Conversation

kashifkhan0771
Contributor

@kashifkhan0771 kashifkhan0771 commented Aug 21, 2025

Description:

This PR adds support for validation rules in custom detectors to reduce false positives.

Problem:
Go's RE2 regex engine lacks support for lookahead assertions (e.g., (?=.*[0-9])), making it impossible to validate that detected secrets contain specific character types like digits, uppercase letters, or special characters. This limitation often leads to false positives when detecting API keys, passwords, and tokens that should follow specific rules.

Solution:
Added a new validations field to the Custom detector configuration that supports the following validation types:

  • contains_digit: Requires at least one numeric digit (0-9)
  • contains_lowercase: Requires at least one lowercase letter (a-z)
  • contains_uppercase: Requires at least one uppercase letter (A-Z)
  • contains_special_char: Requires at least one special character

Example Usage:

detectors:
  - name: API Key Detector
    keywords:
      - api_key
    regex:
      key: ([A-Za-z0-9]{32,})
    validations:
      key:
        contains_digit: true
        contains_uppercase: true
        contains_special_char: true

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)?

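The following is an added example, not code from this PR or from trufflehog itself, showing the mechanism the description relies on: Go's regexp package rejects a lookahead such as (?=.*[0-9]) outright, so the character-class requirements have to be enforced as a post-match step keyed by capture-group name, exactly as the `validations: key:` block in the config above suggests. The `Validations` type, the `FindValidated` function, the definition of "special character" as any Unicode punctuation or symbol, and the sample text are all assumptions of this example, not the project's own types or behaviour.

```go
package main

import (
	"fmt"
	"regexp"
	"unicode"
)

// Validations holds the four rule types described in the PR. The type and
// field names are assumptions for this example, not the project's own code.
type Validations struct {
	ContainsDigit       bool
	ContainsLowercase   bool
	ContainsUppercase   bool
	ContainsSpecialChar bool
}

// Passes reports whether candidate satisfies every enabled rule. A single
// pass over the runes replaces the lookaheads RE2 cannot express.
func (v Validations) Passes(candidate string) bool {
	var digit, lower, upper, special bool
	for _, r := range candidate {
		switch {
		case unicode.IsDigit(r):
			digit = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			// "Special character" is taken to mean punctuation or symbol;
			// the PR does not define the exact set, so this is an assumption.
			special = true
		}
	}
	return (!v.ContainsDigit || digit) &&
		(!v.ContainsLowercase || lower) &&
		(!v.ContainsUppercase || upper) &&
		(!v.ContainsSpecialChar || special)
}

// FindValidated compiles an RE2 pattern, runs it over text and returns only
// the full matches whose named capture groups all pass the rules keyed by
// group name, mirroring the config's validations-per-group layout.
func FindValidated(pattern string, rules map[string]Validations, text string) ([]string, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return nil, err
	}
	names := re.SubexpNames()
	var kept []string
	for _, m := range re.FindAllStringSubmatch(text, -1) {
		ok := true
		for i, name := range names {
			if i == 0 || name == "" {
				continue
			}
			if v, has := rules[name]; has && !v.Passes(m[i]) {
				ok = false
				break
			}
		}
		if ok {
			kept = append(kept, m[0])
		}
	}
	return kept, nil
}

// LookaheadCompiles reports whether Go's regexp accepts pattern; it shows
// that a lookahead such as (?=.*[0-9]) is rejected by RE2.
func LookaheadCompiles(pattern string) bool {
	_, err := regexp.Compile(pattern)
	return err == nil
}

// SampleText is constructed input for this example, not real credentials.
const SampleText = `api_key = "abcdefghijklmnopqrstuvwxyzabcdef"
api_key = "Abc123DEF456ghi789JKL012mno345PQ"
api_key = "ABCDEFGHIJKLMNOPQRSTUVWXYZ123456"
`

// Pattern is the PR's example regex with the group named so rules can key on it.
const Pattern = `(?P<key>[A-Za-z0-9]{32,})`

func main() {
	fmt.Println("lookahead accepted by RE2:", LookaheadCompiles(`(?=.*[0-9])[A-Za-z0-9]{32,}`))

	rules := map[string]Validations{"key": {ContainsDigit: true, ContainsUppercase: true}}
	matches, err := FindValidated(Pattern, rules, SampleText)
	if err != nil {
		panic(err)
	}
	fmt.Println("digit+uppercase:", matches)

	// The PR's example config also sets contains_special_char, but its class
	// [A-Za-z0-9] can never capture one, so every match would be discarded.
	rules["key"] = Validations{ContainsDigit: true, ContainsUppercase: true, ContainsSpecialChar: true}
	matches, _ = FindValidated(Pattern, rules, SampleText)
	fmt.Println("with special char rule:", matches)
}
```

One caveat worth checking in any real config: a validation can only pass if the regex's character class is able to capture the required character type. With the example regex above, `contains_special_char: true` is unsatisfiable and silently turns the detector into one that never fires, so widen the class (for example to `[A-Za-z0-9!@#$%^&*_-]`) when you enable that rule.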
@kashifkhan0771 kashifkhan0771 requested review from a team as code owners August 21, 2025 11:42
@kashifkhan0771 kashifkhan0771 self-assigned this Aug 21, 2025
@kashifkhan0771 kashifkhan0771 marked this pull request as draft August 21, 2025 11:50
@kashifkhan0771 kashifkhan0771 marked this pull request as ready for review August 21, 2025 14:44
@kashifkhan0771 kashifkhan0771 requested a review from camgunz August 25, 2025 11:09
Contributor

@nabeelalam nabeelalam left a comment

LGTM!

Contributor

@amanfcp amanfcp left a comment

LGTM

@kashifkhan0771 kashifkhan0771 merged commit 15bc3e5 into trufflesecurity:main Aug 26, 2025
14 of 15 checks passed
Development

Successfully merging this pull request may close these issues.

Regex in config not matching passwords with all required elements
4 participants