feat: add host, db and username to ExtraData for database detectors

[mariocj89]

First time contributing to trufflehog, let me know if I should do anything differently. Thanks for your work ^^.

Fixes #4754 and helps with general triaging and identification for other database connection types :).

Description:

Populate ExtraData with parsed fields for all database connection string detectors (MongoDB, PostgreSQL, Redis, JDBC). This surfaces useful metadata about detected credentials.

The parsing logic already existed in each detector — this change exposes the extracted values in the result's ExtraData map alongside any pre-existing fields (rotation_guide, sslmode, etc.).

Checklist:

• Tests passing (make test-community)?
• Lint passing (make lint this requires golangci-lint)?

Manual test

Example file

mcorcherojim at PW0ACHMB in ~
$ cat /tmp/fake_secrets.txt
# MongoDB with database
mongodb://admin:SuperSecret123@mongo.prod.example.com:27017/customers

# PostgreSQL with database and sslmode
postgresql://dbadmin:P4ssw0rd!@pg-primary.internal:5432/analytics?sslmode=require

# Redis with username
redis://cacheuser:R3d1sP4ss@redis-cluster.example.com:6379/0

# JDBC MySQL
jdbc:mysql://appuser:MyS3cret@mysql-db.example.com:3306/orders

# JDBC PostgreSQL
jdbc:postgresql://etluser:Etl_Pass_99@warehouse.example.com:5432/datawarehouse

# JDBC SQL Server
jdbc:sqlserver://sqlbox.corp.local:1433;database=inventory;user=sa;password=S4_Admin!

# Azure Redis (no username)
myapp-cache.redis.cache.windows.net:6380,password=aB1cD2eF3gH4iJ5kL6mN7oP8qR9sT0uV1wX2yZ3a4b5,ssl=True,abortConnect=False

# MongoDB without database
mongodb://readonly:ViewOnly_2024@analytics.mongodb.example.com:27017

Example output

$ trufflehog filesystem --directory /tmp/fake_secrets.txt --no-verification 2>/dev/null
Found unverified result 🐷🔑❓
Detector Type: MongoDB
Decoder Type: PLAIN
Raw result: mongodb://readonly:ViewOnly_2024@analytics.mongodb.example.com:27017
Rotation_guide: https://howtorotate.com/docs/tutorials/mongo/
Host: analytics.mongodb.example.com:27017
Username: readonly
File: /tmp/fake_secrets.txt
Line: 23

Found unverified result 🐷🔑❓
Detector Type: MongoDB
Decoder Type: PLAIN
Raw result: mongodb://admin:SuperSecret123@mongo.prod.example.com:27017/customers
Rotation_guide: https://howtorotate.com/docs/tutorials/mongo/
Host: mongo.prod.example.com:27017
Username: admin
Database: customers
File: /tmp/fake_secrets.txt
Line: 2

Found unverified result 🐷🔑❓
Detector Type: Postgres
Decoder Type: PLAIN
Raw result: postgresql://etluser:Etl_Pass_99@warehouse.example.com:5432
Sslmode: <unset>
Host: warehouse.example.com
Username: etluser
Database: datawarehouse
File: /tmp/fake_secrets.txt
Line: 14

Found unverified result 🐷🔑❓
Detector Type: Postgres
Decoder Type: PLAIN
Raw result: postgresql://dbadmin:P4ssw0rd!@pg-primary.internal:5432
Sslmode: require
Host: pg-primary.internal
Username: dbadmin
Database: analytics
File: /tmp/fake_secrets.txt
Line: 5

Found unverified result 🐷🔑❓
Detector Type: JDBC
Decoder Type: PLAIN
Raw result: jdbc:sqlserver://sqlbox.corp.local:1433;database=inventory;user=sa;password=S4_Admin!
Host: sqlbox.corp.local:1433
Username: sa
Database: inventory
File: /tmp/fake_secrets.txt
Line: 17

Found unverified result 🐷🔑❓
Detector Type: JDBC
Decoder Type: PLAIN
Raw result: jdbc:mysql://appuser:MyS3cret@mysql-db.example.com:3306/orders
Host: tcp(mysql-db.example.com:3306)
Username: appuser
Database: orders
File: /tmp/fake_secrets.txt
Line: 11

Found unverified result 🐷🔑❓
Detector Type: JDBC
Decoder Type: PLAIN
Raw result: jdbc:postgresql://etluser:Etl_Pass_99@warehouse.example.com:5432/datawarehouse
Host: warehouse.example.com:5432
Username: etluser
Database: datawarehouse
File: /tmp/fake_secrets.txt
Line: 14

---

Note

Low Risk
Low risk metadata-only change: adds parsed host/username/database fields to detector results and expands unit coverage. Minor behavioral nuance: JDBC now attempts parsing even when not verifying, but verification flow remains effectively the same when parsing fails.

Overview
Adds parsed connection metadata to database detector findings by populating Result.ExtraData with host, username, and (when available) database for JDBC, MongoDB, Postgres, and Redis.

JDBC now attempts to parse connection info even when verify=false (to fill ExtraData), while still skipping unsupported subprotocols only when verification is requested. Comprehensive new unit tests assert ExtraData extraction across common URI/connection-string formats and ensure existing fields like MongoDB rotation_guide and Postgres sslmode remain present.

^{Written by Cursor Bugbot for commit 252be3e. This will update automatically on new commits. Configure here.}

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[Copilot]

Pull request overview

This PR enhances database connection string detectors by surfacing parsed connection metadata (host, username, database) via Result.ExtraData, improving downstream triage and identification of detected credentials.

Changes:

• Redis: populate ExtraData from the parsed Redis URL.
• Postgres: add host, username, and database into ExtraData while preserving existing sslmode.
• MongoDB + JDBC: expose parsed connection fields in ExtraData and add focused tests validating the new metadata.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
pkg/detectors/redis/redis.go	Adds ExtraData population from parsed Redis URLs via a helper.
pkg/detectors/redis/redis_test.go	Adds test coverage asserting host/username in ExtraData.
pkg/detectors/postgres/postgres.go	Extends existing ExtraData to include host/username/database alongside sslmode.
pkg/detectors/postgres/postgres_test.go	Adds tests validating new Postgres ExtraData fields and preserving sslmode.
pkg/detectors/mongodb/mongodb.go	Preserves rotation_guide and adds host/user/database fields into ExtraData.
pkg/detectors/mongodb/mongodb_test.go	Adds tests verifying MongoDB ExtraData fields are populated.
pkg/detectors/jdbc/jdbc.go	Parses JDBC connection info to populate ExtraData even when verify=false.
pkg/detectors/jdbc/jdbc_test.go	Adds tests covering ExtraData extraction and unsupported subprotocol behavior.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.