feat(detectors): GCP, Azure, Twilio, SendGrid, OpenAI-style keys, and DB URL passwords#3
Merged
Merged
Conversation
…RL patterns New high-confidence detectors: GCP API keys (AIza...) and service-account JSON content markers, Azure storage AccountKey values, Twilio API key SIDs, SendGrid keys, OpenAI-style sk-/sk-proj- keys, Anthropic sk-ant- keys, and database URLs with inline passwords (postgres, mysql, mariadb, mongodb, redis, amqp, mssql). Placeholder rejection extended (pass, pwd, 123456). Fixtures and positive/negative tests for each; fixture totals now 27 findings across 15 files.
Brace-wrapped template values (postgres://u:{password}@h) and bare shell
variable references (:$PGPASSWORD@) are interpolation placeholders, not
credentials; the DB URL detector was flagging them.
Confirmed by review workflow, verified empirically before and after: - database_url_password missed SQLAlchemy dialect+driver schemes (postgresql+psycopg2://, mysql+pymysql://, mssql+pyodbc://) and Rails' mysql2://; scheme alternation now accepts an optional +driver suffix. - database_url_password missed empty-username URLs (redis://:pw@host), the canonical Redis/Mongo auth form; username segment now optional. - azure_storage_account_key missed SharedAccessKey= (Service Bus, Event Hubs, IoT Hub connection strings use this instead of AccountKey=). Also fixed two false positives surfaced during manual verification: - The well-known, publicly documented Azurite/Storage-Emulator default key is now excluded via is_placeholder() (shared, so every detector respects it, not just the one whose regex happens to capture it - AccountKey also matches the generic env_assignment name filter). - gcp_service_account no longer fires on the bare type marker alone (common in docs/example snippets); now requires private_key evidence nearby, which every real service-account credential file has. README honest-limitations section documents the remaining deliberate tradeoffs: any non-placeholder DB password is flagged regardless of strength, and GCP API keys are flagged even though some (Firebase web config) are meant to be client-visible.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
AIza...) and service-account JSON (content marker + filename rule), Azure storage/Service Bus/Event Hub/IoT Hub connection string keys, Twilio API key SIDs, SendGrid API keys, OpenAI-style and Anthropic keys, and database URLs with inline passwords across Postgres/MySQL/MariaDB/MongoDB/Redis/AMQP/MSSQL.+driver/ Railsmysql2://schemes, empty-username Redis/Mongo URLs, AzureSharedAccessKey=) and 2 false positives (the well-known public Azurite dev key, and the bare GCP service-account JSON marker firing on docs snippets without a private key nearby).Test plan
pytest: 186 passed (30 new tests covering positive/negative cases for every new detector, plus regression tests for each fixed gap)ctxguard scan .) returns findings only undertests/fixtures/, zero elsewhereruff checkclean on all changed filesmysql2://,redis://:pw@host, AzureSharedAccessKey=, Azurite dev key exclusion, GCP marker tightening) before and after