Skip to content

Commit 3376409

Browse files
committed
refactor: move HighRiskEnvKeys to apikeys.go, K8SProdPatterns to local.go
1 parent 4f2c483 commit 3376409

3 files changed

Lines changed: 125 additions & 125 deletions

File tree

internal/scan/apikeys.go

Lines changed: 122 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,128 @@ import (
1313
"github.com/Pringled/agentcheck/internal/models"
1414
)
1515

16+
// HighRiskEnvKeys is the set of environment variable names that indicate
17+
// high-value credentials are present in the shell. Values are NEVER read or logged;
18+
// only the key name is used.
19+
var HighRiskEnvKeys = map[string]bool{
20+
// AI / ML inference
21+
"OPENAI_API_KEY": true,
22+
"ANTHROPIC_API_KEY": true,
23+
"COHERE_API_KEY": true,
24+
"MISTRAL_API_KEY": true,
25+
"REPLICATE_API_KEY": true,
26+
"HUGGINGFACE_TOKEN": true,
27+
"HF_TOKEN": true, // Hugging Face canonical short name (used by huggingface-hub)
28+
"TOGETHER_API_KEY": true,
29+
"GROQ_API_KEY": true,
30+
"VOYAGE_API_KEY": true,
31+
"ELEVEN_LABS_API_KEY": true,
32+
"PINECONE_API_KEY": true,
33+
"STABILITY_API_KEY": true, // Stability AI — pay-per-image generation
34+
"WANDB_API_KEY": true, // Weights & Biases — model/experiment data
35+
"TAVILY_API_KEY": true, // Tavily search — widely used in LangChain/LangGraph agents
36+
"LANGCHAIN_API_KEY": true, // LangSmith tracing (LangChain ecosystem)
37+
"AZURE_OPENAI_API_KEY": true, // Azure OpenAI — distinct from service principal creds
38+
"FAL_KEY": true, // fal.ai — GPU inference, financial risk
39+
"NVIDIA_API_KEY": true, // NVIDIA NIM — enterprise GPU inference
40+
41+
// Cloud: env-based credentials
42+
"AWS_ACCESS_KEY_ID": true,
43+
"AWS_SECRET_ACCESS_KEY": true,
44+
"AWS_SESSION_TOKEN": true,
45+
"GOOGLE_APPLICATION_CREDENTIALS": true,
46+
"AZURE_CLIENT_SECRET": true,
47+
"AZURE_CLIENT_ID": true,
48+
"AZURE_TENANT_ID": true,
49+
50+
// Secrets managers (key to all other secrets)
51+
"VAULT_TOKEN": true, // HashiCorp Vault — grants access to all managed secrets
52+
"OP_SERVICE_ACCOUNT_TOKEN": true, // 1Password Connect service account
53+
"OP_CONNECT_TOKEN": true, // 1Password Connect API token
54+
"INFISICAL_TOKEN": true, // Infisical secrets manager
55+
56+
// Source control & CI/CD
57+
"GITHUB_TOKEN": true,
58+
"GITLAB_TOKEN": true,
59+
"BITBUCKET_APP_PASSWORD": true,
60+
"NPM_TOKEN": true,
61+
"PYPI_API_TOKEN": true,
62+
"CIRCLE_TOKEN": true, // CircleCI — CI supply chain attack surface
63+
64+
// Payment
65+
"STRIPE_SECRET_KEY": true,
66+
"BRAINTREE_PRIVATE_KEY": true,
67+
"PAYPAL_CLIENT_SECRET": true,
68+
"SQUARE_ACCESS_TOKEN": true,
69+
"ADYEN_API_KEY": true, // Adyen — enterprise e-commerce payments
70+
"RAZORPAY_KEY_SECRET": true, // Razorpay — dominant in South/SE Asia
71+
"MOLLIE_API_KEY": true, // Mollie — dominant in EU
72+
"PADDLE_API_KEY": true, // Paddle — SaaS billing
73+
74+
// Messaging & comms (can exfiltrate data or send spam at scale)
75+
"TWILIO_AUTH_TOKEN": true,
76+
"SENDGRID_API_KEY": true,
77+
"MAILGUN_API_KEY": true,
78+
"SLACK_BOT_TOKEN": true,
79+
"DISCORD_BOT_TOKEN": true,
80+
"VONAGE_API_SECRET": true, // Vonage/Nexmo — SMS/voice telephony
81+
"KLAVIYO_API_KEY": true, // Klaviyo — e-commerce email, customer PII
82+
"MAILCHIMP_API_KEY": true, // Mailchimp — customer lists, PII
83+
"CUSTOMERIO_API_KEY": true, // Customer.io — behavioral marketing, PII
84+
"BREVO_API_KEY": true, // Brevo (Sendinblue) — EU email, PII
85+
86+
// Identity & auth
87+
"OKTA_API_TOKEN": true,
88+
"AUTH0_CLIENT_SECRET": true,
89+
"CLERK_SECRET_KEY": true, // Clerk — popular Next.js auth, auth bypass risk
90+
"WORKOS_API_KEY": true, // WorkOS — enterprise SSO
91+
92+
// Observability
93+
"DATADOG_API_KEY": true,
94+
"SENTRY_AUTH_TOKEN": true,
95+
"NEW_RELIC_LICENSE_KEY": true, // New Relic — APM data, log exfil
96+
"NEW_RELIC_API_KEY": true, // New Relic user/account API key
97+
"GRAFANA_API_KEY": true, // Grafana Cloud
98+
"GRAFANA_TOKEN": true, // Grafana Cloud access policy token
99+
"HONEYCOMB_API_KEY": true, // Honeycomb — trace data
100+
101+
// Cloud / hosting / IaC
102+
"VERCEL_TOKEN": true,
103+
"NETLIFY_AUTH_TOKEN": true,
104+
"CLOUDFLARE_API_TOKEN": true,
105+
"HEROKU_API_KEY": true,
106+
"RAILWAY_TOKEN": true,
107+
"FLY_API_TOKEN": true,
108+
"DIGITALOCEAN_TOKEN": true, // DigitalOcean — full infra control
109+
"DO_API_TOKEN": true, // DigitalOcean alternative env var name
110+
"LINODE_TOKEN": true, // Linode/Akamai — full infra control
111+
"RENDER_API_KEY": true, // Render — deploy platform access
112+
"PULUMI_ACCESS_TOKEN": true, // Pulumi — IaC state = all infra secrets
113+
"TFE_TOKEN": true, // Terraform Cloud — IaC state
114+
"CLOUDINARY_API_SECRET": true, // Cloudinary — media storage
115+
116+
// Databases (connection strings often embed credentials)
117+
"DATABASE_URL": true,
118+
"MONGODB_URI": true,
119+
"REDIS_URL": true,
120+
"MONGODB_ATLAS_PRIVATE_KEY": true, // MongoDB Atlas admin API (separate from connection string)
121+
"TURSO_AUTH_TOKEN": true, // Turso — SQLite-at-edge DB access
122+
"UPSTASH_REDIS_REST_TOKEN": true, // Upstash — serverless Redis/Kafka
123+
"ELASTIC_API_KEY": true, // Elasticsearch — data exfil risk
124+
"ELASTIC_CLOUD_API_KEY": true, // Elastic Cloud management API
125+
126+
// CRM / e-commerce / dev tools
127+
"ATLASSIAN_API_TOKEN": true, // Atlassian/Jira — project data, PII
128+
"JIRA_API_TOKEN": true, // Jira alternative env var
129+
"HUBSPOT_ACCESS_TOKEN": true, // HubSpot CRM — customer PII + sales data
130+
"SALESFORCE_CLIENT_SECRET": true, // Salesforce — enterprise CRM
131+
"SHOPIFY_API_SECRET_KEY": true, // Shopify — store orders, customer PII
132+
"ZENDESK_API_TOKEN": true, // Zendesk — customer support PII
133+
"INTERCOM_ACCESS_TOKEN": true, // Intercom — customer chat PII
134+
"SEGMENT_WRITE_KEY": true, // Segment — all customer behavioral events
135+
"ALGOLIA_API_KEY": true, // Algolia — search index admin access
136+
}
137+
16138
// credentialSuffixRe matches env var names that contain a credential-related term.
17139
// Provider name patterns require this suffix to avoid false positives on non-credential
18140
// vars like GITHUB_WORKSPACE or OPENAI_BASE_URL.

internal/scan/local.go

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -10,6 +10,9 @@ import (
1010
"github.com/Pringled/agentcheck/internal/models"
1111
)
1212

13+
// K8SProdPatterns is the set of substrings that identify a Kubernetes context as production.
14+
var K8SProdPatterns = []string{"prod", "production", "prd", "live"}
15+
1316
// toolCheck specifies a simple binary-outcome CLI tool check.
1417
// A check runs cmd and produces:
1518
// - confirmedFinding when rc == 0 (tool confirmed accessible/authenticated).

internal/scan/scan.go

Lines changed: 0 additions & 125 deletions
Original file line numberDiff line numberDiff line change
@@ -148,131 +148,6 @@ func runScanner(sc Scanner) (result models.ScanResult) {
148148
return sc.Scan()
149149
}
150150

151-
// K8SProdPatterns is the set of substrings that identify a Kubernetes context as production.
152-
var K8SProdPatterns = []string{"prod", "production", "prd", "live"}
153-
154-
// HighRiskEnvKeys is the set of environment variable names that indicate
155-
// high-value credentials are present in the shell. Values are NEVER read or logged;
156-
// only the key name is used.
157-
var HighRiskEnvKeys = map[string]bool{
158-
// AI / ML inference
159-
"OPENAI_API_KEY": true,
160-
"ANTHROPIC_API_KEY": true,
161-
"COHERE_API_KEY": true,
162-
"MISTRAL_API_KEY": true,
163-
"REPLICATE_API_KEY": true,
164-
"HUGGINGFACE_TOKEN": true,
165-
"HF_TOKEN": true, // Hugging Face canonical short name (used by huggingface-hub)
166-
"TOGETHER_API_KEY": true,
167-
"GROQ_API_KEY": true,
168-
"VOYAGE_API_KEY": true,
169-
"ELEVEN_LABS_API_KEY": true,
170-
"PINECONE_API_KEY": true,
171-
"STABILITY_API_KEY": true, // Stability AI — pay-per-image generation
172-
"WANDB_API_KEY": true, // Weights & Biases — model/experiment data
173-
"TAVILY_API_KEY": true, // Tavily search — widely used in LangChain/LangGraph agents
174-
"LANGCHAIN_API_KEY": true, // LangSmith tracing (LangChain ecosystem)
175-
"AZURE_OPENAI_API_KEY": true, // Azure OpenAI — distinct from service principal creds
176-
"FAL_KEY": true, // fal.ai — GPU inference, financial risk
177-
"NVIDIA_API_KEY": true, // NVIDIA NIM — enterprise GPU inference
178-
179-
// Cloud: env-based credentials
180-
"AWS_ACCESS_KEY_ID": true,
181-
"AWS_SECRET_ACCESS_KEY": true,
182-
"AWS_SESSION_TOKEN": true,
183-
"GOOGLE_APPLICATION_CREDENTIALS": true,
184-
"AZURE_CLIENT_SECRET": true,
185-
"AZURE_CLIENT_ID": true,
186-
"AZURE_TENANT_ID": true,
187-
188-
// Secrets managers (key to all other secrets)
189-
"VAULT_TOKEN": true, // HashiCorp Vault — grants access to all managed secrets
190-
"OP_SERVICE_ACCOUNT_TOKEN": true, // 1Password Connect service account
191-
"OP_CONNECT_TOKEN": true, // 1Password Connect API token
192-
"INFISICAL_TOKEN": true, // Infisical secrets manager
193-
194-
// Source control & CI/CD
195-
"GITHUB_TOKEN": true,
196-
"GITLAB_TOKEN": true,
197-
"BITBUCKET_APP_PASSWORD": true,
198-
"NPM_TOKEN": true,
199-
"PYPI_API_TOKEN": true,
200-
"CIRCLE_TOKEN": true, // CircleCI — CI supply chain attack surface
201-
202-
// Payment
203-
"STRIPE_SECRET_KEY": true,
204-
"BRAINTREE_PRIVATE_KEY": true,
205-
"PAYPAL_CLIENT_SECRET": true,
206-
"SQUARE_ACCESS_TOKEN": true,
207-
"ADYEN_API_KEY": true, // Adyen — enterprise e-commerce payments
208-
"RAZORPAY_KEY_SECRET": true, // Razorpay — dominant in South/SE Asia
209-
"MOLLIE_API_KEY": true, // Mollie — dominant in EU
210-
"PADDLE_API_KEY": true, // Paddle — SaaS billing
211-
212-
// Messaging & comms (can exfiltrate data or send spam at scale)
213-
"TWILIO_AUTH_TOKEN": true,
214-
"SENDGRID_API_KEY": true,
215-
"MAILGUN_API_KEY": true,
216-
"SLACK_BOT_TOKEN": true,
217-
"DISCORD_BOT_TOKEN": true,
218-
"VONAGE_API_SECRET": true, // Vonage/Nexmo — SMS/voice telephony
219-
"KLAVIYO_API_KEY": true, // Klaviyo — e-commerce email, customer PII
220-
"MAILCHIMP_API_KEY": true, // Mailchimp — customer lists, PII
221-
"CUSTOMERIO_API_KEY": true, // Customer.io — behavioral marketing, PII
222-
"BREVO_API_KEY": true, // Brevo (Sendinblue) — EU email, PII
223-
224-
// Identity & auth
225-
"OKTA_API_TOKEN": true,
226-
"AUTH0_CLIENT_SECRET": true,
227-
"CLERK_SECRET_KEY": true, // Clerk — popular Next.js auth, auth bypass risk
228-
"WORKOS_API_KEY": true, // WorkOS — enterprise SSO
229-
230-
// Observability
231-
"DATADOG_API_KEY": true,
232-
"SENTRY_AUTH_TOKEN": true,
233-
"NEW_RELIC_LICENSE_KEY": true, // New Relic — APM data, log exfil
234-
"NEW_RELIC_API_KEY": true, // New Relic user/account API key
235-
"GRAFANA_API_KEY": true, // Grafana Cloud
236-
"GRAFANA_TOKEN": true, // Grafana Cloud access policy token
237-
"HONEYCOMB_API_KEY": true, // Honeycomb — trace data
238-
239-
// Cloud / hosting / IaC
240-
"VERCEL_TOKEN": true,
241-
"NETLIFY_AUTH_TOKEN": true,
242-
"CLOUDFLARE_API_TOKEN": true,
243-
"HEROKU_API_KEY": true,
244-
"RAILWAY_TOKEN": true,
245-
"FLY_API_TOKEN": true,
246-
"DIGITALOCEAN_TOKEN": true, // DigitalOcean — full infra control
247-
"DO_API_TOKEN": true, // DigitalOcean alternative env var name
248-
"LINODE_TOKEN": true, // Linode/Akamai — full infra control
249-
"RENDER_API_KEY": true, // Render — deploy platform access
250-
"PULUMI_ACCESS_TOKEN": true, // Pulumi — IaC state = all infra secrets
251-
"TFE_TOKEN": true, // Terraform Cloud — IaC state
252-
"CLOUDINARY_API_SECRET": true, // Cloudinary — media storage
253-
254-
// Databases (connection strings often embed credentials)
255-
"DATABASE_URL": true,
256-
"MONGODB_URI": true,
257-
"REDIS_URL": true,
258-
"MONGODB_ATLAS_PRIVATE_KEY": true, // MongoDB Atlas admin API (separate from connection string)
259-
"TURSO_AUTH_TOKEN": true, // Turso — SQLite-at-edge DB access
260-
"UPSTASH_REDIS_REST_TOKEN": true, // Upstash — serverless Redis/Kafka
261-
"ELASTIC_API_KEY": true, // Elasticsearch — data exfil risk
262-
"ELASTIC_CLOUD_API_KEY": true, // Elastic Cloud management API
263-
264-
// CRM / e-commerce / dev tools
265-
"ATLASSIAN_API_TOKEN": true, // Atlassian/Jira — project data, PII
266-
"JIRA_API_TOKEN": true, // Jira alternative env var
267-
"HUBSPOT_ACCESS_TOKEN": true, // HubSpot CRM — customer PII + sales data
268-
"SALESFORCE_CLIENT_SECRET": true, // Salesforce — enterprise CRM
269-
"SHOPIFY_API_SECRET_KEY": true, // Shopify — store orders, customer PII
270-
"ZENDESK_API_TOKEN": true, // Zendesk — customer support PII
271-
"INTERCOM_ACCESS_TOKEN": true, // Intercom — customer chat PII
272-
"SEGMENT_WRITE_KEY": true, // Segment — all customer behavioral events
273-
"ALGOLIA_API_KEY": true, // Algolia — search index admin access
274-
}
275-
276151
// Summarise computes a Summary from a slice of ScanResults.
277152
// UNCERTAIN findings contribute to the uncertain count but not to findings_total,
278153
// since they represent incomplete checks rather than confirmed findings.

0 commit comments

Comments
 (0)