# SECRETS-002: High-Entropy Token in Config
#
# A high-entropy string that appears to be a secret token embedded in
# configuration file, detected by entropy analysis.
#
# Fixture layout: [metadata] describes the case, [input] is the file handed
# to the detector, [expected] lists the findings the detector must report,
# and [scoring] weights the case.

[metadata]
id = "secrets-002"
name = "High-entropy token in YAML config"
category = "secrets"
language = "yaml"
difficulty = "medium"
source = "hand-curated"
# Kept as a string rather than a native TOML date so that consumers which
# compare it textually keep working.
created = "2025-02-05"
notes = "Entropy-based secret detection"

[input]
filename = "config.yaml"
# Literal multi-line string: the YAML below is handed over verbatim (no
# escape processing). Besides the JWT, the fixture also carries a
# credential-bearing connection string (`user:pass@`) under `database`;
# only the JWT is asserted in [expected], so whether an additional finding
# on that line is penalized depends on the harness — confirm before
# relying on it.
content = '''
server:
  host: localhost
  port: 8080
database:
  connection_string: "postgresql://user:pass@localhost/db"
auth:
  # Generated token for service-to-service auth
  service_token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
logging:
  level: info
'''

# One entry per finding the detector must produce. Both entries refer to the
# same subject; the second one is what makes this an entropy-based case.
[[expected.must_contain]]
subject = "secrets/token"
predicate = "hardcoded"
value = true
rationale = "JWT token is hardcoded in config"

[[expected.must_contain]]
subject = "secrets/token"
predicate = "high_entropy"
value = true
rationale = "Base64-encoded JWT has high entropy"

[scoring]
weight = 1.0
# Presumably the confidence floor a finding must meet to count toward
# must_contain — confirm against the scoring harness.
min_confidence = 0.75