// Package engine provides a mode-agnostic scan engine that can be used
// independently of any UI layer. This file defines the default credential
// exposure indicators - paths and patterns that suggest sensitive data leaks.
//
// These are the default paths and patterns used by the scanner. Support for
// adding custom paths via configuration is planned for a future version.
package engine

import (
	"regexp"
)

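// CredentialPaths contains URL paths commonly associated with credential
// exposure, misconfigurations, or sensitive file leaks. The scanner checks
// each of these paths against target domains.
//
// The literal below is grouped by technology, and a number of files are listed
// under more than one heading (for example "/vercel.json", "/.npmrc" and
// "/.bash_history"). The literal is passed through dedupeCredentialPaths so
// that every path is kept exactly once, at the position of its first
// occurrence, and a target is not requested twice for the same URL.
//
// NOTE(review): the list mixes high-signal files ("/.env", "/.git/config")
// with files that are public by design ("/robots.txt", "/security.txt",
// "/healthz"). A successful response for one of these paths is an indicator to
// triage, not a finding by itself. Hosts that answer every path with the same
// page (catch-all routes, custom 404 pages served with status 200) will match
// the whole list; presumably the caller confirms hits against the response
// body (see CredentialPatterns) - verify against the scanner code.
var CredentialPaths = dedupeCredentialPaths([]string{
	// =========================================================================
	// ENVIRONMENT FILES — the #1 source of leaked creds
	// =========================================================================
	"/.env",
	"/.env.bak",
	"/.env.old",
	"/.env.local",
	"/.env.production",
	"/.env.staging",
	"/.env.dev",
	"/.env.development",
	"/.env.example",
	"/.env.backup",
	"/.env.test",
	"/.env.testing",
	"/.env.prod",
	"/.env.live",
	"/.env.save",
	"/.env.orig",
	"/.env.dist",
	"/.env.sample",
	"/.env.docker",
	"/.env.swp",
	"/.env~",
	"/.env.production.local",
	"/.env.development.local",
	"/.env.test.local",
	"/env",
	"/env.js",
	"/env.json",
	"/env.yaml",
	"/env.yml",
	"/env.toml",
	"/env.ini",
	"/env.cfg",
	"/env.conf",
	"/.flaskenv",

	// =========================================================================
	// GIT EXPOSURE — full source code + history
	// =========================================================================
	"/.git/config",
	"/.git/HEAD",
	"/.git/index",
	"/.git/logs/HEAD",
	"/.git/logs/refs/heads/main",
	"/.git/logs/refs/heads/master",
	"/.git/refs/heads/main",
	"/.git/refs/heads/master",
	"/.git/COMMIT_EDITMSG",
	"/.git/description",
	"/.git/info/exclude",
	"/.git/packed-refs",
	"/.git/objects/info/packs",
	"/.gitconfig",
	"/.gitignore",
	"/.gitmodules",
	"/.gitattributes",

	// SVN / Mercurial / Bazaar
	"/.svn/entries",
	"/.svn/wc.db",
	"/.hg/hgrc",
	"/.hg/store/data",
	"/.bzr/README",

	// =========================================================================
	// NEXT.JS / REACT / VERCEL — vibe coder favorites
	// =========================================================================
	"/next.config.js",
	"/next.config.mjs",
	"/next.config.ts",
	"/.next/build-manifest.json",
	"/.next/routes-manifest.json",
	"/.next/prerender-manifest.json",
	"/.next/server/pages-manifest.json",
	"/.next/server/middleware-manifest.json",
	"/.next/static/chunks/main.js",
	"/_next/data/",
	"/_next/static/chunks/app/layout.js",
	"/_next/static/chunks/webpack.js",
	"/.next/server/app/api/",
	"/.next/BUILD_ID",
	"/.next/package.json",
	"/vercel.json",
	"/.vercel/project.json",
	"/.vercel/README.txt",
	"/next-env.d.ts",

	// React / CRA / Vite
	"/static/js/main.js",
	"/static/js/bundle.js",
	"/static/js/main.chunk.js",
	"/static/js/0.chunk.js",
	"/static/js/vendors.js",
	"/build/static/js/main.js",
	"/dist/assets/index.js",
	"/assets/index.js",

	// Source maps — leak full source code
	"/main.js.map",
	"/bundle.js.map",
	"/app.js.map",
	"/static/js/main.js.map",
	"/static/js/bundle.js.map",
	"/static/js/main.chunk.js.map",
	"/build/static/js/main.js.map",
	"/dist/assets/index.js.map",
	"/assets/index.js.map",
	"/sourcemaps/",
	// NOTE(review): "/.map" is a bare extension and is requested as a literal
	// path; confirm it is not meant to be a suffix match.
	"/.map",

	// Vue.js
	"/vue.config.js",
	"/dist/js/app.js",
	"/dist/js/app.js.map",
	"/dist/js/chunk-vendors.js.map",

	// Angular
	"/angular.json",
	"/environment.ts",
	"/environment.prod.ts",
	"/assets/config.json",
	"/ngsw.json",

	// Nuxt.js
	"/nuxt.config.js",
	"/nuxt.config.ts",
	"/.nuxt/",
	"/_nuxt/",

	// SvelteKit
	"/svelte.config.js",
	"/.svelte-kit/",

	// Remix
	"/remix.config.js",

	// Astro
	"/astro.config.mjs",

	// =========================================================================
	// FIREBASE / SUPABASE / APPWRITE — BaaS configs
	// =========================================================================
	"/firebase.json",
	"/.firebaserc",
	"/firebaseConfig.js",
	"/firebaseConfig.json",
	"/firebase-config.js",
	"/firebase-config.json",
	"/firebase-adminsdk.json",
	"/service-account.json",
	"/serviceAccountKey.json",
	"/google-services.json",
	"/firebase-debug.log",
	"/firestore.rules",
	"/storage.rules",
	"/database.rules.json",
	"/supabase/config.toml",
	"/.supabase/",
	"/supabase/.env",
	"/lib/supabase.ts",
	"/lib/supabase.js",
	"/src/lib/supabase.ts",
	"/src/lib/supabase.js",
	"/utils/supabase.ts",
	"/src/config/firebase.js",
	"/src/config/firebase.ts",
	"/appwrite.json",

	// =========================================================================
	// AUTH PROVIDERS — Clerk, Auth0, Okta, Cognito
	// =========================================================================
	"/.clerk/",
	"/auth.config.js",
	"/auth.config.ts",
	"/auth.ts",
	"/auth.js",
	"/middleware.ts",
	"/middleware.js",
	"/auth0-config.json",
	"/.auth0",

	// =========================================================================
	// PAYMENT / STRIPE / PAYPAL
	// =========================================================================
	"/stripe-config.json",
	"/stripe-webhook-secret",
	"/payment-config.json",
	"/paypal.json",

	// =========================================================================
	// DATABASE CONFIGS & ORM
	// =========================================================================
	"/prisma/schema.prisma",
	"/prisma/.env",
	"/drizzle.config.ts",
	"/drizzle.config.js",
	"/knexfile.js",
	"/knexfile.ts",
	"/ormconfig.json",
	"/ormconfig.js",
	"/ormconfig.ts",
	"/typeorm.config.ts",
	"/sequelize.config.js",
	"/config/database.json",
	"/config/database.yml",
	"/config/database.php",
	"/config/db.js",
	"/config/db.json",
	"/database.json",
	"/database.yml",
	"/database.yaml",
	"/db.json",
	"/db.yaml",
	"/db.yml",
	"/config/config.json",
	"/config/default.json",
	"/config/production.json",
	"/config/development.json",
	"/mongoid.yml",
	"/mongorc.js",

	// =========================================================================
	// DATABASE DUMPS & BACKUPS
	// =========================================================================
	"/dump.sql",
	"/database.sql",
	"/db.sql",
	"/backup.sql",
	"/data.sql",
	"/dump.sql.gz",
	"/dump.sql.bz2",
	"/dump.sql.zip",
	"/backup.zip",
	"/backup.tar.gz",
	"/backup.tar.bz2",
	"/backup.rar",
	"/backup.7z",
	"/site.sql",
	"/mysql.sql",
	"/postgres.sql",
	"/pg_dump.sql",
	"/export.sql",
	"/db_backup.sql",
	"/database_backup.sql",
	"/db.sqlite",
	"/db.sqlite3",
	"/database.sqlite",
	"/database.sqlite3",
	"/data.db",
	"/app.db",
	"/production.sqlite3",
	"/development.sqlite3",
	"/users.sql",
	"/users.csv",
	"/customers.csv",
	"/clients.csv",
	"/accounts.csv",
	"/members.sql",

	// =========================================================================
	// WORDPRESS — still everywhere
	// =========================================================================
	"/wp-config.php",
	"/wp-config.php.bak",
	"/wp-config.php.old",
	"/wp-config.php~",
	"/wp-config.php.save",
	"/wp-config.php.swp",
	"/wp-config.php.orig",
	"/wp-config.php.txt",
	"/wp-config.txt",
	"/wp-config-sample.php",
	"/wp-content/debug.log",
	"/wp-content/uploads/",
	"/wp-includes/version.php",
	"/wp-login.php",
	"/wp-admin/install.php",
	"/wp-json/wp/v2/users",
	"/xmlrpc.php",
	"/wp-cron.php",
	"/readme.html",

	// =========================================================================
	// PHP / LARAVEL / SYMFONY / CODEIGNITER / MAGENTO
	// =========================================================================
	"/config.php",
	"/configuration.php",
	"/config.php.bak",
	"/config.php.old",
	"/config.php.save",
	"/config.php~",
	"/config.inc.php",
	"/config.inc",
	"/conf.php",
	"/db.php",
	"/database.php",
	"/connect.php",
	"/connection.php",
	"/conn.php",
	"/settings.php",
	"/setup.php",
	"/install.php",
	"/install/",
	"/installer/",
	"/config/app.php",
	"/config/database.php",
	"/config/mail.php",
	"/config/services.php",
	"/config/auth.php",
	"/config/filesystems.php",
	"/storage/logs/laravel.log",
	"/storage/framework/sessions/",
	"/storage/framework/cache/",
	"/bootstrap/cache/config.php",
	"/app/etc/local.xml",
	"/app/etc/env.php",
	"/parameters.yml",
	"/parameters.ini",
	"/var/log/system.log",
	"/var/log/debug.log",
	"/var/log/exception.log",
	"/vendor/composer/installed.json",

	// =========================================================================
	// PYTHON / DJANGO / FLASK / FASTAPI
	// =========================================================================
	"/settings.py",
	"/local_settings.py",
	"/config.py",
	"/config.cfg",
	"/config.ini",
	"/config.yaml",
	"/config.yml",
	"/config.toml",
	"/app/config.py",
	"/instance/config.py",
	"/instance/application.cfg",
	"/requirements.txt",
	"/Pipfile",
	"/Pipfile.lock",
	"/pyproject.toml",
	"/poetry.lock",
	"/.python-version",
	"/manage.py",
	"/wsgi.py",
	"/asgi.py",
	"/celeryconfig.py",
	"/alembic.ini",
	"/alembic/env.py",
	"/pytest.ini",
	"/.pytest_cache/",
	"/django_secret_key",

	// =========================================================================
	// RUBY / RAILS
	// =========================================================================
	"/config/secrets.yml",
	"/config/master.key",
	"/config/credentials.yml.enc",
	"/config/database.yml",
	"/config/storage.yml",
	"/config/cable.yml",
	"/config/environments/production.rb",
	"/config/initializers/devise.rb",
	"/config/initializers/secret_token.rb",
	"/Gemfile",
	"/Gemfile.lock",
	"/db/seeds.rb",
	"/db/schema.rb",
	"/tmp/cache/",
	"/log/production.log",
	"/log/development.log",

	// =========================================================================
	// JAVA / SPRING / TOMCAT / JBOSS
	// =========================================================================
	"/application.properties",
	"/application.yml",
	"/application.yaml",
	"/application-prod.properties",
	"/application-prod.yml",
	"/application-dev.properties",
	"/application-dev.yml",
	"/application-local.properties",
	"/bootstrap.properties",
	"/bootstrap.yml",
	"/WEB-INF/web.xml",
	"/WEB-INF/classes/application.properties",
	"/WEB-INF/classes/application.yml",
	"/META-INF/context.xml",
	"/META-INF/maven/",
	"/actuator",
	"/actuator/env",
	"/actuator/configprops",
	"/actuator/beans",
	"/actuator/health",
	"/actuator/info",
	"/actuator/mappings",
	"/actuator/heapdump",
	"/actuator/threaddump",
	"/actuator/logfile",
	"/jolokia/",
	"/console",
	"/h2-console",

	// =========================================================================
	// .NET / ASP.NET / C#
	// =========================================================================
	"/web.config",
	"/web.config.bak",
	"/web.config.old",
	"/web.config.txt",
	"/appsettings.json",
	"/appsettings.Development.json",
	"/appsettings.Production.json",
	"/appsettings.Staging.json",
	"/connectionstrings.config",
	"/machine.config",
	"/elmah.axd",
	"/trace.axd",
	"/global.asax",

	// =========================================================================
	// GO
	// =========================================================================
	"/go.mod",
	"/go.sum",
	"/config.go",
	"/.air.toml",
	"/cmd/",

	// =========================================================================
	// RUST
	// =========================================================================
	"/Cargo.toml",
	"/Cargo.lock",
	"/Rocket.toml",
	"/.cargo/config.toml",

	// =========================================================================
	// NODE.JS / NPM / YARN / BUN / DENO
	// =========================================================================
	"/package.json",
	"/package-lock.json",
	"/yarn.lock",
	"/pnpm-lock.yaml",
	"/bun.lockb",
	"/.npmrc",
	"/.yarnrc",
	"/.yarnrc.yml",
	"/node_modules/.package-lock.json",
	"/tsconfig.json",
	"/jsconfig.json",
	"/turbo.json",
	"/lerna.json",
	"/nx.json",
	"/deno.json",
	"/deno.jsonc",
	"/deno.lock",
	"/import_map.json",
	"/nest-cli.json",
	"/nodemon.json",
	"/.node-version",
	"/.nvmrc",
	"/ecosystem.config.js",
	"/pm2.config.js",
	"/wrangler.toml",

	// =========================================================================
	// API DOCUMENTATION — exposes endpoints + auth details
	// =========================================================================
	"/swagger.json",
	"/swagger.yaml",
	"/swagger.yml",
	"/swagger-ui/",
	"/swagger-ui.html",
	"/openapi.json",
	"/openapi.yaml",
	"/openapi.yml",
	"/api-docs",
	"/api-docs.json",
	"/api/docs",
	"/api/swagger",
	"/api/openapi",
	"/api/v1/docs",
	"/api/v2/docs",
	"/api/v3/docs",
	"/docs/api",
	"/redoc",
	"/graphql",
	"/graphiql",
	"/playground",
	"/altair",
	"/__graphql",
	"/graphql/console",
	"/graphql/schema",
	"/api/graphql",
	"/v1/graphql",
	"/api/config",
	"/api/v1/config",
	"/api/v2/config",
	"/api/settings",
	"/api/v1/settings",
	"/api/debug",
	"/api/test",
	"/api/health",
	"/api/status",
	"/api/info",
	"/api/version",
	"/api/env",
	"/api/admin",
	"/api/internal",
	"/api/private",
	"/api/keys",
	"/api/tokens",
	"/api/users",
	"/api/v1/users",
	"/api/v1/admin",
	"/api/me",

	// =========================================================================
	// CLOUD PROVIDERS — AWS / GCP / AZURE / DO
	// =========================================================================
	"/.aws/credentials",
	"/.aws/config",
	"/.aws/",
	"/aws.json",
	"/aws.yml",
	"/.boto",
	"/.s3cfg",
	"/gcloud/credentials.db",
	"/gcloud/application_default_credentials.json",
	"/google-cloud-sdk/properties",
	"/service-account-key.json",
	"/gcp-key.json",
	"/gcs-key.json",
	"/.azure/",
	"/azure.json",
	"/.digitalocean/config",

	// =========================================================================
	// INFRASTRUCTURE AS CODE — Terraform / Pulumi / Ansible / Vagrant
	// =========================================================================
	"/terraform.tfstate",
	"/terraform.tfstate.backup",
	"/terraform.tfvars",
	"/.terraform/",
	"/main.tf",
	"/variables.tf",
	"/outputs.tf",
	"/backend.tf",
	"/provider.tf",
	"/Pulumi.yaml",
	"/Pulumi.dev.yaml",
	"/Pulumi.prod.yaml",
	"/pulumi.json",
	"/ansible.cfg",
	"/playbook.yml",
	"/inventory",
	"/group_vars/all.yml",
	"/host_vars/",
	"/vault.yml",
	"/ansible-vault",
	"/Vagrantfile",
	"/vagrant.yml",

	// =========================================================================
	// CONTAINERS & ORCHESTRATION
	// =========================================================================
	"/Dockerfile",
	"/Dockerfile.prod",
	"/Dockerfile.dev",
	"/docker-compose.yml",
	"/docker-compose.yaml",
	"/docker-compose.prod.yml",
	"/docker-compose.dev.yml",
	"/docker-compose.override.yml",
	"/.docker/config.json",
	"/.dockerenv",
	"/kubernetes.yml",
	"/k8s/",
	"/.kube/config",
	"/kustomization.yml",
	"/kustomization.yaml",
	"/skaffold.yaml",
	"/helm/",
	"/Chart.yaml",
	"/values.yaml",
	"/values-prod.yaml",

	// =========================================================================
	// CI/CD PIPELINES
	// =========================================================================
	"/.travis.yml",
	"/.circleci/config.yml",
	"/.github/workflows",
	"/.github/workflows/ci.yml",
	"/.github/workflows/cd.yml",
	"/.github/workflows/deploy.yml",
	"/.github/workflows/build.yml",
	"/.github/workflows/test.yml",
	"/.github/workflows/release.yml",
	"/.gitlab-ci.yml",
	"/Jenkinsfile",
	"/bitbucket-pipelines.yml",
	"/.drone.yml",
	"/azure-pipelines.yml",
	"/buildspec.yml",
	"/cloudbuild.yaml",
	"/appveyor.yml",
	"/wercker.yml",
	"/.buildkite/pipeline.yml",
	"/netlify.toml",
	"/fly.toml",
	"/render.yaml",
	"/railway.json",
	"/railway.toml",
	"/Procfile",
	"/heroku.yml",
	"/app.yaml",
	"/app.yml",
	"/cdk.json",
	"/sam.yaml",
	"/serverless.yml",
	"/serverless.yaml",
	"/amplify.yml",

	// =========================================================================
	// HOSTING / DEPLOYMENT CONFIGS
	// =========================================================================
	// Several entries here repeat earlier sections; repeats are dropped by
	// dedupeCredentialPaths.
	"/vercel.json",
	"/firebase.json",
	"/now.json",
	"/rewrite.config.js",
	"/rewrites.json",
	"/redirects.json",
	"/render.yaml",
	"/Procfile",

	// =========================================================================
	// SSH / CERTIFICATES / PRIVATE KEYS
	// =========================================================================
	"/.ssh/id_rsa",
	"/.ssh/id_rsa.pub",
	"/.ssh/id_ed25519",
	"/.ssh/id_ed25519.pub",
	"/.ssh/id_dsa",
	"/.ssh/authorized_keys",
	"/.ssh/known_hosts",
	"/.ssh/config",
	"/id_rsa",
	"/id_rsa.pub",
	"/id_ed25519",
	"/server.key",
	"/server.pem",
	"/server.crt",
	"/private.key",
	"/private.pem",
	"/cert.pem",
	"/cert.key",
	"/fullchain.pem",
	"/privkey.pem",
	"/ssl/private.key",
	"/ssl/server.key",
	"/ssl/cert.pem",
	"/tls.key",
	"/tls.crt",
	// NOTE(review): "/.pem" is a bare extension and is requested as a literal
	// path; confirm it is not meant to be a suffix match.
	"/.pem",
	"/jwt.key",
	"/jwt-key.pem",
	"/jwtRS256.key",
	"/jwtRS256.key.pub",
	"/signing.key",
	"/encryption.key",
	"/oauth-private.key",
	"/oauth-public.key",
	"/saml.pem",
	"/saml.key",

	// =========================================================================
	// IDE / EDITOR FILES — may contain creds in run configs
	// =========================================================================
	"/.vscode/settings.json",
	"/.vscode/launch.json",
	"/.vscode/tasks.json",
	"/.vscode/extensions.json",
	"/.vscode/.env",
	"/.idea/workspace.xml",
	"/.idea/dataSources.xml",
	"/.idea/dataSources.local.xml",
	"/.idea/webServers.xml",
	"/.idea/deployment.xml",
	"/.idea/modules.xml",
	"/.idea/vcs.xml",
	"/.idea/",
	"/.project",
	"/.classpath",
	"/.settings/",
	"/.sublime-project",
	"/.sublime-workspace",
	"/nbproject/project.properties",
	"/.editorconfig",

	// =========================================================================
	// DEBUG / INFO / STATUS PAGES
	// =========================================================================
	"/phpinfo.php",
	"/info.php",
	"/test.php",
	"/debug",
	"/debug/",
	"/debug.log",
	"/debug.txt",
	"/error.log",
	"/error_log",
	"/errors.log",
	"/access.log",
	"/access_log",
	"/app.log",
	"/application.log",
	"/server.log",
	"/output.log",
	"/console.log",
	"/npm-debug.log",
	"/yarn-debug.log",
	"/yarn-error.log",
	"/crash.log",
	"/server-status",
	"/server-info",
	"/_debug",
	"/__debug__/",
	"/debug/default/view",
	"/debug/pprof/",
	"/health",
	"/healthcheck",
	"/healthz",
	"/readyz",
	"/livez",
	"/status",
	"/ping",
	"/version",
	"/build-info",
	"/metrics",
	"/prometheus",
	"/_status",
	"/_health",
	"/_info",
	"/trace",
	"/trace.log",

	// =========================================================================
	// ADMIN PANELS & MANAGEMENT
	// =========================================================================
	"/admin",
	"/admin/",
	"/admin/login",
	"/admin/config",
	"/admin/dashboard",
	"/admin/settings",
	"/admin/users",
	"/administrator",
	"/administrator/",
	"/cpanel",
	"/cpanel/",
	"/phpmyadmin",
	"/phpmyadmin/",
	"/pma",
	"/pma/",
	"/adminer.php",
	"/adminer",
	"/myadmin",
	"/myadmin/",
	"/dbadmin",
	"/dbadmin/",
	"/sqladmin",
	"/sqladmin/",
	"/mysql",
	"/mysql/",
	"/pgadmin",
	"/pgadmin/",
	"/mongo-express",
	"/mongo-express/",
	"/redis-commander",
	"/kibana",
	"/grafana",
	"/portainer",
	"/traefik",
	"/consul",
	"/vault/ui",
	"/jenkins",
	"/jenkins/",
	"/hudson",
	"/bamboo",
	"/sonarqube",
	"/_admin",
	"/_admin/",
	"/manage",
	"/manage/",
	"/management",
	"/management/",
	"/panel",
	"/panel/",
	"/dashboard",
	"/dashboard/",
	"/control",
	"/controlpanel",
	"/sysadmin",
	"/webadmin",
	"/filemanager",
	"/wp-admin/",
	"/cms/admin",
	"/cms/login",
	"/strapi",
	"/strapi/admin",
	"/directus/admin",
	"/sanity/",

	// =========================================================================
	// SECRETS / CREDENTIALS / TOKEN FILES
	// =========================================================================
	"/credentials.json",
	"/credentials.yml",
	"/credentials.yaml",
	"/credentials.xml",
	"/secrets.json",
	"/secrets.yml",
	"/secrets.yaml",
	"/secrets.xml",
	"/secrets.txt",
	"/secret",
	"/secret.key",
	"/secret.txt",
	"/token.json",
	"/tokens.json",
	"/auth.json",
	"/auth.yml",
	"/keys.json",
	"/keys.yml",
	"/apikeys.json",
	"/api-keys.json",
	"/api_keys.json",
	"/api-key.txt",
	"/passwords.txt",
	"/passwords.csv",
	"/passwd",
	"/shadow",
	"/master.key",
	"/encryption.key",
	"/keyfile",
	"/keystore",
	"/keystore.jks",
	"/truststore.jks",
	"/.keystore",
	"/.truststore",
	"/vault-keys.json",
	"/.vault-token",
	"/.netrc",
	"/.wgetrc",
	"/.curlrc",
	"/.wget-hsts",

	// =========================================================================
	// ACCESS CONTROL & SERVER CONFIG
	// =========================================================================
	"/.htpasswd",
	"/.htaccess",
	"/.htaccess.bak",
	"/.htaccess.old",
	"/.htaccess~",
	"/.htpasswd.bak",
	"/nginx.conf",
	"/nginx/nginx.conf",
	"/etc/nginx/nginx.conf",
	"/conf/nginx.conf",
	"/apache2.conf",
	"/httpd.conf",
	"/lighttpd.conf",
	"/crossdomain.xml",
	"/clientaccesspolicy.xml",
	"/robots.txt",
	"/sitemap.xml",
	"/security.txt",
	"/.well-known/security.txt",
	"/.well-known/openid-configuration",
	"/.well-known/jwks.json",
	"/.well-known/assetlinks.json",
	"/.well-known/apple-app-site-association",

	// =========================================================================
	// CMS SYSTEMS — Drupal / Joomla / Magento / Ghost etc
	// =========================================================================
	"/sites/default/settings.php",
	"/sites/default/files/",
	"/core/install.php",
	"/CHANGELOG.txt",
	"/UPDATE.txt",
	"/INSTALL.txt",
	"/configuration.php",
	"/configuration.php.bak",
	"/joomla.xml",
	"/administrator/manifests/files/joomla.xml",
	"/app/etc/env.php",
	"/app/etc/local.xml",
	"/var/log/system.log",
	"/var/log/exception.log",
	"/downloader/",
	"/ghost/api/v3/admin/",
	"/ghost/api/content/",
	"/content/config.json",

	// =========================================================================
	// MOBILE / REACT NATIVE / FLUTTER / EXPO
	// =========================================================================
	"/app.json",
	"/expo-constants.json",
	"/google-services.json",
	"/GoogleService-Info.plist",
	"/Info.plist",
	"/config.xml",
	"/build.gradle",
	"/local.properties",
	"/gradle.properties",

	// =========================================================================
	// MESSAGING / EMAIL / NOTIFICATION SERVICES
	// =========================================================================
	"/mailgun.json",
	"/sendgrid.json",
	"/smtp-config.json",
	"/email-config.json",
	"/twilio.json",
	"/pusher.json",
	"/sentry.properties",
	"/.sentryclirc",

	// =========================================================================
	// MONITORING / ANALYTICS / LOGGING
	// =========================================================================
	"/newrelic.yml",
	"/newrelic.js",
	"/datadog.yaml",
	"/bugsnag.json",
	"/rollbar.json",
	"/loggly.json",
	"/splunk.conf",
	"/elastic.yml",
	"/logstash.conf",
	"/filebeat.yml",

	// =========================================================================
	// PACKAGE MANAGER CONFIGS — can leak registries / tokens
	// =========================================================================
	// The npm/yarn entries repeat the NODE.JS section; repeats are dropped by
	// dedupeCredentialPaths.
	"/.npmrc",
	"/.yarnrc",
	"/.yarnrc.yml",
	"/.pip/pip.conf",
	"/.pypirc",
	"/pip.conf",
	"/.gemrc",
	"/.bundler/config",
	"/composer.json",
	"/composer.lock",
	"/cargo-config.toml",
	"/.m2/settings.xml",
	"/gradle/wrapper/gradle-wrapper.properties",
	"/nuget.config",
	"/.nuget/NuGet.Config",
	"/paket.dependencies",

	// =========================================================================
	// BACKUP / ARCHIVE FILES
	// =========================================================================
	"/backup/",
	"/backups/",
	"/bak/",
	"/old/",
	"/temp/",
	"/tmp/",
	"/archive/",
	"/archives/",
	"/index.php.bak",
	"/index.php~",
	"/index.php.old",
	"/index.html.bak",
	"/index.html~",
	"/app.bak",
	"/site.bak",
	"/main.bak",
	"/www.zip",
	"/www.tar.gz",
	"/web.zip",
	"/web.tar.gz",
	"/site.zip",
	"/site.tar.gz",
	"/html.zip",
	"/html.tar.gz",
	"/public.zip",
	"/src.zip",
	"/source.zip",
	"/code.zip",
	"/deploy.zip",
	"/release.zip",
	"/latest.zip",
	"/latest.tar.gz",

	// =========================================================================
	// TEMP / SWAP / EDITOR BACKUP FILES
	// =========================================================================
	"/.DS_Store",
	"/Thumbs.db",
	"/desktop.ini",
	"/.directory",
	"/.bash_history",
	"/.zsh_history",
	"/.mysql_history",
	"/.psql_history",
	"/.python_history",
	"/.node_repl_history",
	"/.irb_history",
	"/.lesshst",
	"/.viminfo",
	// NOTE(review): the entries from "/.swp" to "/.copy" are bare suffixes and
	// are requested as literal paths; confirm they are not meant to be
	// appended to other file names.
	"/.swp",
	"/~",
	"/._",
	"/.bak",
	"/.tmp",
	"/.old",
	"/.orig",
	"/.save",
	"/.copy",

	// =========================================================================
	// VIBE CODER HARDCODED SECRETS — files where keys get pasted directly
	// =========================================================================
	"/constants.js",
	"/constants.ts",
	"/src/constants.js",
	"/src/constants.ts",
	"/src/config.js",
	"/src/config.ts",
	"/src/config/index.js",
	"/src/config/index.ts",
	"/lib/config.js",
	"/lib/config.ts",
	"/utils/config.js",
	"/utils/config.ts",
	"/src/utils/api.js",
	"/src/utils/api.ts",
	"/src/services/api.js",
	"/src/services/api.ts",

	// =========================================================================
	// DOCKER RUNTIME SECRETS — mounted at /run/secrets/
	// =========================================================================
	"/run/secrets/",
	"/run/secrets/db_password",
	"/run/secrets/db_root_password",

	// =========================================================================
	// MISCELLANEOUS / CATCH-ALL
	// =========================================================================
	"/LICENSE",
	"/README.md",
	"/README.txt",
	"/CHANGELOG.md",
	"/CHANGELOG.txt",
	"/TODO.md",
	"/TODO.txt",
	"/NOTES.md",
	"/INSTALL.md",
	"/.dockerignore",
	"/.eslintrc",
	"/.eslintrc.json",
	"/.prettierrc",
	"/.babelrc",
	"/tailwind.config.js",
	"/tailwind.config.ts",
	"/postcss.config.js",
	"/webpack.config.js",
	"/webpack.config.ts",
	"/rollup.config.js",
	"/vite.config.js",
	"/vite.config.ts",
	"/esbuild.config.js",
	"/wrangler.toml",
	"/workers-site/",
	"/manifest.json",
	"/site.webmanifest",
	"/.well-known/",
	"/humans.txt",
	"/ads.txt",
	"/app-ads.txt",
	"/browserconfig.xml",

	// =========================================================================
	// COMMON SENSITIVE DIRECTORIES
	// =========================================================================
	"/private/",
	"/internal/",
	"/secret/",
	"/hidden/",
	"/confidential/",
	"/restricted/",
	"/uploads/",
	"/upload/",
	"/files/",
	"/documents/",
	"/docs/",
	"/data/",
	"/export/",
	"/exports/",
	"/import/",
	"/imports/",
	"/reports/",
	"/logs/",
	"/log/",
	"/debug/",
	"/test/",
	"/tests/",
	"/staging/",
	"/dev/",
	"/development/",
	"/sandbox/",
	"/demo/",
	"/sample/",
	"/examples/",
	"/migration/",
	"/migrations/",
	"/seeds/",
	"/fixtures/",
	"/sql/",
	"/scripts/",
	"/bin/",
	"/cgi-bin/",

	// =========================================================================
	// AI CODING TOOLS — Replit / Cursor / Claude Code / Bolt / v0 / Lovable
	// =========================================================================
	// Replit
	"/.replit",
	"/replit.nix",
	"/.replit.env",
	"/.replit/",
	"/replit.toml",
	"/.config/replit/",

	// Cursor
	"/.cursorrules",
	"/.cursorignore",
	"/.cursorindexingignore",
	"/.cursor/",
	"/.cursor/settings.json",
	"/.cursor/mcp.json",

	// Claude Code / Anthropic
	"/CLAUDE.md",
	"/.claude/settings.json",
	"/.claude/",
	"/.claudeignore",
	"/.anthropic/config.json",
	"/claude_desktop_config.json",
	"/AGENTS.md",
	"/.agents/local.json",

	// Bolt.new / StackBlitz
	"/.bolt/config",
	"/.bolt/",
	"/.bolt/config.json",
	"/.bolt/ignore",
	"/.boltignore",
	"/bolt.yaml",
	"/bolt.service.yaml",
	"/.stackblitz/",
	"/.stackblitz.json",

	// Lovable / GPT Engineer
	"/.lovable/",
	"/.lovable/config.json",

	// Windsurf / Codeium
	"/.windsurf/",
	"/.windsurfrules",
	"/.codeium/",

	// GitHub Copilot
	"/.copilot/",
	"/.copilot/config",
	"/.copilot/mcp-config.json",
	"/.github/copilot/",
	"/.github/copilot-setup-steps.yml",

	// Base44
	"/.base44/",
	"/.base44/config.json",
	"/base44.config.js",
	"/base44.config.json",

	// v0 (Vercel)
	"/.v0/",
	"/.v0/config.json",

	// Devin AI (".envrc" is the direnv environment file)
	"/.envrc",
	"/.devin/",
	"/.devin/config.json",

	// Amazon Q Developer
	"/.aws/amazonq/mcp.json",

	// OpenAI Codex CLI
	"/.codex/",
	"/.codex/config.toml",

	// Tempo Labs
	"/.tempo/",
	"/.tempo/config.json",

	// Softgen
	"/firebase.config.js",
	"/firebase.config.ts",

	// MCP (Model Context Protocol) — shared across many AI tools
	"/mcp.json",
	"/.mcp/",
	"/.mcp/config.json",
	"/mcp-config.json",
	"/mcp-servers.json",

	// General AI coding
	"/.aider/",
	"/.aider.conf.yml",
	"/.continue/",
	"/.continue/config.json",
	"/.tabby/",
	"/.cody/",
	"/.tabnine/",
	"/.kiro/",
	"/.roo/",
	"/.roo/config.json",
	"/.zed/",
	"/.zed/settings.json",

	// =========================================================================
	// VIBE CODER SPECIFIC — common leaks from rapid prototyping
	// =========================================================================
	// Dev vars / secrets files
	"/.dev.vars",
	"/.env.vault",
	"/DOTENV_PRIVATE_KEY",

	// Doppler / Infisical (secret managers)
	"/.doppler/",
	"/.doppler/config.json",
	"/.infisical/",
	"/.infisical.json",
	"/doppler.yaml",
	"/infisical.json",

	// Convex
	"/convex/_generated/",
	"/convex/serviceAccountKey.json",
	"/convex.json",
	"/convex/convex.config.ts",

	// Wasp
	"/main.wasp",
	"/.env.server",
	"/.env.client",

	// Amplication
	"/.amplication/",

	// No-code/low-code platforms
	"/retool.json",
	"/appsmith.json",
	"/budibase.json",
	"/tooljet.json",

	// Jupyter Notebooks — major leak vector for API keys
	"/notebook.ipynb",
	"/main.ipynb",
	"/app.ipynb",
	"/index.ipynb",
	"/test.ipynb",
	"/demo.ipynb",
	"/config.ipynb",
	"/setup.ipynb",
	"/Untitled.ipynb",
	"/.ipynb_checkpoints/",

	// Turso / PlanetScale
	"/.turso/",
	"/turso.json",
	"/.planetscale/",

	// Neon
	"/neon.json",
	"/.neon/",

	// Upstash
	"/upstash.json",

	// tRPC
	"/trpc-config.ts",

	// Hono
	"/hono.config.ts",

	// Elixir / Phoenix
	"/prod.exs",
	"/dev.exs",
	"/config.exs",
	"/runtime.exs",
	"/prod.secret.exs",

	// =========================================================================
	// SHELL / SYSTEM HISTORY — can contain pasted creds
	// =========================================================================
	// The history files repeat the TEMP / SWAP section; repeats are dropped by
	// dedupeCredentialPaths.
	"/.bash_history",
	"/.bashrc",
	"/.bash_profile",
	"/.profile",
	"/.zsh_history",
	"/.zshrc",
	"/.mysql_history",
	"/.psql_history",
	"/.python_history",
	"/.node_repl_history",
	"/.irb_history",
	"/.lesshst",
	"/.viminfo",
	"/.wget-hsts",

	// =========================================================================
	// DATABASE CLIENT CONFIGS — may contain passwords
	// =========================================================================
	"/.pgpass",
	"/.my.cnf",
	"/mongodb.conf",
	"/redis.conf",
	"/redis.yaml",
	"/mongod.conf",
	"/pg_hba.conf",
	"/my.ini",
	"/my.cnf",

	// =========================================================================
	// CRYPTOCURRENCY / WEB3
	// =========================================================================
	"/hardhat.config.js",
	"/hardhat.config.ts",
	"/truffle-config.js",
	"/foundry.toml",
	"/.secret",
	"/mnemonic.txt",
	"/wallet.json",
	"/keystore.json",
	"/.openzeppelin/",
})

// dedupeCredentialPaths returns paths with repeated entries removed. The first
// occurrence of each path is kept and the relative order of the remaining
// entries is unchanged. Comparison is exact, so "/debug" and "/debug/" are
// treated as different paths.
func dedupeCredentialPaths(paths []string) []string {
	seen := make(map[string]struct{}, len(paths))
	out := make([]string, 0, len(paths))
	for _, p := range paths {
		if _, dup := seen[p]; dup {
			continue
		}
		seen[p] = struct{}{}
		out = append(out, p)
	}
	return out
}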

// CredentialPatterns contains strings that indicate credential exposure when
// found in HTTP response bodies. These are matched case-insensitively.
//
// The entries are string literals grouped by provider or category. They range
// from provider-specific variable names to single generic words, so a hit
// shows that a credential-related name appears in the body, not that a usable
// secret was disclosed.
//
// NOTE(review): the code that compares these strings is not in this part of
// the file. If it is a plain substring search (confirm), short entries such
// as "pwd", "SALT", "token" and "authorization" will also hit ordinary HTML
// and JavaScript, so findings based only on them need corroboration.
//
// NOTE(review): several entries name values that are public by design
// (PUBLIC_KEY, STRIPE_PUBLISHABLE_KEY, CLERK_PUBLISHABLE_KEY,
// NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY, GOOGLE_ANALYTICS_ID, GA_TRACKING_ID,
// GTM_ID, "-----BEGIN CERTIFICATE-----"). They can show that a config file is
// being served, but the matched value itself is not a secret; consider
// reporting them at a lower severity.
var CredentialPatterns = []string{
	// Database credentials
	"DB_PASSWORD",
	"DB_USERNAME",
	"DB_HOST",
	"DB_DATABASE",
	"DB_PORT",
	"DB_CONNECTION",
	"DATABASE_URL",
	"DATABASE_HOST",
	"DATABASE_PASSWORD",
	"DATABASE_USERNAME",
	"MYSQL_PASSWORD",
	"MYSQL_ROOT_PASSWORD",
	"MYSQL_USER",
	"POSTGRES_PASSWORD",
	"POSTGRES_USER",
	"PGPASSWORD",
	"PGUSER",
	"MONGO_URI",
	"MONGODB_URI",
	"MONGO_URL",
	"REDIS_URL",
	"REDIS_PASSWORD",
	"REDIS_HOST",
	"SQLITE_PATH",
	"POSTGRES_URL",
	"POSTGRESQL_URL",
	"MYSQL_URL",
	"MYSQL_HOST",
	"MYSQL_DATABASE",
	"SUPABASE_URL",
	"SUPABASE_KEY",
	"SUPABASE_ANON_KEY",
	"SUPABASE_SERVICE_ROLE_KEY",
	"SUPABASE_JWT_SECRET",

	// AWS
	"AWS_ACCESS_KEY_ID",
	"AWS_SECRET_ACCESS_KEY",
	"AWS_SESSION_TOKEN",
	"AWS_DEFAULT_REGION",
	"AWS_ACCOUNT_ID",
	"AWS_LAMBDA_FUNCTION",
	"S3_BUCKET",
	"S3_KEY",
	"S3_SECRET",
	"S3_REGION",
	"S3_ENDPOINT",
	"CLOUDFRONT_URL",

	// GCP
	"GOOGLE_APPLICATION_CREDENTIALS",
	"GOOGLE_CLOUD_PROJECT",
	"GOOGLE_PRIVATE_KEY",
	"GOOGLE_CLIENT_EMAIL",
	"GOOGLE_CLIENT_ID",
	"GCP_PROJECT",
	"GCS_BUCKET",
	"FIREBASE_API_KEY",
	"FIREBASE_AUTH_DOMAIN",
	"FIREBASE_PROJECT_ID",
	"FIREBASE_STORAGE_BUCKET",
	"FIREBASE_MESSAGING_SENDER_ID",
	"FIREBASE_APP_ID",
	"FIREBASE_PRIVATE_KEY",
	"FIREBASE_CLIENT_EMAIL",
	"FIREBASE_TOKEN",
	"FIREBASE_DATABASE_URL",

	// Azure
	"AZURE_CLIENT_ID",
	"AZURE_CLIENT_SECRET",
	"AZURE_TENANT_ID",
	"AZURE_SUBSCRIPTION_ID",
	"AZURE_STORAGE_KEY",
	"AZURE_STORAGE_CONNECTION_STRING",

	// Generic API keys
	"API_KEY",
	"API_SECRET",
	"API_TOKEN",
	"APIKEY",
	"APP_KEY",
	"APP_SECRET",
	"APPLICATION_KEY",
	"SECRET_KEY",
	"SECRET_TOKEN",
	"PRIVATE_KEY",
	"PUBLIC_KEY",
	"ACCESS_KEY",
	"ACCESS_TOKEN",
	"ACCESS_SECRET",
	"AUTH_TOKEN",
	"AUTH_SECRET",
	"AUTH_KEY",
	"BEARER_TOKEN",
	"JWT_SECRET",
	"JWT_KEY",
	"JWT_PRIVATE_KEY",
	"JWT_SIGNING_KEY",
	"TOKEN_SECRET",
	"ACCESS_TOKEN_SECRET",
	"REFRESH_TOKEN_SECRET",
	"ENCRYPTION_KEY",
	"SIGNING_KEY",
	"MASTER_KEY",
	"APP_SECRET_KEY",
	"SESSION_SECRET",
	"COOKIE_SECRET",
	"CSRF_SECRET",
	"HASH_SALT",
	"SALT",

	// Payment
	"STRIPE_SECRET",
	"STRIPE_SECRET_KEY",
	"STRIPE_PUBLISHABLE_KEY",
	"STRIPE_WEBHOOK_SECRET",
	"STRIPE_API_KEY",
	"PAYPAL_CLIENT_ID",
	"PAYPAL_CLIENT_SECRET",
	"PAYPAL_SECRET",
	"RAZORPAY_KEY",
	"RAZORPAY_SECRET",
	"SQUARE_ACCESS_TOKEN",
	"BRAINTREE_PRIVATE_KEY",
	"BRAINTREE_MERCHANT_ID",
	"COINBASE_API_KEY",

	// Email / SMS / Communication
	"SENDGRID_API_KEY",
	"SENDGRID_KEY",
	"MAILGUN_API_KEY",
	"MAILGUN_SECRET",
	"MAILGUN_DOMAIN",
	"MAILCHIMP_API_KEY",
	"POSTMARK_API_KEY",
	"POSTMARK_TOKEN",
	"SES_ACCESS_KEY",
	"SMTP_PASSWORD",
	"SMTP_USERNAME",
	"SMTP_HOST",
	"MAIL_PASSWORD",
	"MAIL_USERNAME",
	"EMAIL_PASSWORD",
	"TWILIO_AUTH_TOKEN",
	"TWILIO_ACCOUNT_SID",
	"TWILIO_API_KEY",
	"TWILIO_API_SECRET",
	"VONAGE_API_KEY",
	"NEXMO_API_KEY",
	"NEXMO_API_SECRET",
	"PUSHER_APP_ID",
	"PUSHER_KEY",
	"PUSHER_SECRET",
	"PUSHER_APP_KEY",

	// Auth providers
	"CLERK_SECRET_KEY",
	"CLERK_API_KEY",
	"CLERK_PUBLISHABLE_KEY",
	"NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY",
	"AUTH0_SECRET",
	"AUTH0_CLIENT_ID",
	"AUTH0_CLIENT_SECRET",
	"AUTH0_DOMAIN",
	"OKTA_CLIENT_SECRET",
	"OKTA_API_TOKEN",
	"COGNITO_USER_POOL_ID",
	"COGNITO_CLIENT_SECRET",
	"NEXTAUTH_SECRET",
	"NEXTAUTH_URL",
	"NEXT_AUTH_SECRET",
	"OAUTH_CLIENT_SECRET",
	"OAUTH_CLIENT_ID",
	"GOOGLE_CLIENT_SECRET",
	"FACEBOOK_APP_SECRET",
	"FACEBOOK_CLIENT_SECRET",
	"TWITTER_API_KEY",
	"TWITTER_API_SECRET",
	"TWITTER_BEARER_TOKEN",
	"DISCORD_CLIENT_SECRET",
	"DISCORD_BOT_TOKEN",
	"DISCORD_TOKEN",

	// Source control / CI
	"GITHUB_TOKEN",
	"GITHUB_SECRET",
	"GITHUB_CLIENT_SECRET",
	"GITHUB_APP_PRIVATE_KEY",
	"GH_TOKEN",
	"GITLAB_TOKEN",
	"GITLAB_PRIVATE_TOKEN",
	"BITBUCKET_SECRET",
	"BITBUCKET_TOKEN",
	"CIRCLECI_TOKEN",
	"TRAVIS_TOKEN",
	"JENKINS_TOKEN",
	"JENKINS_PASSWORD",
	"NPM_TOKEN",
	"NPM_AUTH_TOKEN",
	"PYPI_TOKEN",
	"PYPI_PASSWORD",
	"DOCKER_PASSWORD",
	"DOCKER_TOKEN",
	"DOCKERHUB_TOKEN",
	"REGISTRY_PASSWORD",

	// Messaging / Collaboration
	"SLACK_TOKEN",
	"SLACK_WEBHOOK",
	"SLACK_WEBHOOK_URL",
	"SLACK_BOT_TOKEN",
	"SLACK_SIGNING_SECRET",
	"SLACK_API_TOKEN",
	"TELEGRAM_BOT_TOKEN",
	"TELEGRAM_TOKEN",
	"TEAMS_WEBHOOK",

	// CDN / Storage / Media
	"CLOUDINARY_URL",
	"CLOUDINARY_API_KEY",
	"CLOUDINARY_API_SECRET",
	"CLOUDFLARE_API_KEY",
	"CLOUDFLARE_API_TOKEN",
	"CLOUDFLARE_ZONE_ID",
	"IMGIX_TOKEN",
	"UPLOADTHING_SECRET",
	"UPLOADTHING_TOKEN",

	// Search / AI / ML
	"OPENAI_API_KEY",
	"OPENAI_KEY",
	"ANTHROPIC_API_KEY",
	"COHERE_API_KEY",
	"GEMINI_API_KEY",
	"GOOGLE_AI_API_KEY",
	"GOOGLE_GENERATIVE_AI_KEY",
	"HUGGINGFACE_TOKEN",
	"REPLICATE_API_TOKEN",
	"GROQ_API_KEY",
	"MISTRAL_API_KEY",
	"TOGETHER_API_KEY",
	"PERPLEXITY_API_KEY",
	"DEEPSEEK_API_KEY",
	"BASE44_API_KEY",
	"REPLIT_TOKEN",
	"REPLIT_DB_URL",
	"PINECONE_API_KEY",
	"PINECONE_ENVIRONMENT",
	"WEAVIATE_API_KEY",
	"QDRANT_API_KEY",
	"ALGOLIA_API_KEY",
	"ALGOLIA_APP_ID",
	"ALGOLIA_ADMIN_KEY",
	"ALGOLIA_SEARCH_KEY",
	"ELASTICSEARCH_URL",
	"ELASTICSEARCH_PASSWORD",
	"MEILISEARCH_KEY",
	"TYPESENSE_API_KEY",

	// Monitoring / Analytics / Error tracking
	"SENTRY_DSN",
	"SENTRY_AUTH_TOKEN",
	"DATADOG_API_KEY",
	"DATADOG_APP_KEY",
	"NEW_RELIC_LICENSE_KEY",
	"NEWRELIC_KEY",
	"BUGSNAG_API_KEY",
	"ROLLBAR_ACCESS_TOKEN",
	"LOGROCKET_APP_ID",
	"MIXPANEL_TOKEN",
	"AMPLITUDE_API_KEY",
	"SEGMENT_WRITE_KEY",
	"HEAP_API_KEY",
	"POSTHOG_API_KEY",
	"PLAUSIBLE_API_KEY",
	"GOOGLE_ANALYTICS_ID",
	"GA_TRACKING_ID",
	"GTM_ID",

	// Maps / Location
	"GOOGLE_MAPS_API_KEY",
	"GOOGLE_MAPS_KEY",
	"MAPBOX_ACCESS_TOKEN",
	"MAPBOX_TOKEN",
	"HERE_API_KEY",

	// Vercel / Netlify / Hosting
	"VERCEL_TOKEN",
	"VERCEL_ORG_ID",
	"VERCEL_PROJECT_ID",
	"NETLIFY_AUTH_TOKEN",
	"NETLIFY_SITE_ID",
	"HEROKU_API_KEY",
	"HEROKU_APP_NAME",
	"FLY_API_TOKEN",
	"RAILWAY_TOKEN",
	"RENDER_API_KEY",
	"DIGITAL_OCEAN_TOKEN",

	// CMS
	"CONTENTFUL_ACCESS_TOKEN",
	"CONTENTFUL_SPACE_ID",
	"CONTENTFUL_MANAGEMENT_TOKEN",
	"STRAPI_TOKEN",
	"SANITY_TOKEN",
	"SANITY_PROJECT_ID",
	"PRISMIC_ACCESS_TOKEN",
	"GHOST_API_KEY",
	"GHOST_ADMIN_API_KEY",
	"DIRECTUS_TOKEN",
	"WORDPRESS_AUTH_KEY",
	"WORDPRESS_SECURE_AUTH_KEY",

	// Crypto / Blockchain
	"ALCHEMY_API_KEY",
	"INFURA_API_KEY",
	"INFURA_PROJECT_SECRET",
	"ETHERSCAN_API_KEY",
	"MORALIS_API_KEY",
	"WALLET_PRIVATE_KEY",
	"MNEMONIC",
	"SEED_PHRASE",

	// AI coding tools / MCP
	"MCP_SERVER_TOKEN",
	"MCP_API_KEY",
	"DEVIN_API_KEY",
	"CURSOR_API_KEY",
	"REPLIT_API_KEY",
	"BOLT_API_KEY",
	"LOVABLE_API_KEY",
	"V0_API_KEY",
	"TEMPO_API_KEY",
	"SOFTGEN_API_KEY",
	"WINDSURF_TOKEN",
	"CODEIUM_API_KEY",
	"TABNINE_API_KEY",
	"AMAZON_Q_API_KEY",
	"CODEX_API_KEY",

	// Generic sensitive terms
	// NOTE(review): with case-insensitive matching, "apikey", "api_key",
	// "private_key", "secret_key", "access_key" and "auth_token" repeat the
	// upper-case entries under "Generic API keys" above; verify whether the
	// duplicates produce duplicate findings.
	"password",
	"passwd",
	"pwd",
	"secret",
	"credential",
	"token",
	"apikey",
	"api_key",
	"private_key",
	"secret_key",
	"access_key",
	"client_secret",
	"auth_token",
	"bearer",
	"authorization",

	// Connection strings
	// A scheme prefix on its own does not show that a user name or password
	// is embedded in the URL; "ftp://" and "ssh://" also occur in ordinary
	// links and documentation.
	"mongodb://",
	"mongodb+srv://",
	"postgres://",
	"postgresql://",
	"mysql://",
	"redis://",
	"rediss://",
	"amqp://",
	"amqps://",
	"smtp://",
	"ftp://",
	"sftp://",
	"ssh://",
	"Server=",
	"Data Source=",
	"jdbc:",

	// Git config indicators
	// These are literal strings; gitConfigPattern in this file is the
	// line-anchored regular expression for the same section headers.
	"[core]",
	"repositoryformatversion",
	"[remote \"origin\"]",

	// Key format indicators
	// PEM armor header lines. All but the last mark private key material;
	// a CERTIFICATE block holds a public certificate.
	"-----BEGIN RSA PRIVATE KEY-----",
	"-----BEGIN PRIVATE KEY-----",
	"-----BEGIN EC PRIVATE KEY-----",
	"-----BEGIN OPENSSH PRIVATE KEY-----",
	"-----BEGIN DSA PRIVATE KEY-----",
	"-----BEGIN PGP PRIVATE KEY BLOCK-----",
	"-----BEGIN CERTIFICATE-----",

	// Common framework secrets
	"APP_KEY=base64:",
	"LARAVEL_KEY",
	"DJANGO_SECRET_KEY",
	"FLASK_SECRET_KEY",
	"RAILS_MASTER_KEY",
	"RAILS_SECRET_KEY_BASE",
	"SECRET_KEY_BASE",
	"DEVISE_SECRET_KEY",
	"SPRING_DATASOURCE_PASSWORD",
	"SPRING_SECURITY_SECRET",
}

// Regular expressions used for context-aware matching. regexp.MustCompile
// runs while package-level variables are initialized, so each expression is
// compiled once and an invalid expression would panic at start-up.
var (
	// envKeyValuePattern matches a single KEY=VALUE line as found in .env
	// files. matchPatternsContextAware uses it and treats three or more
	// matching lines as a .env file.
	//
	// The key must start at the first column with an upper-case letter or an
	// underscore, continue with upper-case letters, digits or underscores,
	// and be followed directly by "=" and at least one character. Lines such
	// as `export KEY=value`, `key=value`, `KEY = value`, indented
	// assignments and empty values (`KEY=`) are therefore not counted.
	envKeyValuePattern = regexp.MustCompile(`(?m)^[A-Z_][A-Z0-9_]*=.+$`)

	// gitConfigPattern matches a [core], [remote], [branch] or [user] section
	// header at the start of a line, covering both the bare form ([core]) and
	// the named form ([remote "origin"]). matchPatternsContextAware uses it
	// to tell git configuration apart from generic INI files.
	//
	// NOTE(review): section names such as [core] and [user] can also appear
	// in INI files that are not git configs, so a match is a strong hint
	// rather than proof. Headers preceded by whitespace are not matched.
	gitConfigPattern = regexp.MustCompile(`(?m)^\[(core|remote|branch|user)(\s|])`)
)
