
Supporting detectors where the base api URL isn't a static value

Open kstilwell opened this issue 2 years ago • 1 comment

Some API secrets are going to be tied to APIs that have more than one base API URL (e.g. you have your own instance of an online service and the URL of that service is the base URL for your API). It would be great if there was a way to support a detector for this scenario.

Two ways to approach this come to my mind:

  1. The ability to specify a base API URL for a specific detector as part of the configuration of a trufflehog run; the detector would not be used unless this base API URL was configured.

  2. The ability to search for base API URLs via "proximity strings" much the same way as it is done for secrets. If a specific detector finds a base API URL AND also finds a possible secret then it would attempt to verify the secret via that base API URL (this could be a combinatorial thing with multiple secrets and multiple possible base API URLs found).

  3. Another category for a detector secret found beyond Verified and not Verified to reflect a possible secret that can't automatically be verified (maybe this already exists?)

If there is a way this is currently supported please point me in the direction of a detector that does it. Thanks for reading!

kstilwell avatar Apr 13 '22 16:04 kstilwell

Approach 1 will be coming to our commercial offering of TruffleHog later this year.

Some detectors do approach 2, especially if the service provider uses a subdomain per tenant. Here is an example of one: https://github.com/trufflesecurity/trufflehog/blob/ea95e886ba366541ac08959d4e9d4e49d02c6863/pkg/detectors/auth0managementapitoken/auth0managementapitoken.go#L26

dustin-decker avatar Apr 14 '22 00:04 dustin-decker
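The "approach 2" pattern the reply points at (find every candidate base URL and every candidate token in the same chunk, then try each pairing against the tenant's own endpoint) as an added, self-contained example. This is illustrative code written for this thread, not the trufflehog detector interface or the Auth0 detector linked above; the `example-saas.com` tenant-subdomain pattern, the `ex_` token format, the `/api/v1/me` verification path and the sample config are all constructed assumptions. It also covers the issue's third point: a token with no base URL nearby is reported as `Unverifiable` rather than silently `Unverified`.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// Hypothetical patterns for a fictional multi-tenant service: one regex for the
// per-tenant base domain, one for the opaque API token.
var (
	domainPat = regexp.MustCompile(`\b([a-z0-9-]{3,40}\.example-saas\.com)\b`)
	tokenPat  = regexp.MustCompile(`\b(ex_[A-Za-z0-9]{32})\b`)
)

// Status mirrors the three outcomes discussed in the issue.
type Status int

const (
	Unverified   Status = iota // verification attempted, endpoint rejected the token
	Verified                   // endpoint accepted the token
	Unverifiable               // token found, but no base URL to verify it against
)

func (s Status) String() string { return [...]string{"Unverified", "Verified", "Unverifiable"}[s] }

// Candidate is one (base domain, token) pairing found in the scanned chunk.
type Candidate struct {
	Domain string
	Token  string
}

// Result is a candidate plus the verification outcome.
type Result struct {
	Candidate
	Status Status
}

// FindCandidates returns the cross product of every distinct domain and token in data.
func FindCandidates(data string) []Candidate {
	var out []Candidate
	seen := map[Candidate]bool{}
	for _, d := range domainPat.FindAllStringSubmatch(data, -1) {
		for _, t := range tokenPat.FindAllStringSubmatch(data, -1) {
			c := Candidate{Domain: d[1], Token: t[1]}
			if !seen[c] {
				seen[c] = true
				out = append(out, c)
			}
		}
	}
	return out
}

// Verify sends the token to endpoint (in production "https://"+c.Domain; tests redirect
// it to a local server) with the Host header set to the tenant domain.
func Verify(ctx context.Context, client *http.Client, endpoint string, c Candidate) (bool, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint+"/api/v1/me", nil)
	if err != nil {
		return false, err
	}
	req.Host = c.Domain
	req.Header.Set("Authorization", "Bearer "+c.Token)
	resp, err := client.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
		return true, nil
	case http.StatusUnauthorized, http.StatusForbidden:
		return false, nil
	default:
		// Anything else is not evidence either way; surface it instead of guessing.
		return false, fmt.Errorf("unexpected status %d from %s", resp.StatusCode, c.Domain)
	}
}

// ScanAndVerify finds candidates in data and verifies each pairing. endpointFor maps a
// tenant domain to the URL actually contacted, so tests can point at a fake server.
func ScanAndVerify(ctx context.Context, client *http.Client, data string, endpointFor func(string) string) ([]Result, error) {
	var out []Result
	cands := FindCandidates(data)
	if len(cands) == 0 {
		// Tokens with no base URL in proximity: report them, but do not claim a verdict.
		for _, t := range tokenPat.FindAllStringSubmatch(data, -1) {
			out = append(out, Result{Candidate{Token: t[1]}, Unverifiable})
		}
		return out, nil
	}
	for _, c := range cands {
		ok, err := Verify(ctx, client, endpointFor(c.Domain), c)
		if err != nil {
			return out, err
		}
		st := Unverified
		if ok {
			st = Verified
		}
		out = append(out, Result{c, st})
	}
	return out, nil
}

// CountByStatus summarises results per outcome.
func CountByStatus(rs []Result) map[Status]int {
	m := map[Status]int{}
	for _, r := range rs {
		m[r.Status]++
	}
	return m
}

// NewFakeTenantAPI is a stand-in for the real service: it accepts exactly one
// (tenant, token) pair, keyed on the Host header, and rejects everything else.
func NewFakeTenantAPI(tenant, token string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Host == tenant && r.Header.Get("Authorization") == "Bearer "+token {
			w.WriteHeader(http.StatusOK)
			return
		}
		w.WriteHeader(http.StatusUnauthorized)
	}))
}

// Constructed sample scan target (two tenant URLs, two tokens); not real credentials.
var (
	TokenA       = "ex_" + strings.Repeat("A", 32)
	TokenB       = "ex_" + strings.Repeat("B", 32)
	SampleConfig = "# constructed sample, not real credentials\n" +
		"SAAS_URL=https://acme.example-saas.com\n" +
		"OLD_URL=https://staging-acme.example-saas.com\n" +
		"API_TOKEN=" + TokenA + "\n" +
		"ROTATED=" + TokenB + "\n"
)

func main() {
	srv := NewFakeTenantAPI("acme.example-saas.com", TokenA)
	defer srv.Close()
	results, err := ScanAndVerify(context.Background(), srv.Client(), SampleConfig,
		func(string) string { return srv.URL })
	if err != nil {
		panic(err)
	}
	for _, r := range results {
		fmt.Printf("%-32s %s %s\n", r.Domain, r.Token, r.Status)
	}
}
```

Two domains and two tokens yield four pairings; only the `acme` + `TokenA` combination is accepted, so the output shows one Verified and three Unverified rows. The cross product grows quickly on large chunks, which is why a real detector would also want a cap on pairings per chunk and a way to tell a rejected token apart from a token that could not be checked at all.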