Skip to content

[INS-345] Add New Relic Insights Query Key detector#4781

Open
mustansir14 wants to merge 2 commits intotrufflesecurity:mainfrom
mustansir14:INS-345-Detector-Visible-New-Relic-Query-Key
Open

[INS-345] Add New Relic Insights Query Key detector#4781
mustansir14 wants to merge 2 commits intotrufflesecurity:mainfrom
mustansir14:INS-345-Detector-Visible-New-Relic-Query-Key

Conversation

@mustansir14
Copy link
Contributor

@mustansir14 mustansir14 commented Mar 3, 2026
edited by cursor bot
Loading

Description:

This PR adds the New Relic Insights Query Key Detector.

Regex:
Key: \b(NRIQ-[a-zA-Z0-9-_]{25})
Account ID: detectors.PrefixRegex([]string{"relic", "account", "id"}) + '\b(\d{4,10})\b'
The key is the actual credential but account ID is required for verification because the verification endpoint requires an account ID in the path, and there is no other deterministic way to verify the credential without specifying the valid account ID (invalid or malformed account IDs return the same response as an invalid key)

Verification:
For verification, we use the Insights Query API with a simple select query: https://insights-api.newrelic.com/v1/accounts/[account_id]/query?nrql=SELECT%%201.
We send a GET request. A response code of 200 means the key is valid. 401 means it is an invalid/rotated key.
Note: For EU region keys, the host should be insights-api.eu.newrelic.com

Corpora Test:
The detector does not appear in the list.
image
image

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)?

Note

Cursor Bugbot is generating a summary for commit 713d4e0. Configure here.

@mustansir14 mustansir14 requested a review from a team March 3, 2026 11:02
@mustansir14 mustansir14 requested review from a team as code owners March 3, 2026 11:02
cursor[bot]
cursor bot reviewed Mar 3, 2026
View reviewed changes
cursor[bot]
cursor bot reviewed Mar 3, 2026
View reviewed changes
Copy link

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

pkg/detectors/newrelicinsightsquerykey/newrelicinsightsquerykey.go
uniqueAccountIDMatches[match[1]] = struct{}{}
}

for _, keyMatch := range keyMatches {
Copy link

@cursor cursor bot Mar 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Key matches not deduplicated unlike other multi-part detectors

Medium Severity

Account ID matches are deduplicated into uniqueAccountIDMatches, but keyMatches is iterated directly from FindAllStringSubmatch without deduplication. Other multi-part detectors in the codebase (e.g., adobeio, airbrakeprojectkey, airship) consistently deduplicate both parts into maps before the nested loops. This inconsistency means duplicate keys in scanned data produce duplicate results and redundant verification API calls.

Fix in Cursor Fix in Web

Copy link
Contributor Author

@mustansir14 mustansir14 Mar 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is intended. The idea is to report multiple results if the key appears in multiple places, so that the user can remove it from all of those places.

Account ID matches are deduplicated because they are not the primary credential.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@mustansir14