rules:
  - id: detected-private-key
    patterns:
    - pattern-either:
      - patterns:
        - pattern:
            -----BEGIN $TYPE PRIVATE KEY-----
            $KEY
        - metavariable-regex:
            metavariable: $TYPE
            regex: (?i)([dr]sa|ec|openssh|encrypted)?
      - patterns:
        - pattern: |
            -----BEGIN PRIVATE KEY-----
            $KEY
    - metavariable-analysis:
        metavariable: $KEY
        analyzer: entropy
    languages: [generic]
    message: Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file.
    severity: ERROR
    metadata:
      source-rule-url: https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go
      category: security
      technology:
        - secrets
      confidence: MEDIUM