07 / Detection Rules
97 rules. Zero configuration.
The complete TigerMole rule set. 3 families. 97 patterns. Compiled into the binary — no remote updates, no telemetry.
HIGH PRECISION · 76 RULES
| ID | Name | Detects |
|---|---|---|
| A001 | GitHub PAT (classic) | Token with ghp_ prefix |
| A002 | GitHub Fine-grained Token | github_pat prefix |
| A003 | AWS Access Key ID | AKIA prefix, 20 chars |
| A004 | AWS Secret Access Key | Context-based detection |
| A005 | OpenAI API Key | sk-proj-, sk-svcacct- prefixes, or T3BlbkFJ magic string |
| A006 | Anthropic API Key | sk-ant-api03- / sk-ant-admin01- prefixes, ends in AA |
| A007 | Stripe Secret Key | sk_live_ / sk_test_ prefixes |
| A008 | Slack Bot/User Token | xoxb- / xoxp- prefixes |
| A009 | JWT | Base64 eyJ prefix with 3-segment structure |
| A010 | RSA/SSH Private Key | PEM blocks |
| A011 | Credit card number | Visa/MC/Amex, Luhn-validated |
| A012 | Google API Key | AIza prefix, 39 chars total |
| A013 | Slack Webhook URL | URLs with hooks.slack.com |
| A014 | SendGrid API Key | SG. prefix, 69 chars |
| A015 | Twilio Account SID | AC prefix + 32 hex chars |
| A016 | npm Auth Token | npm_ prefix + 36 alphanumeric |
| A017 | PyPI Upload Token | pypi- prefix, 50+ chars |
| A018 | Terraform Cloud Token | .atlasv1. format |
| A019 | SSH DSA Private Key | PEM DSA blocks |
| A020 | GCP Service Account JSON | JSON with service_account |
| A021 | GitLab Personal Access Token | glpat- prefix |
| A022 | GitHub OAuth Access Token | gho_ prefix, 36 chars |
| A023 | GitHub App Token | ghu_ / ghs_ prefixes, 36 chars |
| A024 | GitHub Refresh Token | ghr_ prefix, 36 chars |
| A025 | Hugging Face Access Token | hf_ prefix, 34 chars |
| A026 | Hugging Face Org Token | api_org_ prefix, 34 chars |
| A027 | DigitalOcean PAT | dop_v1_ prefix, 64 hex chars |
| A028 | Grafana Service Account Token | glsa_ prefix |
| A029 | Perplexity API Key | pplx- prefix, 48 chars |
| A030 | Azure AD Client Secret | q~ pattern, 31–34 chars |
| A031 | Shopify Access Token | shpat_ / shpss_ / shppa_ prefixes, 32 hex |
| A032 | GitLab CI/Deploy Token | glptt- / gldt- / glcbt- / glrt- prefixes |
| A033 | Discord Bot Token | 64 hex chars |
| A034 | Cloudflare API Key | Context with cloudflare keyword |
| A035 | Datadog API Key | Context with datadog keyword |
| A036 | Linear API Key | lin_api_ prefix, 40 chars |
| A037 | Heroku API Key v2 | HRKU-AA prefix, 60+ chars |
| A038 | Vercel Token | Context with vercel keyword, 24+ chars |
| A039 | Netlify PAT | nfp_ prefix or context |
| A040 | Cohere API Key | co- prefix (38+ chars) or context |
| A041 | Mistral API Key | Context with mistral keyword |
| A042 | Grafana API Key | Base64 eyJrIjoi prefix, 70–400 chars |
| A043 | Replicate API Token | r8_ prefix, 40 chars |
| A044 | Stripe Webhook Secret | whsec_ prefix, 32+ chars |
| A045 | Stripe Restricted Key | rk_live_ / rk_test_ prefixes |
| A046 | Sentry Auth Token | sntrys_ prefix, 64+ chars |
| A047 | Firebase Server Key | AAAA prefix with specific format |
| A048 | HashiCorp Vault Token | hvs. prefix, 90+ chars |
| A049 | New Relic API Key | NRAK- prefix, 27 chars |
| A050 | Together AI API Key | Context with together keyword |
| A051 | AWS Session Token | Context, 100+ base64 chars |
| A052 | CircleCI Personal API Token | CCIPAT_ prefix, 40 hex |
| A053 | Discord Webhook URL | Discord webhook URL format |
| A054 | Supabase API Key | sbp_ prefix, 40 hex |
| A055 | PagerDuty API Key | Base64 pattern with + separator |
| A056 | Elastic API Key | Context with elastic keyword |
| A057 | Mailgun API Key | key- prefix, 32 hex |
| A058 | GitLab Runner Registration Token | glrt- prefix |
| A059 | Travis CI Access Token | Context with travis keyword, 22 chars |
| A060 | JFrog API Key/Token | Context with jfrog / artifactory keywords |
| A061 | Azure SAS Token | Pattern with sv=, sig= parameters |
| A062 | Postmark Server Token | UUID format |
| A063 | SonarQube Token | sqp_ prefix, 40 hex |
| A064 | Jenkins API Token | Context with jenkins keyword |
| A065 | Linode Personal Access Token | 64 hex chars |
| A066 | Generic pk_ token | pk_ prefix, 20+ chars |
| A067 | Telegram Bot Token | {id}:AA{alphanumeric+dash} format |
| A068 | Atlassian API Token | ATATT3 prefix, 40+ chars |
| A069 | Docker Hub PAT | dckr_pat_ prefix, 27 chars |
| A070 | Doppler Token | dp.st. / dp.pt. / dp.ct. / dp.sa. prefixes, 40+ chars |
| A071 | Fly.io Access Token | fo1_ prefix, 40+ chars |
| A072 | Google OAuth Client Secret | GOCSPX- prefix, 28 chars |
| A073 | Mapbox Access Token | pk.eyJ / sk.eyJ prefixes |
| A074 | PlanetScale Database Token | pscale_tkn_ prefix, 30+ chars |
| A075 | Plaid Access Token | access-{sandbox\|development\|production}-{uuid} format |
| A076 | Square Access Token | sq0{3 letters}- prefix, 22+ chars |
ENTROPY-BASED · 8 RULES
| ID | Name | Context keywords | Min. requirements |
|---|---|---|---|
| B001 | Password/secret assignment | password, passwd, pwd, pass, secret, credential | ≥8 chars, entropy ≥3.5 |
| B002 | Generic API key | api_key, apikey, api-key, access_key, x-api-key | ≥16 chars, entropy ≥3.8 |
| B003 | Generic token | token, auth_token, access_token, bearer | ≥20 chars, entropy ≥3.8 |
| B004 | Database connection string | postgres, mysql, mongodb, redis, mssql | Database URI, entropy ≥3.0 |
| B005 | .env variable with high-entropy value | Secret-related variable names | entropy ≥3.8 |
| B006 | Authorization Bearer header | Authorization: Bearer {value} | ≥20 chars, entropy ≥3.5 |
| B007 | Authorization Basic header | Authorization: Basic {base64} | ≥16 base64 chars, entropy ≥3.0 |
| B008 | Semantic catch-all | password, secret, token, api_key, etc. | ≥4 chars, no entropy req. |
GDPR ART. 4 · 13 RULES
| ID | Name | Detects | Validation |
|---|---|---|---|
| C001 | Email address | Standard email format | — |
| C002 | Private IP (RFC 1918) | 10.x, 172.16-31.x, 192.168.x ranges | — |
| C003 | Spanish DNI/NIF | 8 digits + letter | Mod 23 |
| C004 | Unix/macOS path with user | /home/{user}/ or /Users/{user}/ | — |
| C005 | Windows path with user | C:\Users\{user}\ | — |
| C006 | IBAN | 2-letter country code + 2 digits + BBAN | Mod 97 (ISO 7064) |
| C007 | International phone | +{country_code} {7–13 digits} | — |
| C008 | SSN (US Social Security Number) | XXX-XX-XXXX format | SSN range validation |
| C009 | Spanish passport | 3 uppercase letters + 6 digits | — |
| C010 | Spanish phone | 9 digits starting with 3, 6, 7, or 9 | — |
| C011 | Spanish bank account (CCC) | 20 digits in groups | CCC check digit |
| C012 | IPv6 link-local | fe80: prefix | — |
| C013 | Spanish NIE | X/Y/Z prefix + 7 digits + letter | Mod 23 |
Detection Pipeline
7 stages. Every request.
Every outbound request passes through all 7 pipeline stages in under 2ms.
Input text

1. Preflight (Aho-Corasick): filter candidates by keywords
2. Regex matching over candidates
3. Entropy validation (Family B only)
4. Mathematical validators (Luhn, mod-97, mod-23, SSN ranges)
5. Allowlist filter (placeholders, test values, examples)
6. Confidence scoring (keyword, entropy, validator, context)
7. Action by threshold

Action by threshold

| Action | Confidence | Result |
|---|---|---|
| MASK | ≥ 0.7 | masked |
| LOG_ONLY | 0.4–0.69 | log only |
| IGNORED | < 0.4 | ignored |
Total: 97 rules — 76 (Family A) + 8 (Family B) + 13 (Family C)
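Stages 3, 4 and 7 of the pipeline above, sketched as an added example; this is not TigerMole's own code. It assumes "entropy" means Shannon entropy in bits per character, and all function names are hypothetical.

```python
import math
from collections import Counter

DNI_LETTERS = "TRWAGMYFPDXBNJZSQVHLCKE"  # standard mod-23 control letters

def shannon_entropy(s: str) -> float:
    """Bits per character (assumed metric for the Family B thresholds)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def passes_b001(value: str) -> bool:
    """Stage 3, rule B001 minimums from the table: >=8 chars, entropy >=3.5."""
    return len(value) >= 8 and shannon_entropy(value) >= 3.5

def luhn_ok(number: str) -> bool:
    """Stage 4, Luhn checksum used by A011 (separators are skipped)."""
    digits = [int(d) for d in number if "0" <= d <= "9"]
    if len(digits) < 12:          # assumed lower bound for a card number
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def iban_ok(iban: str) -> bool:
    """Stage 4, ISO 7064 mod-97 check used by C006."""
    s = iban.replace(" ", "").upper()
    if len(s) < 15 or not (s.isascii() and s.isalnum()):
        return False
    moved = s[4:] + s[:4]         # country code and check digits go last
    return int("".join(str(int(ch, 36)) for ch in moved)) % 97 == 1

def dni_nie_ok(doc: str) -> bool:
    """Stage 4, mod-23 letter for C003 (DNI) and C013 (NIE, X/Y/Z -> 0/1/2)."""
    s = doc.strip().upper()
    if len(s) == 9 and s[0] in "XYZ":
        s = str("XYZ".index(s[0])) + s[1:]
    return (len(s) == 9 and s.isascii() and s[:8].isdigit()
            and s[8] == DNI_LETTERS[int(s[:8]) % 23])

def action_for(confidence: float) -> str:
    """Stage 7 thresholds exactly as listed on the page."""
    if confidence >= 0.7:
        return "MASK"
    return "LOG_ONLY" if confidence >= 0.4 else "IGNORED"
```

Under the Shannon assumption a value needs at least 12 distinct characters to reach 3.5 bits per character, so an 8-character value can never pass B001 on length alone.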