rules:
  - name: Clerk Secret Key
    id: kingfisher.clerk.1
    pattern: |
      (?xi)
      \b
      clerk
      (?:.|[\n\r]){0,32}?
      (?:SECRET|PRIVATE|API|KEY|TOKEN)
      (?:.|[\n\r]){0,16}?
      \b
      (
        sk_(?:test|live)_[A-Za-z0-9]{32}
      )
      \b
    pattern_requirements:
      min_digits: 2
    min_entropy: 3.3
    confidence: medium
    examples:
      - CLERK_SECRET_KEY=sk_live_abcdefghijklmnopqrstuvwxyz123456
      - clerk_secret = sk_test_4pX9kL2mN8qR3sT7vY1zA3bC6dE0fG2h
    references:
      - https://clerk.com/docs/deployments/clerk-environment-variables
      - https://clerk.com/docs/guides/development/machine-auth/api-keys
    validation:
      type: Http
      content:
        request:
          method: GET
          url: https://api.clerk.com/v1/users?limit=1
          headers:
            Authorization: "Bearer {{ TOKEN }}"
            Accept: application/json
          response_matcher:
            - report_response: true
            - type: StatusMatch
              status: [200]
            - type: JsonValid