
Add Octopus Deploy API Key detector#5025

Open

asivaprasad09 wants to merge 1 commit into trufflesecurity:main from asivaprasad09:add-octopus-api-key-detector

Conversation

asivaprasad09 commented Jun 8, 2026

Summary

This PR adds a detector for Octopus Deploy API keys used to authenticate requests to Octopus REST API endpoints.

Key features:

  • Detects API keys with the API- prefix followed by exactly 26 uppercase alphanumerics
  • Context-aware matching requiring "octopus" or "X-Octopus-ApiKey" nearby
  • Implements CustomFalsePositiveChecker interface for additional validation
  • Non-verifying detector (API keys require server URL for verification)
  • Includes comprehensive test coverage

Changes

  • Added OctopusApiKey (ID 1053) to proto/detector_type.proto
  • Created detector implementation at pkg/detectors/octopusapikey/
  • Integrated detector into default detector list in pkg/engine/defaults/defaults.go
  • Updated proto-generated files with new detector type
  • Added comprehensive unit tests with 100% pass rate

Pattern Details

The detector uses a context-aware regex pattern:

(octopus|x-octopus-apikey).*\b(API-[A-Z0-9]{26})(?:['"|\n\r\s\x60;]|$)

This requires either "octopus" or "x-octopus-apikey" to appear before the token to avoid false positives. The API key format is highly specific:

  • Must start with API- prefix
  • Followed by exactly 26 uppercase letters and digits
  • No lowercase letters, special characters, or hyphens in the key portion

Testing

All tests pass successfully:

go test ./pkg/detectors/octopusapikey -tags=detectors -v

Test coverage includes:

  • Valid pattern detection in HTTP header context (X-Octopus-ApiKey header)
  • Environment variable assignments
  • Multiple tokens in the same file
  • Deduplication of repeated tokens
  • Rejection of invalid patterns:
    • Keys that are too short
    • Keys with lowercase characters (strict uppercase validation)
    • Keys with wrong prefix format
  • Proper detector type and keyword registration

Design Rationale

Why context-aware matching?
While the API-[A-Z0-9]{26} format is specific, it could still match other API key formats. Requiring "octopus" or the standard HTTP header name "X-Octopus-ApiKey" in nearby context ensures high precision while maintaining excellent recall for actual Octopus Deploy keys.

Why support both keywords?

  • "octopus" catches environment variables, config files, and code comments
  • "X-Octopus-ApiKey" catches HTTP header usage, which is the standard way to use these keys in API requests

Why no verification?
Octopus Deploy API keys require both the API key AND the Octopus Server URL to verify. Since the detector only extracts the key (not the associated server URL), verification is not possible without additional context. The key format itself is sufficiently distinctive to provide high-confidence detection.

SecretParts Population

The detector properly populates SecretParts with:

SecretParts: map[string]string{"key": key}

And includes a rotation guide in ExtraData:

ExtraData: map[string]string{
    "rotation_guide": "https://octopus.com/docs/octopus-rest-api/how-to-create-an-api-key",
}

Example Matches

✅ Will detect:

X-Octopus-ApiKey: API-ZNRMR7SL6L3ATMOIK7GKJDKLPY
OCTOPUS_API_KEY="API-7F1M9T3D5P7Q2W4R6Y8U0I2O4A"
octopus_key: API-1A2B3C4D5E6F7G8H9I0J1K2L3M

❌ Will NOT detect (reducing false positives):

# Missing context
API_KEY="API-ZNRMR7SL6L3ATMOIK7GKJDKLPY"

# Wrong format
octopus key="API-ZNRMR7SL6L3ATMOIK7GkJDKLPY"  # lowercase 'k'
octopus key="AP1-ZNRMR7SL6L3ATMOIK7GKJDKLPY"  # wrong prefix
octopus key="API-ABC123"  # too short

🤖 Generated with Claude Code


Note

Low Risk
Additive secret-detection only; no changes to auth, verification, or core scan pipeline beyond registering one more default detector.

Overview
Adds Octopus Deploy API key scanning as detector type OctopusApiKey (ID 1053), wired into the default engine and protobuf enum.

The new scanner matches API- plus 26 uppercase alphanumerics only when nearby context includes octopus or X-Octopus-ApiKey, deduplicates hits, fills SecretParts and a rotation-guide link, and uses the shared false-positive checker. There is no live verification (keys need a server URL). Unit tests cover headers, env vars, multi-key/dedup, and invalid formats.

Reviewed by Cursor Bugbot for commit db92812. Bugbot is set up for automated code reviews on this repo.

This commit adds a detector for Octopus Deploy API keys:
- Detects API keys with the "API-" prefix followed by 26 uppercase alphanumerics
- Uses context-aware regex requiring "octopus" or "X-Octopus-ApiKey" nearby
- Implements CustomFalsePositiveChecker interface for additional validation
- Includes comprehensive test coverage for pattern matching and edge cases

The detector adds OctopusApiKey (ID 1053) to the detector type enum and
follows TruffleHog's best practices for secret detection.

Key features:
- Context-aware pattern matching to reduce false positives
- Strict uppercase alphanumeric validation (26 characters after prefix)
- Deduplication of repeated keys
- Proper SecretParts population
- Rotation guide in ExtraData
- Support for both "octopus" and "X-Octopus-ApiKey" keywords

Pattern: API-[A-Z0-9]{26} with "octopus" or "x-octopus-apikey" context

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@asivaprasad09 asivaprasad09 requested a review from a team June 8, 2026 09:27
@asivaprasad09 asivaprasad09 requested review from a team as code owners June 8, 2026 09:27

cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.


name: "invalid pattern - wrong prefix",
input: `key = "AP1-ZNRMR7SL6L3ATMOIK7GKJDKLPY"`,
want: nil,
},


Invalid pattern tests lack keyword context, testing wrong thing

Low Severity

The three "invalid pattern" test cases (too short, lowercase characters, wrong prefix) don't contain "octopus" or "x-octopus-apikey" in their input. They pass because the keyword context is missing, not because the format validation rejects them. If someone later accidentally weakens the format regex (e.g., changing [A-Z0-9] to [A-Za-z0-9]), the "lowercase characters" test would still pass since it never actually exercises that validation path. Each invalid test input needs the keyword prefix to properly validate format rejection.

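The context-aware pattern from the PR's "Pattern Details" section and the test gap raised in the Bugbot comment above, illustrated by an added example that is not part of this PR or of TruffleHog's own detector code. It compiles the PR's regex in Go, assumes (not stated in the PR) that the context alternation is case-insensitive so the mixed-case header `X-Octopus-ApiKey` from the PR's own examples matches, and adds a hypothetical `ClassifyLine` helper that shows why a negative test without keyword context never reaches the format check. The sample input is constructed from the PR's example lines.

```go
package main

import (
	"fmt"
	"regexp"
)

// Context-aware pattern as given in the PR description. Assumption (not in the
// PR text): the context alternation is wrapped in (?i:...) so the mixed-case
// header "X-Octopus-ApiKey" from the PR's own examples matches; the key group
// stays case-sensitive, so a lowercase letter inside the key still fails.
var keyPat = regexp.MustCompile(`(?i:octopus|x-octopus-apikey).*\b(API-[A-Z0-9]{26})(?:['"|\n\r\s\x60;]|$)`)

// contextPat is the keyword requirement on its own. "x-octopus-apikey" already
// contains "octopus", so one case-insensitive word covers both keywords.
var contextPat = regexp.MustCompile(`(?i)octopus`)

// FindOctopusKeys returns the unique candidate keys in data, in order of first
// appearance (the deduplication the PR describes). Because "." does not cross
// newlines, keyword and key must share a line, which is what the pattern implies.
func FindOctopusKeys(data string) []string {
	seen := make(map[string]struct{})
	var keys []string
	for _, m := range keyPat.FindAllStringSubmatch(data, -1) {
		k := m[1]
		if _, dup := seen[k]; dup {
			continue
		}
		seen[k] = struct{}{}
		keys = append(keys, k)
	}
	return keys
}

// ClassifyLine (hypothetical helper) explains the detector outcome for one line
// of test input: "detected", "no-context" (keyword absent, so the format check
// never ran) or "bad-format" (keyword present, key rejected). A negative test
// whose input classifies as "no-context" does not exercise format validation,
// which is the gap the Bugbot comment points out.
func ClassifyLine(line string) string {
	if len(FindOctopusKeys(line)) > 0 {
		return "detected"
	}
	if !contextPat.MatchString(line) {
		return "no-context"
	}
	return "bad-format"
}

func main() {
	// Constructed sample file: the PR's "will detect" lines, one repeated key,
	// the no-context line, and the three malformed keys with context present.
	sample := "X-Octopus-ApiKey: API-ZNRMR7SL6L3ATMOIK7GKJDKLPY\n" +
		"OCTOPUS_API_KEY=\"API-7F1M9T3D5P7Q2W4R6Y8U0I2O4A\"\n" +
		"octopus_key: API-1A2B3C4D5E6F7G8H9I0J1K2L3M\n" +
		"X-Octopus-ApiKey: API-ZNRMR7SL6L3ATMOIK7GKJDKLPY\n" +
		"API_KEY=\"API-ZNRMR7SL6L3ATMOIK7GKJDKLPY\"\n" +
		"octopus key=\"API-ZNRMR7SL6L3ATMOIK7GkJDKLPY\"\n" +
		"octopus key=\"AP1-ZNRMR7SL6L3ATMOIK7GKJDKLPY\"\n" +
		"octopus key=\"API-ABC123\"\n"
	for _, k := range FindOctopusKeys(sample) {
		fmt.Println("found:", k) // the three distinct valid keys, once each
	}

	// The PR's existing negative test input versus the same input with context.
	for _, neg := range []string{
		`key = "AP1-ZNRMR7SL6L3ATMOIK7GKJDKLPY"`,
		`octopus key = "AP1-ZNRMR7SL6L3ATMOIK7GKJDKLPY"`,
	} {
		fmt.Printf("%-48q -> %s\n", neg, ClassifyLine(neg))
	}
}
```

Running it prints the three distinct valid keys once each (the repeated header line and the five rejected lines add nothing), and `ClassifyLine` reports `no-context` for the PR's current wrong-prefix test input but `bad-format` once the keyword is present, which is the change the Bugbot comment asks for.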
