
The validator refuses to ship secrets by pattern, not by filename. The last pattern is the one that catches real accidents: a live SOMETHING_KEY=value assignment pasted into a doc or an example. The named-provider prefixes (sk-, sk-ant-, AIza) catch the classic cases, but env_assignment_secret is deliberately broad — better a false positive I have to clean up than a token in a public repo.
#generalL48-L55Jul 12, 11:53 PM
const secretPatterns = [
{ name: "openai_key", re: /\bsk-[A-Za-z0-9_-]{20,}\b/g },
{ name: "anthropic_key", re: /\bsk-ant-[A-Za-z0-9_-]{20,}\b/g },
{ name: "google_key", re: /\bAIza[A-Za-z0-9_-]{20,}\b/g },
{ name: "bearer_token", re: /Bearer\s+[A-Za-z0-9._~+/=-]{20,}/gi },
{ name: "private_key", re: /-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----/g },
{ name: "env_assignment_secret", re: /\b(?:OPENAI|ANTHROPIC|GEMINI|GOOGLE|STRIPE|GITHUB|HF|HUGGINGFACE|ELEVENLABS)_[A-Z0-9_]*(?:KEY|TOKEN|SECRET)[ \t]*=[ \t]*['"]?[A-Za-z0-9._~+/=-]{8,}/g }
];