Detectors — nanodlp

How detection works: Each detector is a named pattern with a regex, optional proximity keywords (to reduce false positives), and an optional validator function (e.g., Luhn check for credit cards). You can override any built-in pattern or add new ones via a TOML overlay file — no recompilation needed.

# custom-patterns.toml
[[detector]]
name = "internal_employee_id"
pattern = "EMP-[0-9]{6}"
severity = "medium"
keywords = ["employee", "staff", "hr"]

☁️ Cloud secrets

14 detectors

aws_access_key_id
aws_secret_access_key
gcp_service_account_key
azure_client_secret
azure_storage_key
aws_session_token
gcp_api_key
+ 7 more

🔌 SaaS APIs

30 detectors

github_pat
github_oauth_token
slack_bot_token
slack_webhook_url
stripe_secret_key
stripe_publishable_key
twilio_account_sid
+ 23 more

🤖 AI providers

8 detectors

openai_api_key
anthropic_api_key
huggingface_token
groq_api_key
cohere_api_key
mistral_api_key
replicate_api_token
together_api_key

🔑 Private keys

7 detectors

rsa_private_key
ec_private_key
openssh_private_key
pgp_private_key
pkcs8_private_key
dsa_private_key
putty_private_key

🇺🇸 PII (US)

7 detectors

us_ssn
us_ein
us_itin
us_phone
us_passport
us_drivers_license
email_address

🌍 PII (international)

8 detectors

uk_nin
in_aadhaar
in_pan
br_cpf
br_cnpj
fr_insee
de_personalausweis
ca_sin

💳 Financial

4 detectors

credit_card (BIN + Luhn)
iban (MOD-97 validated)
us_bank_routing
swift_bic

₿ Crypto

3 detectors

bitcoin_address
ethereum_address
crypto_private_key_wif

Remaining 45 detectors cover: database connection strings (PostgreSQL, MySQL, MongoDB, Redis), JWT tokens, generic high-entropy strings, IPv4/IPv6 addresses, MAC addresses, and miscellaneous infrastructure credentials. Full list in the docs.

123 built-in detectors.