Add Persona (withpersona.com) API key detector#4851
segiddins wants to merge 1 commit into trufflesecurity:main from
Conversation
Add a new detector for Persona identity verification platform API keys.
Keys follow the format persona_{sandbox|production}_<UUID> and are
verified against the Persona API permissions endpoint.
Extracts metadata on verification: key type, organization, environment,
API key ID, name, permissions, and expiration.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
| for k, v := range extraData { | ||
| s1.ExtraData[k] = v | ||
| } | ||
| s1.AnalysisInfo = map[string]string{"key": keyMatch} |
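Review bot: the loop `for k, v := range extraData` writes into `s1.ExtraData` without showing that the map was initialised first; a write to a nil map panics in Go, so either initialise it or assign `s1.ExtraData = extraData` directly, which also removes the loop. The `s1.AnalysisInfo = map[string]string{"key": keyMatch}` line stores the raw key for an analyzer that does not exist for this secret type and can be dropped.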
No need for analysis, as there is currently no Analyzer available for this secret type.
| func verifyPersonaKey(ctx context.Context, client *http.Client, key string) (bool, map[string]string, error) { | ||
| req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://withpersona.com/api/v1/api-keys/permissions", http.NoBody) | ||
| if err != nil { | ||
| return false, nil, nil |
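Review bot: `return false, nil, nil` on the `http.NewRequestWithContext` error discards the error, so a failed request construction is reported as an unverified key instead of a verification failure; return `false, nil, err` so the caller's `SetVerificationError` can record it.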
Is there a reason we’re not returning the error here?
Thanks for the tests. This is great.
One small suggestion: it would be nice to follow the convention of separating unit tests and integration tests (you can check out this example for reference).
Also, for handling keys in tests, the “Testing the Detector” guide is a helpful resource to follow.
| case http.StatusUnauthorized, http.StatusForbidden: | ||
| return false, nil, nil |
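Review bot: grouping `http.StatusForbidden` with `http.StatusUnauthorized` marks a key unverified on a 403, which per the Persona error-code documentation cited in this thread means the credential is valid but lacks permission for this endpoint; handle 403 in its own case (treat it as verified, or surface it as an error) so that live keys with restricted permissions are not reported as dead, and keep only 401 as the unverified path.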
According to the Persona API error codes documentation a 403 Forbidden response indicates that credentials are valid but lack permission for this call.
I'm not sure how accurate it would be to unverify these credentials in this case.
| s1.Verified = isVerified | ||
| s1.SetVerificationError(err, keyMatch) | ||
|
|
||
| if isVerified { | ||
| for k, v := range extraData { | ||
| s1.ExtraData[k] = v | ||
| } | ||
| s1.AnalysisInfo = map[string]string{"key": keyMatch} | ||
| } |
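Review bot: the `if isVerified` guard around the `ExtraData` copy is redundant, since the verifier already returns a nil map on the unverified and error paths, and the `AnalysisInfo` assignment has no consumer; the block reduces to `s1.Verified = isVerified`, `s1.ExtraData = extraData`, `s1.SetVerificationError(err, keyMatch)`.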
As pointed out, no need to populate AnalysisInfo here.
This whole block can be simplified to:
s1.Verified = isVerified
s1.ExtraData = extraData
s1.SetVerificationError(err, keyMatch)
Description:
Adds a new detector for Persona API keys. Persona is an identity verification platform; leaked API keys can expose sensitive PII, government IDs, and verification results.
Key format: persona_sandbox_<uuid> / persona_production_<uuid>
Verification: GET https://withpersona.com/api/v1/api-keys/permissions with Bearer auth
I work at Persona.
Closes #4850
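The key pattern and verification flow described above, written out as an added example (not the PR's code): it matches persona_{sandbox|production}_<UUID>, calls the permissions endpoint with Bearer auth, propagates errors instead of swallowing them, and treats 403 as a valid but under-permissioned key, as the review thread suggests. The endpoint URL parameter and the VerifyResult type are assumptions made so the function can be tested against a local server.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// Key format from the PR description: persona_{sandbox|production}_<UUID>.
var keyPattern = regexp.MustCompile(`\bpersona_(sandbox|production)_[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\b`)

// FindKeys returns every candidate key in data (duplicates included).
func FindKeys(data string) []string { return keyPattern.FindAllString(data, -1) }

// VerifyResult separates the three outcomes the review thread discusses.
type VerifyResult int

const (
	Unverified    VerifyResult = iota // 401: the credential was rejected
	Verified                          // 200, or 403: valid key that lacks permission for this call
	Indeterminate                     // transport error or unexpected status: report it, claim nothing
)

// VerifyKey sends GET endpoint with Bearer auth (endpoint is a parameter, an assumption for testing). Errors are returned, never swallowed.
func VerifyKey(ctx context.Context, client *http.Client, endpoint, key string) (VerifyResult, map[string]string, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint, http.NoBody)
	if err != nil {
		return Indeterminate, nil, err // propagate, so SetVerificationError can record it
	}
	req.Header.Set("Authorization", "Bearer "+key)
	resp, err := client.Do(req)
	if err != nil {
		return Indeterminate, nil, err
	}
	defer resp.Body.Close()
	env := strings.Split(key, "_")[1] // key is assumed to match keyPattern; environment is encoded in it
	switch resp.StatusCode {
	case http.StatusOK, http.StatusForbidden:
		return Verified, map[string]string{"environment": env}, nil
	case http.StatusUnauthorized:
		return Unverified, nil, nil
	default:
		return Indeterminate, nil, fmt.Errorf("persona: unexpected status %d", resp.StatusCode)
	}
}

// Constructed sample input; the UUID is made up.
func main() { fmt.Println(FindKeys("api_key = persona_sandbox_123e4567-e89b-12d3-a456-426614174000")) }
```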
Checklist:
Tests passing (make test-community)?
Lint passing (make lint this requires golangci-lint)?
Note
Medium Risk
Medium risk because it introduces a new network-backed verification path and extends the shared DetectorType protobuf enum, which can impact compatibility if downstream consumers rely on enum values.
Overview
Adds a new persona detector that matches persona_sandbox_<uuid> / persona_production_<uuid> keys and, when verify is enabled, calls Persona's api-keys/permissions endpoint to mark findings as verified and enrich ExtraData (org/env IDs, key metadata, permissions, expiration). Registers the detector in pkg/engine/defaults so it runs by default, and extends proto/detectors.proto + generated detectors.pb.go with a new DetectorType_Persona enum value, with accompanying pattern/verification tests.
Written by Cursor Bugbot for commit 45d3510. This will update automatically on new commits.