{
  "version": "secret-deny-patterns.v1",
  "patterns": [
    {
      "id": "env-files",
      "reason_code": "secret-env-file",
      "match": [".env", ".env.*"],
      "case_insensitive": true
    },
    {
      "id": "private-keys",
      "reason_code": "secret-private-key",
      "match": ["*.pem", "*.key", "id_rsa*", "id_ed25519*", "id_dsa*", "id_ecdsa*", "*.p12", "*.pfx", "*.keystore", "*.kdbx", "*.htpasswd"],
      "case_insensitive": true
    },
    {
      "id": "tool-credentials",
      "reason_code": "secret-tool-credential",
      "match": [".npmrc", ".pypirc", ".netrc", ".git-credentials", ".aws/credentials", ".aws/config", ".gcp/*credentials*.json", "google-services.json", "GoogleService-Info.plist", "*serviceAccount*.json", "firebase-adminsdk-*.json"],
      "case_insensitive": true
    },
    {
      "id": "token-secret-names",
      "reason_code": "secret-name-match",
      "match": ["**/*token*", "**/*secret*", "**/*credentials*", "**/*password*", "**/*apikey*", "**/*api_key*"],
      "case_insensitive": true
    },
    {
      "id": "mobile-signing",
      "reason_code": "secret-mobile-signing",
      "match": ["*.mobileprovision", "*.cer", "*.certSigningRequest"],
      "case_insensitive": true
    }
  ],
  "allowlist": [
    "src/cli/helpers/secret-deny-patterns.js",
    "src/cli/contracts/security/secret-deny-patterns.json",
    "src/cli/contracts/security/secret-deny-patterns.schema.json",
    "tests/unit/secret-deny-patterns-contracts.test.js"
  ],
  "exclusions": [".env.example", ".env.template", ".env.sample"]
}