Add Together AI secret detector#4943
Add Together AI secret detector#4943asivaprasad09 wants to merge 1 commit intotrufflesecurity:mainfrom
Conversation
Adds a detector for Together AI API keys (tgp_v1_ format). Verifies keys via GET /v1/models endpoint.
|
Akshara Sivaprasad seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it. |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Reviewed by Cursor Bugbot for commit 4298c97. Configure here.
| @@ -0,0 +1,138 @@ | |||
| package togetherai | |||
There was a problem hiding this comment.
Test missing build tag will break regular CI
Medium Severity
The test file calls common.GetSecret to fetch secrets from GCP but is missing the //go:build detectors build tag. Every other test file in the project that calls common.GetSecret has this build tag and is named *_integration_test.go. Without the tag, this test will be compiled and run during regular go test invocations (without -tags=detectors), failing immediately because GCP access is not available in that context.
Reviewed by Cursor Bugbot for commit 4298c97. Configure here.
| func TestTogetherAI_FromData(t *testing.T) { | ||
| ctx, cancel := context.WithTimeout(context.Background(), time.Millisecond) | ||
| defer cancel() | ||
| testSecrets, err := common.GetSecret(ctx, "trufflehog-testing", "detectors5") |
There was a problem hiding this comment.
1ms context timeout causes GCP secret fetch failure
Medium Severity
The context created with time.Millisecond timeout is passed to common.GetSecret. Inside GetSecret, a derived context with context.WithTimeout(ctx, time.Second*10) inherits the parent's shorter deadline. This means the GCP secretmanager call will fail with "context deadline exceeded" almost immediately. Other integration tests use time.Second*5 for this purpose. The short-timeout context intended for the "timeout" test case needs to be separate from the one used for secret retrieval.
Reviewed by Cursor Bugbot for commit 4298c97. Configure here.
2 participants
Summary
tgp_v1_format)GET https://api.together.xyz/v1/modelsdefaults.goand proto asTogetherAI = 1049SecretPartswith"key"per detector conventionsTest plan
go test ./pkg/detectors/togetherai/... -tags=detectorspasses all 4 cases (found+verified, found+unverified, not found, timeout)Note
Low Risk
Low risk: adds a new detector and enum wiring with a simple read-only verification call; main risk is potential false positives/verification network flakiness impacting scan performance.
Overview
Adds a new
togetheraisecret detector that identifies Together AI API keys in thetgp_v1_format and (optionally) verifies them viaGET https://api.together.xyz/v1/modelsusing a Bearer token.Registers the detector in the default detector list and introduces a new
DetectorType_TogetherAIenum value (TogetherAI = 1049) in the proto/generated bindings, along with unit tests and a benchmark covering verified/unverified/not-found/timeout cases.Reviewed by Cursor Bugbot for commit 4298c97. Bugbot is set up for automated code reviews on this repo. Configure here.