add confluent API key detection in V2 detector

Author: ap00rv

pkg/detectors/confluent/v1/confluent.go

@@ -35,7 +35,7 @@ func (s Scanner) Keywords() []string {
 	return []string{"confluent"}
 }
 
-func (Scanner) Version() int { return 1 }
+func (s Scanner) Version() int { return 1 }
 
 // FromData will find and optionally verify Confluent secrets in a given set of bytes.
 func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) {

pkg/detectors/confluent/v2/confluent.go

@@ -21,9 +21,10 @@ type Scanner struct {
 var _ detectors.Detector = (*Scanner)(nil)
 
 var (
+	keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"confluent"}) + `\b([a-zA-Z0-9]{16})\b`)
 	// Match cflt prefix followed by 60 characters consisting of A-Z, a-z, 0-9, + or /
 	//See https://docs.confluent.io/cloud/current/security/authenticate/workload-identities/service-accounts/api-keys/overview.html#api-secret-format
-	secretPat = regexp.MustCompile(detectors.PrefixRegex([]string{"Confluent"}) + `\b(cflt[A-Za-z0-9+/]{60})\b`)
+	secretPat = regexp.MustCompile(`\b(cflt[A-Za-z0-9+/]{60})\b`)
 )
 
 // Keywords are used for efficiently pre-filtering chunks.
@@ -32,31 +33,37 @@ func (s Scanner) Keywords() []string {
 	return []string{"cflt"}
 }
 
-func (Scanner) Version() int { return 2 }
+func (s Scanner) Version() int { return 2 }
 
 // FromData will find and optionally verify Confluent secrets in a given set of bytes.
 func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) {
 	dataStr := string(data)
 
+	matches := keyPat.FindAllStringSubmatch(dataStr, -1)
 	secretMatches := secretPat.FindAllStringSubmatch(dataStr, -1)
 
-	for _, match := range secretMatches {
-		resSecret := strings.TrimSpace(match[1]) // Use index 1 for the captured group
+	for _, match := range matches {
+		resMatch := strings.TrimSpace(match[1])
 
-		s1 := detectors.Result{
-			DetectorType: detectorspb.DetectorType_Confluent,
-			Raw:          []byte(resSecret),
-			ExtraData: map[string]string{
-				"rotation_guide": "https://docs.confluent.io/cloud/current/security/authenticate/workload-identities/service-accounts/api-keys/best-practices-api-keys.html#rotate-api-keys-regularly",
-				"version":        fmt.Sprintf("%d", s.Version()),
-			},
-		}
+		for _, match := range secretMatches {
+			resSecret := strings.TrimSpace(match[1]) // Use index 1 for the captured group
 
-		if verify {
-			s1.Verified = verifyConfluentSecret(resSecret)
-		}
+			s1 := detectors.Result{
+				DetectorType: detectorspb.DetectorType_Confluent,
+				Raw:          []byte(resMatch),
+				RawV2:        []byte(resMatch + resSecret),
+				ExtraData: map[string]string{
+					"rotation_guide": "https://docs.confluent.io/cloud/current/security/authenticate/workload-identities/service-accounts/api-keys/best-practices-api-keys.html#rotate-api-keys-regularly",
+					"version":        fmt.Sprintf("%d", s.Version()),
+				},
+			}
 
-		results = append(results, s1)
+			if verify {
+				s1.Verified = verifyConfluentSecret(resSecret)
+			}
+
+			results = append(results, s1)
+		}
 	}
 
 	return results, nil

pkg/detectors/confluent/v2/confluent_integration_test.go

@@ -18,7 +18,8 @@ func TestConfluent_FromChunk(t *testing.T) {
 	// Valid secret with proper CRC32 checksum
 	validSecret := "cfltT8d8RzkNseTMEDKcjNM1BZTFPHqRn/dQm9q7w6SjzZ12wZfwjaJdipHZtDjw"
 	// Invalid secret with wrong checksum
-	invalidSecret := "cfltT8d8RzkNseTMEDKcjNM1BZTFPHqRn/dQm9q7w6SjzZ12wZfwjaJdipHZtDji"
+	invalidSecret := "cfltT8d8RzkNseTMEDKcjNM1BZTFPHqRn/dQm9q7w6SjzZ12wZfwjaJdipHZtDje"
+	key := "JSAOOCIC74SGECCP"
 
 	type args struct {
 		ctx    context.Context
@@ -37,7 +38,7 @@ func TestConfluent_FromChunk(t *testing.T) {
 			s:    Scanner{},
 			args: args{
 				ctx:    context.Background(),
-				data:   []byte(fmt.Sprintf("You can find a confluent secret %s", validSecret)),
+				data:   []byte(fmt.Sprintf("You can find a confluent secret %s with key %s", validSecret, key)),
 				verify: true,
 			},
 			want: []detectors.Result{
@@ -57,7 +58,7 @@ func TestConfluent_FromChunk(t *testing.T) {
 			s:    Scanner{},
 			args: args{
 				ctx:    context.Background(),
-				data:   []byte(fmt.Sprintf("You can find a confluent secret %s but not valid", invalidSecret)), // the secret would satisfy the regex but not pass validation
+				data:   []byte(fmt.Sprintf("You can find a confluent secret %s with %s key but not valid", invalidSecret, key)), // the secret would satisfy the regex but not pass validation
 				verify: true,
 			},
 			want: []detectors.Result{

pkg/detectors/confluent/v2/confluent_test.go

@@ -12,24 +12,19 @@ import (
 
 var (
 	validPattern = `
-		# Configuration File: config.yaml
-		database:
-			host: $DB_HOST
-			port: $DB_PORT
-			username: $DB_USERNAME
-			password: $DB_PASS  # IMPORTANT: Do not share this password publicly
+		=== Confluent Cloud API key ===
 
-		api:
-			auth_type: "Basic"
-			in: "Header"
-			confluent_secret: "cfltT8d8RzkNseTMEDKcjNM1BZTFPHqRn/dQm9q7w6SjzZ12wZfwjaJdipj0ObHQ"
-			base_url: "https://api.example.com/v1/user"
+		API key:
+		JSAOOCIC74SGECCP
+
+		API secret:
+		cfltT8d8RzkNseTMEDKcjNM1BZTFPHqRn/dQm9q7w6SjzZ12wZfwjaJdipHZtDjw
+
+		Resource scope:
+		Cloud resource management
 
-		# Notes:
-		# - Remember to rotate the secret every 90 days.
-		# - The above credentials should only be used in a secure environment.
 	`
-	secret = "cfltT8d8RzkNseTMEDKcjNM1BZTFPHqRn/dQm9q7w6SjzZ12wZfwjaJdipj0ObHQ"
+	secret = "JSAOOCIC74SGECCPcfltT8d8RzkNseTMEDKcjNM1BZTFPHqRn/dQm9q7w6SjzZ12wZfwjaJdipHZtDjw"
 )
 
 func TestConfluent_Pattern(t *testing.T) {