kingfisher/crates/kingfisher-rules/data/rules/triggerdev.yml

rules:
  - name: Trigger.dev Secret Key
    id: kingfisher.triggerdev.1
    pattern: |
      (?x)
      \b
      (
        tr_(?:dev|prod|stg)_[A-Za-z0-9]{20}
      )
      \b
    pattern_requirements:
      min_digits: 1
      min_uppercase: 1
      min_lowercase: 1
    min_entropy: 3.0
    confidence: medium
    examples:
      - 'TRIGGER_SECRET_KEY=tr_dev_AN0MnvS4n4GdfhELPUMU'
      - 'TRIGGER_SECRET_KEY=tr_prod_KCqL36ucD5LTPa9kdnMj'
    references:
      - https://trigger.dev/docs/management/authentication
      - https://trigger.dev/docs/management/envvars/list
    depends_on_rule:
      - rule_id: kingfisher.triggerdev.3
        variable: TRIGGER_PROJECT_REF
    validation:
      type: Http
      content:
        request:
          method: GET
          url: 'https://api.trigger.dev/api/v1/projects/{{ TRIGGER_PROJECT_REF }}/envvars/{{ TOKEN | split: "_" | slice: 1, 1 | first | replace: "stg", "staging" }}'
          headers:
            Authorization: "Bearer {{ TOKEN }}"
            Accept: application/json
          response_matcher:
            - report_response: true
            - type: StatusMatch
              status: [200]
            - type: JsonValid

  - name: Trigger.dev Personal Access Token
    id: kingfisher.triggerdev.2
    pattern: |
      (?x)
      \b
      (
        tr_pat_[A-Za-z0-9]{20}
      )
      \b
    pattern_requirements:
      min_digits: 1
      min_uppercase: 1
      min_lowercase: 1
    min_entropy: 3.0
    confidence: medium
    examples:
      - 'TRIGGER_ACCESS_TOKEN=tr_pat_G8DwRcZEc0ONFMtkVHt8'
    references:
      - https://trigger.dev/docs/management/authentication
      - https://trigger.dev/docs/management/envvars/list
    depends_on_rule:
      - rule_id: kingfisher.triggerdev.3
        variable: TRIGGER_PROJECT_REF
    validation:
      type: Http
      content:
        request:
          method: GET
          url: 'https://api.trigger.dev/api/v1/projects/{{ TRIGGER_PROJECT_REF }}/envvars/dev'
          headers:
            Authorization: "Bearer {{ TOKEN }}"
            Accept: application/json
          response_matcher:
            - report_response: true
            - type: StatusMatch
              status: [200]
            - type: JsonValid
    # Trigger.dev documents PAT creation in the dashboard, but no same-key revocation endpoint is publicly documented.

  - name: Trigger.dev Project Reference
    id: kingfisher.triggerdev.3
    pattern: |
      (?xi)
      \b
      (?:TRIGGER_PROJECT_REF|projectRef|trigger(?:\.config)?|trigger\.dev)
      (?:.|[\n\r]){0,48}?
      (
        proj_[a-z0-9]{12,32}
      )
      \b
    min_entropy: 3.0
    confidence: medium
    visible: false
    examples:
      - 'TRIGGER_PROJECT_REF=proj_yubjwjsfkxnylobaqvqz'
      - 'projectRef: "proj_yubjwjsfkxnylobaqvqz"'
    references:
      - https://trigger.dev/docs/management/envvars/list