From 77dc6ea38a889a069114ebe8dc9bffb5d7e29023 Mon Sep 17 00:00:00 2001 From: nam3lum Date: Wed, 8 Oct 2025 17:33:02 +0300 Subject: [PATCH 1/6] [detector] feat: Rootly Webhook Detector --- pkg/detectors/rootlywebhook/rootlywebhook.go | 108 ++++++++++++++++++ .../rootlywebhook_integration_test.go | 104 +++++++++++++++++ .../rootlywebhook/rootlywebhook_test.go | 85 ++++++++++++++ pkg/engine/defaults/defaults.go | 2 + pkg/pb/detectorspb/detectors.pb.go | 16 ++- proto/detectors.proto | 1 + 6 files changed, 310 insertions(+), 6 deletions(-) create mode 100644 pkg/detectors/rootlywebhook/rootlywebhook.go create mode 100644 pkg/detectors/rootlywebhook/rootlywebhook_integration_test.go create mode 100644 pkg/detectors/rootlywebhook/rootlywebhook_test.go diff --git a/pkg/detectors/rootlywebhook/rootlywebhook.go b/pkg/detectors/rootlywebhook/rootlywebhook.go new file mode 100644 index 000000000000..8cd77ae747e6 --- /dev/null +++ b/pkg/detectors/rootlywebhook/rootlywebhook.go @@ -0,0 +1,108 @@ +package rootlywebhook + +import ( + "bytes" + "context" + "fmt" + "net/http" + + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" + regexp "github.com/wasilibs/go-re2" +) + +type Scanner struct{} + +// Ensure the Scanner satisfies the interface at compile time. +var _ detectors.Detector = (*Scanner)(nil) + +var ( + client = common.SaneHttpClient() + + // Rootly webhook tokens are 64 character hex strings + keyPat = regexp.MustCompile(`\b([a-f0-9]{64})\b`) +) + +// Keywords are used for efficiently pre-filtering chunks. +// Use identifiers in the secret preferably, or the provider name. +func (s Scanner) Keywords() []string { + return []string{"rootly", "webhook"} +} + +// FromData will find and optionally verify RootlyWebhook secrets in a given set of bytes. +func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) { + dataStr := string(data) + uniqueMatches := make(map[string]struct{}) + + // Look for potential webhook tokens + for _, match := range keyPat.FindAllStringSubmatch(dataStr, -1) { + uniqueMatches[match[1]] = struct{}{} + } + + for match := range uniqueMatches { + s1 := detectors.Result{ + DetectorType: detectorspb.DetectorType_RootlyWebhook, + Raw: []byte(match), + } + + if verify { + isVerified, verificationErr := verifyMatch(ctx, client, match) + s1.Verified = isVerified + s1.SetVerificationError(verificationErr, match) + } + + results = append(results, s1) + } + + return results, nil +} + +func verifyMatch(ctx context.Context, client *http.Client, token string) (bool, error) { + // We don't want to actually create alerts in Rootly. To verify tokens without spamming them, + // we send a payload that typically causes a 500 error (parsing issue) but still validates the auth. + // The expected scenario is 500 which means the key is working but the payload format causes an error. + // In case 200 comes, it means an actual alert has been created in Rootly (hopefully this never happens). + payload := bytes.NewReader([]byte(`{"rootly":["TruffleHog"]}`)) + + req, err := http.NewRequestWithContext(ctx, http.MethodPost, "https://webhooks.rootly.com/webhooks/incoming/generic_webhooks", payload) + if err != nil { + return false, err + } + + req.Header.Add("Authorization", "Bearer "+token) + req.Header.Add("Content-Type", "application/json") + + res, err := client.Do(req) + if err != nil { + return false, err + } + defer res.Body.Close() + + switch res.StatusCode { + case http.StatusOK: + // 200: Successfully processed the webhook - this means an actual alert was created in Rootly. + // Hopefully this never happens, but we at least know the token is verified. + return true, nil + case http.StatusInternalServerError: + // 500: Auth is valid but there was a server error (e.g., parsing issue with our test payload) + // This is the expected response that indicates the token is valid without creating alerts. + return true, nil + case http.StatusNotFound: + // 404: Integration/webhook not found - token is invalid + return false, nil + case http.StatusUnauthorized: + // 401: Unauthorized - token is invalid + return false, nil + default: + return false, fmt.Errorf("unexpected HTTP response status %d", res.StatusCode) + } +} + +func (s Scanner) Type() detectorspb.DetectorType { + return detectorspb.DetectorType_RootlyWebhook +} + +func (s Scanner) Description() string { + return "Rootly webhook tokens are used to create alerts using incoming webhook requests to its incident management platform." +} diff --git a/pkg/detectors/rootlywebhook/rootlywebhook_integration_test.go b/pkg/detectors/rootlywebhook/rootlywebhook_integration_test.go new file mode 100644 index 000000000000..9cc421e34271 --- /dev/null +++ b/pkg/detectors/rootlywebhook/rootlywebhook_integration_test.go @@ -0,0 +1,104 @@ +//go:build detectors +// +build detectors + +package rootlywebhook + +import ( + "context" + "fmt" + "testing" + "time" + + "github.com/kylelemons/godebug/pretty" + + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" +) + +func TestRootlyWebhook_FromChunk(t *testing.T) { + ctx, cancel := context.WithTimeout(context.Background(), time.Second*5) + defer cancel() + testSecrets, err := common.GetSecret(ctx, "trufflehog-testing", "detectors6") + if err != nil { + t.Fatalf("could not get test secrets from GCP: %s", err) + } + secret := testSecrets.MustGetField("ROOTLYWEBHOOK_TOKEN") + inactiveSecret := testSecrets.MustGetField("ROOTLYWEBHOOK_INACTIVE") + + type args struct { + ctx context.Context + data []byte + verify bool + } + tests := []struct { + name string + s Scanner + args args + want []detectors.Result + wantErr bool + }{ + { + name: "found, verified", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("rootly webhook token: %s", secret)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_RootlyWebhook, + Verified: true, + }, + }, + wantErr: false, + }, + { + name: "found, unverified", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("rootly webhook secret %s but not valid", inactiveSecret)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_RootlyWebhook, + Verified: false, + }, + }, + wantErr: false, + }, + { + name: "not found", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte("You cannot find the secret within"), + verify: true, + }, + want: nil, + wantErr: false, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + s := Scanner{} + got, err := s.FromData(tt.args.ctx, tt.args.verify, tt.args.data) + if (err != nil) != tt.wantErr { + t.Errorf("RootlyWebhook.FromData() error = %v, wantErr %v", err, tt.wantErr) + return + } + for i := range got { + if len(got[i].Raw) == 0 { + t.Fatalf("no raw secret present: \n %+v", got[i]) + } + got[i].Raw = nil + } + if diff := pretty.Compare(got, tt.want); diff != "" { + t.Errorf("RootlyWebhook.FromData() %s diff: (-got +want)\n%s", tt.name, diff) + } + }) + } +} diff --git a/pkg/detectors/rootlywebhook/rootlywebhook_test.go b/pkg/detectors/rootlywebhook/rootlywebhook_test.go new file mode 100644 index 000000000000..88d08404ab8a --- /dev/null +++ b/pkg/detectors/rootlywebhook/rootlywebhook_test.go @@ -0,0 +1,85 @@ +package rootlywebhook + +import ( + "context" + "testing" + + "github.com/google/go-cmp/cmp" + + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/engine/ahocorasick" +) + +func TestRootlyWebhook_Pattern(t *testing.T) { + d := Scanner{} + ahoCorasickCore := ahocorasick.NewAhoCorasickCore([]detectors.Detector{d}) + + tests := []struct { + name string + input string + want []string + }{ + { + name: "valid pattern", + input: "rootly webhook: 84942ab61f62d34f98511711fd59cedc35bb3a217e6a2399d50a62c01fc4ee9a", + want: []string{"84942ab61f62d34f98511711fd59cedc35bb3a217e6a2399d50a62c01fc4ee9a"}, + }, + { + name: "valid pattern with context", + input: "curl -H \"Authorization: Bearer 84942ab61f62d34f98511711fd59cedc35bb3a217e6a2399d50a62c01fc4ee9a\" https://webhooks.rootly.com/webhooks/incoming/generic_webhooks", + want: []string{"84942ab61f62d34f98511711fd59cedc35bb3a217e6a2399d50a62c01fc4ee9a"}, + }, + { + name: "valid pattern in url", + input: "https://webhooks.rootly.com/webhooks/incoming/generic_webhooks?secret=84942ab61f62d34f98511711fd59cedc35bb3a217e6a2399d50a62c01fc4ee9a", + want: []string{"84942ab61f62d34f98511711fd59cedc35bb3a217e6a2399d50a62c01fc4ee9a"}, + }, + { + name: "invalid pattern - short", + input: "84942ab61f62d34f98511711fd59cedc35bb3a217e6a2399d50a62c01fc4ee9", // 63 chars + want: nil, + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + matchedDetectors := ahoCorasickCore.FindDetectorMatches([]byte(test.input)) + if len(matchedDetectors) == 0 && len(test.want) > 0 { + t.Errorf("keywords '%v' not matched by: %s", d.Keywords(), test.input) + return + } + + results, err := d.FromData(context.Background(), false, []byte(test.input)) + if err != nil { + t.Errorf("error = %v", err) + return + } + + if len(results) != len(test.want) { + if len(results) == 0 { + t.Errorf("did not receive result") + } else { + t.Errorf("expected %d results, only received %d", len(test.want), len(results)) + } + return + } + + actual := make(map[string]struct{}, len(results)) + for _, r := range results { + if len(r.RawV2) > 0 { + actual[string(r.RawV2)] = struct{}{} + } else { + actual[string(r.Raw)] = struct{}{} + } + } + expected := make(map[string]struct{}, len(test.want)) + for _, v := range test.want { + expected[v] = struct{}{} + } + + if diff := cmp.Diff(expected, actual); diff != "" { + t.Errorf("%s diff: (-want +got)\n%s", test.name, diff) + } + }) + } +} diff --git a/pkg/engine/defaults/defaults.go b/pkg/engine/defaults/defaults.go index 45c03b957d94..2422c9d17b4f 100644 --- a/pkg/engine/defaults/defaults.go +++ b/pkg/engine/defaults/defaults.go @@ -618,6 +618,7 @@ import ( "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/robinhoodcrypto" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/rocketreach" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/rootly" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/rootlywebhook" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/route4me" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/rownd" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/rubygems" @@ -1498,6 +1499,7 @@ func buildDetectorList() []detectors.Detector { &rocketreach.Scanner{}, // &rockset.Scanner{}, &rootly.Scanner{}, + &rootlywebhook.Scanner{}, &route4me.Scanner{}, &rownd.Scanner{}, &rubygems.Scanner{}, diff --git a/pkg/pb/detectorspb/detectors.pb.go b/pkg/pb/detectorspb/detectors.pb.go index af94bc51afa5..8bf5865783f0 100644 --- a/pkg/pb/detectorspb/detectors.pb.go +++ b/pkg/pb/detectorspb/detectors.pb.go @@ -1145,6 +1145,7 @@ const ( DetectorType_HashiCorpVaultAuth DetectorType = 1036 DetectorType_PhraseAccessToken DetectorType = 1037 DetectorType_Photoroom DetectorType = 1038 + DetectorType_RootlyWebhook DetectorType = 1039 ) // Enum value maps for DetectorType. @@ -2185,6 +2186,7 @@ var ( 1036: "HashiCorpVaultAuth", 1037: "PhraseAccessToken", 1038: "Photoroom", + 1039: "RootlyWebhook", } DetectorType_value = map[string]int32{ "Alibaba": 0, @@ -3222,6 +3224,7 @@ var ( "HashiCorpVaultAuth": 1036, "PhraseAccessToken": 1037, "Photoroom": 1038, + "RootlyWebhook": 1039, } ) @@ -3675,7 +3678,7 @@ var file_detectors_proto_rawDesc = []byte{ 0x4c, 0x41, 0x49, 0x4e, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x42, 0x41, 0x53, 0x45, 0x36, 0x34, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x55, 0x54, 0x46, 0x31, 0x36, 0x10, 0x03, 0x12, 0x13, 0x0a, 0x0f, 0x45, 0x53, 0x43, 0x41, 0x50, 0x45, 0x44, 0x5f, 0x55, 0x4e, 0x49, 0x43, 0x4f, 0x44, 0x45, - 0x10, 0x04, 0x2a, 0xbb, 0x86, 0x01, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, + 0x10, 0x04, 0x2a, 0xcf, 0x86, 0x01, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0b, 0x0a, 0x07, 0x41, 0x6c, 0x69, 0x62, 0x61, 0x62, 0x61, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x41, 0x4d, 0x51, 0x50, 0x10, 0x01, 0x12, 0x07, 0x0a, 0x03, 0x41, 0x57, 0x53, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x41, 0x7a, 0x75, 0x72, 0x65, 0x10, 0x03, 0x12, @@ -4751,11 +4754,12 @@ var file_detectors_proto_rawDesc = []byte{ 0x6c, 0x74, 0x41, 0x75, 0x74, 0x68, 0x10, 0x8c, 0x08, 0x12, 0x16, 0x0a, 0x11, 0x50, 0x68, 0x72, 0x61, 0x73, 0x65, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x10, 0x8d, 0x08, 0x12, 0x0e, 0x0a, 0x09, 0x50, 0x68, 0x6f, 0x74, 0x6f, 0x72, 0x6f, 0x6f, 0x6d, 0x10, 0x8e, - 0x08, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, - 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, - 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x68, 0x6f, 0x67, 0x2f, 0x76, 0x33, 0x2f, 0x70, 0x6b, - 0x67, 0x2f, 0x70, 0x62, 0x2f, 0x64, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x73, 0x70, 0x62, - 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x08, 0x12, 0x12, 0x0a, 0x0d, 0x52, 0x6f, 0x6f, 0x74, 0x6c, 0x79, 0x57, 0x65, 0x62, 0x68, 0x6f, + 0x6f, 0x6b, 0x10, 0x8f, 0x08, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, + 0x63, 0x6f, 0x6d, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x73, 0x65, 0x63, 0x75, 0x72, + 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x68, 0x6f, 0x67, 0x2f, 0x76, + 0x33, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x62, 0x2f, 0x64, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, + 0x72, 0x73, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/proto/detectors.proto b/proto/detectors.proto index 0c1ea05eebb7..12fde16dfc41 100644 --- a/proto/detectors.proto +++ b/proto/detectors.proto @@ -1048,6 +1048,7 @@ enum DetectorType { HashiCorpVaultAuth = 1036; PhraseAccessToken = 1037; Photoroom = 1038; + RootlyWebhook = 1039; } message Result { From 824f19bc040ecf49570a8526dc89793bbbefae1f Mon Sep 17 00:00:00 2001 From: Dadash Guliyev <64528432+nam3lum@users.noreply.github.com> Date: Thu, 9 Oct 2025 14:32:38 +0300 Subject: [PATCH 2/6] Update identifiers to webhook domain --- pkg/detectors/rootlywebhook/rootlywebhook.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/detectors/rootlywebhook/rootlywebhook.go b/pkg/detectors/rootlywebhook/rootlywebhook.go index 8cd77ae747e6..ae27730f7910 100644 --- a/pkg/detectors/rootlywebhook/rootlywebhook.go +++ b/pkg/detectors/rootlywebhook/rootlywebhook.go @@ -27,7 +27,7 @@ var ( // Keywords are used for efficiently pre-filtering chunks. // Use identifiers in the secret preferably, or the provider name. func (s Scanner) Keywords() []string { - return []string{"rootly", "webhook"} + return []string{"webhooks.rootly.com"} } // FromData will find and optionally verify RootlyWebhook secrets in a given set of bytes. From 2aa657106323521ec02e5d7ee8f8b194fc4a7fed Mon Sep 17 00:00:00 2001 From: Dadash Guliyev <64528432+nam3lum@users.noreply.github.com> Date: Sat, 11 Oct 2025 15:25:08 +0300 Subject: [PATCH 3/6] Remove the non-valid pattern from tests --- pkg/detectors/rootlywebhook/rootlywebhook_test.go | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/pkg/detectors/rootlywebhook/rootlywebhook_test.go b/pkg/detectors/rootlywebhook/rootlywebhook_test.go index 88d08404ab8a..f2a00f8f0457 100644 --- a/pkg/detectors/rootlywebhook/rootlywebhook_test.go +++ b/pkg/detectors/rootlywebhook/rootlywebhook_test.go @@ -21,19 +21,14 @@ func TestRootlyWebhook_Pattern(t *testing.T) { }{ { name: "valid pattern", - input: "rootly webhook: 84942ab61f62d34f98511711fd59cedc35bb3a217e6a2399d50a62c01fc4ee9a", + input: "https://webhooks.rootly.com/webhooks/incoming/generic_webhooks?secret=84942ab61f62d34f98511711fd59cedc35bb3a217e6a2399d50a62c01fc4ee9a", want: []string{"84942ab61f62d34f98511711fd59cedc35bb3a217e6a2399d50a62c01fc4ee9a"}, }, { - name: "valid pattern with context", + name: "valid pattern 2", input: "curl -H \"Authorization: Bearer 84942ab61f62d34f98511711fd59cedc35bb3a217e6a2399d50a62c01fc4ee9a\" https://webhooks.rootly.com/webhooks/incoming/generic_webhooks", want: []string{"84942ab61f62d34f98511711fd59cedc35bb3a217e6a2399d50a62c01fc4ee9a"}, }, - { - name: "valid pattern in url", - input: "https://webhooks.rootly.com/webhooks/incoming/generic_webhooks?secret=84942ab61f62d34f98511711fd59cedc35bb3a217e6a2399d50a62c01fc4ee9a", - want: []string{"84942ab61f62d34f98511711fd59cedc35bb3a217e6a2399d50a62c01fc4ee9a"}, - }, { name: "invalid pattern - short", input: "84942ab61f62d34f98511711fd59cedc35bb3a217e6a2399d50a62c01fc4ee9", // 63 chars From 0f7ec8c3f278142c1f88ad1d99eb4ce854c6d8f9 Mon Sep 17 00:00:00 2001 From: Dadash Guliyev <64528432+nam3lum@users.noreply.github.com> Date: Wed, 15 Oct 2025 11:56:38 +0300 Subject: [PATCH 4/6] Update Rootly Webhook detector detector based to contain extra keywords for precise detection --- pkg/detectors/rootlywebhook/rootlywebhook.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/detectors/rootlywebhook/rootlywebhook.go b/pkg/detectors/rootlywebhook/rootlywebhook.go index ae27730f7910..087fd99644ef 100644 --- a/pkg/detectors/rootlywebhook/rootlywebhook.go +++ b/pkg/detectors/rootlywebhook/rootlywebhook.go @@ -21,13 +21,13 @@ var ( client = common.SaneHttpClient() // Rootly webhook tokens are 64 character hex strings - keyPat = regexp.MustCompile(`\b([a-f0-9]{64})\b`) + keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"rootly", "webhook"}) + `\b([a-f0-9]{64})\b`) ) // Keywords are used for efficiently pre-filtering chunks. // Use identifiers in the secret preferably, or the provider name. func (s Scanner) Keywords() []string { - return []string{"webhooks.rootly.com"} + return []string{"webhooks.rootly.com", "rootly", "rootlywebhook", "rootly_webhook", "rootly_token"} } // FromData will find and optionally verify RootlyWebhook secrets in a given set of bytes. From 3a2f7bfda0c4affc473b5ad83ab1abef7e25e69e Mon Sep 17 00:00:00 2001 From: Dadash Guliyev <64528432+nam3lum@users.noreply.github.com> Date: Wed, 15 Oct 2025 11:59:59 +0300 Subject: [PATCH 5/6] Add additional keyword based to detector based on how webhook is implemented --- pkg/detectors/rootlywebhook/rootlywebhook.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/detectors/rootlywebhook/rootlywebhook.go b/pkg/detectors/rootlywebhook/rootlywebhook.go index 087fd99644ef..b7f1fd879f24 100644 --- a/pkg/detectors/rootlywebhook/rootlywebhook.go +++ b/pkg/detectors/rootlywebhook/rootlywebhook.go @@ -21,7 +21,7 @@ var ( client = common.SaneHttpClient() // Rootly webhook tokens are 64 character hex strings - keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"rootly", "webhook"}) + `\b([a-f0-9]{64})\b`) + keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"rootly", "webhook", "Authorization"}) + `\b([a-f0-9]{64})\b`) ) // Keywords are used for efficiently pre-filtering chunks. From 5b735e3096c16733924e597794cc3f9e0fadabef Mon Sep 17 00:00:00 2001 From: Dadash Guliyev <64528432+nam3lum@users.noreply.github.com> Date: Wed, 15 Oct 2025 12:03:36 +0300 Subject: [PATCH 6/6] Additional keyword to rootly webhook scanner --- pkg/detectors/rootlywebhook/rootlywebhook.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/detectors/rootlywebhook/rootlywebhook.go b/pkg/detectors/rootlywebhook/rootlywebhook.go index b7f1fd879f24..271df87615b2 100644 --- a/pkg/detectors/rootlywebhook/rootlywebhook.go +++ b/pkg/detectors/rootlywebhook/rootlywebhook.go @@ -27,7 +27,7 @@ var ( // Keywords are used for efficiently pre-filtering chunks. // Use identifiers in the secret preferably, or the provider name. func (s Scanner) Keywords() []string { - return []string{"webhooks.rootly.com", "rootly", "rootlywebhook", "rootly_webhook", "rootly_token"} + return []string{"webhooks.rootly.com", "rootly", "rootlywebhook", "rootly_webhook", "rootly_token", "rootly_webhook_token"} } // FromData will find and optionally verify RootlyWebhook secrets in a given set of bytes.