kingfisher/crates/kingfisher-rules/data/rules/firebase.yml

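# Firebase Cloud Messaging (FCM) credential detectors.
#
# NOTE(review): indentation in this copy was reconstructed. The nesting of
# `ignore_if_contains` under `pattern_requirements` is inferred from key
# order only — confirm against the rule schema. The hosting forge also
# flagged "ambiguous Unicode characters" in this file; every pattern and
# example below is meant to be plain ASCII, so check for look-alike glyphs
# before relying on the examples as regression tests.
rules:
  - name: Firebase Cloud Messaging Server Key
    id: kingfisher.firebase.1
    # Legacy FCM server key: literal "AAAA" plus 7 token chars, a colon, then
    # the "APA91b"-prefixed payload. "APA91b" is the strong discriminator; the
    # trailing group forces the match to end at a non-token character or EOL.
    pattern: |
      (?x)
      \b
      (
        AAAA[A-Za-z0-9_-]{7}
        :
        APA91b[A-Za-z0-9_-]{120,180}
      )
      (?:[^A-Za-z0-9_-]|$)
    pattern_requirements:
      min_digits: 2
      min_uppercase: 1
      min_lowercase: 1
      # Suppress obvious documentation placeholders.
      ignore_if_contains:
        - example
        - sample
        - placeholder
        - your_key_here
    min_entropy: 4.0
    confidence: medium
    # Example values are synthetic: a 120-char "APA91b" body, the lower bound
    # of the {120,180} quantifier.
    examples:
      - 'FCM_SERVER_KEY=AAAAA1b2CdE:APA91bAbCdEfGhIjKlMnOpQrStUvWxYz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-AaBbCcDdEeFfGgHhIiJj'
      - 'firebase_server_key: "AAAAQ1w2ErT:APA91bZaYxWvUtSrQpOnMlKjIhGfEdCbA9876543210ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-MmNnOoPpQqRrSsTtUuVv"'
    references:
      - https://firebase.google.com/docs/cloud-messaging/migrate-v1
    # No live validation is configured: FCM legacy server keys no longer have
    # a safe token-only validation path. HTTP v1 requires OAuth2 access tokens
    # from service accounts rather than the legacy key itself, so a hit here
    # has to be triaged manually.
  - name: Firebase Cloud Messaging Device Token
    id: kingfisher.firebase.2
    # Registration token: 22 token chars, a colon, then the same "APA91b"
    # payload shape as the server key. The 22-char prefix has no literal
    # anchor, so "APA91b" carries the signal. Note that `\b` needs a word
    # character on one side: a token whose first character is `-` directly
    # after a non-word character (e.g. `=`) would not match — presumably rare.
    pattern: |
      (?x)
      \b
      (
        [A-Za-z0-9_-]{22}
        :
        APA91b[A-Za-z0-9_-]{120,180}
      )
      (?:[^A-Za-z0-9_-]|$)
    pattern_requirements:
      min_digits: 2
      min_uppercase: 1
      min_lowercase: 1
      # Suppress obvious documentation placeholders.
      ignore_if_contains:
        - example
        - sample
        - placeholder
    min_entropy: 4.0
    confidence: medium
    # Example values are synthetic: a 120-char "APA91b" body, the lower bound
    # of the {120,180} quantifier.
    examples:
      - 'FCM_DEVICE_TOKEN=AbCdEfGhIjKlMnOpQrStUv:APA91bZaYxWvUtSrQpOnMlKjIhGfEdCbA9876543210ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-AaBbCcDdEeFfGgHhIiJj'
      - 'registrationToken: "AbCdEfGhIjKlMnOpQrStUv:APA91bZaYxWvUtSrQpOnMlKjIhGfEdCbA9876543210ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-AaBbCcDdEeFfGgHhIiJj"'
    references:
      - https://firebase.google.com/docs/cloud-messaging/manage-tokens
    # No live validation is configured: registration tokens can't be safely
    # live-validated using only the token value.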