Skip to content

feat(detectors): GCP, Azure, Twilio, SendGrid, OpenAI-style keys, and DB URL passwords#3

Merged
Ismail-Rhoulam merged 4 commits into
mainfrom
feat/cloud-detectors
Jul 12, 2026
Merged

feat(detectors): GCP, Azure, Twilio, SendGrid, OpenAI-style keys, and DB URL passwords#3
Ismail-Rhoulam merged 4 commits into
mainfrom
feat/cloud-detectors

Conversation

@Ismail-Rhoulam

Copy link
Copy Markdown
Owner

Summary

  • Adds detection for GCP API keys (AIza...) and service-account JSON (content marker + filename rule), Azure storage/Service Bus/Event Hub/IoT Hub connection string keys, Twilio API key SIDs, SendGrid API keys, OpenAI-style and Anthropic keys, and database URLs with inline passwords across Postgres/MySQL/MariaDB/MongoDB/Redis/AMQP/MSSQL.
  • Closes the specific gap requested: GCP service-account keys, Azure connection strings, Twilio/SendGrid/OpenAI-style keys, and DB URLs with inline passwords.
  • An adversarial multi-agent review pass caught and fixed 3 real coverage gaps (SQLAlchemy +driver / Rails mysql2:// schemes, empty-username Redis/Mongo URLs, Azure SharedAccessKey=) and 2 false positives (the well-known public Azurite dev key, and the bare GCP service-account JSON marker firing on docs snippets without a private key nearby).
  • README's "What it detects" and "Honest limitations" sections updated accordingly, including a documented, deliberate tradeoff: any non-placeholder DB password is flagged regardless of strength (a weak credential is still a working one).

Test plan

  • pytest: 186 passed (30 new tests covering positive/negative cases for every new detector, plus regression tests for each fixed gap)
  • Self-scan (ctxguard scan .) returns findings only under tests/fixtures/, zero elsewhere
  • ruff check clean on all changed files
  • Manually verified each fix empirically (SQLAlchemy dialect+driver URLs, mysql2://, redis://:pw@host, Azure SharedAccessKey=, Azurite dev key exclusion, GCP marker tightening) before and after

…RL patterns

New high-confidence detectors: GCP API keys (AIza...) and service-account
JSON content markers, Azure storage AccountKey values, Twilio API key SIDs,
SendGrid keys, OpenAI-style sk-/sk-proj- keys, Anthropic sk-ant- keys, and
database URLs with inline passwords (postgres, mysql, mariadb, mongodb,
redis, amqp, mssql). Placeholder rejection extended (pass, pwd, 123456).
Fixtures and positive/negative tests for each; fixture totals now 27
findings across 15 files.
Brace-wrapped template values (postgres://u:{password}@h) and bare shell
variable references (:$PGPASSWORD@) are interpolation placeholders, not
credentials; the DB URL detector was flagging them.
Confirmed by review workflow, verified empirically before and after:

- database_url_password missed SQLAlchemy dialect+driver schemes
  (postgresql+psycopg2://, mysql+pymysql://, mssql+pyodbc://) and Rails'
  mysql2://; scheme alternation now accepts an optional +driver suffix.
- database_url_password missed empty-username URLs (redis://:pw@host),
  the canonical Redis/Mongo auth form; username segment now optional.
- azure_storage_account_key missed SharedAccessKey= (Service Bus, Event
  Hubs, IoT Hub connection strings use this instead of AccountKey=).

Also fixed two false positives surfaced during manual verification:

- The well-known, publicly documented Azurite/Storage-Emulator default
  key is now excluded via is_placeholder() (shared, so every detector
  respects it, not just the one whose regex happens to capture it -
  AccountKey also matches the generic env_assignment name filter).
- gcp_service_account no longer fires on the bare type marker alone
  (common in docs/example snippets); now requires private_key evidence
  nearby, which every real service-account credential file has.

README honest-limitations section documents the remaining deliberate
tradeoffs: any non-placeholder DB password is flagged regardless of
strength, and GCP API keys are flagged even though some (Firebase web
config) are meant to be client-visible.
@Ismail-Rhoulam
Ismail-Rhoulam merged commit d548ad4 into main Jul 12, 2026
5 checks passed
@Ismail-Rhoulam
Ismail-Rhoulam deleted the feat/cloud-detectors branch July 12, 2026 16:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant