feat(detectors): add Tencent Cloud credential detector #5051
Open
0xDevNinja wants to merge 2 commits into
Detects Tencent Cloud SecretId (AKID-prefixed) paired with a SecretKey and verifies the pair against the CVM DescribeRegions API using a TC3-HMAC-SHA256 signed request. Tencent returns HTTP 200 with an Error block in the body for authentication failures, so verification inspects the response body and treats AuthFailure.* codes as determinately invalid. Refs trufflesecurity#4036
Description:
Adds a new verifiable detector for Tencent Cloud credentials (Closes #4036).
Tencent Cloud uses a two-part credential:
- SecretId: AKID prefix followed by 32 alphanumeric characters
The detector anchors on the AKID-prefixed SecretId and pairs it with nearby SecretKey candidates (filtered by Shannon entropy to cut down on false positives from generic 32-char strings).
Verification signs a DescribeRegions request to the CVM API (cvm.tencentcloudapi.com) with Tencent's TC3-HMAC-SHA256 scheme. Tencent's 3.0 APIs return HTTP 200 even for authentication failures, embedding an Error block in the JSON body, so verification inspects the body: an AuthFailure.* code is treated as determinately invalid, the absence of an error means the credentials are valid, and any other error code surfaces as an indeterminate result.
No new third-party SDK is pulled in — the signature is computed with the standard library.
Checklist:
- Tests passing (make test-community)?
- Lint passing (make lint, this requires golangci-lint)?

Note
Medium Risk
Verification performs outbound signed API calls with discovered credentials (standard for verifiable detectors), and pairing generic 32-char strings may still produce noise despite entropy filtering.
Overview
Adds Tencent Cloud SecretId/SecretKey detection and optional live verification, and registers it as DetectorType_TencentCloud (1056) in the default engine.
Detection keys off AKID-prefixed SecretIds and pairs them with 32-character SecretKey candidates in the same chunk, dropping low-entropy keys to limit false positives. When verification is on, credentials are checked by signing a DescribeRegions call to the CVM API with TC3-HMAC-SHA256 (stdlib only). Tencent returns HTTP 200 for auth failures, so the scanner treats a missing Response.Error as valid, AuthFailure.* as invalid, and other errors as indeterminate.
Unit tests cover patterns, mocked verification paths, and timeouts; integration tests use GCP-stored secrets behind the detectors build tag.
Reviewed by Cursor Bugbot for commit 091fed4.
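The two points the description and the Bugbot overview both make, the stdlib-only TC3-HMAC-SHA256 signing of a DescribeRegions call and the "HTTP 200 but Response.Error decides" classification, are shown below as an added, stand-alone example. This is not the PR's code and not TruffleHog's detector; it follows the TC3 signing scheme as documented by Tencent (canonical request, string to sign, four-step key derivation) and the PR's three-way verdict rule. The credential strings, the response bodies and the function names (TC3Authorization, NewDescribeRegionsRequest, ClassifyBody) are all constructed for the example; nothing is sent over the network.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// VerifyResult mirrors the three outcomes the detector reports.
type VerifyResult int

const (
	Indeterminate VerifyResult = iota // non-auth error code: cannot tell
	Valid                             // no Response.Error in the body
	Invalid                           // AuthFailure.* error code
)

func (r VerifyResult) String() string { return [...]string{"indeterminate", "valid", "invalid"}[r] }

const (
	tc3Host    = "cvm.tencentcloudapi.com"
	tc3Service = "cvm"
	tc3Action  = "DescribeRegions"
	tc3Version = "2017-03-12"
)

func sha256Hex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

func hmacSHA256(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// TC3Authorization computes the Authorization header for a POST of payload
// at unix time ts, using only the standard library (TC3-HMAC-SHA256 scheme).
func TC3Authorization(secretID, secretKey, payload string, ts int64) string {
	date := time.Unix(ts, 0).UTC().Format("2006-01-02")
	signedHeaders := "content-type;host;x-tc-action"
	canonicalHeaders := "content-type:application/json; charset=utf-8\n" +
		"host:" + tc3Host + "\n" +
		"x-tc-action:" + strings.ToLower(tc3Action) + "\n"
	// Canonical request: method, URI, query string, headers, signed headers, payload hash.
	canonicalRequest := strings.Join([]string{
		"POST", "/", "", canonicalHeaders, signedHeaders, sha256Hex([]byte(payload)),
	}, "\n")
	scope := date + "/" + tc3Service + "/tc3_request"
	stringToSign := strings.Join([]string{
		"TC3-HMAC-SHA256", fmt.Sprint(ts), scope, sha256Hex([]byte(canonicalRequest)),
	}, "\n")
	// Signing key derivation: "TC3"+SecretKey -> date -> service -> "tc3_request".
	k := hmacSHA256([]byte("TC3"+secretKey), []byte(date))
	k = hmacSHA256(k, []byte(tc3Service))
	k = hmacSHA256(k, []byte("tc3_request"))
	sig := hex.EncodeToString(hmacSHA256(k, []byte(stringToSign)))
	return fmt.Sprintf("TC3-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s",
		secretID, scope, signedHeaders, sig)
}

// NewDescribeRegionsRequest builds (but does not send) the signed verification call.
// The Host header is taken from the URL by net/http, so it needs no explicit Set.
func NewDescribeRegionsRequest(secretID, secretKey string, ts int64) (*http.Request, error) {
	payload := "{}"
	req, err := http.NewRequest(http.MethodPost, "https://"+tc3Host+"/", strings.NewReader(payload))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json; charset=utf-8")
	req.Header.Set("X-TC-Action", tc3Action)
	req.Header.Set("X-TC-Version", tc3Version)
	req.Header.Set("X-TC-Timestamp", fmt.Sprint(ts))
	req.Header.Set("Authorization", TC3Authorization(secretID, secretKey, payload, ts))
	return req, nil
}

// ClassifyBody applies the verdict rule to a Tencent 3.0 API body: the HTTP
// status is 200 either way, so only the presence and code of Response.Error count.
func ClassifyBody(body []byte) (VerifyResult, error) {
	var resp struct {
		Response struct {
			Error *struct {
				Code string `json:"Code"`
			} `json:"Error"`
		} `json:"Response"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return Indeterminate, err // unparseable body: do not claim a verdict
	}
	switch {
	case resp.Response.Error == nil:
		return Valid, nil
	case strings.HasPrefix(resp.Response.Error.Code, "AuthFailure."):
		return Invalid, nil
	default:
		return Indeterminate, nil // e.g. throttling or an unrelated API error
	}
}

func main() {
	// Constructed, non-real credential pair and constructed response bodies.
	req, _ := NewDescribeRegionsRequest("AKIDexampleexampleexampleexample1234", "examplesecretkeyexamplesecretkey", time.Now().Unix())
	fmt.Println(req.Header.Get("Authorization"))
	for _, b := range []string{
		`{"Response":{"RequestId":"r1","TotalCount":0,"RegionSet":[]}}`,
		`{"Response":{"Error":{"Code":"AuthFailure.SecretIdNotFound","Message":"..."},"RequestId":"r2"}}`,
		`{"Response":{"Error":{"Code":"RequestLimitExceeded","Message":"..."},"RequestId":"r3"}}`,
	} {
		r, err := ClassifyBody([]byte(b))
		fmt.Println(r, err)
	}
}
```

In a real detector the request from NewDescribeRegionsRequest would be sent with a client that carries a timeout, and the body handed to ClassifyBody regardless of the status code; any transport error or non-JSON body stays indeterminate rather than being reported as a verified or rejected secret, which is what keeps a throttled or unreachable endpoint from masquerading as either outcome.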