feat(detectors): add BcryptHash detector#5055
Conversation
Adds a detector for bcrypt password hashes found in code. Detects bcrypt hash formats: `$2a$`, `$2b$`, and `$2y$` variants. No verification is performed as bcrypt is a one-way hash.

- Adds DetectorType_BcryptHash (enum 1055) to proto
- Implements Scanner with pattern matching for bcrypt hashes
- Includes comprehensive tests for all bcrypt variants
- Registers detector in DefaultDetectors

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Deeraj CM seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Reviewed by Cursor Bugbot for commit f2fefc5.
```go
var (
	// Bcrypt hash format: $2a$, $2b$, or $2y$ followed by cost (2 digits) and 53 base64 chars
	// Example: $2a$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW
	bcryptPat = regexp.MustCompile(`\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}\b`)
)
```
Regex `\b` boundary misses hashes ending in `.`
High Severity
The `\b` word boundary at the end of `bcryptPat` fails to match valid bcrypt hashes whose 53rd character is `.` or `/`, since those are non-word characters. When followed by another non-word character (quote, space, newline, end-of-string), no word boundary exists and the regex won't match. Due to bcrypt's modified base64 encoding, `.` is one of only four possible values for the last hash character, meaning roughly 25% of valid bcrypt hashes go undetected in typical code contexts like quoted strings.
```go
func (s Scanner) IsFalsePositive(result detectors.Result) (bool, string) {
	return detectors.IsKnownFalsePositive(string(result.Raw), detectors.DefaultFalsePositives, true)
}
```
False positive checker incorrectly filters valid bcrypt hashes
High Severity
The `IsFalsePositive` method runs the default word-list check (`IsKnownFalsePositive` with `wordCheck=true`) against the raw bcrypt hash. Since bcrypt hashes are 53+ characters of pseudo-random base64, they very likely contain common English substrings (e.g., "from", "name", "data", "type") from the false-positive word lists, causing legitimate hashes to be silently dropped. Every other `CustomFalsePositiveChecker` in the codebase returns `false, ""` to bypass this check; this implementation needs to do the same.
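Both review findings above can be reproduced in a few lines. The Go program below is an added example written for this page, not TruffleHog's code: it runs the PR's pattern and a variant with an explicit terminator over constructed sample text, then applies a substring word-list check that stands in for the shared false-positive list. The word list, the second and third sample hashes, and the helper names `findHashes` and `containsListedWord` are assumptions made for the demonstration; the first sample hash is the example quoted in the review.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Added example, not TruffleHog's code. It reproduces the two review findings
// above: the trailing \b in the hash pattern, and a word-list check applied
// to the raw hash. The word list, the sample text and the helper names are
// constructed for this demonstration.

// originalPat is the pattern quoted in the review, trailing \b included.
var originalPat = regexp.MustCompile(`\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}\b`)

// terminatedPat replaces \b with an explicit terminator: the 53-character
// payload must be followed by a character outside bcrypt's base64 alphabet
// or by end of input. The hash itself is captured in group 1.
var terminatedPat = regexp.MustCompile(
	`(\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53})(?:[^./A-Za-z0-9]|$)`)

// findHashes returns every hash pat matches in data. For a pattern with a
// capture group the group is returned, otherwise the whole match.
func findHashes(pat *regexp.Regexp, data string) []string {
	var out []string
	for _, m := range pat.FindAllStringSubmatch(data, -1) {
		out = append(out, m[len(m)-1])
	}
	return out
}

// sampleWords stands in for a shared false-positive word list (assumption:
// the real list is longer; these are the kind of entries it carries).
var sampleWords = []string{"from", "name", "data", "type", "test", "user"}

// containsListedWord mimics a word-list check run with substring matching
// enabled: it returns the first list entry found inside the candidate,
// case-insensitively, or "" if the candidate survives the check.
func containsListedWord(candidate string, words []string) string {
	lower := strings.ToLower(candidate)
	for _, w := range words {
		if strings.Contains(lower, w) {
			return w
		}
	}
	return ""
}

// sample is constructed source text. hash_a is the example hash quoted in
// the review; hash_b is the same payload with its last character changed to
// '.', which bcrypt's encoding can produce; hash_c was built to contain the
// substring "data".
const sample = `
hash_a = "$2a$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW"
hash_b = "$2a$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMU."
hash_c = "$2b$10$xQ3dataK9vLmZr8pN2wEhT5yUb7cGf0iJs6oAq1RnHdM4kWeYtVuX"
`

func main() {
	fmt.Println("with \\b:   ", findHashes(originalPat, sample))   // hash_b is missing
	fmt.Println("terminated:", findHashes(terminatedPat, sample)) // all three
	for _, h := range findHashes(terminatedPat, sample) {
		if w := containsListedWord(h, sampleWords); w != "" {
			fmt.Printf("dropped %s (contains %q)\n", h, w)
		}
	}
}
```

Running it shows two matches for the `\b` pattern and three for the terminated one, and reports hash_c as dropped by the word check even though it is a well-formed hash. The terminator has an edge of its own: `.` belongs to bcrypt's alphabet, so a hash sitting directly before a sentence-final period is rejected by `terminatedPat` while `\b` accepted it. Any regex change therefore needs test cases for a `.` in both positions, whereas returning `false, ""` from the false-positive hook, as the review suggests, has no such trade-off.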
Summary
- Detects `$2a$`, `$2b$`, and `$2y$`
- Adds `BcryptHash = 1055` to `proto/detector_type.proto`, regenerated `pb.go`, and registers the scanner in `pkg/engine/defaults/defaults.go`
- Populates `SecretParts` with the hash value

Test plan
- `go test ./pkg/detectors/bcrypthash -tags=detectors -v`: all 9 test cases pass
- `go build ./...` succeeds
- `go vet ./...` clean

Notes
Bcrypt hashes found in code may indicate leaked password hashes. While bcrypt is a secure one-way hashing algorithm, exposed hashes can be targeted by attackers for offline cracking attempts.
Detection
- Keywords: `$2a$`, `$2b$`, `$2y$`, `bcrypt`
- Pattern: `\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}\b`

No Verification
Bcrypt hashes are one-way cryptographic hashes and cannot be verified without the original password. Results are detected but not verified (consistent with other pattern-only detectors like JWT).
Note
Low Risk
Isolated new detector plus enum/proto registration; no changes to auth, verification, or core scan pipeline beyond one more default scanner.
Overview
Adds a BcryptHash scanner so TruffleHog can flag bcrypt password hashes (`$2a$`, `$2b$`, `$2y$`) in scanned content. The new detector uses keyword pre-filtering and a strict regex for cost + 53-character salt/hash payload, deduplicates matches, emits unverified findings with `SecretParts["hash"]`, and applies the shared `DefaultFalsePositives` check via `IsFalsePositive`. There is no remote verification (one-way hashes). Wiring includes `BcryptHash = 1055` in `proto/detector_type.proto` with regenerated `detector_type.pb.go`, registration of `bcrypthash.Scanner` in `pkg/engine/defaults/defaults.go`, and unit tests for valid/invalid patterns and `FromData` behavior.