[INS-197] Add redhatpyxis api key detector#4995
Conversation
Corpora Test ResultsScans a corpus of real-world public code against only the detectors changed in this PR, then compares unique match counts between the PR build and the main baseline to catch regex regressions. Verification is disabled — each detector's regex is measured independently. 1 new · 0 clean | Scoped to:
|
| // Keywords used for fast pre-filtering | ||
| func (s Scanner) Keywords() []string { | ||
| return []string{ | ||
| "redhat", |
There was a problem hiding this comment.
Do you think it'll be beneficial to add pyxis to the detector/regex keywords instead of redhat or along with redhat?
There was a problem hiding this comment.
I also think this is a good idea, just in case someone calls it "pyxis" and not redhat or redhat_pyxis. Approving so you can address along with merge conflicts when you're in.
| // Keywords used for fast pre-filtering | ||
| func (s Scanner) Keywords() []string { | ||
| return []string{ | ||
| "redhat", |
There was a problem hiding this comment.
I also think this is a good idea, just in case someone calls it "pyxis" and not redhat or redhat_pyxis. Approving so you can address along with merge conflicts when you're in.
3 participants
Description
This PR adds the Red Hat Pyxis API Key Detector for TruffleHog.
It scans for Red Hat Pyxis API keys and optionally verifies them via the official Red Hat Ecosystem Catalog API.
Regex:
The detector uses contextual keyword
redhatto reduce false positives.Verification
For verification, we use the Red Hat Pyxis Projects API:
We send a
GETrequest with the token in theX-API-KEYheader.A response code of:
200 OKmeans the API key is valid401 Unauthorizedmeans the API key is invalid.This API endpoint is part of the official Red Hat Ecosystem Catalog API and can be used safely for verification. It is a read-only endpoint and does not perform any destructive actions.
Checklist:
make test-community)?make lintthis requires golangci-lint)?Note
Low Risk
Additive detector and enum wiring; verification uses a read-only external API and is gated by an existing feature-flag pattern.
Overview
Adds a Red Hat Pyxis secret detector that finds 32-character lowercase alphanumeric API keys near a
redhatkeyword and, when verification is on, checks them with a read-onlyGETto the Red Hat Ecosystem Catalog (X-API-KEY), treating 200 as valid and 401 as invalid.Wires the scanner into the default engine list behind
RedHatPyxisDetectorEnabled(enabled by default inmain.go, same pattern as Pinecone/Cloudinary), registersDetectorType_RedHatPyxis(1053) in proto/generated enums, and adds unit, pattern, integration, and benchmark tests.Reviewed by Cursor Bugbot for commit d6b0690. Bugbot is set up for automated code reviews on this repo. Configure here.