Database connection strings are used to connect to databases, often with embedded credentials.
version: v0.1
Pattern Format
[^"'`\x00-\x08\r\n|]*([Ss]erver|[Pp]rovider|[Dd]atabase|[Uu]ser [Ii]d|[Dd]ata [Ss]ource|[Ee]ndpoint|[Dd]efault[Ee]nd[Pp]oints[Pp]rotocol|[Aa]ccountName|[Dd]ata[Ss]ource|[Aa]uthentication|[Ll]ogin|[Ii]nitial[Cc]atalog|DB|Trusted_Connection|authenticationType|DSN|[Dd]ata[Ss]ource[Nn]ame|[Ii]ntegrated[Ss]ecurity|[Ll]ocation|[Ee]ncrypt|[Ss]ystem|[Pp]rotocol|[Hh]ost|[Pp]ort|SRVR|[Dd]river|Dbq|[Ss]sl[Mm]ode|SSL|[Uu]id|DBNAME|SystemDB|[Pp]ersist [Ss]ecurity [Ii]nfo|[Cc]onnection [Tt]ype|[Dd]ata[Ss]ource[Nn]ame|[Ee]xcel [Ff]ile|[Ss]erver [Nn]ame|URL)=[^"'`\x00-\x08\r\n|]*
Start Pattern
\A|["'`]|"|[\r\n]|[=:-]
End Pattern
\z|["'`]|"|[\r\n]
Additional Matches
Add these additional matches to the Secret Scanning Custom Pattern.
- Match:
(^|;)([Pp]assword|[Pp]wd|[Ss]hared[Ss]ecret[Vv]alue|[Aa]ccount[Kk]ey|PW|pw|[Cc]ipher [Kk]ey|OAuth Access Token Secret)=
- Not Match:
(^|;)([Pp]assword|[Pp]wd|[Ss]hared[Ss]ecret[Vv]alue|[Aa]ccount[Kk]ey|PW|pw|[Cc]ipher [Kk]ey|OAuth Access Token Secret)=(%s\b|\{\{[^}]+\}\}|\{[0-9]+\}|\$?\{[^}]+\}|\[[A-Z_]+\]|['"`]|$)
Database connection strings are used to connect to databases, often with embedded credentials.
version: v0.1
Comments / Notes:
- This will spot connection strings for many databases, including MySQL, PostgreSQL, Oracle, SQL Server.
- To cut false positives, we require the start of the string to be a database-specific keyword.
Pattern Format
[^;"\x00-\x08]+
Start Pattern
("|")(([Ss]erver|[Pp]rovider|[Dd]atabase|[Uu]ser [Ii]d|[Dd]ata [Ss]ource|[Ee]ndpoint|[Dd]efault[Ee]nd[Pp]oints[Pp]rotocol|[Aa]ccountName|[Dd]ata[Ss]ource|[Aa]uthentication|[Ll]ogin|[Ii]nitial[Cc]atalog|DB|Trusted_Connection|authenticationType|DSN|[Dd]ata[Ss]ource[Nn]ame|[Ii]ntegrated[Ss]ecurity|[Ll]ocation|[Ee]ncrypt|[Ss]ystem|[Pp]rotocol|[Hh]ost|[Pp]ort|SRVR|[Dd]river|Dbq|[Ss]sl[Mm]ode|SSL|[Uu]id|DBNAME|SystemDB|[Pp]ersist [Ss]ecurity [Ii]nfo|[Cc]onnection [Tt]ype|[Dd]ata[Ss]ource[Nn]ame|[Ee]xcel [Ff]ile|[Ss]erver [Nn]ame|URL)=[^"]+;) ?([Pp]assword|[Pp]wd|[Ss]hared[Ss]ecret[Vv]alue|[Aa]ccount[Kk]ey|PW|pw|[Cc]ipher [Kk]ey|OAuth Access Token Secret)=
End Pattern
(;|"|")
Additional Matches
Add these additional matches to the Secret Scanning Custom Pattern.
- Not Match:
^(%(\.\*)?s|\$[a-zA-Z_]+|<[a-zA-Z_]+>|\{[a-zA-Z_]*\}|\[[a-zA-Z_]+\]|%[A-Z_]+%|\.\*|\[\^])$
- Not Match:
parameters\('[^']+'\)
Database connection strings are used to connect to databases, often with embedded credentials.
version: v0.1
Comments / Notes:
- This will spot connection strings for many databases, including MySQL, PostgreSQL, Oracle, SQL Server.
- To cut false positives, we require part of the string after the password to be a database-specific keyword.
Pattern Format
[^;"\x00-\x08]+
Start Pattern
(?i)("|")([Pp]assword|[Pp]wd|[Ss]hared[Ss]ecret[Vv]alue|[Aa]ccount[Kk]ey|PW|pw|[Cc]ipher [Kk]ey|OAuth Access Token Secret)=
End Pattern
;[^";]* ?([Ss]erver|[Pp]rovider|[Dd]atabase|[Uu]ser [Ii]d|[Dd]ata [Ss]ource|[Ee]ndpoint|[Dd]efault[Ee]nd[Pp]oints[Pp]rotocol|[Aa]ccountName|[Dd]ata[Ss]ource|[Aa]uthentication|[Ll]ogin|[Ii]nitial[Cc]atalog|DB|Trusted_Connection|authenticationType|DSN|[Dd]ata[Ss]ource[Nn]ame|[Ii]ntegrated[Ss]ecurity|[Ll]ocation|[Ee]ncrypt|[Ss]ystem|[Pp]rotocol|[Hh]ost|[Pp]ort|SRVR|[Dd]river|Dbq|[Ss]sl[Mm]ode|SSL|[Uu]id|DBNAME|SystemDB|[Pp]ersist [Ss]ecurity [Ii]nfo|[Cc]onnection [Tt]ype|[Dd]ata[Ss]ource[Nn]ame|[Ee]xcel [Ff]ile|[Ss]erver [Nn]ame|URL)=
Additional Matches
Add these additional matches to the Secret Scanning Custom Pattern.
- Not Match:
^(%(\.\*)?s|\$[a-zA-Z_]+|<[a-zA-Z_]+>|\{[a-zA-Z_]+\}|\[[a-zA-Z_]+\]|%[A-Z_]+%|\.\*)$
- Not Match:
parameters\('[^']+'\)
Database connection strings are used to connect to databases, often with embedded credentials.
version: v0.1
Comments / Notes:
- This will spot the ConnectionStrings__Default environment variable being set with a Password.
Pattern Format
[^;\r\n"'\x00-\x08]+
Start Pattern
(\A|\b)ConnectionStrings__Default=[^\r\n]*([Pp]assword|[Pp]wd|[Ss]hared[Ss]ecret[Vv]alue|[Aa]ccount[Kk]ey|PW|pw|[Cc]ipher [Kk]ey|OAuth Access Token Secret)=
End Pattern
([;\n]|\z)
Additional Matches
Add these additional matches to the Secret Scanning Custom Pattern.
- Not Match:
^(%(\.\*)?s|\$[a-zA-Z_]+|<[a-zA-Z_]+>|\$?\{[a-zA-Z_]+\}|\[[a-zA-Z_]+\]|%[A-Z_]+%|\.\*)$
A TSQL CREATE LOGIN or USER command using a password.
version: v0.1
Comments / Notes:
- This is specific to Microsoft SQL Server TSQL syntax.
Pattern Format
[^'\x00-\x08]{8,128}
Start Pattern
(\A|\b)CREATE\s+(LOGIN|USER)\s+[^\s\x00-\x08]+\s+WITH\s+PASSWORD\s+=\s+N?'
End Pattern
\'
SQLAlchemy connection strings are used to connect to databases, often with embedded credentials.
version: v0.1
Pattern Format
[^$/?#@\s][^/?#@\s\x00-\x08]*
Start Pattern
(\A|\b)mysql\+[a-z]+://[^/?#:@\s\x00-\x08]*:
End Pattern
@
Additional Matches
Add these additional matches to the Secret Scanning Custom Pattern.
- Not Match:
(?i)^[[{(<]?(?:password|passwd|secret)[\]})>]?$
- Not Match:
^\$?\{[^}]+\}$
- Not Match:
^%(?:\.\*)?s$
version: v0.2
Pattern Format
mongodb(\+[a-z]+)?://[^'"`<>/:@\s\x00-\x08]+:[^'"`<>/@\s\x00-\x08]+@[^?'"`\s\x00-\x08]+
Start Pattern
\A|\b
End Pattern
\z|\s|['"`?]
Additional Matches
Add these additional matches to the Secret Scanning Custom Pattern.
- Not Match:
(?i):(test|a|my)?[_-]?pass(word)?@
- Not Match:
:%(?:\.\*)?[sv]@
- Not Match:
:\$?\{[^}]+\}@
- Not Match:
^mongodb\+srv://b\*b%40f3tt%3D:%244to%40L8%3DMC@test3.test.build.10gen.cc/mydb%3F\?replicaSet=repl0
version: v0.1
Pattern Format
jdbc:[^:\x00-\x08]+:\/\/[^\/\x00-\x08]+\/[^?\x00-\x08]+\?user=[^&\x00-\x08]+&password=[^\s'"`<{$%*\x00-\x08]+
Start Pattern
\A|\b
End Pattern
\z|\s|['"`<]
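The patterns above evaluated offline: the first "Database connection strings" pattern (its Pattern Format, Start Pattern, End Pattern and both additional matches), the TSQL CREATE LOGIN or USER pattern, and the MongoDB URI pattern with its first three Not Match rules. This is an added example, not code from the project these patterns belong to or from GitHub. It assumes that a custom pattern is evaluated as start pattern, then the secret, then end pattern, with the additional matches applied to the captured secret only (a reconstruction of the documented behaviour, run with Python's re rather than Hyperscan); the keyword alternation is trimmed to a subset, `\z` is rewritten to Python's `\Z`, the MongoDB brace-placeholder rule is written as `\{[^}]+\}`, and every sample string is constructed for this example.

```python
"""Offline evaluator for the custom patterns listed on this page.

Added example; not code from the project that publishes these patterns.
A custom pattern is three regexes: the secret itself ("Pattern Format") plus
a "Start Pattern" and an "End Pattern" that must surround it but are not
part of the reported secret.  "Additional Matches" then run against the
captured secret alone: every Match must hit and no Not Match may hit.
Composing them as start + named group + end is this example's own
reconstruction of that behaviour; GitHub runs custom patterns with Hyperscan,
whose match semantics can differ from Python's backtracking re in edge cases.
"""
import re
from dataclasses import dataclass, field


@dataclass
class CustomPattern:
    name: str
    fmt: str    # Pattern Format: the secret itself
    start: str  # Start Pattern: required immediately before the secret
    end: str    # End Pattern: required immediately after the secret
    must_match: list = field(default_factory=list)  # additional "Match" rules
    not_match: list = field(default_factory=list)   # additional "Not Match" rules

    def compiled(self):
        # Hyperscan's \z (absolute end of input) is spelled \Z in Python's re.
        fix = lambda p: p.replace(r"\z", r"\Z")
        return re.compile(
            f"(?:{fix(self.start)})(?P<secret>{fix(self.fmt)})(?:{fix(self.end)})"
        )

    def findings(self, text):
        """Secrets in text that survive every additional-match rule."""
        hits = []
        for m in self.compiled().finditer(text):
            secret = m.group("secret")
            if all(re.search(p, secret) for p in self.must_match) and not any(
                re.search(p, secret) for p in self.not_match
            ):
                hits.append(secret)
        return hits


# Subset of the page's keyword alternation; the full list drops in unchanged.
KEYWORDS = r"[Ss]erver|[Pp]rovider|[Dd]atabase|[Uu]ser [Ii]d|[Dd]ata [Ss]ource|[Ii]nitial[Cc]atalog|[Hh]ost|[Pp]ort|[Uu]id"
# Password-style keys, as in the page's additional matches.
PASSWORD_KEYS = r"[Pp]assword|[Pp]wd|[Ss]hared[Ss]ecret[Vv]alue|[Aa]ccount[Kk]ey|PW|pw|[Cc]ipher [Kk]ey|OAuth Access Token Secret"

CONNECTION_STRING = CustomPattern(
    name="Database connection strings",
    fmt=r"""[^"'`\x00-\x08\r\n|]*(""" + KEYWORDS + r""")=[^"'`\x00-\x08\r\n|]*""",
    start=r"""\A|["'`]|"|[\r\n]|[=:-]""",
    end=r"""\z|["'`]|"|[\r\n]""",
    must_match=[r"(^|;)(" + PASSWORD_KEYS + r")="],
    # Templated, indexed, bracketed, quoted or empty values are not secrets.
    not_match=[r"(^|;)(" + PASSWORD_KEYS
               + r""")=(%s\b|\{\{[^}]+\}\}|\{[0-9]+\}|\$?\{[^}]+\}|\[[A-Z_]+\]|['"`]|$)"""],
)

TSQL_CREATE_LOGIN = CustomPattern(
    name="TSQL CREATE LOGIN or USER",
    fmt=r"[^'\x00-\x08]{8,128}",
    start=r"(\A|\b)CREATE\s+(LOGIN|USER)\s+[^\s\x00-\x08]+\s+WITH\s+PASSWORD\s+=\s+N?'",
    end=r"\'",
)

MONGODB_URI = CustomPattern(
    name="MongoDB connection URI",
    fmt=r"""mongodb(\+[a-z]+)?://[^'"`<>/:@\s\x00-\x08]+:[^'"`<>/@\s\x00-\x08]+@[^?'"`\s\x00-\x08]+""",
    start=r"\A|\b",
    end=r"""\z|\s|['"`?]""",
    not_match=[
        r"(?i):(test|a|my)?[_-]?pass(word)?@",  # obvious dummy passwords
        r":%(?:\.\*)?[sv]@",                    # printf-style placeholders
        r":\$?\{[^}]+\}@",                      # ${VAR} / {var} placeholders
    ],
)

# Constructed samples for this example; none are real credentials.
SAMPLES = {
    "conn_real": 'conn = "Server=db01;Database=orders;User Id=app;Password=Tr0ub4dor&3;"',
    "conn_templated": 'conn = "Server=db01;Database=orders;User Id=app;Password={{ vault.db_password }};"',
    "conn_indexed": 'conn = "Server=db01;Database=orders;User Id=app;Password={0};"',
    "conn_no_password": '"Server=db01;Database=orders;Integrated Security=true"',
    "tsql_real": "CREATE LOGIN app_svc WITH PASSWORD = N'Wint3r!Sol$tice';",
    "tsql_no_spaces": "CREATE LOGIN app_svc WITH PASSWORD='Wint3r!Sol$tice';",  # \s+=\s+ needs spaces
    "mongo_real": "MONGO_URI=mongodb+srv://svc_reader:Q7v%21xZ9pLm@cluster0.example.net/app?retryWrites=true",
    "mongo_dummy": "mongodb://admin:password@localhost:27017/test",
    "mongo_placeholder": 'uri = "mongodb://app:%s@db.internal:27017/app" % pw',
}

if __name__ == "__main__":
    for pattern in (CONNECTION_STRING, TSQL_CREATE_LOGIN, MONGODB_URI):
        for label, text in SAMPLES.items():
            print(f"{pattern.name:28} {label:18} -> {pattern.findings(text)}")
```

Running it prints each pattern's findings per sample. The negative cases are the ones worth a look: the Not Match rules are what keep `{{ ... }}`, `{0}`, `%s` and `admin:password@` out of the alerts, and the TSQL start pattern requires whitespace on both sides of `=`, so a statement written as `PASSWORD='...'` is not reported at all.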