paired with an exposed auth token, rotate the auth token in the Twilio Console.
Pattern: AC[0-9a-fA-F]{32}

DevOps / Infra

A Heroku API key (UUID format) for managing Heroku apps, add-ons, and deployments.

Risk: Can deploy code, access environment variables containing secrets, and manage billing.
Remediation: Regenerate the API key at dashboard.heroku.com/account and update CLI/CI configurations.
Pattern: (?:heroku|HEROKU).{0,20}[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}

A Datadog API or application key for submitting metrics, logs, and managing monitors.

Risk: Can submit fake metrics, read dashboards, and access sensitive operational data.
Remediation: Revoke the key in Datadog Organization Settings > API Keys and create a new one.
Pattern: dd(.{0,10})?(api|app).{0,10}["'][0-9a-f]{32,40}["']

An npm access token (npm_) for publishing packages and accessing private registries.

Risk: Can publish malicious versions of your packages (supply chain attack) or access private packages.
Remediation: Revoke at npmjs.com/settings/tokens and generate a new token with minimal permissions.
Pattern: npm_[A-Za-z0-9]{36}

A PyPI API token (pypi-) for publishing Python packages to the Python Package Index.

Risk: Can publish malicious package versions, enabling supply chain attacks on downstream users.
Remediation: Delete the token at pypi.org/manage/account/token and create a new project-scoped token.
Pattern: pypi-[A-Za-z0-9_\-]{50,}

A NuGet API key for publishing .NET packages to nuget.org.

Risk: Can publish malicious package updates to nuget.org, affecting downstream .NET projects.
Remediation: Regenerate the key at nuget.org/account/apikeys.
Pattern: oy2[a-z0-9]{43}

A Docker Hub personal access token (dckr_pat_) for pushing/pulling container images.

Risk: Can push malicious images to your repositories or access private container images.
Remediation: Revoke the token at hub.docker.com/settings/security and generate a new one.
Pattern: dckr_pat_[A-Za-z0-9_\-]{20,}

Databases

A database connection URI (MongoDB, PostgreSQL, MySQL, Redis, or AMQP) with embedded credentials.

Risk: Direct database access: read, modify, or delete data. May contain admin credentials.
Remediation: Rotate the database password immediately, restrict network access, and move the URI to a secrets manager.
Pattern: (?:mongodb(?:\+srv)?|postgres(?:ql)?|mysql|redis|amqp)://[^\s"']{10,}

Crypto / Keys

Severity: critical

Private Key

A PEM-encoded private key (RSA, EC, DSA, OpenSSH, or PGP) used for encryption or authentication.

Risk: Compromises TLS/SSH authentication. Can impersonate servers, sign code, or decrypt traffic.
Remediation: Revoke associated certificates, regenerate the key pair, and update all systems using it.
Pattern: -----BEGIN (?:EC|RSA|OPENSSH|DSA|PGP) PRIVATE KEY-----

Generic

A hardcoded password, secret, or token value assigned directly in source code.

Risk: Exposes credentials that may grant access to databases, APIs, or internal services.
Remediation: Move the secret to an environment variable or secrets manager and rotate the credential.
Pattern: \b(password|passwd|pwd|secret|token|api_key|apikey|api_secret|auth_token|access_token|secret_key)\b\s*[:=]\s*["'][^"'\n]{6,}["']

An Authorization header with a Bearer token, typically used for API authentication.

Risk: A valid bearer token grants authenticated access to the API it was issued for.
Remediation: Invalidate the token server-side and ensure tokens are not hardcoded in source.
Pattern: (?:Authorization|authorization).{0,10}Bearer\s+[A-Za-z0-9_\-\.]{20,}

Severity: medium

JWT

A JSON Web Token containing encoded claims, typically used for authentication sessions.

Risk: May contain valid session tokens that grant authenticated access to APIs or user accounts.
Remediation: Invalidate the token server-side, rotate the signing key if it was exposed, and review session management.
Pattern: eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}

Built by Kyle