kingfisher/crates/kingfisher-rules/data/rules/docusign.yml

---
# DocuSign detection rules.
#
# Rules 1 and 2 capture a UUID-shaped value that sits close to a DocuSign
# keyword; rules 3 and 4 capture the auth host and the OAuth redirect URI
# that tend to accompany such values. Every pattern is compiled in verbose
# mode ((?x)), so the line breaks inside the block scalars are cosmetic and
# the literal whitespace in the regex is ignored.
rules:
  # --- Secret key -----------------------------------------------------------
  - name: DocuSign API Secret Key
    id: kingfisher.docusign.1
    # "docusign" must be followed, within 64 characters (newlines included,
    # which is what the (?:.|[\n\r]) alternation buys), by a secret-style
    # keyword, then within 16 characters by an assignment-like separator and
    # the value. The single capture group is a hex UUID; (?i) makes the hex
    # class accept upper case as well.
    pattern: |
      (?xi)
      \b
      docusign
      (?:.|[\n\r]){0,64}?
      \b(?:secret[_-]?key|ds[_-]?secret|secret)\b
      (?:.|[\n\r]){0,16}?
      [=:"'\s]
      ['"]*
      (
      [a-f0-9]{8}-
      [a-f0-9]{4}-
      [a-f0-9]{4}-
      [a-f0-9]{4}-
      [a-f0-9]{12}
      )
      \b
    # Floors applied to the captured value; presumably meant to discard
    # placeholder-looking UUIDs (all zeros, repeated digits) — confirm
    # against the rule schema.
    pattern_requirements:
      min_digits: 6
      min_entropy: 3.0
    confidence: medium
    examples:
      - 'docusign.secret_key = 12345678-abcd-9876-5432-abcdef123456'
      # Double-quoted on purpose so that \n is a real newline: this example
      # exercises the cross-line window between keyword and value.
      - "docusign\nds_secret = 87654321-fedc-1234-abcd-fedcba987654"
    # No validation block on purpose: DocuSign's /oauth/token endpoint
    # answers {"error":"invalid_grant"} to any request that carries an
    # invalid authorization code, whether or not client_id/client_secret
    # are valid. A live secret therefore cannot be told apart from a revoked
    # one through that endpoint without running a complete OAuth flow, which
    # is out of scope for passive validation.
    references:
      - https://developers.docusign.com/platform/auth/
      - https://developers.docusign.com/platform/build-integration/

  # --- Integration key (client id) -----------------------------------------
  - name: DocuSign Integration Key
    id: kingfisher.docusign.2
    # Same window/separator structure as rule 1; the keyword set is the
    # public identifier (integration key / client id / app id). Unlike rule
    # 1 there is no leading \b before the keyword alternation, so a keyword
    # glued to a preceding word still matches.
    pattern: |
      (?xi)
      \b
      docusign
      (?:.|[\n\r]){0,64}?
      (?:integration[_-]?key|client[_-]?id|app[_-]?id)\b
      (?:.|[\n\r]){0,16}?
      [=:"'\s]
      ['"]*
      (
      [a-f0-9]{8}-
      [a-f0-9]{4}-
      [a-f0-9]{4}-
      [a-f0-9]{4}-
      [a-f0-9]{12}
      )
      \b
    pattern_requirements:
      min_digits: 6
      min_entropy: 3.0
    confidence: medium
    # NOTE(review): visible: false presumably keeps this out of standalone
    # findings (an integration key alone is an identifier, not a secret) —
    # confirm how the scanner treats the flag.
    visible: false
    examples:
      - 'DOCUSIGN_CLIENT_ID=7a39ce6d-94cf-4bf6-9e9e-9213373c15f4'
      - 'docusign.integration_key = "3d2f18c9-2075-4e78-834b-64f57f8757d0"'
    references:
      - https://developers.docusign.com/platform/build-integration/

  # --- Auth host ------------------------------------------------------------
  - name: DocuSign Auth Host
    id: kingfisher.docusign.3
    # Captures the production (account.docusign.com) or developer
    # (account-d.docusign.com) auth hostname.
    pattern: |
      (?xi)
      \b
      (
      account(?:-d)?\.docusign\.com
      )
      \b
    # NOTE(review): min_entropy sits at rule level here (and in rule 4),
    # whereas rules 1–2 put it under pattern_requirements; presumably both
    # placements are accepted by the schema — confirm.
    min_entropy: 1.0
    confidence: medium
    visible: false
    examples:
      - 'account.docusign.com'
      - 'account-d.docusign.com'
    references:
      - https://developers.docusign.com/platform/auth/

  # --- Redirect URI ---------------------------------------------------------
  - name: DocuSign Redirect URI
    id: kingfisher.docusign.4
    # Same keyword window as rules 1–2. The capture is an http(s) URL of
    # 6–200 characters that stops at whitespace, quotes or angle brackets;
    # there is no trailing \b, so a closing ')' or ',' directly after the
    # URL would be part of the capture.
    pattern: |
      (?xi)
      \b
      docusign
      (?:.|[\n\r]){0,64}?
      (?:redirect[_-]?uri|oauth[_-]?redirect)\b
      (?:.|[\n\r]){0,16}?
      [=:"'\s]
      (
      https?://[^\s"'<>]{6,200}
      )
    min_entropy: 1.5
    confidence: medium
    # The captured value is a URL rather than a credential; visible: false
    # presumably keeps it from being reported on its own — confirm.
    visible: false
    examples:
      - 'DOCUSIGN_REDIRECT_URI=https://example.com/docusign/callback'
      - 'docusign.redirect_uri = "https://localhost:3000/oauth/docusign"'
    references:
      - https://developers.docusign.com/platform/auth/