Awesome project. Here are a bunch of high-signal patterns you can add to your collection. I’ve grouped them and tried to keep them specific enough to cut down on false positives.
We could use case-insensitive (i) where noted, and wrap many with \b boundaries when scanning plaintext. I am expanding some that you already had and many others that are new.
Cloud & major platforms
- GitHub classic PATs
Examples: ghp_…, gho_…, ghu_…, ghs_…, ghr_…
Regex: \bgh[opusr]_[0-9a-zA-Z]{36}\b
- GitHub fine-grained PATs
Example: github_pat_11AABBCCDDEEFF001122334455667788AABBCCDDEEFF
Regex: \bgithub_pat_[0-9A-Za-z_]{22,}?[0-9A-Za-z]{20,}\b
- GitLab PAT
Example: glpat-abc123…
Regex: \bglpat-[0-9a-zA-Z_-]{20,}\b
- Bitbucket App Password
Often 20–40 chars alnum with : in HTTPS URL.
Regex (URL form): https?:\/\/[^:\s\/]+:[0-9A-Za-z_\-]{20,40}@bitbucket\.org\/
- Azure Storage Connection String
Regex: \bDefaultEndpointsProtocol=https;AccountName=[a-z0-9]{3,24};AccountKey=[A-Za-z0-9+\/=]{80,}(\;EndpointSuffix=core\.windows\.net)?\b
- Azure SAS Token (blob/table/queue/file)
Regex: \bsv=\d{4}-\d{2}-\d{2}&ss=[bqtfsr]+&srt=[sc]\w*&sp=[rwdlacupx\-]+&se=\d{4}-\d{2}-\d{2}T\d{2}:\d{2}Z&st=\d{4}-\d{2}-\d{2}T\d{2}:\d{2}Z&spr=https?&sig=[A-Za-z0-9%]+
- AWS Secret Access Key (pair with Access Key ID hit)
Regex: \b(?i:aws)?_?secret(_|)access(_|)key"?\s*[:=]\s*['"][A-Za-z0-9\/+=]{40}['"]
- AWS Session Token (STS)
Often begins IQoJ and is long base64url.
Regex: \bIQoJ[A-Za-z0-9\/+=]{200,}\b
- GCP Service Account JSON (structural)
Regex (key fields): \{\s*"type"\s*:\s*"service_account"\s*,\s*"project_id"\s*:\s*".+?"\s*,\s*"private_key_id"\s*:\s*"[0-9a-f]{40}"\s*,\s*"private_key"\s*:\s*"-----BEGIN PRIVATE KEY-----[\s\S]+?-----END PRIVATE KEY-----"\s*,\s*"client_email"\s*:\s*".+?\.gserviceaccount\.com"
- Firebase/Google Web API key (same as YouTube/GCP)
Regex: \bAIza[0-9A-Za-z\-_]{35}\b
- Slack tokens
Bot/User/Legacy: xox[baprs]-
Regex: \bxox[baprs]-[0-9A-Za-z-]{10,100}\b
- Slack Webhook
Regex: \bhttps://hooks\.slack\.com/services/[A-Z0-9]{9}/[A-Z0-9]{9,}/[A-Za-z0-9]{24,}\b
- Discord Bot Token
Format: \d{18,}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27}
Regex: \b\d{18,}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27}\b
- Discord Webhook
Regex: \bhttps://discord(?:app)?\.com/api/webhooks/\d{16,20}/[A-Za-z0-9_-]{30,}\b
- Telegram Bot Token
Regex: \b\d{8,10}:[A-Za-z0-9_-]{35}\b
- PagerDuty Integration/Route Key
Regex: \b(routing|integration)_key\s*[:=]\s*['"]?[0-9a-f]{32}['"]?\b
- Sentry DSN
Regex: \bhttps?:\/\/[0-9a-f]{32}@[a-z0-9\.-]+\/\d+\b
- Datadog API Key
Regex: \bdatadog(?:_api)?_key\s*[:=]\s*['"]?[0-9a-f]{32}['"]?\b
- New Relic API Key
Examples: NRAK-... (ingest), NRII-... (insights)
Regex: \bNR(AK|II|RA)-[A-Za-z0-9]{27}\b
- SendGrid API Key
Regex: \bSG\.[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{16,}\b
- Mapbox Token
Regex: \bsk\.[A-Za-z0-9]{64}\b|\bpk\.[A-Za-z0-9]{60,}\b
- Okta API Token
Often 40 chars, many start with 00.
Regex: \b00[0-9a-zA-Z]{38}\b
Payments & commerce
-
Stripe Secret/Publishable/Webhook
Secret: sk_live_[0-9A-Za-z]{24}
Publishable: pk_live_[0-9A-Za-z]{24}
Webhook Secret: whsec_[0-9A-Za-z]{28,}
Regex:
\bsk_(?:live|test)_[0-9A-Za-z]{24}\b\bpk_(?:live|test)_[0-9A-Za-z]{24}\b\bwhsec_[0-9A-Za-z]{28,}\b
-
Braintree Access Token
Regex: \baccess_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}\b
-
Shopify Shared Secret
Regex (hex 32): \bshpss_[0-9a-f]{32}\b
Admin API token: \bshpat_[0-9a-f]{32}\b
CI/CD & Dev tooling
- CircleCI Token
Regex: \bCIRCLECI_TOKEN[=:]\s*['"]?[0-9a-f]{40}['"]?\b
- Travis/JWT-ish Env Secrets
Regex: \b(travis|CI)_TOKEN[=:]\s*['"]?[A-Za-z0-9_\-]{20,}['"]?\b
- Heroku API Key
Regex: \bheroku[a-z0-9]{6,}-[A-Za-z0-9]{8}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{12}\b|\b(?i:heroku).*apikey.*['"][0-9a-f]{32}['"]
- Snyk Token
Regex: \b(?i:snyk)_?token\s*[:=]\s*['"]?[a-f0-9]{8}(?:-[a-f0-9]{4}){3}-[a-f0-9]{12}['"]?\b
Social & comms
- Trello API Key/Token
Regex: \b[0-9a-f]{32}\b(?=.*\bTRELLO\b)|\bTRELLO_?(KEY|TOKEN)\s*=\s*[0-9a-zA-Z]{32,64}\b
- Zoom JWT App Secret
Regex: \b(?i:zoom).*(secret|token)\s*[:=]\s*['"][A-Za-z0-9\-_]{32,}['"]
- WhatsApp Business (Meta) Token
Regex: \bEAA[A-Za-z0-9]{20,}\b (similar to Facebook tokens but broader match)
Databases & connection strings
- PostgreSQL URL
Regex: \bpostgres(?:ql)?:\/\/[^:\s\/]+:[^@\s\/]+@[^:\s\/]+:\d+\/[^\s'"]+\b
- MySQL URL
Regex: \bmysql:\/\/[^:\s\/]+:[^@\s\/]+@[^:\s\/]+:\d+\/[^\s'"]+\b
- MongoDB SRV URL
Regex: \bmongodb\+srv:\/\/[^:\s\/]+:[^@\s\/]+@[^\/\s]+\/[^\s'"]+\b
- Redis URL
Regex: \bredis:\/\/:[^@\s]+@[^:\s\/]+:\d+\b
OAuth, JWTs & generic credentials
- JWT
Regex: \beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b
- Basic Auth in URLs
Regex: \bhttps?:\/\/[^:\s\/]+:[^@\s\/]+@[^\/\s]+
- Generic “password/secret/api_key” assignment (use with path/filename allowlists to reduce noise)
Regex: (?i)\b(pass(word)?|secret|api[_-]?key|token)\b\s*[:=]\s*['"][^'"]{8,}['"]
- PEM Private Keys
RSA: -----BEGIN RSA PRIVATE KEY-----[\s\S]+?-----END RSA PRIVATE KEY-----
PKCS8: -----BEGIN PRIVATE KEY-----[\s\S]+?-----END PRIVATE KEY-----
EC: -----BEGIN EC PRIVATE KEY-----[\s\S]+?-----END EC PRIVATE KEY-----
- SSH Private Key
Regex: -----BEGIN OPENSSH PRIVATE KEY-----[\s\S]+?-----END OPENSSH PRIVATE KEY-----
- PGP Private Key
Regex: -----BEGIN PGP PRIVATE KEY BLOCK-----[\s\S]+?-----END PGP PRIVATE KEY BLOCK-----
More provider-specific API tokens
- Dropbox Access Token
Regex: \b[A-Za-z0-9_-]{15}AAAAAA[A-Za-z0-9_-]{43}\b
- DigitalOcean Personal Access Token
Regex: \bdo(pat|_token)?[_-]?[A-Za-z0-9]{30,}\b|\b(?i:digitalocean).*(token|key)\s*[:=]\s*['"][A-Za-z0-9]{30,}['"]
- Linode Token
Regex: \b(?i:linode).*(token|key)\s*[:=]\s*['"][A-Za-z0-9_-]{40,}['"]
- Toggl API Token
Regex: \b[0-9a-f]{32}\b(?=.*\bTOGGL\b)
- Twilio Auth Token
Regex: \b(?i:twilio).*?(auth[_-]?token)\s*[:=]\s*['"]?[0-9a-f]{32}['"]?\b
- Atlassian API Token (email:token)
Regex: \b[a-z0-9._%+-]+@(?:atlassian|jira|confluence)[^:]*:[A-Za-z0-9]{24}\b
- Zendesk API Token
Regex: \b(?i:zendesk).*(api[_-]?token)\s*[:=]\s*['"][A-Za-z0-9]{40}['"]
- Auth0 Client Secret
Regex: \b(?i:auth0).*(client[_-]?secret)\s*[:=]\s*['"][A-Za-z0-9\-_]{32,}['"]
Awesome project. Here are a bunch of high-signal patterns you can add to your collection. I’ve grouped them and tried to keep them specific enough to cut down on false positives.
We could use case-insensitive (
i) where noted, and wrap many with\bboundaries when scanning plaintext. I am expanding some that you already had and many others that are new.Cloud & major platforms
Examples:
ghp_…,gho_…,ghu_…,ghs_…,ghr_…Regex:
\bgh[opusr]_[0-9a-zA-Z]{36}\bExample:
github_pat_11AABBCCDDEEFF001122334455667788AABBCCDDEEFFRegex:
\bgithub_pat_[0-9A-Za-z_]{22,}?[0-9A-Za-z]{20,}\bExample:
glpat-abc123…Regex:
\bglpat-[0-9a-zA-Z_-]{20,}\bOften 20–40 chars alnum with
:in HTTPS URL.Regex (URL form):
https?:\/\/[^:\s\/]+:[0-9A-Za-z_\-]{20,40}@bitbucket\.org\/Regex:
\bDefaultEndpointsProtocol=https;AccountName=[a-z0-9]{3,24};AccountKey=[A-Za-z0-9+\/=]{80,}(\;EndpointSuffix=core\.windows\.net)?\bRegex:
\bsv=\d{4}-\d{2}-\d{2}&ss=[bqtfsr]+&srt=[sc]\w*&sp=[rwdlacupx\-]+&se=\d{4}-\d{2}-\d{2}T\d{2}:\d{2}Z&st=\d{4}-\d{2}-\d{2}T\d{2}:\d{2}Z&spr=https?&sig=[A-Za-z0-9%]+Regex:
\b(?i:aws)?_?secret(_|)access(_|)key"?\s*[:=]\s*['"][A-Za-z0-9\/+=]{40}['"]Often begins
IQoJand is long base64url.Regex:
\bIQoJ[A-Za-z0-9\/+=]{200,}\bRegex (key fields):
\{\s*"type"\s*:\s*"service_account"\s*,\s*"project_id"\s*:\s*".+?"\s*,\s*"private_key_id"\s*:\s*"[0-9a-f]{40}"\s*,\s*"private_key"\s*:\s*"-----BEGIN PRIVATE KEY-----[\s\S]+?-----END PRIVATE KEY-----"\s*,\s*"client_email"\s*:\s*".+?\.gserviceaccount\.com"Regex:
\bAIza[0-9A-Za-z\-_]{35}\bBot/User/Legacy:
xox[baprs]-Regex:
\bxox[baprs]-[0-9A-Za-z-]{10,100}\bRegex:
\bhttps://hooks\.slack\.com/services/[A-Z0-9]{9}/[A-Z0-9]{9,}/[A-Za-z0-9]{24,}\bFormat:
\d{18,}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27}Regex:
\b\d{18,}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27}\bRegex:
\bhttps://discord(?:app)?\.com/api/webhooks/\d{16,20}/[A-Za-z0-9_-]{30,}\bRegex:
\b\d{8,10}:[A-Za-z0-9_-]{35}\bRegex:
\b(routing|integration)_key\s*[:=]\s*['"]?[0-9a-f]{32}['"]?\bRegex:
\bhttps?:\/\/[0-9a-f]{32}@[a-z0-9\.-]+\/\d+\bRegex:
\bdatadog(?:_api)?_key\s*[:=]\s*['"]?[0-9a-f]{32}['"]?\bExamples:
NRAK-...(ingest),NRII-...(insights)Regex:
\bNR(AK|II|RA)-[A-Za-z0-9]{27}\bRegex:
\bSG\.[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{16,}\bRegex:
\bsk\.[A-Za-z0-9]{64}\b|\bpk\.[A-Za-z0-9]{60,}\bOften 40 chars, many start with
00.Regex:
\b00[0-9a-zA-Z]{38}\bPayments & commerce
Stripe Secret/Publishable/Webhook
Secret:
sk_live_[0-9A-Za-z]{24}Publishable:
pk_live_[0-9A-Za-z]{24}Webhook Secret:
whsec_[0-9A-Za-z]{28,}Regex:
\bsk_(?:live|test)_[0-9A-Za-z]{24}\b\bpk_(?:live|test)_[0-9A-Za-z]{24}\b\bwhsec_[0-9A-Za-z]{28,}\bBraintree Access Token
Regex:
\baccess_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}\bShopify Shared Secret
Regex (hex 32):
\bshpss_[0-9a-f]{32}\bAdmin API token:
\bshpat_[0-9a-f]{32}\bCI/CD & Dev tooling
Regex:
\bCIRCLECI_TOKEN[=:]\s*['"]?[0-9a-f]{40}['"]?\bRegex:
\b(travis|CI)_TOKEN[=:]\s*['"]?[A-Za-z0-9_\-]{20,}['"]?\bRegex:
\bheroku[a-z0-9]{6,}-[A-Za-z0-9]{8}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{12}\b|\b(?i:heroku).*apikey.*['"][0-9a-f]{32}['"]Regex:
\b(?i:snyk)_?token\s*[:=]\s*['"]?[a-f0-9]{8}(?:-[a-f0-9]{4}){3}-[a-f0-9]{12}['"]?\bSocial & comms
Regex:
\b[0-9a-f]{32}\b(?=.*\bTRELLO\b)|\bTRELLO_?(KEY|TOKEN)\s*=\s*[0-9a-zA-Z]{32,64}\bRegex:
\b(?i:zoom).*(secret|token)\s*[:=]\s*['"][A-Za-z0-9\-_]{32,}['"]Regex:
\bEAA[A-Za-z0-9]{20,}\b(similar to Facebook tokens but broader match)Databases & connection strings
Regex:
\bpostgres(?:ql)?:\/\/[^:\s\/]+:[^@\s\/]+@[^:\s\/]+:\d+\/[^\s'"]+\bRegex:
\bmysql:\/\/[^:\s\/]+:[^@\s\/]+@[^:\s\/]+:\d+\/[^\s'"]+\bRegex:
\bmongodb\+srv:\/\/[^:\s\/]+:[^@\s\/]+@[^\/\s]+\/[^\s'"]+\bRegex:
\bredis:\/\/:[^@\s]+@[^:\s\/]+:\d+\bOAuth, JWTs & generic credentials
Regex:
\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\bRegex:
\bhttps?:\/\/[^:\s\/]+:[^@\s\/]+@[^\/\s]+Regex:
(?i)\b(pass(word)?|secret|api[_-]?key|token)\b\s*[:=]\s*['"][^'"]{8,}['"]RSA:
-----BEGIN RSA PRIVATE KEY-----[\s\S]+?-----END RSA PRIVATE KEY-----PKCS8:
-----BEGIN PRIVATE KEY-----[\s\S]+?-----END PRIVATE KEY-----EC:
-----BEGIN EC PRIVATE KEY-----[\s\S]+?-----END EC PRIVATE KEY-----Regex:
-----BEGIN OPENSSH PRIVATE KEY-----[\s\S]+?-----END OPENSSH PRIVATE KEY-----Regex:
-----BEGIN PGP PRIVATE KEY BLOCK-----[\s\S]+?-----END PGP PRIVATE KEY BLOCK-----More provider-specific API tokens
Regex:
\b[A-Za-z0-9_-]{15}AAAAAA[A-Za-z0-9_-]{43}\bRegex:
\bdo(pat|_token)?[_-]?[A-Za-z0-9]{30,}\b|\b(?i:digitalocean).*(token|key)\s*[:=]\s*['"][A-Za-z0-9]{30,}['"]Regex:
\b(?i:linode).*(token|key)\s*[:=]\s*['"][A-Za-z0-9_-]{40,}['"]Regex:
\b[0-9a-f]{32}\b(?=.*\bTOGGL\b)Regex:
\b(?i:twilio).*?(auth[_-]?token)\s*[:=]\s*['"]?[0-9a-f]{32}['"]?\bRegex:
\b[a-z0-9._%+-]+@(?:atlassian|jira|confluence)[^:]*:[A-Za-z0-9]{24}\bRegex:
\b(?i:zendesk).*(api[_-]?token)\s*[:=]\s*['"][A-Za-z0-9]{40}['"]Regex:
\b(?i:auth0).*(client[_-]?secret)\s*[:=]\s*['"][A-Za-z0-9\-_]{32,}['"]