# Settlin secret scan patterns
# Used by CI (grep -Ef secrets-patterns.txt) and the pre-commit-checks Claude skill.
# Each line is a regex matched against git diff output.

# AWS
AKIA[0-9A-Z]{16}

# OpenAI
sk-[A-Za-z0-9]{20,}

# GitHub tokens
ghp_[A-Za-z0-9]{36}
gho_[A-Za-z0-9]{36}
github_pat_[A-Za-z0-9_]{82}

# Slack
xox[baprs]-[A-Za-z0-9-]{10,}

# Private keys
-----BEGIN (RSA |EC |OPENSSH |DSA |PGP )?PRIVATE KEY

# JWT (3-part base64url)
eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}

# Google API keys
AIza[0-9A-Za-z_-]{35}

# Google OAuth client ID
[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com

# Generic credential assignments (password/secret/key = "value")
(password|passwd|pwd|secret|api_key|apikey|api-key|auth_token|access_token|client_secret|private_key|encryption_key)\s*[:=]\s*["'][^"']{8,}["']
