# Secret-scan pattern catalogue (T-1844).
# Format: <name><TAB><extended-regex>
# Read by agents/git/lib/secret-scan.sh. Patterns are tried in order.
#
# When adding a pattern: prefer specific (e.g. AKIA prefix) over generic
# (e.g. base64 entropy). Generic entropy checks belong in gitleaks; this
# catalogue is the always-on baseline.
#
# Comments (lines starting with #) and empty lines are ignored.
# Pattern entries. One per line; the name is everything before the TAB.
# None of the expressions below carries ^/$ anchors or word boundaries, so
# unless secret-scan.sh adds them a pattern can match inside a longer token.
#
# NOTE(review): a bare run of 52 characters from [a-z2-7], with no prefix or
# context keyword. This is the most generic entry in the file and it is listed
# first; any long lowercase base32-style string would be reported under this
# name. Confirm how secret-scan.sh labels a line that several patterns match.
Azure DevOps PAT	[a-z2-7]{52}
# Long-term access key IDs only (AKIA prefix + 16 upper-case alphanumerics).
# NOTE(review): temporary STS key IDs use the ASIA prefix and are not matched
# here - confirm that is intended.
AWS Access Key	AKIA[0-9A-Z]{16}
# Needs the literal lower-case key name, then ':' or '=', then 40 characters
# of [A-Za-z0-9/+=]. The value class has no quote character, so a quoted value
# (key = "...") does not match. NOTE(review): the upper-case environment
# variable spelling matches only if the scanner runs case-insensitively -
# TODO confirm against secret-scan.sh.
AWS Secret Key	aws_secret_access_key[[:space:]]*[:=][[:space:]]*[A-Za-z0-9/+=]{40}
# Covers the ghp_/gho_/ghu_/ghs_/ghr_ token prefixes followed by 36 or more
# alphanumerics. NOTE(review): fine-grained tokens using the github_pat_
# prefix are not covered by this expression.
GitHub PAT	gh[pousr]_[A-Za-z0-9]{36,}
# PEM/armor header match; despite the entry name it is not limited to SSH keys.
# NOTE(review): every alternative requires a type word directly before
# "PRIVATE KEY" and five dashes directly after it, so two common headers are
# missed: the untyped PKCS#8 form (BEGIN PRIVATE KEY / BEGIN ENCRYPTED PRIVATE
# KEY) and the OpenPGP armor header, which ends in "PRIVATE KEY BLOCK". As
# written, the PGP branch would not match a real armored secret key.
SSH Private Key	-----BEGIN (RSA|DSA|EC|OPENSSH|PGP) PRIVATE KEY-----
# Three dot-separated segments of 10+ characters; the first two must start
# with "eyJ". The pattern does not require the word "Bearer", so any
# JWT-shaped string is reported, including expired or unsigned-test tokens.
JWT Bearer	eyJ[A-Za-z0-9_=-]{10,}\.eyJ[A-Za-z0-9_=-]{10,}\.[A-Za-z0-9_.+/=-]{10,}
# Only the xoxa-/xoxb-/xoxp-/xoxr-/xoxs- prefixes are matched.
# NOTE(review): app-level tokens (xapp- prefix) and incoming-webhook URLs are
# outside this expression - confirm whether another layer covers them.
Slack Token	xox[abprs]-[A-Za-z0-9-]{10,}
# AIza prefix followed by 35 characters of [0-9A-Za-z_-].
Google API Key	AIza[0-9A-Za-z_-]{35}
# Secret keys for both live and test mode, 24 or more alphanumerics.
# NOTE(review): restricted keys (rk_ prefix) are not matched; test-mode hits
# are reported under the same name as live ones.
Stripe Key	sk_(live|test)_[A-Za-z0-9]{24,}
# sk-ant- prefix followed by 20 or more characters of [A-Za-z0-9_-].
Anthropic API Key	sk-ant-[A-Za-z0-9_-]{20,}
# Requires 48 consecutive alphanumerics directly after "sk-". The class has no
# '-' or '_', so this cannot fire on an sk-ant- key at the same position.
# NOTE(review): for the same reason, key formats with further hyphens or
# underscores after "sk-" (e.g. an sk-proj- style prefix) would not match -
# verify against the key formats currently in use.
OpenAI API Key	sk-[A-Za-z0-9]{48}
