kingfisher/crates/kingfisher-rules/data/rules/workos.yml

rules:
  - name: WorkOS API Key
    id: kingfisher.workos.1
    pattern: |
      (?x)
      \b
      (?i:workos)
      (?:.|[\n\r]){0,24}?
      \b
      (
        sk_live_a2V5Xz[A-Za-z0-9+/]{69}={0,2}
      )
      (?:[^A-Za-z0-9+/=]|$)
    pattern_requirements:
      min_digits: 4
      min_lowercase: 4
      ignore_if_contains:
        - example
    min_entropy: 3.5
    confidence: medium
    examples:
      - 'WORKOS_API_KEY="sk_live_a2V5XzAxS1BSWE1LTjBEWE1INlpBU0VEWjU2VFE3LFdjOWxFMTNDS29xRkdlYU9uMUpDbUpTZWE"'
    references:
      - https://workos.com/docs/reference/api-keys
      - https://workos.com/docs/authkit/api-keys
      - https://docs.github.com/en/code-security/reference/secret-security/supported-secret-scanning-patterns
    validation:
      type: Http
      content:
        request:
          method: GET
          url: https://api.workos.com/organizations
          headers:
            Authorization: "Bearer {{ TOKEN }}"
            Accept: application/json
          response_matcher:
            - report_response: true
            - type: StatusMatch
              status: [200]
            - type: JsonValid
            - type: WordMatch
              words:
                - '"object"'
                - '"data"'
              match_all_words: true
    # WorkOS account API keys are managed from the WorkOS dashboard; no self-revocation endpoint is documented.