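---
# SHHH Secrets Detection Patterns
# Configuration for the Secrets Sentinel monitoring system
#
# Each entry under `patterns` carries a regex plus triage metadata
# (severity, confidence, active flag, description, remediation text).
# NOTE(review): the regex dialect and whether the consumer uses search or
# full-match semantics are not visible in this file - confirm against the
# loader before tightening or anchoring any pattern.

patterns:
  # Covers long-term access key IDs only (AKIA prefix). Temporary STS key
  # IDs use the ASIA prefix and are not matched by this pattern.
  AWS_ACCESS_KEY:
    regex: "AKIA[0-9A-Z]{16}"
    severity: "CRITICAL"
    confidence: 0.95
    active: true
    description: "AWS Access Key ID"
    remediation: "Revoke via AWS IAM immediately"

  # Matches any run of 40 characters from the base64 alphabet, which also
  # includes 40-hex-digit SHA-1 values (e.g. git commit ids) and slices of
  # longer base64 blobs. The pattern is only usable together with
  # context_required; a confidence of 0.85 looks optimistic for the bare
  # regex - TODO confirm how the consumer weighs it.
  AWS_SECRET_KEY:
    regex: "[A-Za-z0-9/+=]{40}"
    severity: "CRITICAL"
    confidence: 0.85
    active: true
    description: "AWS Secret Access Key"
    remediation: "Revoke via AWS IAM immediately"
    context_required: true  # Requires context analysis

  # Matches the PEM header line only; the key body is not part of the match.
  PRIVATE_KEY:
    regex: "-----BEGIN [A-Z ]*PRIVATE KEY-----"
    severity: "CRITICAL"
    confidence: 0.98
    active: true
    description: "Private Key (RSA, SSH, etc.)"
    remediation: "Rotate key immediately"

  # Classic personal access tokens (ghp_). Other GitHub token prefixes
  # (ghu_, ghs_, ghr_, github_pat_) are not covered by any pattern in this
  # file.
  GITHUB_TOKEN:
    regex: "ghp_[0-9A-Za-z]{36}"
    severity: "HIGH"
    confidence: 0.92
    active: true
    description: "GitHub Personal Access Token"
    remediation: "Revoke via GitHub settings"

  GITHUB_OAUTH:
    regex: "gho_[0-9A-Za-z]{36}"
    severity: "HIGH"
    confidence: 0.92
    active: true
    description: "GitHub OAuth Token"
    remediation: "Revoke via GitHub app settings"

  SLACK_TOKEN:
    regex: "xox[baprs]-[0-9A-Za-z-]{10,48}"
    severity: "HIGH"
    confidence: 0.90
    active: true
    description: "Slack Bot/User Token"
    remediation: "Revoke via Slack Admin API"

  # Quantifiers are greedy on purpose. With lazy `+?` on the last segment an
  # unanchored search stops after one signature character, so a consumer
  # that redacts or quarantines by match span would leave the rest of the
  # signature in place. The first two segments are bounded by the literal
  # dot, so greedy and lazy match the same text there.
  JWT_TOKEN:
    regex: "eyJ[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+"
    severity: "MEDIUM"
    confidence: 0.85
    active: true
    description: "JSON Web Token"
    remediation: "Invalidate token and rotate signing key"

  GOOGLE_API_KEY:
    regex: "AIza[0-9A-Za-z\\-_]{35}"
    severity: "HIGH"
    confidence: 0.90
    active: true
    description: "Google API Key"
    remediation: "Revoke via Google Cloud Console"

  DOCKER_TOKEN:
    regex: "dckr_pat_[a-zA-Z0-9_-]{32,}"
    severity: "MEDIUM"
    confidence: 0.88
    active: true
    description: "Docker Personal Access Token"
    remediation: "Revoke via Docker Hub settings"

  # Requires "api_key"/"apikey" (any case) followed by a quoted run of 32+
  # alphanumerics; unquoted values and values containing punctuation are
  # not matched.
  GENERIC_API_KEY:
    regex: "[Aa][Pp][Ii]_?[Kk][Ee][Yy].*['\"][0-9a-zA-Z]{32,}['\"]"
    severity: "MEDIUM"
    confidence: 0.70
    active: true
    description: "Generic API Key Pattern"
    remediation: "Verify and revoke if legitimate"

# Pattern exceptions - known test/dummy values to ignore
exceptions:
  # NOTE(review): two entries cannot be produced by the patterns above, so
  # they are inert as exact-match exceptions: "AKIA-TESTKEY-123" contains
  # hyphens, and the ghp_ sample has 34 characters after the prefix where
  # GITHUB_TOKEN requires 36.
  test_patterns:
    - "AKIA-TESTKEY-123"
    - "AKIAIOSFODNN7EXAMPLE"
    - "xoxb-test-token"
    - "ghp_test123456789012345678901234567890"
    - "-----BEGIN EXAMPLE PRIVATE KEY-----"
  # NOTE(review): how these words are applied is not visible here. If they
  # are substring-matched against the finding or its surrounding text, a
  # live credential next to a word such as "test" is silently dropped.
  # Suppressed findings should still be logged so the exception list can be
  # audited.
  development_indicators:
    - "test"
    - "example"
    - "demo"
    - "mock"
    - "fake"
    - "dummy"

# Quarantine settings
quarantine:
  high_severity_auto_quarantine: true
  medium_severity_review_required: true
  retention_days: 90
  max_entries: 10000

# Alert settings
alerts:
  webhook_timeout_seconds: 5
  retry_attempts: 3
  retry_delay_seconds: 2

# Revocation hooks
# Only four of the ten patterns have a hook; findings for the others rely on
# the manual `remediation` text.
# NOTE(review): these endpoints trigger credential revocation, so they
# should authenticate the caller and the client should verify TLS - neither
# is configured in this file; confirm in the hook client.
revocation_hooks:
  AWS_ACCESS_KEY: "https://security.chorus.services/hooks/aws-revoke"
  GITHUB_TOKEN: "https://security.chorus.services/hooks/github-revoke"
  SLACK_TOKEN: "https://security.chorus.services/hooks/slack-revoke"
  GOOGLE_API_KEY: "https://security.chorus.services/hooks/google-revoke"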