trufflesecurity · mustansir14 · Mar 6, 2026 · Mar 6, 2026 · Mar 6, 2026 · Mar 6, 2026
@@ -0,0 +1,127 @@
+package newrelicuserkey
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
+
+	regexp "github.com/wasilibs/go-re2"
+
+	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
+)
+
+type Scanner struct {
+	client *http.Client
+}
+
+// Ensure the Scanner satisfies the interfaces at compile time.
+var _ detectors.Detector = (*Scanner)(nil)
+
+var (
+	defaultClient = common.SaneHttpClient()
+	keyPat        = regexp.MustCompile(`\b(NRAK-[A-Z0-9]{27})\b`)
+)
+
+func (s Scanner) getClient() *http.Client {
+	if s.client != nil {
+		return s.client
+	}
+
+	return defaultClient
+}
+
+// Keywords are used for efficiently pre-filtering chunks.
+func (s Scanner) Keywords() []string { return []string{"nrak-"} }
+
+func (s Scanner) Type() detectorspb.DetectorType {
+	return detectorspb.DetectorType_NewRelicUserKey
+}
+
+func (s Scanner) Description() string {
+	return "A New Relic User API Key is an authentication token used to query data from New Relic via the NerdGraph API or REST API, allowing users to access account data and perform read operations securely. It is primarily used for interacting with New Relic’s query and configuration services."
+}
+
+func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) {
+	dataStr := string(data)
+
+	matches := keyPat.FindAllStringSubmatch(dataStr, -1)
+	for _, match := range matches {
+		resMatch := strings.TrimSpace(match[1])
+
+		s1 := detectors.Result{
+			DetectorType: s.Type(),
+			Raw:          []byte(resMatch),
+			Redacted:     resMatch[:8] + "...",
+		}
+
+		if verify {
+			isVerified, extraData, verificationErr := s.verify(ctx, resMatch)
+			s1.Verified = isVerified
+			s1.ExtraData = extraData
+			s1.SetVerificationError(verificationErr)
+		}
+
+		results = append(results, s1)
+	}
+
+	return results, nil
+}
+
+type graphqlResponse struct {
+	Data struct {
+		RequestContext struct {
+			UserID string `json:"userId"`
+		} `json:"requestContext"`
+	} `json:"data"`
+}
+
+// verify checks if the provided key is valid by making a request to the New Relic NerdGraph API.
+// It sends a POST request to the NerdGraph API. A valid key will result in a 200 OK response.
+// Invalid key will return in 401 Unauthorized, and a key with incorrect region will return a 403 Forbidden.
+// https://docs.newrelic.com/docs/apis/nerdgraph/get-started/introduction-new-relic-nerdgraph/
+func (s Scanner) verify(ctx context.Context, key string) (bool, map[string]string, error) {
+	regionUrls := map[string]string{
+		"us": "https://api.newrelic.com/graphql",
+		"eu": "https://api.eu.newrelic.com/graphql",
+	}
+	client := s.getClient()
+	body := "{ requestContext { userId } }"
+	errs := make([]error, 0, len(regionUrls))
+	for region, regionUrl := range regionUrls {
+		req, err := http.NewRequestWithContext(
+			ctx, http.MethodPost, regionUrl, strings.NewReader(body))
+		if err != nil {
+			return false, nil, fmt.Errorf("error constructing request: %w", err)
+		}
+		req.Header.Set("API-Key", key)
+
+		res, err := client.Do(req)
+		if err != nil {
+			return false, nil, fmt.Errorf("error making request: %w", err)
+		}
+		defer func() {
+			_ = res.Body.Close()
+		}()
+
+		switch res.StatusCode {
+		case http.StatusOK:
+			var resp graphqlResponse
+			if err := json.NewDecoder(res.Body).Decode(&resp); err != nil {
+				errs = append(errs, fmt.Errorf("error decoding response for region %s: %w", region, err))
+				continue
+			}
+			return true, map[string]string{"region": region, "user_id": resp.Data.RequestContext.UserID}, nil
+		case http.StatusUnauthorized, http.StatusForbidden:
+			// 401 means the key is invalid, 403 means the region is incorrect
+			continue
+		default:
+			errs = append(errs, fmt.Errorf("unexpected status code for region %s: %d", region, res.StatusCode))
+		}
+	}
+	return false, nil, errors.Join(errs...)
+}
@@ -0,0 +1,150 @@
+//go:build detectors
+// +build detectors
+
+package newrelicuserkey
+
+import (
+	"context"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/kylelemons/godebug/pretty"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
+
+	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
+)
+
+func TestNewRelicUserKey_FromChunk(t *testing.T) {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
+	defer cancel()
+	testSecrets, err := common.GetSecret(ctx, "trufflehog-testing", "detectors6")
+	if err != nil {
+		t.Fatalf("could not get test secrets from GCP: %s", err)
+	}
+
+	key := testSecrets.MustGetField("NEW_RELIC_USER_KEY")
+	keyEU := testSecrets.MustGetField("NEW_RELIC_USER_KEY_EU")
+	keyInactive := "NRAK-GDJSS4QZORUYIC1OGTRNGQMT5VH"
+
+	type args struct {
+		ctx    context.Context
+		data   []byte
+		verify bool
+	}
+	tests := []struct {
+		name    string
+		s       Scanner
+		args    args
+		want    []detectors.Result
+		wantErr bool
+	}{
+		{
+			name: "found, verified",
+			s:    Scanner{},
+			args: args{
+				ctx:    context.Background(),
+				data:   []byte(fmt.Sprintf("You can find a new relic user key %s within", key)),
+				verify: true,
+			},
+			want: []detectors.Result{
+				{
+					DetectorType: detectorspb.DetectorType_NewRelicUserKey,
+					Verified:     true,
+					ExtraData: map[string]string{
+						"region":  "us",
+						"user_id": "1007651396",
+					},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "found eu, verified",
+			s:    Scanner{},
+			args: args{
+				ctx:    context.Background(),
+				data:   []byte(fmt.Sprintf("You can find a new EU relic user key %s within", keyEU)),
+				verify: true,
+			},
+			want: []detectors.Result{
+				{
+					DetectorType: detectorspb.DetectorType_NewRelicUserKey,
+					Verified:     true,
+					ExtraData: map[string]string{
+						"region":  "eu",
+						"user_id": "1007651478",
+					},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "found, unverified",
+			s:    Scanner{},
+			args: args{
+				ctx:    context.Background(),
+				data:   []byte(fmt.Sprintf("You can find a new relic user key %s within", keyInactive)), // the secret would satisfy the regex but not pass validation
+				verify: true,
+			},
+			want: []detectors.Result{
+				{
+					DetectorType: detectorspb.DetectorType_NewRelicUserKey,
+					Verified:     false,
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "not found",
+			s:    Scanner{},
+			args: args{
+				ctx:    context.Background(),
+				data:   []byte("You cannot find the secret within"),
+				verify: true,
+			},
+			want:    nil,
+			wantErr: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			s := Scanner{}
+			got, err := s.FromData(tt.args.ctx, tt.args.verify, tt.args.data)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("NewRelicUserKey.FromData() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			for i := range got {
+				if len(got[i].Raw) == 0 {
+					t.Fatalf("no raw secret present: \n %+v", got[i])
+				}
+				got[i].Raw = nil
+				if len(got[i].Redacted) == 0 {
+					t.Fatalf("no redacted secret present: \n %+v", got[i])
+				}
+				got[i].Redacted = ""
+			}
+			if diff := pretty.Compare(got, tt.want); diff != "" {
+				t.Errorf("NewRelicUserKey.FromData() %s diff: (-got +want)\n%s", tt.name, diff)
+			}
+		})
+	}
+}
+
+func BenchmarkFromData(benchmark *testing.B) {
+	ctx := context.Background()
+	s := Scanner{}
+	for name, data := range detectors.MustGetBenchmarkData() {
+		benchmark.Run(name, func(b *testing.B) {
+			b.ResetTimer()
+			for n := 0; n < b.N; n++ {
+				_, err := s.FromData(ctx, false, data)
+				if err != nil {
+					b.Fatal(err)
+				}
+			}
+		})
+	}
+}
@@ -0,0 +1,80 @@
+package newrelicuserkey
+
+import (
+	"context"
+	"fmt"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+
+	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/engine/ahocorasick"
+)
+
+var (
+	validPattern   = "NRAK-GDJSS4QZORUYIC1OGTRNGQMT5VH"
+	invalidPattern = "NRAK-GDJSS4QZORUYIC1OGTRNGQMT5V"
+)
+
+func TestNewRelicUserKey_Pattern(t *testing.T) {
+	d := Scanner{}
+	ahoCorasickCore := ahocorasick.NewAhoCorasickCore([]detectors.Detector{d})
+	tests := []struct {
+		name  string
+		input string
+		want  []string
+	}{
+		{
+			name:  "valid pattern",
+			input: fmt.Sprintf("new relic user key = '%s'", validPattern),
+			want:  []string{validPattern},
+		},
+		{
+			name:  "invalid pattern",
+			input: fmt.Sprintf("new relic user key = '%s'", invalidPattern),
+			want:  []string{},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			matchedDetectors := ahoCorasickCore.FindDetectorMatches([]byte(test.input))
+			if len(matchedDetectors) == 0 {
+				t.Errorf("keywords '%v' not matched by: %s", d.Keywords(), test.input)
+				return
+			}
+
+			results, err := d.FromData(context.Background(), false, []byte(test.input))
+			if err != nil {
+				t.Errorf("error = %v", err)
+				return
+			}
+
+			if len(results) != len(test.want) {
+				if len(results) == 0 {
+					t.Errorf("did not receive result")
+				} else {
+					t.Errorf("expected %d results, only received %d", len(test.want), len(results))
+				}
+				return
+			}
+
+			actual := make(map[string]struct{}, len(results))
+			for _, r := range results {
+				if len(r.RawV2) > 0 {
+					actual[string(r.RawV2)] = struct{}{}
+				} else {
+					actual[string(r.Raw)] = struct{}{}
+				}
+			}
+			expected := make(map[string]struct{}, len(test.want))
+			for _, v := range test.want {
+				expected[v] = struct{}{}
+			}
+
+			if diff := cmp.Diff(expected, actual); diff != "" {
+				t.Errorf("%s diff: (-want +got)\n%s", test.name, diff)
+			}
+		})
+	}
+}
@@ -491,6 +491,7 @@ import (
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/netsuite"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/neutrinoapi"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/newrelicpersonalapikey"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/newrelicuserkey"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/newsapi"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/newscatcher"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/nexmoapikey"
@@ -1372,6 +1373,7 @@ func buildDetectorList() []detectors.Detector {
 		&netsuite.Scanner{},
 		&neutrinoapi.Scanner{},
 		&newrelicpersonalapikey.Scanner{},
+		&newrelicuserkey.Scanner{},
 		&newsapi.Scanner{},
 		&newscatcher.Scanner{},
 		&nexmoapikey.Scanner{},