generic.secrets.security.detected-private-key.detected-private-key

rules:
  - id: detected-private-key
    patterns:
      - pattern-either:
          - patterns:
              - pattern: -----BEGIN $TYPE PRIVATE KEY----- $KEY
              - metavariable-regex:
                  metavariable: $TYPE
                  regex: (?i)([dr]sa|ec|openssh|encrypted)?
          - patterns:
              - pattern: |
                  -----BEGIN PRIVATE KEY-----
                  $KEY
      - metavariable-analysis:
          metavariable: $KEY
          analyzer: entropy
    languages:
      - generic
    message: Private Key detected. This is a sensitive credential and should not be
      hardcoded here. Instead, store this in a separate, private file.
    severity: ERROR
    metadata:
      cwe:
        - "CWE-798: Use of Hard-coded Credentials"
      source-rule-url: https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go
      category: security
      technology:
        - secrets
      confidence: LOW
      owasp:
        - A07:2021 - Identification and Authentication Failures
      references:
        - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]