feat(detectors): add Resend detector#5103

Open: mwoss wants to merge 1 commit into trufflesecurity:main from mwoss:add-resend-detector

@mwoss mwoss commented Jul 1, 2026

Description:

Hi Trufflehog team! I work at Resend (the email API this detector targets), submitting this on behalf of the team. Happy to be the point of contact for the key format and verification behavior, and I can provide sanctioned test credentials (RESEND_API_KEY, RESEND_API_KEY_SENDING_ACCESS, RESEND_API_KEY_INACTIVE) for trufflehog-testing/detectors5 via any secure channel you prefer.

Key format: re_[1-9A-HJ-NP-Za-km-z]{8}_[1-9A-HJ-NP-Za-km-z]{24} (base58 alphabet, excluding the ambiguous characters 0, O, I, and l).

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint; this requires golangci-lint)?

Note

Low Risk
Additive detector-only change following existing patterns; verification uses a read-only API call and does not alter core scan engine behavior.

Overview
Adds a Resend secret detector so scans can find leaked email API keys and optionally confirm they are still valid.

Keys matching re_ + base58 segments are extracted with keyword prefilter re_. When verification is on, the scanner calls Resend’s read-only GET /api-keys endpoint: 200 marks full_access, 401 with restricted_api_key marks active sending_access, and other statuses leave the finding unverified. Verified hits include permission and a rotation_guide link in extra data.

The new DetectorType_Resend (1053) is wired into the default detector list. Unit tests cover regex/duplicates; integration tests (build tag detectors) exercise live keys for full access, sending-only, and inactive keys plus timeout/error paths.

Reviewed by Cursor Bugbot for commit 2f6e588. Bugbot is set up for automated code reviews on this repo.
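
The matching and status mapping described in the PR description above, as an added Go example that is not code from this pull request. The regex is the one quoted in the description; the function names, the JSON `name` field assumed to carry restricted_api_key, and the sample keys are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"regexp"
)

// Pattern quoted in the PR description (base58 alphabet, no 0, O, I, l).
var keyPat = regexp.MustCompile(`re_[1-9A-HJ-NP-Za-km-z]{8}_[1-9A-HJ-NP-Za-km-z]{24}`)

// FindKeys returns each distinct candidate once, in order of first appearance.
func FindKeys(data string) []string {
	seen := map[string]bool{}
	var out []string
	for _, m := range keyPat.FindAllString(data, -1) {
		if !seen[m] {
			seen[m] = true
			out = append(out, m)
		}
	}
	return out
}

// Classify maps a GET /api-keys response to (verified, permission).
// Assumption: the 401 body is JSON with a "name" field holding the error code.
func Classify(status int, body []byte) (bool, string) {
	switch status {
	case http.StatusOK:
		return true, "full_access"
	case http.StatusUnauthorized:
		var e struct {
			Name string `json:"name"`
		}
		if json.Unmarshal(body, &e) == nil && e.Name == "restricted_api_key" {
			return true, "sending_access"
		}
	}
	return false, "" // any other response leaves the finding unverified
}

func main() {
	// Constructed sample input; these are not real credentials.
	src := "RESEND_API_KEY=re_AbCd1234_abcdefghijkmnopqrstuvwxy\n" +
		"BAD=re_AbCd0234_abcdefghijkmnopqrstuvwxy\n" // '0' is outside base58
	fmt.Println(FindKeys(src))
	fmt.Println(Classify(401, []byte(`{"name":"restricted_api_key"}`)))
}
```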

@mwoss mwoss requested a review from a team July 1, 2026 16:30
@mwoss mwoss requested review from a team as code owners July 1, 2026 16:30
CLAassistant commented Jul 1, 2026

CLA assistant check
All committers have signed the CLA.

Adds a TruffleHog detector for Resend (https://resend.com), an email API
for transactional and marketing email.

Key format: re_[1-9A-HJ-NP-Za-km-z]{8}_[1-9A-HJ-NP-Za-km-z]{24}
(base58 alphabet, excluding the ambiguous characters 0, O, I, and l).
@mwoss mwoss force-pushed the add-resend-detector branch from 2f6e588 to de1963f Compare July 1, 2026 16:34
@mwoss mwoss mentioned this pull request Jul 2, 2026
mwoss commented Jul 2, 2026

Closes #5107
