Skip to content

V2 detector for confluent #4489

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 4 commits into
base: main
Choose a base branch
from
Draft

V2 detector for confluent #4489

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
d230450
changes to confluent detector for new secret pattern
ap00rv Sep 5, 2025
0a3e20d
add versioned confluent detectors to defaults.go
ap00rv Oct 7, 2025
8329c67
add confluent API key detection in V2 detector
ap00rv Oct 8, 2025
568ea89
fix regex for API key in V2 detector
ap00rv Oct 9, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions pkg/detectors/confluent/confluent.go β†’ pkg/detectors/confluent/v1/confluent.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,8 @@ func (s Scanner) Keywords() []string {
return []string{"confluent"}
}

func (s Scanner) Version() int { return 1 }

// FromData will find and optionally verify Confluent secrets in a given set of bytes.
func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) {
dataStr := string(data)
Expand All @@ -52,6 +54,10 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
DetectorType: detectorspb.DetectorType_Confluent,
Raw: []byte(resMatch),
RawV2: []byte(resMatch + resSecret),
ExtraData: map[string]string{
"rotation_guide": "https://docs.confluent.io/cloud/current/security/authenticate/workload-identities/service-accounts/api-keys/best-practices-api-keys.html#rotate-api-keys-regularly",
"version": fmt.Sprintf("%d", s.Version()),
},
}

if verify {
Expand Down
0 ...s/confluent/confluent_integration_test.go β†’ ...onfluent/v1/confluent_integration_test.go
View file
Open in desktop
File renamed without changes.
0 pkg/detectors/confluent/confluent_test.go β†’ pkg/detectors/confluent/v1/confluent_test.go
View file
Open in desktop
File renamed without changes.
118 changes: 118 additions & 0 deletions pkg/detectors/confluent/v2/confluent.go
View file
Open in desktop
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

According to this, we must send the API key in an Authorization: Basic {credentials} header, which requires us to provide the credentials as the API key ID and associated API secret separated by a colon and encoded using Base64 format.

So my question is, how useful is this API secret alone without an API key ID? I get that we can detect and potentially verify the API secret using your new implementation, but can an API secret alone be exploited if leaked?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

good point ! API secret cannot be exploited without the corresponding API key.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added API key detection in V2, similar to V1. Sorry about that.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the update. I am not saying this is wrong but I do have some concerns regarding the way we are verifying the secrets. Right now, we are detecting keys and secrets, but we are verifying only secrets, instead of verifying a pair of key and secret.

For example, I copied the secret you have added in the test file and pasted in a file, and added a fake api key "0123456789ABCDEF", and ran a scan and the detector is showing this finding as a verified secret. However, this is a fake pair of secret and if this pair of API key and secret is leaked, they are worthless(correct me if I am wrong here).

So maybe we should switch to the API-based verification. I am open to suggestions here but just giving you the idea of how we detect and verify secrets in the detectors.

I am attaching the screenshot of the scan result where the incorrect API key is shown as verified.

Image

Copy link
Contributor Author

@ap00rv ap00rv Oct 9, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is no way to accurately verify confluent secrets via API (for both V1 and V2) . V2 secrets don't need API verification since they have CRC32 checksum appended. But, I have added API key + secret detection for V2 (instead of just secrets detection). More context in the issue : #4490

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added API key detection in V2, similar to V1. Sorry about that.

Thanks for adding the API Key ID detection, however, I do not see the API Key ID actually being used in the verification part. The reason I asked for the addition of API Key ID here was because in order to verify a confluent API Key, we need both the API key ID and the associated API Secret as mentioned in the docs.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here is another example. I have created the following secret using a Python script:

confluent_key=ABCDEF1234567890
confluent_secret: cfltAsBrY8jb/2fxvr4eyerR8Cel/PnpFSuWfn5Y3Rfzgg70rfKOczuFrmk3LUYA

Both of these are fake, yet they were able to bypass the checksum-based validation, and the detector marked them as a verified result.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @shahzadhaider1 , The test secret you shared in the last comment has a valid checksum. That is why it's passing the check. However, I think we can rely on this checksum based mechanism because of the following reasons :

  • the new pattern for Confluent Secrets is very specific and it's unlikely that random strings will match this pattern, especially due to the CRC32 checksum being appended at the end.
  • If the secret is present in text and valid, then it is very likely that a valid Confluent key pattern (16 bytes of uppercase characters or numbers only) is also present in the nearby text, in which case we can consider it the key+secret pair as valid. for the key pattern, we are using \b which will ensure that the key pattern only matches complete words and not random characters.

I think the above checks are sufficient to eliminate FPs in real world. Please let me know your thoughts. Thanks !

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@shahzadhaider1 please let me know if you agree my last comment in this thread. Thanks !

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

after some internal discussion, I have decided to convert this to a draft. we are thinking about how we can accurately perform validation on different types of API keys. Thanks a lot for your inputs.

Original file line number Diff line number Diff line change
@@ -0,0 +1,118 @@
package confluent

import (
"context"
b64 "encoding/base64"
"fmt"
"hash/crc32"
"strings"

regexp "github.com/wasilibs/go-re2"

"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
)

type Scanner struct {
detectors.DefaultMultiPartCredentialProvider
}

// Ensure the Scanner satisfies the interface at compile time.
var _ detectors.Detector = (*Scanner)(nil)

var (
keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"confluent"}) + `\b([A-Z0-9]{16})\b`)
// Match cflt prefix followed by 60 characters consisting of A-Z, a-z, 0-9, + or /
//See https://docs.confluent.io/cloud/current/security/authenticate/workload-identities/service-accounts/api-keys/overview.html#api-secret-format
secretPat = regexp.MustCompile(`\b(cflt[A-Za-z0-9+/]{60})\b`)
)

// Keywords are used for efficiently pre-filtering chunks.
// Use identifiers in the secret preferably, or the provider name.
func (s Scanner) Keywords() []string {
return []string{"cflt"}
}

func (s Scanner) Version() int { return 2 }

// FromData will find and optionally verify Confluent secrets in a given set of bytes.
func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) {
dataStr := string(data)

matches := keyPat.FindAllStringSubmatch(dataStr, -1)
secretMatches := secretPat.FindAllStringSubmatch(dataStr, -1)

for _, match := range matches {
resMatch := strings.TrimSpace(match[1])

for _, match := range secretMatches {
resSecret := strings.TrimSpace(match[1]) // Use index 1 for the captured group

s1 := detectors.Result{
DetectorType: detectorspb.DetectorType_Confluent,
Raw: []byte(resMatch),
RawV2: []byte(resMatch + resSecret),
ExtraData: map[string]string{
"rotation_guide": "https://docs.confluent.io/cloud/current/security/authenticate/workload-identities/service-accounts/api-keys/best-practices-api-keys.html#rotate-api-keys-regularly",
"version": fmt.Sprintf("%d", s.Version()),
},
}

if verify {
s1.Verified = verifyConfluentSecret(resSecret)
}

results = append(results, s1)
}
}

return results, nil
}

// verifyConfluentSecret verifies the Confluent secret by checking the CRC32 checksum
func verifyConfluentSecret(secret string) bool {
if len(secret) != 64 { // cflt + 60 characters
return false
}

if !strings.HasPrefix(secret, "cflt") {
return false
}

// Extract the first 54 characters after 'cflt' prefix (58 total - 4 for cflt)
payload := secret[4:58] // Characters 5-58 (54 characters)

// Extract the last 6 characters as the checksum
checksumEncoded := secret[58:64]

// Decode the checksum from base64
checksumBytes, err := b64.StdEncoding.DecodeString(checksumEncoded + "==") // Add padding if needed
if err != nil {
// Try without padding
checksumBytes, err = b64.StdEncoding.DecodeString(checksumEncoded)
if err != nil {
return false
}
}

if len(checksumBytes) < 4 {
return false
}

// Calculate CRC32 checksum of the payload
expectedChecksum := crc32.ChecksumIEEE([]byte(payload))

// Convert received checksum bytes to uint32 (little endian to match the encoding)
receivedChecksum := uint32(checksumBytes[3])<<24 | uint32(checksumBytes[2])<<16 |
uint32(checksumBytes[1])<<8 | uint32(checksumBytes[0])

return expectedChecksum == receivedChecksum
}

func (s Scanner) Type() detectorspb.DetectorType {
return detectorspb.DetectorType_Confluent
}

func (s Scanner) Description() string {
return "Confluent provides a streaming platform based on Apache Kafka to help companies harness their data in real-time. Confluent Cloud API keys can be used to access and manage Confluent Cloud control plane APIs and resources."
}
123 changes: 123 additions & 0 deletions pkg/detectors/confluent/v2/confluent_integration_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,123 @@
//go:build detectors
// +build detectors

package confluent

import (
"context"
"fmt"
"testing"

"github.com/kylelemons/godebug/pretty"
"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"

"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
)

func TestConfluent_FromChunk(t *testing.T) {
// Valid secret with proper CRC32 checksum
validSecret := "cfltT8d8RzkNseTMEDKcjNM1BZTFPHqRn/dQm9q7w6SjzZ12wZfwjaJdipHZtDjw"
// Invalid secret with wrong checksum
invalidSecret := "cfltT8d8RzkNseTMEDKcjNM1BZTFPHqRn/dQm9q7w6SjzZ12wZfwjaJdipHZtDje"
key := "JSAOOCIC74SGECCP"

type args struct {
ctx context.Context
data []byte
verify bool
}
tests := []struct {
name string
s Scanner
args args
want []detectors.Result
wantErr bool
}{
{
name: "found, verified",
s: Scanner{},
args: args{
ctx: context.Background(),
data: []byte(fmt.Sprintf("You can find a confluent secret %s with key %s", validSecret, key)),
verify: true,
},
want: []detectors.Result{
{
DetectorType: detectorspb.DetectorType_Confluent,
Verified: true,
ExtraData: map[string]string{
"rotation_guide": "https://docs.confluent.io/cloud/current/security/authenticate/workload-identities/service-accounts/api-keys/best-practices-api-keys.html#rotate-api-keys-regularly",
"version": "2",
},
},
},
wantErr: false,
},
{
name: "found, unverified",
s: Scanner{},
args: args{
ctx: context.Background(),
data: []byte(fmt.Sprintf("You can find a confluent secret %s with %s key but not valid", invalidSecret, key)), // the secret would satisfy the regex but not pass validation
verify: true,
},
want: []detectors.Result{
{
DetectorType: detectorspb.DetectorType_Confluent,
Verified: false,
ExtraData: map[string]string{
"rotation_guide": "https://docs.confluent.io/cloud/current/security/authenticate/workload-identities/service-accounts/api-keys/best-practices-api-keys.html#rotate-api-keys-regularly",
"version": "2",
},
},
},
wantErr: false,
},
{
name: "not found",
s: Scanner{},
args: args{
ctx: context.Background(),
data: []byte("You cannot find the secret within"),
verify: true,
},
want: nil,
wantErr: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := Scanner{}
got, err := s.FromData(tt.args.ctx, tt.args.verify, tt.args.data)
if (err != nil) != tt.wantErr {
t.Errorf("Confluent.FromData() error = %v, wantErr %v", err, tt.wantErr)
return
}
for i := range got {
if len(got[i].Raw) == 0 {
t.Fatalf("no raw secret present: \n %+v", got[i])
}
got[i].Raw = nil
}
if diff := pretty.Compare(got, tt.want); diff != "" {
t.Errorf("Confluent.FromData() %s diff: (-got +want)\n%s", tt.name, diff)
}
})
}
}

func BenchmarkFromData(benchmark *testing.B) {
ctx := context.Background()
s := Scanner{}
for name, data := range detectors.MustGetBenchmarkData() {
benchmark.Run(name, func(b *testing.B) {
b.ResetTimer()
for n := 0; n < b.N; n++ {
_, err := s.FromData(ctx, false, data)
if err != nil {
b.Fatal(err)
}
}
})
}
}
87 changes: 87 additions & 0 deletions pkg/detectors/confluent/v2/confluent_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,87 @@
package confluent

import (
"context"
"testing"

"github.com/google/go-cmp/cmp"

"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
"github.com/trufflesecurity/trufflehog/v3/pkg/engine/ahocorasick"
)

var (
validPattern = `
=== Confluent Cloud API key ===

API key:
JSAOOCIC74SGECCP

API secret:
cfltT8d8RzkNseTMEDKcjNM1BZTFPHqRn/dQm9q7w6SjzZ12wZfwjaJdipHZtDjw

Resource scope:
Cloud resource management

`
secret = "JSAOOCIC74SGECCPcfltT8d8RzkNseTMEDKcjNM1BZTFPHqRn/dQm9q7w6SjzZ12wZfwjaJdipHZtDjw"
)

func TestConfluent_Pattern(t *testing.T) {
d := Scanner{}
ahoCorasickCore := ahocorasick.NewAhoCorasickCore([]detectors.Detector{d})

tests := []struct {
name string
input string
want []string
}{
{
name: "valid pattern",
input: validPattern,
want: []string{secret},
},
}

for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
matchedDetectors := ahoCorasickCore.FindDetectorMatches([]byte(test.input))
if len(matchedDetectors) == 0 {
t.Errorf("keywords '%v' not matched by: %s", d.Keywords(), test.input)
return
}

results, err := d.FromData(context.Background(), false, []byte(test.input))
if err != nil {
t.Errorf("error = %v", err)
return
}

if len(results) != len(test.want) {
if len(results) == 0 {
t.Errorf("did not receive result")
} else {
t.Errorf("expected %d results, only received %d", len(test.want), len(results))
}
return
}

actual := make(map[string]struct{}, len(results))
for _, r := range results {
if len(r.RawV2) > 0 {
actual[string(r.RawV2)] = struct{}{}
} else {
actual[string(r.Raw)] = struct{}{}
}
}
expected := make(map[string]struct{}, len(test.want))
for _, v := range test.want {
expected[v] = struct{}{}
}

if diff := cmp.Diff(expected, actual); diff != "" {
t.Errorf("%s diff: (-want +got)\n%s", test.name, diff)
}
})
}
}
6 changes: 4 additions & 2 deletions pkg/engine/defaults/defaults.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -183,7 +183,8 @@ import (
"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/commercejs"
"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/commodities"
"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/companyhub"
"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/confluent"
confluentv1 "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/confluent/v1"
confluentv2 "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/confluent/v2"
"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/contentfulpersonalaccesstoken"
"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/conversiontools"
"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/convertapi"
Expand Down Expand Up @@ -1047,7 +1048,8 @@ func buildDetectorList() []detectors.Detector {
&commercejs.Scanner{},
&commodities.Scanner{},
&companyhub.Scanner{},
&confluent.Scanner{},
&confluentv1.Scanner{},
&confluentv2.Scanner{},
&contentfulpersonalaccesstoken.Scanner{},
&conversiontools.Scanner{},
&convertapi.Scanner{},
Expand Down