kingfisher/crates/kingfisher-rules/data/rules/flagsmith.yml

rules:

  - name: Flagsmith Organisation API Key
    id: kingfisher.flagsmith.1
    pattern: |
      (?xi)
      \b
      (?i:flagsmith)
      [^\n\r]{0,16}?
      \b
      (
        [A-Za-z0-9]{8}\.[A-Za-z0-9]{16}[A-Za-z0-9]{16}
      )
      \b
    pattern_requirements:
      min_digits: 4
      min_uppercase: 4
      min_lowercase: 4
    min_entropy: 3.5
    confidence: medium
    examples:
      - 'FLAGSMITH_API_KEY=dVoSZFo3.3c5qN55mA1XdLZnTO2moz5Ud1Qwo18Ie'
      - 'flagsmith api_key=7SoNiIyO.L6eehZzlmE32iuEPZjdkXskw711I3FLz'
      - 'flagsmith api token: zfR3T3VI.GLEC5p3cggDGTDhOwTdNwuYxxqmSMuoA'
    references:
      - https://docs.flagsmith.com/integrating-with-flagsmith/flagsmith-api-overview/admin-api/authentication
      - https://docs.flagsmith.com/third-party-integrations/ci-cd/terraform#terraform-api-key
    validation:
      type: Http
      content:
        request:
          method: GET
          url: https://api.flagsmith.com/api/v1/projects/
          headers:
            Authorization: "Api-Key {{ TOKEN }}"
            Accept: application/json
          response_matcher:
            - report_response: true
            - type: StatusMatch
              status: [200]
            - type: JsonValid
  - name: Flagsmith Environment Key
    id: kingfisher.flagsmith.2
    pattern: |
      (?xi)
      \b
      flagsmith
      [^\n\r]{0,16}?
      \b
      (
        [a-f0-9]{20}[a-f0-9]{20}
      )
      \b
    pattern_requirements:
      min_digits: 6
    min_entropy: 3.0
    confidence: medium
    examples:
      - 'FLAGSMITH_ENV_KEY=103edeabc2a901041329b22da61d09cf466cf733'
      - 'flagsmith env key: 65ea217e98f87d37152e4897896108e976bcf053'
      - 'flagsmith api token=62612be866d95626691158801ea28a10bc2bafab'
    references:
      - https://docs.flagsmith.com/integrating-with-flagsmith/flagsmith-api-overview/flags-api/authentication
      - https://docs.flagsmith.com/clients/server-side
    # Flagsmith documents public client-side Environment Keys for the Flags API
    # and separate `ser.` server-side keys for the Environment Document flow.
    # The 40-hex keys matched here do not have a reliable documented token-only
    # validation endpoint, so validation is intentionally omitted to avoid false
    # "inactive credential" results.