[INS-334] Octopus Deploy detector#4787
Open
MuneebUllahKhan222 wants to merge 5 commits intotrufflesecurity:mainfrom
Open
[INS-334] Octopus Deploy detector#4787MuneebUllahKhan222 wants to merge 5 commits intotrufflesecurity:mainfrom
MuneebUllahKhan222 wants to merge 5 commits intotrufflesecurity:mainfrom
Conversation
amanfcp
approved these changes
Mar 4, 2026
Contributor
amanfcp
left a comment
amanfcp
left a comment
There was a problem hiding this comment.
LGTM!
A couple of non-blocking comments..
rosecodym
reviewed
Mar 4, 2026
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
shahzadhaider1
requested changes
Mar 13, 2026
Contributor
shahzadhaider1
left a comment
shahzadhaider1
left a comment
There was a problem hiding this comment.
Let's add the detector to the engine defaults as well
Expanded the description of Octopus Deploy to include additional functionalities related to API keys.
shahzadhaider1
approved these changes
Apr 14, 2026
MuneebUllahKhan222
added
the
review/product-eng
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This PR adds the Octopus Deploy API Key Detector for TruffleHog.
It scans for Octopus Deploy API tokens (prefix
API-with 29–34 uppercase alphanumerics) and optionally verifies them via the official API.Regex:
\b(API-[A-Z0-9]{29,34})\bVerification
For verification, we use the Octopus Deploy Users API:
/api/users/me. We send a GET request with the token in theX-Octopus-ApiKey: <token>header. A response code of 200 OK means the token is valid. 401 means it is invalid or revoked, and 403 means it is valid but has insufficient permissions.This API endpoint is part of the official Octopus Deploy API and can be used safely for verification. It is read-only and does not perform any destructive actions.
Corpora Test
The detector does not appear in the list.
Checklist:
make test-community)?make lintthis requires golangci-lint)?Note
Medium Risk
Adds a new detector that can make outbound HTTP verification calls to Octopus Deploy cloud instances; incorrect matching/verification behavior could impact scan performance or false-positive/negative rates.
Overview
Adds a new
octopusdeploydetector that finds Octopus Deploy Cloud hostnames and API keys, emitting results keyed asurl:tokenand optionally verifying tokens by callingGET /api/users/mewith theX-Octopus-ApiKeyheader.Registers the new detector in the default detector list and introduces a new
DetectorType_OctopusDeployenum value inproto/detectors.proto(with regenerateddetectors.pb.go). Includes unit, integration, and benchmark coverage for matching and verification error handling.Reviewed by Cursor Bugbot for commit 8e4cb9b. Bugbot is set up for automated code reviews on this repo. Configure here.