feat: detect hardcoded Anthropic (Claude) API keys (#20)

Musa2609 · web-flow · commit 4fab46a1917c · 2026-01-11T15:04:48.000+01:00
Adds a new security rule to detect hardcoded Anthropic (Claude) API
keys.

- Regex-based detection for `sk-ant-*` keys
- High severity with remediation guidance
- Includes an example file demonstrating detection

This expands AI/LLM credential leakage coverage.
diff --git a/src/pyspector/rules/built-in-rules.toml b/src/pyspector/rules/built-in-rules.toml
@@ -2142,4 +2142,12 @@ severity = "Medium"
 confidence = "Low"
 remediation = "Validate format strings and use safe formatting methods."
 ast_match = "Call(func.id=format)"
-file_pattern = "*.py"
+file_pattern = "*.py"
+
+[[rule]]
+id = "AI002"
+description = "Hardcoded Anthropic (Claude) API key detected."
+severity = "High"
+remediation = "Remove hardcoded API keys and load them from environment variables or a secure secrets manager."
+pattern = "(?i)sk-ant-api[0-9]*-[A-Za-z0-9_-]{20,}"
+file_pattern = ".*\\.py"
diff --git a/tests/examples/hardcoded_anthropic_key.py b/tests/examples/hardcoded_anthropic_key.py
@@ -0,0 +1,4 @@
+ANTHROPIC_API_KEY = "sk-ant-api03-FAKEKEYFORTESTING-ABCDEF1234567890"
+
+def example():
+    pass

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +ANTHROPIC_API_KEY = "sk-ant-api03-FAKEKEYFORTESTING-ABCDEF1234567890"
++
 +def example():
 +    pass