feat(detectors): add Base64PrivateKey detector#5056
Adds a detector for base64-encoded private keys found in code. Detects RSA, EC, DSA, OpenSSH, and encrypted private keys in base64 format. Pattern-only detection - no verification (keys require context to verify).

- Adds DetectorType_Base64PrivateKey (enum 1056) to proto
- Implements Scanner with base64 decoding and private key marker detection
- Includes comprehensive tests for multiple key formats
- Registers detector in DefaultDetectors
- Manual testing: 3/3 keys detected, 0 false positives

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Deeraj CM seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit bd56182.
```go
if err != nil {
	continue
}
}
```
URLEncoding fallback can never succeed for regex matches
Medium Severity
The base64.URLEncoding fallback on decode failure is unreachable dead logic. The regex base64Pat only matches standard base64 characters (+, /), but URLEncoding expects URL-safe characters (-, _). If the match contains + or /, URL decoding rejects them as invalid. If it doesn't, both encodings behave identically. Either way, URLEncoding can never succeed when StdEncoding fails for these matches. The most likely failure mode for StdEncoding is missing padding, so the correct fallback is base64.RawStdEncoding, which tolerates unpadded input. Without this, base64-encoded private keys stored without = padding are silently skipped.


Summary
Adds a new detector for base64-encoded private keys in code.
What This Detects
Base64-encoded private keys (RSA, EC, DSA, OpenSSH, encrypted) that may be accidentally committed to repositories.
Implementation
Note
Medium Risk
Broad base64 matching may increase scan cost and false positives on unrelated long encoded data; otherwise this is additive detection with no verification or core engine changes.
Overview
Adds a Base64PrivateKey scanner so PEM private keys stored as base64 (env vars, configs) are caught when the existing privatekey detector only matches inline BEGIN … PRIVATE KEY blocks. The scanner matches long base64 runs (100+ characters), decodes with standard or URL encoding, and flags matches whose plaintext contains common PEM headers (RSA, EC, DSA, PKCS#8, encrypted, OpenSSH). Findings are unverified (Verified: false) and use the shared false-positive helper. DetectorType_Base64PrivateKey (1056) is wired through proto/generated enums and registered in the default detector list, with unit tests for detection, deduplication, and negative cases.
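An added example (not the PR's own code) of the flow the summary above describes, using the decode fallback the Bugbot comment asks for: StdEncoding first, then RawStdEncoding for runs stored without padding. The regex body behind base64Pat, the pemMarker pattern and the function names are assumptions, not the detector's actual identifiers.

```go
package main

import (
	"encoding/base64"
	"regexp"
	"strings"
)

// Standard-alphabet base64 runs of 100+ characters, as the PR describes.
// The alphabet is +/ only, so a URL-safe (-_) fallback could never apply to
// these matches; the realistic StdEncoding failure is missing '=' padding.
var base64Pat = regexp.MustCompile(`[A-Za-z0-9+/]{100,}={0,2}`)

// PEM headers the PR lists: RSA, EC, DSA, PKCS#8, encrypted, OpenSSH (assumed pattern).
var pemMarker = regexp.MustCompile(`-----BEGIN (RSA |EC |DSA |ENCRYPTED |OPENSSH )?PRIVATE KEY-----`)

// decodeBase64 tries padded standard base64 first and falls back to the
// unpadded Raw variant, the fallback the review suggests instead of URLEncoding.
func decodeBase64(s string) ([]byte, bool) {
	if b, err := base64.StdEncoding.DecodeString(s); err == nil {
		return b, true
	}
	b, err := base64.RawStdEncoding.DecodeString(strings.TrimRight(s, "="))
	return b, err == nil
}

// findBase64PrivateKeys returns the decoded plaintext of each distinct base64
// run that carries a private key header (duplicate runs are reported once).
func findBase64PrivateKeys(data string) []string {
	seen := map[string]bool{}
	var found []string
	for _, m := range base64Pat.FindAllString(data, -1) {
		if seen[m] {
			continue
		}
		seen[m] = true
		if plain, ok := decodeBase64(m); ok && pemMarker.Match(plain) {
			found = append(found, string(plain))
		}
	}
	return found
}
```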