Skip to content

feat: add FrameworkSecretKey detector for Symfony, Laravel, Django, Rails#4696

Open
PascalThuet wants to merge 3 commits intotrufflesecurity:mainfrom
PascalThuet:feat/framework-secret-detector
Open

feat: add FrameworkSecretKey detector for Symfony, Laravel, Django, Rails#4696
PascalThuet wants to merge 3 commits intotrufflesecurity:mainfrom
PascalThuet:feat/framework-secret-detector

Conversation

@PascalThuet
Copy link
Contributor

@PascalThuet PascalThuet commented Jan 25, 2026

Summary

Adds a new detector for framework secret keys commonly exposed in .env files and configuration. This addresses #4687.

Supported Frameworks

Framework Variable Pattern Example
Symfony APP_SECRET [a-f0-9]{32,64} APP_SECRET=a1b2c3d4...
Laravel APP_KEY base64:[A-Za-z0-9+/]{42,44}={0,2} APP_KEY=base64:wJalr...
Django SECRET_KEY 50+ chars (quoted) SECRET_KEY='django-insecure-...'
Rails SECRET_KEY_BASE [a-f0-9]{64,128} SECRET_KEY_BASE=abc123...

Security Impact

These secrets enable attackers to:

  • Forge session cookies - Impersonate any user
  • Bypass CSRF protection - Execute state-changing actions
  • Decrypt sensitive data - Access encrypted cookies/tokens
  • RCE in some cases - Laravel's encrypted cookies can lead to RCE via deserialization

Implementation Details

  • Unverified detector - No API to validate against, but high-confidence patterns
  • Shannon entropy filtering - Applied to Django to reduce false positives
  • Deduplication - Prevents SECRET_KEY_BASE from also matching as SECRET_KEY
  • Redaction - Secrets displayed as a1b2c3d4...****789a
  • Framework metadata - ExtraData includes framework name, variable, and documentation URL

Changes

  • proto/detectors.proto - Add FrameworkSecretKey = 1040
  • pkg/detectors/frameworksecret/ - New detector with tests
  • pkg/engine/defaults/defaults.go - Register detector

Test Plan

  • Unit tests pass (go test ./pkg/detectors/frameworksecret/... -v)
  • Manual testing with sample .env files
  • All 4 frameworks detected correctly
  • False positives filtered (placeholders, env vars, templates)
  • No duplicate detections for Rails SECRET_KEY_BASE

Test Output

$ go run . filesystem /tmp/all-frameworks.env
Found unverified result 🐷🔑❓ - Symfony APP_SECRET
Found unverified result 🐷🔑❓ - Laravel APP_KEY  
Found unverified result 🐷🔑❓ - Django SECRET_KEY
Found unverified result 🐷🔑❓ - Rails SECRET_KEY_BASE

References

Closes #4687

@PascalThuet
proto: add FrameworkSecretKey detector type
b35f9c8 
Add new detector type for framework secret keys (Symfony, Laravel,
Django, Rails) to the protobuf definitions.

Relates to trufflesecurity#4687
@PascalThuet
feat: add FrameworkSecretKey detector
9319cdc 
Add detector for framework secret keys commonly exposed in .env files
and configuration:

- Symfony APP_SECRET (32+ hex chars)
- Laravel APP_KEY (base64:... format)
- Django SECRET_KEY (50+ chars, quoted)
- Rails SECRET_KEY_BASE (64-128 hex chars)

Features:
- Shannon entropy filtering for Django secrets
- Deduplication to prevent SECRET_KEY_BASE matching as SECRET_KEY
- Proper redaction for display
- Framework-specific metadata in ExtraData

These secrets cannot be verified via API but have high-confidence
patterns. Exposed keys allow session forgery, CSRF bypass, and
potentially RCE (Laravel).

Closes trufflesecurity#4687
@PascalThuet
feat: register FrameworkSecretKey in default detectors
062b982 
Add frameworksecret.Scanner{} to the default detector list.

Relates to trufflesecurity#4687
@PascalThuet PascalThuet requested a review from a team January 25, 2026 08:08
@PascalThuet PascalThuet requested review from a team as code owners January 25, 2026 08:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Feature Request: Detector for Framework Secret Keys (Symfony, Laravel, Django, Rails)

1 participant

@PascalThuet