[INS-312] Duo API Secret Key Detector #4771
Open
MuneebUllahKhan222 wants to merge 8 commits into trufflesecurity:main from
Conversation
amanfcp reviewed on Mar 2, 2026
Comment on lines +83 to +91
| if verify { | ||
| verified, verificationErr := VerifyAdminToken(ctx, s.getClient(), host, apiKey, apiSecret) | ||
| if !verified { | ||
| verified, verificationErr = VerifyAuthToken(ctx, s.getClient(), host, apiKey, apiSecret) | ||
| s1.ExtraData["application"] = "Auth API" | ||
| } | ||
| s1.SetVerificationError(verificationErr, host, apiKey, apiSecret) | ||
| s1.Verified = verified | ||
| } |
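Review bot: `s1.ExtraData["application"]` is assigned only inside the fallback branch, so a pair that verifies against the Admin API leaves the result without an application label unless it is set before this block; assign `"Admin API"` on the first path as well, so consumers of the result can tell which API accepted the pair. A smaller point on the same lines: `verificationErr` from the Admin API call is overwritten by the Auth API call, which is fine once the fallback fires only on a deterministic 401, but if it can also fire after a transport error the reported cause will be the Auth API's rather than the failure that actually occurred.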
amanfcp (Contributor):
The fallback is triggering if verified is false; that would also be true for an unexpected verification. Shouldn't the fallback trigger only when the verified is deterministically false?
MuneebUllahKhan222 (Author):
Good point! I have updated the condition to !verified && verificationErr so that the second endpoint is hit only when the first endpoint hit encounters a 401.
amanfcp reviewed on Mar 3, 2026
Cursor Bugbot has reviewed your changes and found 1 potential issue.
amanfcp reviewed on Mar 4, 2026
| return results, nil | ||
| } | ||
|
|
||
| // returns verfied=true if credentials are valid and belong to auth api, false if creds are invalid, and error if creds belong to auth api or for anything else (e.g., network error) |
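Review bot: the doc comment contradicts itself: it promises `verified=true` when the credentials "belong to auth api" and also an error when they "belong to auth api"; one of the two should read admin api (presumably the first, if this documents the Admin API check). Beyond the `verfied` typo fixed by the suggestion, the contract it describes folds "the pair belongs to the other API" (a deterministic 401) into the same error return as "network error", so the caller cannot tell a rejected credential from a failed probe, which is exactly the distinction the Admin-then-Auth fallback discussed above depends on; expose the 401 case as a distinct sentinel error (checked with `errors.Is`) or as a tri-state result rather than a bare error.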
amanfcp (Contributor):
Suggested change
| // returns verfied=true if credentials are valid and belong to auth api, false if creds are invalid, and error if creds belong to auth api or for anything else (e.g., network error) | |
| // returns verified=true if credentials are valid and belong to auth api, false if creds are invalid, and error if creds belong to auth api or for anything else (e.g., network error) |
amanfcp approved these changes on Mar 4, 2026
rosecodym approved these changes on Mar 4, 2026
Description
This PR adds the Duo API Credential Detector for TruffleHog.
It detects Duo Integration Keys, Secret Keys, and API hostnames, and optionally verifies them against Duo's official APIs.
The detector supports identifying credentials for both the Admin API and the Auth API.
Regex
- Integration key: `\b(DI[A-Z0-9]{18})\b`
- Secret key: `\b([A-Za-z0-9]{40})\b`
- API hostname: `\b([a-z0-9-]{6,}.duosecurity.com)\b`
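As an added illustration of what those three patterns yield in practice (example code, not the PR's or TruffleHog's own detector), the Go program below runs them over a constructed configuration snippet and enumerates the host:ikey:skey combinations that would be handed to verification. The sample text, the `Candidate` type and the `FindCandidates` helper are all assumptions; the hostname pattern is written with escaped dots here, which the description's version lacks.

```go
package main

import (
	"fmt"
	"regexp"
)

// Patterns from the PR description; the hostname pattern is written with
// escaped dots here (the description's version has an unescaped dot).
var (
	ikeyPat = regexp.MustCompile(`\b(DI[A-Z0-9]{18})\b`)
	skeyPat = regexp.MustCompile(`\b([A-Za-z0-9]{40})\b`)
	hostPat = regexp.MustCompile(`\b([a-z0-9-]{6,}\.duosecurity\.com)\b`)
)

// Candidate is one host:ikey:skey combination that would be handed to verification.
type Candidate struct{ Host, IKey, SKey string }

func (c Candidate) String() string { return c.Host + ":" + c.IKey + ":" + c.SKey }

// uniqueMatches returns each match's capture group once, in order of first appearance.
func uniqueMatches(re *regexp.Regexp, data string) []string {
	seen := make(map[string]bool)
	var out []string
	for _, m := range re.FindAllStringSubmatch(data, -1) {
		if !seen[m[1]] {
			seen[m[1]] = true
			out = append(out, m[1])
		}
	}
	return out
}

// FindCandidates returns every host x ikey x skey combination found in data.
// The 40-character secret-key pattern is deliberately loose, so any other token
// of that shape (a git commit hash, for instance) becomes a candidate as well;
// that is why the detector verifies instead of trusting the regex alone.
func FindCandidates(data string) []Candidate {
	var out []Candidate
	for _, h := range uniqueMatches(hostPat, data) {
		for _, i := range uniqueMatches(ikeyPat, data) {
			for _, s := range uniqueMatches(skeyPat, data) {
				out = append(out, Candidate{Host: h, IKey: i, SKey: s})
			}
		}
	}
	return out
}

// SampleConfig is constructed for this example; none of the values are real credentials.
const SampleConfig = `DUO_HOST=api-exampleco.duosecurity.com
DUO_IKEY=DIEXAMPLE0123456789A
DUO_SKEY=abcdefghijklmnopqrstuvwxyz01234567890123
# last deploy: commit 3f2a9c1d8e7b6a5f4e3d2c1b0a9f8e7d6c5b4a39
`

func main() {
	for _, c := range FindCandidates(SampleConfig) {
		fmt.Println(c)
	}
}
```

On the sample input the commit hash on the last line is a second secret-key candidate, so two combinations come out for one real credential; that false candidate is exactly what the verification step is there to discard.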
Verification
For verification, the detector uses Duo's official REST APIs and signs requests using Duo's HMAC-based authentication scheme.
The detector attempts verification in the following order:
1. Admin API endpoint: `GET /admin/v1/info/summary`
2. Auth API endpoint: `GET /auth/v2/check`
Requests are signed using the `Basic <base64(ikey:signature)>` format.
Verification is read-only and does not perform any destructive actions.
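The signing scheme and the Admin-first, Auth-fallback order described above, as an added Go example that is not the PR's or TruffleHog's own code. It assumes Duo's documented HMAC-SHA1 request signing (an RFC 2822 date, the upper-cased method, the lower-cased host, the path and the sorted, percent-encoded parameters joined by newlines; a hex signature; then `Basic base64(ikey:signature)`), and it stands in for the network call with a caller-supplied `probe` function so the fallback rule from the review thread can be exercised offline: the Auth API is tried only after a deterministic 401 from the Admin API, and a transport error or unexpected status stops the chain as inconclusive instead of being treated as "invalid". The `Outcome` type, `VerifyWithFallback` and the sample ikey, skey and host are all assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"net/url"
	"sort"
	"strings"
)
// escape encodes as the canonical string expects: spaces become %20, not '+'.
func escape(s string) string { return strings.ReplaceAll(url.QueryEscape(s), "+", "%20") }

// canonicalParams joins the query as key=value pairs, keys (and values per key) sorted.
func canonicalParams(params url.Values) string {
	keys := make([]string, 0, len(params))
	for k := range params {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var pairs []string
	for _, k := range keys {
		vals := append([]string(nil), params[k]...)
		sort.Strings(vals)
		for _, v := range vals {
			pairs = append(pairs, escape(k)+"="+escape(v))
		}
	}
	return strings.Join(pairs, "&")
}

// CanonicalRequest is the newline-joined string that gets signed (assumed: Duo's HMAC-SHA1 scheme).
func CanonicalRequest(date, method, host, path string, params url.Values) string {
	parts := []string{date, strings.ToUpper(method), strings.ToLower(host), path, canonicalParams(params)}
	return strings.Join(parts, "\n")
}

// AuthorizationHeader returns "Basic base64(ikey:hex(HMAC-SHA1(skey, canonical)))".
func AuthorizationHeader(ikey, skey, date, method, host, path string, params url.Values) string {
	mac := hmac.New(sha1.New, []byte(skey))
	mac.Write([]byte(CanonicalRequest(date, method, host, path, params)))
	sig := hex.EncodeToString(mac.Sum(nil))
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(ikey+":"+sig))
}

// Outcome separates a deterministic rejection from a result that says nothing about the key.
type Outcome int
const (
	Valid         Outcome = iota
	Invalid               // HTTP 401: this API does not accept the pair
	Indeterminate         // transport error, 5xx, throttling: inconclusive
)

func classify(status int, err error) Outcome {
	if err != nil {
		return Indeterminate
	}
	switch status {
	case 200:
		return Valid
	case 401:
		return Invalid
	}
	return Indeterminate
}
const adminPath, authPath = "/admin/v1/info/summary", "/auth/v2/check"

// VerifyWithFallback tries the Admin API first and the Auth API only after a deterministic
// 401; anything inconclusive stops the chain and is reported as an error, not as "invalid".
// probe performs the signed GET against one path; the caller supplies it so this runs offline.
func VerifyWithFallback(probe func(path string) (int, error)) (verified bool, application string, err error) {
	st, e := probe(adminPath)
	switch classify(st, e) {
	case Valid:
		return true, "Admin API", nil
	case Indeterminate:
		return false, "", fmt.Errorf("Admin API probe inconclusive (status %d, err %v)", st, e)
	}
	st, e = probe(authPath)
	switch classify(st, e) {
	case Valid:
		return true, "Auth API", nil
	case Indeterminate:
		return false, "", fmt.Errorf("Auth API probe inconclusive (status %d, err %v)", st, e)
	}
	return false, "", nil // rejected by both APIs: the pair is invalid
}

func main() {
	// Constructed values, not real credentials; the probe below stands in for the network call.
	fmt.Println(AuthorizationHeader("DIEXAMPLE0123456789A", "constructed-skey-not-real",
		"Tue, 21 Aug 2012 17:29:18 -0000", "GET", "api-exampleco.duosecurity.com", adminPath, nil))
	fmt.Println(VerifyWithFallback(func(path string) (int, error) {
		if path == adminPath {
			return 401, nil // Admin API rejects, Auth API accepts
		}
		return 200, nil
	})) // true Auth API <nil>
}
```

Because `VerifyWithFallback` returns an error for anything other than a 200 or a 401, a scanner built on it reports transport failures as verification errors rather than as unverified credentials, and the application label is only ever attached to a pair that one of the two APIs actually accepted.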
Corpora Test
The detector does not appear in the corpora list.
Checklist:
- Tests passing (`make test-community`)?
- Lint passing (`make lint`; this requires `golangci-lint`)?

Note (Cursor Bugbot review summary)
Medium Risk: Introduces new network-based verification logic and a new `DetectorType` enum value, which can affect scanning behavior/output and may introduce false positives or verification-time failures if the API surface/availability changes.
Overview: Adds a new `duo` detector that identifies Duo API hosts plus Integration Key/Secret Key pairs and emits results as `host:ikey:skey`, with optional verification via Duo-signed `GET` requests (Admin API first, then Auth API fallback). Registers the detector in the default detector list and adds `DetectorType_Duo` to `proto/detectors.proto` (and regenerated `detectors.pb.go`), alongside unit tests and detectors-tagged integration tests covering verified/unverified and error cases.
Written by Cursor Bugbot for commit 11eed25.