Skip to content

[INS-197] Add redhatpyxis api key detector#4995

Open
MuneebUllahKhan222 wants to merge 2 commits into
mainfrom
redhatpyxis-detector
Open

[INS-197] Add redhatpyxis api key detector#4995
MuneebUllahKhan222 wants to merge 2 commits into
mainfrom
redhatpyxis-detector

Conversation

@MuneebUllahKhan222
Copy link
Copy Markdown
Contributor

@MuneebUllahKhan222 MuneebUllahKhan222 commented May 29, 2026
edited by cursor Bot
Loading

Description

This PR adds the Red Hat Pyxis API Key Detector for TruffleHog.

It scans for Red Hat Pyxis API keys and optionally verifies them via the official Red Hat Ecosystem Catalog API.

Regex:

\b([a-z0-9]{32})\b

The detector uses contextual keyword redhat to reduce false positives.

Verification

For verification, we use the Red Hat Pyxis Projects API:

https://catalog.redhat.com/api/containers/v1/projects/certification/requests/images?page_size=1&page=0

We send a GET request with the token in the X-API-KEY header.

A response code of:

  • 200 OK means the API key is valid
  • 401 Unauthorized means the API key is invalid.

This API endpoint is part of the official Red Hat Ecosystem Catalog API and can be used safely for verification. It is a read-only endpoint and does not perform any destructive actions.

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)?

Note

Low Risk
Additive detector and enum wiring; verification uses a read-only external API and is gated by an existing feature-flag pattern.

Overview
Adds a Red Hat Pyxis secret detector that finds 32-character lowercase alphanumeric API keys near a redhat keyword and, when verification is on, checks them with a read-only GET to the Red Hat Ecosystem Catalog (X-API-KEY), treating 200 as valid and 401 as invalid.

Wires the scanner into the default engine list behind RedHatPyxisDetectorEnabled (enabled by default in main.go, same pattern as Pinecone/Cloudinary), registers DetectorType_RedHatPyxis (1053) in proto/generated enums, and adds unit, pattern, integration, and benchmark tests.

Reviewed by Cursor Bugbot for commit d6b0690. Bugbot is set up for automated code reviews on this repo. Configure here.

@MuneebUllahKhan222 MuneebUllahKhan222 requested a review from a team May 29, 2026 13:36
@MuneebUllahKhan222 MuneebUllahKhan222 requested review from a team as code owners May 29, 2026 13:36
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 29, 2026

Corpora Test Results

Scans a corpus of real-world public code against only the detectors changed in this PR, then compares unique match counts between the PR build and the main baseline to catch regex regressions. Verification is disabled — each detector's regex is measured independently.

1 new · 0 clean  |  Scoped to: redhatpyxis

Status Detector Unique matches (main) Unique matches (PR) New Removed
🆕 RedHatPyxis 9
  • 🔴 regression: >5 new, >20% increase over main, or any removed
  • ⚠️ warning: 1–5 new and ≤20% increase over main
  • ✅ clean
  • 🆕 new detector (no baseline)

shahzadhaider1
shahzadhaider1 reviewed Jun 2, 2026
View reviewed changes
Comment thread pkg/detectors/redhatpyxis/redhatpyxis.go
// Keywords used for fast pre-filtering
func (s Scanner) Keywords() []string {
return []string{
"redhat",
Copy link
Copy Markdown
Contributor

@shahzadhaider1 shahzadhaider1 Jun 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you think it'll be beneficial to add pyxis to the detector/regex keywords instead of redhat or along with redhat?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@shahzadhaider1 shahzadhaider1 shahzadhaider1 left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@MuneebUllahKhan222 @shahzadhaider1