feat: Add trunk rule to detect mParticle API keys (#633)

jamesnrokt · web-flow · commit 3f3c79faf8b6 · 2026-01-12T13:43:27.000-05:00
* feat: Add trunk rule to detect mParticle API keys

* Correct location of trunk check

* Only check trunk changes on pull request
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
@@ -12,7 +12,7 @@ permissions:
   checks: write
   id-token: write
 
-  # Code quality checks
+jobs:
   trunk-check:
     name: Trunk code check
     runs-on: ubuntu-latest
@@ -21,10 +21,7 @@ permissions:
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
       - name: Trunk Check
         uses: trunk-io/trunk-action@75699af9e26881e564e9d832ef7dc3af25ec031b # v1.2.4
-        with:
-          check-mode: all
 
-jobs:
   pr-check-hadcoded-secrets:
     name: "Check PR for hardcoded secrets"
     uses: mParticle/mparticle-workflows/.github/workflows/security-hardcoded-secrets.yml@main
diff --git a/.trunk/trunk.yaml b/.trunk/trunk.yaml
@@ -35,6 +35,31 @@ lint:
     - shellcheck@0.11.0
     - shfmt@3.6.0
     - trufflehog@3.90.6
+    - mparticle-api-key-check # Custom rule to prevent mParticle API keys from being committed
+  definitions:
+    - name: mparticle-api-key-check
+      files: [ALL]
+      commands:
+        - name: check-mparticle-keys
+          output: pass_fail
+          # ──────────────────────────────────────────────────────────────────────
+          # Matches:
+          #   us2-[32 hex chars]
+          #   us1-...
+          #   us-...
+          #   eu1-...
+          #   Any two lowercase letters + optional digits + hyphen + exactly 32 hex chars
+          # ──────────────────────────────────────────────────────────────────────
+          run: >-
+            sh -c '
+              if grep -E "(?i)[a-z]{2}[0-9]*-[0-9a-f]{32}" "${target}"; then
+                echo "ERROR: Possible mParticle API key detected in ${target}"
+                echo "       Format: xx...-[32 hex chars]  (e.g. us2-, eu1-, us-, au4-, etc.)"
+                echo "API keys should never be committed to version control!"
+                exit 1
+              fi
+            '
+          success_codes: [0, 1]
   disabled:
     - yamllint
   ignore:
