veles: add SendGrid API key detector and validator#1654

Merged
copybara-service[bot] merged 7 commits into google:main from Alearner12:add-sendgrid-detector on Feb 13, 2026

@Alearner12
Contributor

Add a new Veles secret detector for Twilio SendGrid API keys.

SendGrid API keys have a distinctive format:

  • Prefix: SG.
  • Total Length: 69 characters
  • Structure: SG.<22 chars key_id>.<43 chars key_secret>

Detector:

  • Uses regex pattern to match SendGrid API key format
  • Implements veles.Detector interface via simpletoken.Detector

Validator:

  • Validates keys against SendGrid's /v3/user/account endpoint
  • 200 OK or 403 Forbidden -> valid key (exists and active)
  • 401 Unauthorized -> invalid key (expired/revoked)
  • Uses Bearer token authentication

Tests include:

  • True positive cases (valid key formats)
  • True negative cases (invalid formats, wrong prefix, etc.)
  • Validator HTTP response handling
  • Context cancellation handling
  • Authorization header verification
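
The format match and status mapping from the description above, as an added Go example that is not the PR's code and does not use the Veles interfaces. The base64url segment alphabet, the function names, and the local stub server standing in for SendGrid are assumptions.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// Assumption: both segments use the base64url alphabet; the PR gives only lengths.
var keyRe = regexp.MustCompile(`SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}`)
// Constructed sample key (zero-padded digits), not a real credential.
var sampleKey = fmt.Sprintf("SG.%022d.%043d", 1, 2)
// FindKeys returns every SG.<22>.<43> candidate (69 characters) found in data.
func FindKeys(data string) []string { return keyRe.FindAllString(data, -1) }

// Validate sends key as a Bearer token and maps the status codes listed in the PR.
func Validate(ctx context.Context, baseURL, key string) (string, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, baseURL+"/v3/user/account", nil)
	if err != nil {
		return "unknown", err
	}
	req.Header.Set("Authorization", "Bearer "+key)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "unknown", err // network failure, timeout or cancelled context
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK, http.StatusForbidden:
		return "valid", nil
	case http.StatusUnauthorized:
		return "invalid", nil
	}
	return "unknown", nil // any other status code is inconclusive
}

// CheckAgainstStub runs Validate against a local stub server instead of SendGrid.
func CheckAgainstStub(status int) (string, error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+sampleKey {
			status = http.StatusBadRequest // stub rejects a wrong or missing header
		}
		w.WriteHeader(status)
	}))
	defer srv.Close()
	return Validate(context.Background(), srv.URL, sampleKey)
}
func main() { fmt.Println(FindKeys("KEY="+sampleKey), fmt.Sprint(CheckAgainstStub(403))) }
```

Treating only 401 as "invalid" keeps transient failures from being recorded as a revoked key.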

@google-cla

google-cla bot commented Jan 11, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

Add a new Veles secret detector for Twilio SendGrid API keys.

SendGrid API keys have a distinctive format:
- Prefix: SG.
- Total Length: 69 characters
- Structure: SG.<22 chars key_id>.<43 chars key_secret>

Detector:
- Uses regex pattern to match SendGrid API key format
- Implements veles.Detector interface via simpletoken.Detector

Validator:
- Validates keys against SendGrid's /v3/user/account endpoint
- 200 OK or 403 Forbidden -> valid key (exists and active)
- 401 Unauthorized -> invalid key (expired/revoked)
- Uses Bearer token authentication

Tests include:
- True positive cases (valid key formats)
- True negative cases (invalid formats, wrong prefix, etc.)
- Validator HTTP response handling
- Context cancellation handling
- Authorization header verification

@Alearner12 force-pushed the add-sendgrid-detector branch from fe0f05d to b86518a on January 11, 2026 08:14

- Add sendgrid.NewDetector() to SecretDetectors in extractor/filesystem/list/list.go
- Add sendgrid.NewValidator() to SecretsValidate in enricher/enricherlist/list.go

This ensures the SendGrid detector is discoverable as a SCALIBR plugin
and can be enabled via --plugins=secrets/sendgrid flag.
Collaborator

@erikvarga erikvarga left a comment

Looks like some tests are failing (I think the modified scan_result.pb.go wasn't uploaded)

- Add acceptance tests using velestest.AcceptDetector
- Remove unused methods (SecretType, Provider, String) and their tests
- Add proto support (scan_result.proto message, secret.go conversion)
- Clarify 403 response handling in validator comment
- Remove duplicate TestValidator_InvalidRequest test

@Alearner12 force-pushed the add-sendgrid-detector branch from 5efc991 to 3661d47 on January 19, 2026 10:42

Alearner12 and others added 2 commits January 19, 2026 16:13
- Add package comment to validator.go (ST1000)
- Fix unchecked error in validator_test.go (errcheck)
- Regenerate scan_result.pb.go with SendGridAPIKey types
@Alearner12
Contributor Author

@erikvarga All feedback addressed. Ready for review when you get a chance. Thanks!

@copybara-service copybara-service bot merged commit a7bdc92 into google:main Feb 13, 2026
15 checks passed