[INS-406] Braintrust detector #4826
MuneebUllahKhan222 wants to merge 3 commits into trufflesecurity:main from
Updated the description of the Braintrust detector to provide more detail about its functionality.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 7763971.
| [DEBUG] braintrust_key=sk-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! | ||
| `, | ||
| want: nil, | ||
| }, |
Test for invalid characters passes for wrong reason
Low Severity
The "invalid pattern - invalid characters" test case only has 39 A characters after sk-, so the test passes because the input is too short (needs 48 alphanumeric chars), not because of the ! character. This gives a false sense that the regex properly rejects non-alphanumeric characters, but that assertion is never actually tested. To properly validate rejection of invalid characters, the input needs 47 alphanumeric characters plus the ! to reach the 48-character length requirement.


Description
This PR adds the Braintrust API Key Detector for TruffleHog. It scans for Braintrust API keys (prefix sk-) and optionally verifies them via the official API.

Regex: \b(sk-[A-Za-z0-9]{48})\b

Verification
For verification, we use the Braintrust Projects API: https://api.braintrust.dev/v1/project?limit=1. We send a GET request with the token in the Authorization: Bearer header. A response code of 200 OK means the token is valid. 401 Unauthorized means it is an invalid or revoked token, while 403 Forbidden indicates a valid token with insufficient permissions.
This API endpoint is part of the official Braintrust API and can be used safely for verification. It is read-only and does not perform any destructive actions.
Corpora Test
The detector does not appear in the list.

Checklist:
- Does the PR pass tests (make test-community)?
- Has the linter been run (make lint, this requires golangci-lint)?

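As an added example (not code from this PR or from TruffleHog), the Go program below applies the regex quoted in the description, deduplicates matches, and maps the verification status codes listed there to a verdict; it also shows why the 39-character input followed by "!" only tests length, since \b lets the regex accept a full 48-character key followed by "!". Function names and the sample inputs are constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// The pattern quoted in the PR description.
var keyPat = regexp.MustCompile(`\b(sk-[A-Za-z0-9]{48})\b`)

// FindKeys returns the distinct candidate keys in data, in order of first appearance.
func FindKeys(data string) []string {
	seen := map[string]bool{}
	var keys []string
	for _, m := range keyPat.FindAllStringSubmatch(data, -1) {
		if !seen[m[1]] {
			seen[m[1]] = true
			keys = append(keys, m[1])
		}
	}
	return keys
}

// VerdictFor maps the status codes listed in the PR description to a verdict:
// 200 and 403 mean a live token, 401 means invalid/revoked, anything else is an error.
func VerdictFor(status int) (bool, error) {
	switch status {
	case http.StatusOK, http.StatusForbidden:
		return true, nil
	case http.StatusUnauthorized:
		return false, nil
	default:
		return false, fmt.Errorf("unexpected status %d from verification endpoint", status)
	}
}

func main() {
	// Constructed inputs; none is a real key.
	short := "sk-" + strings.Repeat("A", 39) + "!"                            // fails the {48} quantifier, '!' never examined
	trailing := "sk-" + strings.Repeat("A", 48) + "!"                         // \b sits between 'A' and '!': still matches
	inside := "sk-" + strings.Repeat("A", 20) + "!" + strings.Repeat("A", 27) // 48 chars, one of them '!': rejected for the right reason
	for name, in := range map[string]string{"short": short, "trailing": trailing, "inside": inside} {
		fmt.Printf("%-8s -> %d match(es)\n", name, len(FindKeys(in)))
	}
}
```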
Note
Medium Risk
Adds a new secret detector with optional online verification against an external API and extends the protobuf DetectorType enum, which can affect downstream consumers expecting stable IDs.

Overview
Adds a new braintrust detector that finds sk- prefixed 48-char Braintrust API keys, deduplicates matches, and emits redacted detectors.Result entries. When verification is enabled, it validates tokens by calling Braintrust's Projects API and treating 200/403 as valid and 401 as invalid, surfacing unexpected statuses as verification errors; includes unit, integration, and benchmark coverage. Registers the detector in the default detector set and introduces a new protobuf enum value DetectorType_BrainTrustApiKey (id 1044).

Reviewed by Cursor Bugbot for commit 7763971.