veles: add SendGrid API key detector and validator #1654
Add a new Veles secret detector for Twilio SendGrid API keys.

SendGrid API keys have a distinctive format:
- Prefix: SG.
- Total length: 69 characters
- Structure: SG.<22 chars key_id>.<43 chars key_secret>

Detector:
- Uses a regex pattern to match the SendGrid API key format
- Implements the veles.Detector interface via simpletoken.Detector

Validator:
- Validates keys against SendGrid's /v3/user/account endpoint
- 200 OK or 403 Forbidden -> valid key (exists and active)
- 401 Unauthorized -> invalid key (expired/revoked)
- Uses Bearer token authentication

Tests include:
- True positive cases (valid key formats)
- True negative cases (invalid formats, wrong prefix, etc.)
- Validator HTTP response handling
- Context cancellation handling
- Authorization header verification
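The detector and validator semantics described in the PR, as an added Go example that is not the PR's code and does not use the osv-scalibr veles/simpletoken API. The character class [A-Za-z0-9_-] for the key id and secret, the endpoint argument, and the test key are assumptions; the PR states only the prefix, the two segment lengths, the Bearer header, and the status-code mapping (200/403 valid, 401 invalid).

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// keyRe matches the shape described in the PR:
// "SG." + 22-char key id + "." + 43-char key secret (69 chars total).
// The character class is an assumption; the PR only gives the lengths.
// No trailing word boundary is used because "-" is not a word character.
var keyRe = regexp.MustCompile(`SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}`)

// Detect returns every candidate SendGrid key found in content.
func Detect(content []byte) []string {
	matches := keyRe.FindAll(content, -1)
	out := make([]string, 0, len(matches))
	for _, m := range matches {
		out = append(out, string(m))
	}
	return out
}

// Status is the outcome of validating one candidate key.
type Status int

const (
	Unknown Status = iota // transport error or unexpected HTTP status
	Valid                 // 200 or 403: key exists and is active
	Invalid               // 401: key expired or revoked
)

func (s Status) String() string {
	switch s {
	case Valid:
		return "valid"
	case Invalid:
		return "invalid"
	}
	return "unknown"
}

// classify maps an HTTP status code to the PR's validity semantics.
func classify(code int) Status {
	switch code {
	case http.StatusOK, http.StatusForbidden:
		return Valid
	case http.StatusUnauthorized:
		return Invalid
	default:
		return Unknown
	}
}

// Validate sends a GET to endpoint (the PR uses SendGrid's /v3/user/account)
// with the key as a Bearer token. The context lets the caller cancel the
// request; a cancelled context surfaces as an error with Status Unknown.
func Validate(ctx context.Context, client *http.Client, endpoint, key string) (Status, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint, nil)
	if err != nil {
		return Unknown, err
	}
	req.Header.Set("Authorization", "Bearer "+key)
	resp, err := client.Do(req)
	if err != nil {
		return Unknown, err
	}
	defer resp.Body.Close()
	return classify(resp.StatusCode), nil
}

func main() {
	// Constructed key in the documented shape; not a real credential.
	key := "SG." + strings.Repeat("a", 22) + "." + strings.Repeat("b", 43)
	found := Detect([]byte("SENDGRID_API_KEY=" + key + "\nother=SG.tooshort\n"))
	fmt.Printf("%d candidate(s) found, length %d\n", len(found), len(found[0]))
	for _, code := range []int{200, 401, 403, 500} {
		fmt.Printf("HTTP %d -> %v\n", code, classify(code))
	}
}
```

Detect and Validate are kept separate so a scanner can run detection offline and only send the network request when validation is explicitly enabled; the status mapping lives in classify so it can be unit-tested without a server.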
Force-pushed from fe0f05d to b86518a.
- Add sendgrid.NewDetector() to SecretDetectors in extractor/filesystem/list/list.go
- Add sendgrid.NewValidator() to SecretsValidate in enricher/enricherlist/list.go

This ensures the SendGrid detector is discoverable as a SCALIBR plugin and can be enabled via the --plugins=secrets/sendgrid flag.
erikvarga left a comment:
Looks like some tests are failing (I think the modified scan_result.pb.go wasn't uploaded)
Review comment on these lines:

```go
// These are NOT real keys and will not work with the SendGrid API.
// They follow the correct format: SG.<22 chars>.<43 chars> = 69 total characters.
var testSendGridAPIKey = "SG." + strings.Repeat("a", 22) + "." + strings.Repeat("b", 43)
var testSendGridAPIKey2 = "SG." + strings.Repeat("X", 22) + "." + strings.Repeat("Y", 43)
```
Let's have the keys be spelled out completely to make them more easily copy-pasteable if someone wants a test secret.
If the change to strings.Repeat was added because GitHub's secret detector complained about the commits, you can disable them in your fork repo: https://docs.github.com/en/code-security/how-tos/secure-your-secrets/detect-secret-leaks/enabling-secret-scanning-for-your-repository?learn=secret_scanning&learnProduct=code-security#enabling-secret-scanning-alerts-for-users
In the main osv-scalibr repo we already have them disabled for everything inside the veles/ directory.
- Add acceptance tests using velestest.AcceptDetector
- Remove unused methods (SecretType, Provider, String) and their tests
- Add proto support (scan_result.proto message, secret.go conversion)
- Clarify 403 response handling in validator comment
- Remove duplicate TestValidator_InvalidRequest test
Force-pushed from 5efc991 to 3661d47.
- Add package comment to validator.go (ST1000)
- Fix unchecked error in validator_test.go (errcheck)
- Regenerate scan_result.pb.go with SendGridAPIKey types
@erikvarga All feedback addressed. Ready for review when you get a chance. Thanks!