Merge pull request #107 from advanced-security/new-vendor-and-pii-patterns

aegilops · web-flow · commit 9605a3c2f315 · 2025-11-21T15:23:55.000Z
New vendor and PII patterns
diff --git a/README.md b/README.md
@@ -101,6 +101,12 @@ Custom Secret Scanning Patterns repository.
 - IBAN
 
 - Norwegian national identity number/D number
+
+- US Social Security number
+
+- US Individual Taxpayer Identification Number (ITIN)
+
+- UK National Insurance Number
   
 
 ### [RSA Keys](./rsa)
@@ -206,4 +212,14 @@ Custom Secret Scanning Patterns repository.
 - Azure Shared Access Signature (SAS) Token
 
 - CircleCI API token
+
+- AWS Key ID (standalone)
+
+- Azure generic key
+
+- Azure generic key (legacy)
+
+- AWS Bedrock API Key
+
+- AWS Bedrock API Key (2)
   
diff --git a/configs/README.md b/configs/README.md
@@ -639,7 +639,7 @@ Add these additional matches to the [Secret Scanning Custom Pattern](https://doc
 - Not Match:
 
   ```regex
-  ^(/|file:///|https?://[A-Za-z]:/)[A-Za-z0-9._-]{3,}+(/[a-z._-]{1,}){2,}/?$
+  ^(/|file:///|https?://[A-Za-z]:/)[A-Za-z0-9._-]{3,}(/[a-z._-]{1,}){2,}/?$
   ```
 
 </details>
diff --git a/configs/patterns.yml b/configs/patterns.yml
@@ -327,7 +327,7 @@ patterns:
         # non-secret related content
         - ^(?i)(true|false|y(es)?|no?|on|off|0|1|nill|null|none|(\\x[a-f0-9]{2})+)$
         # a path
-        - '^(/|file:///|https?://[A-Za-z]:/)[A-Za-z0-9._-]{3,}+(/[a-z._-]{1,}){2,}/?$'
+        - '^(/|file:///|https?://[A-Za-z]:/)[A-Za-z0-9._-]{3,}(/[a-z._-]{1,}){2,}/?$'
     comments:
       - "Looks for secrets in the format of `SECRET=secret` at the start of a line, possibly with an `ENV ` or `export ` prefix"
       - "Allows no whitespace in the secret, to cut false positives"
diff --git a/pii/README.md b/pii/README.md
@@ -233,4 +233,159 @@ Add these additional matches to the [Secret Scanning Custom Pattern](https://doc
   1111111111[123]|11112222333|01123456978|410185 ?123 ?45|220676 ?123 ?45|01010202010|01010101023
   ```
 
+</details>
+
+## US Social Security number
+
+
+
+_version: v0.1_
+
+**Comments / Notes:**
+
+
+- There is no checksum, so where this produces false positives there is no reliable way to filter them out with post-processing
+
+- This can produce false positives, since it doesn't check for all known-invalid numbers
+
+- Examples include 123-45-6789 and 078-05-1120 - the latter is ignored already
+  
+
+<details>
+<summary>Pattern Format</summary>
+
+```regex
+(?P<area>00[1-9]|0[1-9][0-9]|[1-8][0-9][0-9])-(?P<group>0[1-9]|[1-9][0-9])-(?P<serial>[0-9]{4})
+```
+
+</details>
+
+<details>
+<summary>Start Pattern</summary>
+
+```regex
+\A|[^0-9A-Za-z_-]
+```
+
+</details><details>
+<summary>End Pattern</summary>
+
+```regex
+\z|[^0-9A-Za-z_-]
+```
+
+</details>
+
+<details>
+<summary>Additional Matches</summary>
+
+Add these additional matches to the [Secret Scanning Custom Pattern](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#example-of-a-custom-pattern-specified-using-additional-requirements).
+
+
+- Not Match:
+
+  ```regex
+  ^666-.*$
+  ```
+- Not Match:
+
+  ```regex
+  ^.*-0000$
+  ```
+- Not Match:
+
+  ```regex
+  ^078-05-1120$
+  ```
+
+</details>
+
+## US Individual Taxpayer Identification Number (ITIN)
+
+
+
+_version: v0.1_
+
+**Comments / Notes:**
+
+
+- This can produce false positives, since it doesn't check for all known-invalid numbers
+
+- There is no checksum, so where this produces false positives there is no reliable way to filter them out with post-processing
+  
+
+<details>
+<summary>Pattern Format</summary>
+
+```regex
+9[0-9][0-9]-(?:5[0-9]|6[0-5]|7[0-9]|8[0-8]|9[0-24-9])-[0-9]{4}
+```
+
+</details>
+
+<details>
+<summary>Start Pattern</summary>
+
+```regex
+\A|[^0-9A-Za-z_-]
+```
+
+</details><details>
+<summary>End Pattern</summary>
+
+```regex
+\z|[^0-9A-Za-z_-]
+```
+
+</details>
+
+## UK National Insurance Number
+
+
+
+_version: v0.1_
+
+**Comments / Notes:**
+
+
+- There is no checksum, so where this produces false positives there is no reliable way to filter them out with post-processing
+  
+
+<details>
+<summary>Pattern Format</summary>
+
+```regex
+[A-Z]{2} ?[0-9]{2} ?[0-9]{2} ?[0-9]{2} ?[A-D]
+```
+
+</details>
+
+<details>
+<summary>Start Pattern</summary>
+
+```regex
+\A|[^0-9A-Za-z]
+```
+
+</details><details>
+<summary>End Pattern</summary>
+
+```regex
+\z|[^0-9A-Za-z]
+```
+
+</details>
+
+<details>
+<summary>Additional Matches</summary>
+
+Add these additional matches to the [Secret Scanning Custom Pattern](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#example-of-a-custom-pattern-specified-using-additional-requirements).
+
+
+- Not Match:
+
+  ```regex
+  ^QQ ?12 ?34 ?56 ?[A-D]$
+  ```
+
 </details>
diff --git a/pii/patterns.yml b/pii/patterns.yml
@@ -257,3 +257,63 @@ patterns:
       - With no validation of the checksum this can cause a lot of false positives
       - The example test data does not have a valid checksum - it is one of the examples used with one digit in the checksum changed
       - You can test using the correct checksum, but it is used as a NOT match here to prevent false positives on other test data
+
+  - name: US Social Security number
+    type: us_ssn
+    regex:
+      pattern: |
+        (?P<area>00[1-9]|0[1-9][0-9]|[1-8][0-9][0-9])-(?P<group>0[1-9]|[1-9][0-9])-(?P<serial>[0-9]{4})
+      start: |
+        \A|[^0-9A-Za-z_-]
+      end: |
+        \z|[^0-9A-Za-z_-]
+      additional_not_match:
+        - ^666-.*$
+        - ^.*-0000$
+        - ^078-05-1120$
+    test:
+      data: |
+        123-45-6789
+      start_offset: 0
+      end_offset: 11
+    comments:
+      - There is no checksum, so where this produces false positives there is no reliable way to filter them out with post-processing
+      - This can produce false positives, since it doesn't check for all known-invalid numbers
+      - Examples include 123-45-6789 and 078-05-1120 - the latter is ignored already
+
+  - name: US Individual Taxpayer Identification Number (ITIN)
+    type: us_itin
+    regex:
+      pattern: |
+        9[0-9][0-9]-(?:5[0-9]|6[0-5]|7[0-9]|8[0-8]|9[0-24-9])-[0-9]{4}
+      start: |
+        \A|[^0-9A-Za-z_-]
+      end: |
+        \z|[^0-9A-Za-z_-]
+    test:
+      data: |
+        912-70-1234
+      start_offset: 0
+      end_offset: 11
+    comments:
+      - This can produce false positives, since it doesn't check for all known-invalid numbers
+      - There is no checksum, so where this produces false positives there is no reliable way to filter them out with post-processing
+
+  - name: UK National Insurance Number
+    type: uk_national_insurance_number
+    regex:
+      pattern: |
+        [A-Z]{2} ?[0-9]{2} ?[0-9]{2} ?[0-9]{2} ?[A-D]
+      start: |
+        \A|[^0-9A-Za-z]
+      end: |
+        \z|[^0-9A-Za-z]
+      additional_not_match:
+        - ^QQ ?12 ?34 ?56 ?[A-D]$
+    test:
+      data: |
+        QQ012345C
+      start_offset: 0
+      end_offset: 9
+    comments:
+      - There is no checksum, so where this produces false positives there is no reliable way to filter them out with post-processing
diff --git a/vendors/README.md b/vendors/README.md
diff --git a/vendors/patterns.yml b/vendors/patterns.yml
