Security · Tier 3

Secret Assignment Detector

Detect likely plaintext secrets in config assignments.

Answer Capsule

Secret Assignment Detector helps extract values with a production-oriented regex baseline. Use it for fast client or backend checks, then add semantic validation and engine-specific tests before release. This reduces false positives while keeping implementation predictable across environments.

Regex Block

\b(api[_-]?key|secret|token)\s*=\s*['"][A-Za-z0-9_-]{16,}['"]

Compatibility Badges

PCRE JavaScript Python Java

Token Explanation

Token-by-token with plain language, one sentence per token group.

`*` allows zero or more repetitions.
`?` enables optional or lazy behavior.
`|` adds alternation branches.

Edge Cases And Caveats

Very long input strings can impact performance if Secret Assignment Detector is used without anchors.
Unicode and locale edge cases should be tested in the exact runtime engine before rollout.
Always include rejected examples in tests to prevent false positives during refactors.

Test Cases

Input	Expected
api_key="abcDEF0123456789"	Pass
mode="debug"	Fail
	Fail
sample-value	Fail
test@example.com	Fail
1234567890	Fail

Engine Variants

PCRE

Reference implementation.

JavaScript

Re-test lookbehind, unicode, and flags.

Python

Prefer raw strings and explicit flags.

Java

Double-escape backslashes in string literals.

FAQ

When should I use the Secret Assignment Detector regex?

Use this when you need a quick format validation or extraction step before business-level checks.

Is this pattern cross-engine compatible?

Core behavior is designed for broad compatibility, but always re-test flags and advanced groups in your target engine.

What should I avoid with this pattern?

Avoid treating regex as the only safety check. Pair it with parser or domain-specific validation for production flows.

Try it Live

Test and customize this pattern in our interactive editor

Test this pattern