[INS-345] Add New Relic Insights Query Key detector#4781
[INS-345] Add New Relic Insights Query Key detector#4781mustansir14 wants to merge 3 commits intotrufflesecurity:mainfrom
Conversation
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
| uniqueAccountIDMatches[match[1]] = struct{}{} | ||
| } | ||
|
|
||
| for _, keyMatch := range keyMatches { |
There was a problem hiding this comment.
Key matches not deduplicated unlike other multi-part detectors
Medium Severity
Account ID matches are deduplicated into uniqueAccountIDMatches, but keyMatches is iterated directly from FindAllStringSubmatch without deduplication. Other multi-part detectors in the codebase (e.g., adobeio, airbrakeprojectkey, airship) consistently deduplicate both parts into maps before the nested loops. This inconsistency means duplicate keys in scanned data produce duplicate results and redundant verification API calls.
There was a problem hiding this comment.
This is intended. The idea is to report multiple results if the key appears in multiple places, so that the user can remove it from all of those places.
Account ID matches are deduplicated because they are not the primary credential.
1 participant
Description:
This PR adds the New Relic Insights Query Key Detector.
Regex:
Key:
\b(NRIQ-[a-zA-Z0-9-_]{25})Account ID:
detectors.PrefixRegex([]string{"relic", "account", "id"}) + '\b(\d{4,10})\b'The key is the actual credential but account ID is required for verification because the verification endpoint requires an account ID in the path, and there is no other deterministic way to verify the credential without specifying the valid account ID (invalid or malformed account IDs return the same response as an invalid key)
Verification:
For verification, we use the Insights Query API with a simple select query:
https://insights-api.newrelic.com/v1/accounts/[account_id]/query?nrql=SELECT%%201.We send a GET request. A response code of
200means the key is valid.401means it is an invalid/rotated key.Note: For EU region keys, the host should be
insights-api.eu.newrelic.comCorpora Test:
The detector does not appear in the list.
Checklist:
make test-community)?make lintthis requires golangci-lint)?Note
Medium Risk
Adds a new detector with live HTTP verification against New Relic endpoints and expands the detector type enum, which can affect scanning behavior and introduces external request/timeout considerations.
Overview
Adds a new
NewRelicInsightsQueryKeydetector that identifiesNRIQ-...Insights Query keys and associated account IDs, emitting results keyed by the combinedkey+accountID(RawV2) and optionally verifying via the legacy Insights Query API against both US/EU regions (recording the successful region inExtraData).Registers the detector in the default detector list and extends the protobuf
DetectorTypeenum to includeNewRelicInsightsQueryKey, with accompanying unit + integration tests and benchmarks for detection/verification behavior.Written by Cursor Bugbot for commit 7345494. This will update automatically on new commits. Configure here.