[INS-335] Added AWS Appsync Detector#4803
MuneebUllahKhan222 wants to merge 2 commits into trufflesecurity:main from
Conversation
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Description
This PR adds the AWS AppSync API Key Detector for TruffleHog.
It scans for AWS AppSync GraphQL API keys (prefix `da2-` followed by 26 lowercase alphanumeric characters) and associated AppSync GraphQL endpoints, and optionally verifies them via the AppSync GraphQL API.

API Key Regex:
`\b(da2-[a-z0-9]{26})\b`

Endpoint Regex:
`https:\/\/[a-z0-9]{26}\.appsync-api\.[a-z0-9-]+\.amazonaws\.com\/graphql`

Verification
For verification, we send a POST request to the detected AppSync GraphQL endpoint using the API key in the `x-api-key: <key>` header. The request executes a minimal read-only GraphQL query:
`query { __typename }`
A response code of 200 OK indicates the API key is valid for the endpoint.
A response code of 401 Unauthorized or 403 Forbidden indicates the key is invalid, expired, or does not have permission to access the API.
This verification request is safe because it only executes a read-only GraphQL query and does not perform any mutations or state-changing operations.
Corpora Test
The detector does not appear in the list.

Checklist:
- `make test-community`?
- `make lint` (this requires `golangci-lint`)?

Note
Medium Risk
Introduces new network verification behavior (HTTP POST to discovered endpoints) and expands the detector enum/list; risk is mainly around false positives/verification edge cases and added outbound calls.
Overview
Adds a new `AWSAppSync` detector that matches AppSync API keys (`da2-…`) and AppSync GraphQL endpoints, emits findings as `endpoint:key` (RawV2), and optionally verifies candidates by POSTing a minimal `__typename` query with `x-api-key`.
Wires the detector into the default detector list and extends `detectorspb.DetectorType` / `proto/detectors.proto` with `AWSAppSync` (1043). Includes unit, integration (build-tagged), and benchmark coverage for matching and verification outcomes.
Written by Cursor Bugbot for commit c55c1e1.
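Added example, not code from this PR or from TruffleHog: a minimal Go sketch of the matching and verification contract that the PR description and the Bugbot overview above describe. It uses the two regexes quoted in the description, pairs each distinct endpoint with each distinct key as `endpoint:key`, and POSTs `query { __typename }` with the key in `x-api-key`, treating 200 as verified and 401/403 as not verified exactly as the description states. Returning an error for any other status (rather than calling the key invalid) is my choice for illustration, not something the PR specifies. `NewFakeAppSync`, the sample text, and every function name here are constructed for this example so it runs offline; the fake server only imitates the status-code contract, not the real service.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"time"
)

// Patterns as quoted in the PR description.
var (
	keyPat      = regexp.MustCompile(`\b(da2-[a-z0-9]{26})\b`)
	endpointPat = regexp.MustCompile(`https://[a-z0-9]{26}\.appsync-api\.[a-z0-9-]+\.amazonaws\.com/graphql`)
)

// Candidate is one endpoint/key pairing; RawV2 renders it as "endpoint:key",
// the finding format the PR describes.
type Candidate struct{ Endpoint, Key string }

func (c Candidate) RawV2() string { return c.Endpoint + ":" + c.Key }

// FindCandidates pairs every distinct endpoint with every distinct key in data.
func FindCandidates(data string) (out []Candidate) {
	for _, e := range uniq(endpointPat.FindAllString(data, -1)) {
		for _, k := range uniq(keyPat.FindAllString(data, -1)) {
			out = append(out, Candidate{Endpoint: e, Key: k})
		}
	}
	return out
}

func uniq(in []string) (out []string) {
	seen := map[string]bool{}
	for _, s := range in {
		if !seen[s] {
			seen[s], out = true, append(out, s)
		}
	}
	return out
}

const typenameQuery = "query { __typename }"

// Verify POSTs the read-only __typename query with the key in x-api-key and maps
// the status code as the PR description specifies: 200 = verified, 401/403 = not.
// Any other status or a network failure is returned as an error so a transient
// problem is not mistaken for a revoked key (my choice, not the PR's).
func Verify(ctx context.Context, client *http.Client, c Candidate) (bool, error) {
	body, _ := json.Marshal(map[string]string{"query": typenameQuery})
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, c.Endpoint, bytes.NewReader(body))
	if err != nil {
		return false, err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("x-api-key", c.Key)
	resp, err := client.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
		return true, nil
	case http.StatusUnauthorized, http.StatusForbidden:
		return false, nil
	default:
		return false, fmt.Errorf("unexpected status %d from %s", resp.StatusCode, c.Endpoint)
	}
}

// NewFakeAppSync is a constructed stand-in: 200 only for a POST carrying the
// expected query and liveKey, 401 for any other key, 400 for a malformed request.
func NewFakeAppSync(liveKey string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var q struct{ Query string } // encoding/json matches "query" case-insensitively
		if r.Method != http.MethodPost || json.NewDecoder(r.Body).Decode(&q) != nil || q.Query != typenameQuery {
			w.WriteHeader(http.StatusBadRequest)
		} else if r.Header.Get("x-api-key") != liveKey {
			w.WriteHeader(http.StatusUnauthorized)
		} else {
			fmt.Fprint(w, `{"data":{"__typename":"Query"}}`)
		}
	}))
}

func main() {
	// Constructed sample input: one endpoint and two keys in config-style text.
	const sample = `APPSYNC_URL=https://abcdefghijklmnopqrstuvwxyz.appsync-api.us-east-1.amazonaws.com/graphql
APPSYNC_KEY=da2-abcdefghijklmnopqrstuvwxyz
OLD_KEY=da2-zyxwvutsrqponmlkjihgfedcba`
	srv := NewFakeAppSync("da2-abcdefghijklmnopqrstuvwxyz")
	defer srv.Close()
	client := &http.Client{Timeout: 5 * time.Second}
	for _, c := range FindCandidates(sample) {
		// Verification is pointed at the fake server rather than the matched endpoint.
		ok, err := Verify(context.Background(), client, Candidate{Endpoint: srv.URL, Key: c.Key})
		fmt.Printf("%s -> verified=%v err=%v\n", c.RawV2(), ok, err)
	}
}
```

The bounded client timeout matters in a scanner that makes outbound calls to every discovered endpoint, which is the added-outbound-calls risk the Bugbot note flags; the separation of "not verified" (401/403) from "could not verify" (error) is what keeps a flaky endpoint from silently downgrading a live finding.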