rules: - name: React App Username id: kingfisher.reactapp.1 pattern: | (?x)(?i) \b REACT_APP (?: _[A-Z0-9]+)* _USER (?: NAME)? (?# variable name ) \s* = \s* ['"]? ( [^\s'"$]{3,} ) (?# value ) (?: [\s'"$] | $ ) min_entropy: 3.3 confidence: medium examples: - '# REACT_APP_GUEST_USERNAME=guest' - '# REACT_APP_USER=postgres' - 'REACT_APP_AUTH_USER=postgres' - 'REACT_APP_AUTH_USERNAME=bowie' - ' REACT_APP_AUTH_USERNAME=bowie # some comment' - 'REACT_APP_MAILER_USERNAME=smtp_username # Enter your SMTP email username' negative_examples: - 'REACT_APP_FRONTEND_LOGIN_FORGOT_USERNAME=$REACT_APP_MATRIX_BASE_URL/classroom/#/forgot_username' categories: [fuzzy, identifier] references: - https://create-react-app.dev/docs/adding-custom-environment-variables/ - https://stackoverflow.com/questions/48699820/how-do-i-hide-an-api-key-in-create-react-app - name: React App Password id: kingfisher.reactapp.2 pattern: | (?x)(?i) \b REACT_APP (?: _[A-Z0-9]+)* _PASS (?: WORD)? (?# variable name ) \s* = \s* ['"]? ( [^\s'"$]{6,} ) (?# value ) (?: [\s'"$] | $ ) min_entropy: 3.3 confidence: medium examples: - '# REACT_APP_GUEST_PASSWORD=mycoin!1' - '# REACT_APP_PASS=whiteduke' - 'REACT_APP_AUTH_PASS=whiteduke' - 'REACT_APP_AUTH_PASSWORD=whiteduke' - ' REACT_APP_AUTH_PASSWORD=whiteduke # some comment' - 'REACT_APP_MAILER_PASSWORD=smtp_password # Enter your SMTP email password' negative_examples: - ' const password = process.env.REACT_APP_FIREBASE_DEV_PASSWORD || "not-set"' - 'REACT_APP_FRONTEND_LOGIN_FORGOT_PASSWORD=$REACT_APP_MATRIX_BASE_URL/classroom/#/forgot_password' categories: [fuzzy, secret] references: - https://create-react-app.dev/docs/adding-custom-environment-variables/ - https://stackoverflow.com/questions/48699820/how-do-i-hide-an-api-key-in-create-react-app