Optimize the regex pattern in the artifactory access token detector#4685
Open
shahzadhaider1 wants to merge 6 commits intotrufflesecurity:mainfrom
Open
Optimize the regex pattern in the artifactory access token detector#4685shahzadhaider1 wants to merge 6 commits intotrufflesecurity:mainfrom
shahzadhaider1 wants to merge 6 commits intotrufflesecurity:mainfrom
Conversation
kashifkhan0771
approved these changes
Jan 21, 2026
mariduv
approved these changes
Feb 2, 2026
nabeelalam
reviewed
Feb 12, 2026
| // Use identifiers in the secret preferably, or the provider name. | ||
| func (s Scanner) Keywords() []string { | ||
| return []string{"artifactory", "jfrog.io"} | ||
| return []string{"artifactory", "jfrog.io", "AKCp"} |
Contributor
There was a problem hiding this comment.
Do we need an artifactory keyword? It doesn't seem to be a required prefix
Contributor
Author
There was a problem hiding this comment.
The artifactory keyword was already present, so I kept it as-is. It’s not meant to indicate a required prefix for the secret itself, but rather to help with contextual matching. In practice, I think Artifactory credentials are often defined or referenced near the term “artifactory” (config files, env vars, comments, etc.), so having it as a keyword can help reduce noise and improve signal.
That said, I’m open to removing it if we think it’s not providing enough value.
nabeelalam
approved these changes
Feb 12, 2026
Contributor
nabeelalam
left a comment
nabeelalam
left a comment
There was a problem hiding this comment.
Just one suggestion otherwise good to go!
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR updates the Artifactory detector to properly detect Artifactory API keys with the
AKCpprefix format.Problem
The existing Artifactory detector was using a very generic regex pattern that detected any 73 or 64 character alphanumeric strings, leading to potential false positives. The detector was not specifically targeting the old Artifactory API key format (
AKCpprefix).Changes
1. Updated Regex Pattern
\b([a-zA-Z0-9]{64,73})\b\b(AKCp[A-Za-z0-9]{69})\b2. Updated Keywords
AKCpto the keywords list for better pre-filtering3. Updated Tests
AKCpprefix patternImportant Note on Testing
JFrog deprecated Artifactory API keys (format
AKCp*) and disabled the ability to create new API keys at the end of Q3 2024.Sources:
Since real
AKCpAPI keys can no longer be generated:Checklist:
AKCpprefix formatmake test-community)?make lintthis requires golangci-lint)?