feat(secret): add detection rules for AI & Vector Database API keys #10633
mkouchaoui started this conversation in Ideas
Replies: 1 comment

Hi @mkouchaoui! Thanks for the suggestion! We've already added a set of rules for detecting OpenAI secrets — they'll be available starting with v0.72.0 (see #10794). As for the other services, feel free to share your plugin here. We also track how much demand each suggestion gets from the community.
Description
I'm proposing the addition of specialized secret detection rules for popular AI and Vector Database services. As the adoption of LLM-native stacks grows, protecting these credentials in CI/CD pipelines has become a critical requirement.
Proposed Rules:
I have already developed and locally tested regex patterns and validation logic for the following providers:
Pinecone: Detection of pcsk_ prefixed keys with format validation.
Weaviate: API key patterns used in cloud and local instances.
Qdrant: Cloud API key detection.
OpenAI: Enhancing project-based key (sk-proj-) detection.
HuggingFace: Detection of new fine-grained access tokens (hf_).
Implementation Plan:
I am ready to submit a Pull Request adding these rules to pkg/fanal/secret/builtin-rules.go along with the necessary test fixtures in pkg/fanal/secret/scanner_test.go.
I've already implemented a working prototype as a Trivy plugin and would love to bring these into the core engine to benefit the wider community.
Target: Git Repository
Scanner: Secret
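To make the proposal concrete, here is an added example of what such prefix-based rules look like when run over source lines. It is not Trivy's code and not the author's plugin: the Rule struct only loosely mirrors the shape of a scanner rule (id, title, keywords, regex), the minimum lengths and character classes after the pcsk_, sk-proj- and hf_ prefixes are assumptions for illustration rather than published key formats, the entropy threshold is a hypothetical tuning value, and every sample key in sampleInput is constructed. Weaviate and Qdrant are left out because the proposal gives no prefix for them. The entropy check demonstrates the kind of false-positive filter a practitioner wants: a placeholder such as pcsk_xxxx... matches the regex but is dropped, and findings are redacted before they are printed.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Rule is a minimal, hypothetical secret-detection rule. It is shaped like a
// scanner rule (id, title, keywords, regex) but is NOT Trivy's own type.
type Rule struct {
	ID       string
	Title    string
	Keywords []string       // cheap pre-filter: a line must contain one of these
	Regex    *regexp.Regexp // full pattern; capture group 1 is the candidate secret
}

// Finding records one match with the secret redacted for safe logging.
type Finding struct {
	RuleID   string
	Line     int
	Redacted string
}

// minEntropy is an assumed threshold (bits per character) below which a match
// is treated as a placeholder or example value rather than a real credential.
const minEntropy = 3.0

// rules covers the prefixes named in the proposal. Lengths and character
// classes after each prefix are assumptions for this example.
var rules = []Rule{
	{
		ID:       "pinecone-api-key",
		Title:    "Pinecone API key (pcsk_ prefix)",
		Keywords: []string{"pcsk_"},
		Regex:    regexp.MustCompile(`\b(pcsk_[A-Za-z0-9_-]{20,})\b`),
	},
	{
		ID:       "openai-project-key",
		Title:    "OpenAI project key (sk-proj- prefix)",
		Keywords: []string{"sk-proj-"},
		Regex:    regexp.MustCompile(`\b(sk-proj-[A-Za-z0-9_-]{20,})\b`),
	},
	{
		ID:       "huggingface-token",
		Title:    "Hugging Face access token (hf_ prefix)",
		Keywords: []string{"hf_"},
		Regex:    regexp.MustCompile(`\b(hf_[A-Za-z0-9]{20,})\b`),
	},
}

// shannonEntropy returns the Shannon entropy of s in bits per character.
func shannonEntropy(s string) float64 {
	if len(s) == 0 {
		return 0
	}
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	var h float64
	n := float64(len([]rune(s)))
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// redact keeps the first 8 and last 4 characters so a finding can be
// reported and triaged without exposing the full value.
func redact(s string) string {
	if len(s) <= 12 {
		return strings.Repeat("*", len(s))
	}
	return s[:8] + "..." + s[len(s)-4:]
}

// Scan runs every rule over each line of src and returns redacted findings.
func Scan(src string) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		for _, r := range rules {
			if !hasKeyword(line, r.Keywords) {
				continue // keyword pre-filter avoids running every regex on every line
			}
			for _, m := range r.Regex.FindAllStringSubmatch(line, -1) {
				candidate := m[1]
				if shannonEntropy(candidate) < minEntropy {
					continue // low entropy: treat as placeholder, not a real key
				}
				out = append(out, Finding{RuleID: r.ID, Line: i + 1, Redacted: redact(candidate)})
			}
		}
	}
	return out
}

func hasKeyword(line string, kws []string) bool {
	for _, kw := range kws {
		if strings.Contains(line, kw) {
			return true
		}
	}
	return false
}

// sampleInput is constructed for this example; none of these values are real keys.
const sampleInput = `PINECONE_API_KEY=pcsk_7Qa2Zr9xLm4vBt8nWk3pHs6yJd1fGc5e
OPENAI_API_KEY="sk-proj-Nt5vRz8qXk2mLp7wYb3cJh9dFs4gTa6u"
HF_TOKEN=hf_QwErTyUiOpAsDfGhJkLzXcVbNm123456
PINECONE_API_KEY=pcsk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
image: python:3.12-slim`

func main() {
	for _, f := range Scan(sampleInput) {
		fmt.Printf("line %d: %s -> %s\n", f.Line, f.RuleID, f.Redacted)
	}
}
```

Running it reports three findings (lines 1 to 3) and skips the all-x placeholder on line 4 even though it satisfies the regex, which is the behaviour a rule set like this needs to avoid flooding CI logs with example values from documentation and test fixtures.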