Merge branch 'main' into posthog-analyzer-impl

* main:
  [Feat] Added Mux API Analyzer (trufflesecurity#4128)
  fixed name of netlify analyzer in cli output (trufflesecurity#4140)
  fix(discordwebhook): Update Discord webhook detector to support 19-digit IDs (trufflesecurity#4133)
  [Feat] Added New AccuWeather Detector Version (trufflesecurity#4114)
  [Feat] Added Ngrok API Key Analyzer (trufflesecurity#4110)
  Improved JDBC Detector Regex (trufflesecurity#4109)
  [Feat] Detector implementation for Azure Configuration Connection String Key (trufflesecurity#3939)
  test(sources/s3): fix missing region error (trufflesecurity#4131)
  feat(sources/s3): migrate to AWS SDK v2 (trufflesecurity#4069)
  Update PreCommit.md (trufflesecurity#4112)
  Exclusion of FalsePositive GH's usernames in PrivateKeyDetector (trufflesecurity#4046)
  Monday App Analyzer (trufflesecurity#4120)
  [Feat] Detector implementation for Azure API Management Direct Management Key (trufflesecurity#3938)
  Fastly Analyzer (trufflesecurity#4082)
  Postman Code Uses Consistent Casing for Id Var Names (trufflesecurity#4124)
  Normalize UID to Uid in Postman Code (trufflesecurity#4125)
  postman_client.IDNameUUID becomes IdNameUid (trufflesecurity#4123)
  Fixed Kontent Detector (trufflesecurity#4122)

# Conflicts:
#	pkg/analyzer/analyzers/analyzers.go
#	pkg/analyzer/cli.go

Author: abmussani

PreCommit.md

@@ -97,7 +97,7 @@ repos:
         description: Detect secrets in your data.
         entry: bash -c 'trufflehog git file://. --since-commit HEAD --results=verified,unknown --fail'
         language: system
-        stages: ["commit", "push"]
+        stages: ["pre-commit", "pre-push"]
 ```
 
 2. Install the pre-commit hook:

go.mod

@@ -19,10 +19,11 @@ require (
 	github.com/adrg/strutil v0.3.1
 	github.com/alecthomas/kingpin/v2 v2.4.0
 	github.com/avast/apkparser v0.0.0-20250307094510-e2100ee9c0f5
-	github.com/aws/aws-sdk-go v1.55.6
 	github.com/aws/aws-sdk-go-v2 v1.36.3
 	github.com/aws/aws-sdk-go-v2/config v1.29.14
 	github.com/aws/aws-sdk-go-v2/credentials v1.17.67
+	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.75
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.79.3
 	github.com/aws/aws-sdk-go-v2/service/sns v1.34.4
 	github.com/aws/aws-sdk-go-v2/service/sts v1.33.19
 	github.com/aws/smithy-go v1.22.3
@@ -150,12 +151,16 @@ require (
 	github.com/andybalholm/brotli v1.1.1 // indirect
 	github.com/apache/arrow/go/v14 v14.0.2 // indirect
 	github.com/atotto/clipboard v0.1.4 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.10 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.34 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.7.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.15 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
@@ -231,7 +236,6 @@ require (
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
-	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/jpillora/s3 v1.1.4 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/kjk/lzma v0.0.0-20161016003348-3fd93898850d // indirect

go.sum

@@ -95,6 +95,10 @@ const (
 	AnalyzerTypeFigma
 	AnalyzerTypePlaid
 	AnalyzerTypeNetlify
+	AnalyzerTypeFastly
+	AnalyzerTypeMonday
+	AnalyzerTypeNgrok
+	AnalyzerTypeMux
 	AnalyzerTypePosthog
 	// Add new items here with AnalyzerType prefix
 )
@@ -136,6 +140,10 @@ var analyzerTypeStrings = map[AnalyzerType]string{
 	AnalyzerTypeFigma:         "Figma",
 	AnalyzerTypePlaid:         "Plaid",
 	AnalyzerTypeNetlify:       "Netlify",
+	AnalyzerTypeFastly:        "Fastly",
+	AnalyzerTypeMonday:        "Monday",
+	AnalyzerTypeNgrok:         "Ngrok",
+	AnalyzerTypeMux:           "Mux",
 	AnalyzerTypePosthog:       "Posthog",
 	// Add new mappings here
 }

pkg/analyzer/analyzers/analyzers.go

@@ -0,0 +1,185 @@
+//go:generate generate_permissions permissions.yaml permissions.go fastly
+package fastly
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/fatih/color"
+	"github.com/jedib0t/go-pretty/v6/table"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/analyzer/analyzers"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/analyzer/config"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/context"
+)
+
+var _ analyzers.Analyzer = (*Analyzer)(nil)
+
+type Analyzer struct {
+	Cfg *config.Config
+}
+
+func (a Analyzer) Type() analyzers.AnalyzerType {
+	return analyzers.AnalyzerTypeFastly
+}
+
+func (a Analyzer) Analyze(_ context.Context, credInfo map[string]string) (*analyzers.AnalyzerResult, error) {
+	key, exist := credInfo["key"]
+	if !exist {
+		return nil, fmt.Errorf("key not found in credential info")
+	}
+
+	// analyze permissions
+	info, err := AnalyzePermissions(a.Cfg, key)
+	if err != nil {
+		return nil, err
+	}
+
+	// secret info to analyzer
+	return secretInfoToAnalyzerResult(info), nil
+}
+
+func AnalyzeAndPrintPermissions(cfg *config.Config, key string) {
+	info, err := AnalyzePermissions(cfg, key)
+	if err != nil {
+		// just print the error in cli and continue as a partial success
+		color.Red("[x] Error : %s", err.Error())
+	}
+
+	if info == nil {
+		color.Red("[x] Error : %s", "No information found")
+		return
+	}
+
+	color.Green("[!] Valid Fastly API key\n\n")
+
+	if info.TokenInfo.hasGlobalScope() {
+		printUserInfo(info.UserInfo)
+	}
+
+	printScopes(info.TokenInfo.Scopes)
+
+	if len(info.Resources) > 0 {
+		printResources(info.Resources)
+	}
+
+	color.Yellow("\n[i] Expires: %s", info.TokenInfo.ExpiresAt)
+}
+
+func AnalyzePermissions(cfg *config.Config, key string) (*SecretInfo, error) {
+	// create http client
+	client := analyzers.NewAnalyzeClient(cfg)
+
+	var secretInfo = &SecretInfo{}
+
+	// capture the token details
+	if err := captureTokenInfo(client, key, secretInfo); err != nil {
+		return nil, err
+	}
+
+	/*
+		Fastly defines four types of permissions. Two of these are related specifically to purging:
+
+		- If a token has either `purge_select` or `purge_all` access, it is limited to calling purge-related APIs only.
+		- If a token has `global` or `global:read` access, it can call APIs that retrieve resource and user information.
+	*/
+
+	if !secretInfo.TokenInfo.hasGlobalScope() {
+		return secretInfo, nil
+	}
+
+	// capture the user information
+	if err := captureUserInfo(client, key, secretInfo); err != nil {
+		return nil, err
+	}
+
+	// capture the resources
+	if err := captureResources(client, key, secretInfo); err != nil {
+		// return secretInfo as well in case of error for partial success
+		return secretInfo, err
+	}
+
+	return secretInfo, nil
+}
+
+// secretInfoToAnalyzerResult translate secret info to Analyzer Result
+func secretInfoToAnalyzerResult(info *SecretInfo) *analyzers.AnalyzerResult {
+	if info == nil {
+		return nil
+	}
+
+	result := analyzers.AnalyzerResult{
+		AnalyzerType: analyzers.AnalyzerTypeFastly,
+		Metadata:     map[string]any{},
+		Bindings:     make([]analyzers.Binding, 0),
+	}
+
+	// extract information from resource to create bindings and append to result bindings
+	for _, resource := range info.Resources {
+		binding := analyzers.Binding{
+			Resource: *secretInfoResourceToAnalyzerResource(resource),
+			Permission: analyzers.Permission{
+				Value: info.TokenInfo.Scope,
+			},
+		}
+
+		if resource.Parent != nil {
+			binding.Resource.Parent = secretInfoResourceToAnalyzerResource(*resource.Parent)
+		}
+
+		result.Bindings = append(result.Bindings, binding)
+
+	}
+
+	return &result
+}
+
+// secretInfoResourceToAnalyzerResource translate secret info resource to analyzer resource for binding
+func secretInfoResourceToAnalyzerResource(resource FastlyResource) *analyzers.Resource {
+	analyzerRes := analyzers.Resource{
+		// make fully qualified name unique
+		FullyQualifiedName: resource.Type + "/" + resource.ID,
+		Name:               resource.Name,
+		Type:               resource.Type,
+		Metadata:           map[string]any{},
+	}
+
+	for key, value := range resource.Metadata {
+		analyzerRes.Metadata[key] = value
+	}
+
+	return &analyzerRes
+}
+
+// cli print functions
+func printUserInfo(user User) {
+	color.Yellow("[i] User Information:")
+	t := table.NewWriter()
+	t.SetOutputMirror(os.Stdout)
+	t.AppendHeader(table.Row{"ID", "Name", "Login", "Role", "Last Active At"})
+	t.AppendRow(table.Row{color.GreenString(user.ID), color.GreenString(user.Name), color.GreenString(user.Login), color.GreenString(user.Role), color.GreenString(user.LastActiveAt)})
+
+	t.Render()
+}
+
+func printScopes(scopes []string) {
+	color.Yellow("[i] Scopes:")
+	t := table.NewWriter()
+	t.SetOutputMirror(os.Stdout)
+	t.AppendHeader(table.Row{"Scopes"})
+	for _, scope := range scopes {
+		t.AppendRow(table.Row{color.GreenString(scope)})
+	}
+	t.Render()
+}
+
+func printResources(resources []FastlyResource) {
+	color.Yellow("[i] Resources:")
+	t := table.NewWriter()
+	t.SetOutputMirror(os.Stdout)
+	t.AppendHeader(table.Row{"Name", "Type"})
+	for _, resource := range resources {
+		t.AppendRow(table.Row{color.GreenString(resource.Name), color.GreenString(resource.Type)})
+	}
+
+	t.Render()
+}

pkg/analyzer/analyzers/fastly/fastly.go

@@ -0,0 +1,102 @@
+package fastly
+
+import (
+	_ "embed"
+	"encoding/json"
+	"sort"
+	"testing"
+	"time"
+
+	"github.com/trufflesecurity/trufflehog/v3/pkg/analyzer/analyzers"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/analyzer/config"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/context"
+)
+
+//go:embed result_output.json
+var expectedOutput []byte
+
+func TestAnalyzer_Analyze(t *testing.T) {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Minute*5)
+	defer cancel()
+	testSecrets, err := common.GetSecret(ctx, "trufflehog-testing", "detectors3")
+	if err != nil {
+		t.Fatalf("could not get test secrets from GCP: %s", err)
+	}
+
+	key := testSecrets.MustGetField("FASTLYPERSONALTOKEN_TOKEN")
+
+	tests := []struct {
+		name    string
+		key     string
+		want    []byte // JSON string
+		wantErr bool
+	}{
+		{
+			name:    "valid fastly token",
+			key:     key,
+			want:    expectedOutput,
+			wantErr: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			a := Analyzer{Cfg: &config.Config{}}
+			got, err := a.Analyze(ctx, map[string]string{"key": tt.key})
+			if (err != nil) != tt.wantErr {
+				t.Errorf("Analyzer.Analyze() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+
+			// Bindings need to be in the same order to be comparable
+			sortBindings(got.Bindings)
+
+			// Marshal the actual result to JSON
+			gotJSON, err := json.Marshal(got)
+			if err != nil {
+				t.Fatalf("could not marshal got to JSON: %s", err)
+			}
+
+			// Parse the expected JSON string
+			var wantObj analyzers.AnalyzerResult
+			if err := json.Unmarshal([]byte(tt.want), &wantObj); err != nil {
+				t.Fatalf("could not unmarshal want JSON string: %s", err)
+			}
+
+			// Bindings need to be in the same order to be comparable
+			sortBindings(wantObj.Bindings)
+
+			// Marshal the expected result to JSON (to normalize)
+			wantJSON, err := json.Marshal(wantObj)
+			if err != nil {
+				t.Fatalf("could not marshal want to JSON: %s", err)
+			}
+
+			// Compare the JSON strings
+			if string(gotJSON) != string(wantJSON) {
+				// Pretty-print both JSON strings for easier comparison
+				var gotIndented, wantIndented []byte
+				gotIndented, err = json.MarshalIndent(got, "", " ")
+				if err != nil {
+					t.Fatalf("could not marshal got to indented JSON: %s", err)
+				}
+				wantIndented, err = json.MarshalIndent(wantObj, "", " ")
+				if err != nil {
+					t.Fatalf("could not marshal want to indented JSON: %s", err)
+				}
+				t.Errorf("Analyzer.Analyze() = %s, want %s", gotIndented, wantIndented)
+			}
+		})
+	}
+}
+
+// Helper function to sort bindings
+func sortBindings(bindings []analyzers.Binding) {
+	sort.SliceStable(bindings, func(i, j int) bool {
+		if bindings[i].Resource.FullyQualifiedName == bindings[j].Resource.FullyQualifiedName {
+			return bindings[i].Permission.Value < bindings[j].Permission.Value
+		}
+		return bindings[i].Resource.FullyQualifiedName < bindings[j].Resource.FullyQualifiedName
+	})
+}