Matchers

RegexMatcher

Matches values captured by a pattern.

Example:

type: RegexMatcher
# each captured value will return a match.
# The name of the capture group is the name of the returned match.
pattern: '(?P<apikey>foo_[a-f0-9]{20})'

# optional. Set this to an empty string to disable look_ahead if the
# pattern has a strong suffix.
look_ahead: ''

# optional. Set this to an empty string to disable look_behind if the
# pattern has a strong prefix.
look_behind: ''

type (required)

Type: string

Must be set to RegexMatcher.

pattern (required)

Type: string

Pattern with named capturing groups. Each named capturing group returns a match.

look_behind

Type: string

Default: (?<![_a-zA-Z0-9])

Extra expression inserted BEFORE the pattern to ensure we don't capture false positives in the middle of a random string.

look_ahead

Type: string

Default: (?![A-Za-z0-9!#(*.?[^~_+])

Extra expression inserted AFTER the pattern to ensure we don't capture false positives in the middle of a random string.
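
The effect of the two boundary expressions, shown with Python's re module as an added example (not the product's own code). It assumes the effective expression is simply look_behind + pattern + look_ahead; find_matches and the sample lines are constructed for illustration.

```python
import re

# Defaults as documented on this page.
DEFAULT_LOOK_BEHIND = r"(?<![_a-zA-Z0-9])"
DEFAULT_LOOK_AHEAD = r"(?![A-Za-z0-9!#(*.?[^~_+])"


def find_matches(pattern, text,
                 look_behind=DEFAULT_LOOK_BEHIND,
                 look_ahead=DEFAULT_LOOK_AHEAD):
    """Return (match_name, value) pairs, one per named group captured.

    Assumption: the matcher concatenates look_behind + pattern + look_ahead.
    """
    effective = re.compile(look_behind + pattern + look_ahead)
    results = []
    for m in effective.finditer(text):
        for name, value in m.groupdict().items():
            if value is not None:
                results.append((name, value))
    return results


PATTERN = r"(?P<apikey>foo_[a-f0-9]{20})"
TOKEN = "foo_0123456789abcdef0123"  # constructed sample value

# Constructed sample lines.
QUOTED = 'api_key = "%s"' % TOKEN   # token delimited by quotes
INSIDE_WORD = "x" + TOKEN           # token preceded by an identifier character
INSIDE_LONGER_HEX = TOKEN + "abcd"  # token is the start of a longer hex string

if __name__ == "__main__":
    for line in (QUOTED, INSIDE_WORD, INSIDE_LONGER_HEX):
        print(repr(line))
        print("  defaults      :", find_matches(PATTERN, line))
        print("  no boundaries :",
              find_matches(PATTERN, line, look_behind="", look_ahead=""))
```

With the defaults only the quoted line is reported; with both expressions set to an empty string all three lines are reported, including the two where the token is part of a longer string.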

AssignmentRegexMatcher

Capture assignments (KEY=VALUE, KEY:VALUE, ...).

This matcher matches assignment expressions whose value matches the given regular expression. Use it to find variable assignments, either because the value regular expression alone is not precise enough or because you know the secret is assigned to a variable.

The following matcher would find password variables of the form ab[0-9]{2} and report them as a match called "password".

type: AssignmentRegexMatcher
value_regexp:
  # This would match "ab12" in `var pwd = ab12;`. Each captured group
  # will return a match.
  '(?P<password>ab[0-9]{2})'
# The left-side value (variable name) must contain this keyword.
name_keyword: 'password'
# Prefix of the left-side value (variable name)
name_prefix: 'KEY'

This matcher would match:

KEY_PASSWORD = ab12;
key_PassWord=ab45
key.password: ab78,

type (required)

Type: string

Must be set to AssignmentRegexMatcher.

value_regexp (required)

Type: string

Pattern with a named capturing group. Must match the VALUE part.

name_keyword (required)

Type: string

Pattern to match the KEY part. Case-insensitive.

name_prefix

Type: string

Pattern matching an optional prefix that must be found in the KEY part. Case-insensitive.

AggregateMatcher

Group multiple matchers.

When a secret is composed of multiple matches (for example a client_id and a client_secret), you can group them using the AggregateMatcher. Several matchers can be listed inside it. All combinations of their matches will be looked for.

Example:

type: AggregateMatcher
matchers:
  - type: RegexMatcher
    pattern: '(?P<client_id>acme_[a-z0-9]{12})'
  - type: AssignmentRegexMatcher
    value_regexp: '(?P<client_secret>[a-z0-9]{24})'
    name_keyword: 'client[_-]?id'

type (required)

Type: string

Must be set to AggregateMatcher.

matchers (required)

Type: list[Matcher]

strategy

Type: Strategy

The strategy to use to group matches.

Example:

type: AggregateMatcher
strategy:
  type: DistanceStrategy
  nb_matches: 2
matchers:
  # ...