kingfisher/testdata/test_char_requirements.yaml

rules:
  - name: Secure API Key with Character Requirements
    id: test.char_requirements.1
    pattern: |
      (?xi)
      api[_-]?key
      (?:.|[\n\r]){0,32}?
      \b
      ([A-Za-z0-9!@#$%^&*]{16,})
      \b
    min_entropy: 3.0
    confidence: high
    pattern_requirements:
      min_digits: 1
      min_uppercase: 1
      min_lowercase: 1
      min_special_chars: 1
    examples:
      - api_key = "Abc123!SecureToken"
      - api-key: "MyK3y!WithSpecial"
    negative_examples:
      - api_key = "abcdefghijklmnop"  # no uppercase, no digit, no special
      - api_key = "ABCDEFGHIJKLMNOP"  # no lowercase, no digit, no special
      - api_key = "abc123defghijklm"  # no uppercase, no special
pattern_requirements for rules — Post-regex character-class gating to cut false positives without lookarounds. Authors can now require minimum counts of digits, uppercase, lowercase, and special characters, with an optional custom special-char set. Why: Hyperscan doesn’t support lookaheads/behinds, so many “must contain X and Y” checks had to be baked into the regex (hurting readability) or were impossible. pattern_requirements applies lightweight, in-memory checks after a match is found, keeping patterns fast and clean. 2025-11-04 13:55:31 -05:00			`rules:`
			`- name: Secure API Key with Character Requirements`
			`id: test.char_requirements.1`
			`pattern: \|`
			`(?xi)`
			`api[_-]?key`
			`(?:.\|[\n\r]){0,32}?`
			`\b`
			`([A-Za-z0-9!@#$%^&*]{16,})`
			`\b`
			`min_entropy: 3.0`
			`confidence: high`
			`pattern_requirements:`
			`min_digits: 1`
			`min_uppercase: 1`
			`min_lowercase: 1`
			`min_special_chars: 1`
			`examples:`
			`- api_key = "Abc123!SecureToken"`
			`- api-key: "MyK3y!WithSpecial"`
			`negative_examples:`
			`- api_key = "abcdefghijklmnop" # no uppercase, no digit, no special`
			`- api_key = "ABCDEFGHIJKLMNOP" # no lowercase, no digit, no special`
			`- api_key = "abc123defghijklm" # no uppercase, no special`