rules:
  - name: Azure Connection String
    id: kingfisher.azure.1
    pattern: |
      (?xi)
      (?: AccountName | SharedAccessKeyName | SharedSecretIssuer) \s*=\s* ([^;]{1,80}) \s*;\s*
      .{0,10}\s*
      (?: AccountKey | SharedAccessKey | SharedSecretValue) \s*=\s* ([^;]{1,100})
      (?: ;|$ )
    min_entropy: 3.3
    confidence: medium
    examples:
      - |
        # Azure Storage Connection String
        AzureWebJobsStorage=DefaultEndpointsProtocol=https;AccountName=hanatour9833;AccountKey=6jqh42QQjWWBwoPGGR/Jr0PZjhBMZVbHm/gkhEfHvOj8aV6+oI8ed6ZAAwB5a6993WqyQDiuJJB0QpseJwqYxw==;EndpointSuffix=core.windows.net
      - |
        DefaultEndpointsProtocol=http;AccountName=testacc1;
        AccountKey=1gy3lpE7Du1j5ljKiupgKzywSw2isjsa69sfsdfsdsgfsgfdgfdgfd/YThisv/OVVLfIOv9kQ==;
        BlobEndpoint=http://127.0.0.1:8440/testacc1;
        TableEndpoint=http://127.0.0.1:8440/testacc1;
        QueueEndpoint=http://127.0.0.1:8440/testacc1;
      - |
        "IOTHUB_CONNECTION_STRING": {
          "value": "HostName=d1-vi-ioth521.azure-devices.net;SharedAccessKeyName=registryReadWrite;SharedAccessKey=S8ii67l3Gd1Ba69az78iP9UksewzhjvUfh1DIuDs30w="
        }
      - |
        "AZURE_STORAGE_CONNECTION_STRING": {
          "value": "DefaultEndpointsProtocol=https;AccountName=d1biblobstor521;AccountKey=NjEwGHd9+piK+iCi2C2XURWPmeDDjif9UKN1HAszYptL4iQ+yD7/dgjLMZc3VOpURsa53aJ4HZfbVWzL429C5g==;EndpointSuffix=core.windows.net"
        }
    references:
      - https://azure.microsoft.com/en-us/blog/windows-azure-web-sites-how-application-strings-and-connection-strings-work/
      - https://docs.microsoft.com/en-us/azure/storage/common/storage-configure-connection-string
      - https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-sas#best-practices-when-using-sas

  - name: Azure App Configuration Connection String
    id: kingfisher.azure.2
    pattern: |
      (?xi)
      (https://[A-Z0-9-]+\.azconfig\.io);
      Id=(.{4}-.{2}-.{2}:[A-Z0-9+/]{18,22});
      Secret=([A-Z0-9+/]{36,50}=)
    min_entropy: 3.3
    confidence: medium
    examples:
      - 'Endpoint=https://foo-nonprod-appconfig.azconfig.io;Id=ABCD-E6-s0:tl6ABcdefGHi7kLMno/p;Secret=abCD1EF+GHIJxLMnOPqRSa53VWX05zaBCdE/fg9hi4k='
      - 'https://foo-nonprod-appconfig.azconfig.io;Id=ABCD-E6-s0:tl6ABcdefGHi7kLMno/p;Secret=abCD1EF+GHIJxLMnOA53ST8uVWX05zaBCdE/fg9hi4k='
      - 'Endpoint=https://appconfig-test01.azconfig.io;Id=09pv-l0-s0:opFCQMC6+9485xJgN5Ws;Secret=GcoEA53t7GLRNJ910M46IrbHO/Vg0tt4HujRdsaCoTY='
      - '        private static string appConfigurationConnectionString = "Endpoint=https://appcs-fg-pwc.azconfig.io;Id=pi5x-l9-s0:SZLlhHA53Nz2MpAl04cU;Secret=CQ+mlfQqkzfZv4XA53gigJ/seeXMKwNsqW/rM3wmtuE=";'
    references:
      - https://docs.microsoft.com/en-us/azure/azure-app-configuration/
      - https://docs.microsoft.com/en-us/azure/azure-app-configuration/howto-best-practices
      - https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/appconfiguration/azure-appconfiguration/azure/appconfiguration/_utils.py

  - name: Azure Personal Access Token
    id: kingfisher.azure.3
    pattern: |
      (?xi)
      (?i: ADO_PAT | pat_token | personal_?access_?token | \$token )
      \s* = \s*
      ["']
      ([a-z0-9]{52})
      ["']
    min_entropy: 3.3
    confidence: medium
    examples:
      - |
        var personalAccessToken = "zpczok4kqgnw5prpfy3ehiylbqvgbjfkdiqkejsxqamy7qbkep7q";  // Provide a value or retrieve it from configuration
      - |
        $token = "58oo4mvqr2tpw7b4w3loeckwfu5o6nw3sihfckvlwoxgqimlddza"
      - |
        if __name__ == "__main__":
            ado_pat =  "iyfmob6xjrfmit67anxbot64umfx2clwx7dz5ynxi4q2z3uqegvq"
  - name: Azure Container Registry URL
    id: kingfisher.azure.4
    pattern: |
      (?xi)
      (
        [a-z0-9][a-z0-9-]{1,100}[a-z0-9]
      )\.azurecr\.io
    confidence: medium
    visible: false
    min_entropy: 2.0
    examples:
      - "myregistry.azurecr.io"
  - name: Azure Container Registry Password
    id: kingfisher.azure.5
    pattern: |
      (?xi)
      \b
      (
        [A-Z0-9+/]{42}\+ACR[A-Z0-9]{6}
      )
      \b
    pattern_requirements:
      min_digits: 2
    confidence: medium
    min_entropy: 4.0
    validation:
      type: Http
      content:
        request:
          method: GET
          url: "https://{{ACR_USERNAME}}.azurecr.io/v2/_catalog"
          headers:
            Authorization: "Basic {{ ACR_USERNAME | append: ':' | append: TOKEN | b64enc }}"
          response_matcher:
            - report_response: true
            - type: StatusMatch
              status: [200]
    examples:
      - "Abcdefghijklmnopqrstuvwxyz123456789012ABCD+ACRefg123"
    depends_on_rule:
      - rule_id: "kingfisher.azure.4"
        variable: ACR_USERNAME
    references:
      - https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication