// Source: github.com/google/osv-scalibr@v0.4.1/veles/secrets/stripeapikeys/detector.go

// Copyright 2025 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package stripeapikeys

import (
	"regexp"

	"github.com/google/osv-scalibr/veles"
	"github.com/google/osv-scalibr/veles/secrets/common/simpletoken"
)

// Compile-time checks that each constructor yields a veles.Detector.
// NOTE(review): the constructors are already declared to return
// veles.Detector, so these assignments mainly guard against a later change of
// a constructor's signature.
var (
	_ veles.Detector = NewSecretKeyDetector()
	_ veles.Detector = NewRestrictedKeyDetector()
	_ veles.Detector = NewWebhookSecretDetector()
)

// Upper bounds on the length of a match, prefix included. Each value must stay
// equal to the prefix length plus the largest repetition count of the
// corresponding pattern below; update both together.
// NOTE(review): MaxLen is presumably what simpletoken uses to bound a match;
// confirm against simpletoken.Detector.
const (
	skMaxLen    = 107 // "sk_live_" (8) + up to 99 key characters
	rkMaxLen    = 107 // "rk_live_" (8) + up to 99 key characters
	whsecMaxLen = 38  // "whsec_" (6) + exactly 32 key characters
)

// Token patterns, compiled once at package initialisation.
//
// None of the patterns carries a boundary assertion, so a match may begin or
// end inside a longer alphanumeric run; with the two {10,99} patterns a longer
// run is cut off after 99 key characters, and the webhook pattern stops after
// 32. Only the live-mode key prefixes are covered: a string with a different
// prefix, such as sk_test_, does not match.
var (
	// Secret Keys Live (SK): sk_live_[A-Za-z0-9]{10,99}
	skRe = regexp.MustCompile(`sk_live_[A-Za-z0-9]{10,99}`)

	// Secret Keys Restricted (RK): rk_live_[A-Za-z0-9]{10,99}
	rkRe = regexp.MustCompile(`rk_live_[A-Za-z0-9]{10,99}`)

	// Stripe Webhook Signing Secrets: whsec_[A-Za-z0-9]{32}
	whsecRe = regexp.MustCompile(`whsec_[A-Za-z0-9]{32}`)
)

// NewSecretKeyDetector returns a detector for Stripe Secret Keys (sk_live_...).
//
// Every match of skRe is accepted as a finding: the conversion callback always
// reports true and performs no further validation of the candidate. The
// matched bytes are copied verbatim into StripeSecretKey.Key, so the finding
// carries the secret value itself.
func NewSecretKeyDetector() veles.Detector {
	toSecret := func(match []byte) (veles.Secret, bool) {
		return StripeSecretKey{Key: string(match)}, true
	}
	return simpletoken.Detector{MaxLen: skMaxLen, Re: skRe, FromMatch: toSecret}
}

// NewRestrictedKeyDetector returns a detector for Stripe Restricted Keys (rk_live_...).
//
// Every match of rkRe is accepted as a finding: the conversion callback always
// reports true and performs no further validation of the candidate. The
// matched bytes are copied verbatim into StripeRestrictedKey.Key.
func NewRestrictedKeyDetector() veles.Detector {
	toSecret := func(match []byte) (veles.Secret, bool) {
		return StripeRestrictedKey{Key: string(match)}, true
	}
	return simpletoken.Detector{MaxLen: rkMaxLen, Re: rkRe, FromMatch: toSecret}
}

// NewWebhookSecretDetector returns a detector for Stripe Webhook Signing Secrets (whsec_...).
//
// Every match of whsecRe is accepted as a finding: the conversion callback
// always reports true and performs no further validation of the candidate.
// The matched bytes are copied verbatim into StripeWebhookSecret.Key.
func NewWebhookSecretDetector() veles.Detector {
	toSecret := func(match []byte) (veles.Secret, bool) {
		return StripeWebhookSecret{Key: string(match)}, true
	}
	return simpletoken.Detector{MaxLen: whsecMaxLen, Re: whsecRe, FromMatch: toSecret}
}