Skip to content

Fix Anthropic API key detector shape#7

Merged
santhsecurity merged 1 commit into
santhsecurity:mainfrom
Eraminel01:fix/anthropic-api03-variable-length
May 29, 2026
Merged

Fix Anthropic API key detector shape#7
santhsecurity merged 1 commit into
santhsecurity:mainfrom
Eraminel01:fix/anthropic-api03-variable-length

Conversation

@Eraminel01

@Eraminel01 Eraminel01 commented May 29, 2026

Copy link
Copy Markdown
Contributor

Updates the Anthropic API key detector to match current observed sk-ant-api03- key shapes.

The previous regex required one fixed segment layout:

sk-ant-api03-[A-Za-z0-9_-]{93}-[A-Za-z0-9_-]{6}AA`n
That misses revoked real-world keys whose body length/segment layout differs. This keeps the distinctive sk-ant-api03- prefix and allows a variable URL-safe token body:

sk-ant-api03-[A-Za-z0-9_-]{80,120}`n
Also updates the Anthropic contract fixtures with revoked real key shapes.

Summary by CodeRabbit

  • Improvements
    • Enhanced Anthropic API key detector to support variable-length token patterns, improving detection accuracy and flexibility.
  • Tests
    • Updated detector test cases to align with the expanded token pattern coverage.
  • Chores
    • Updated repository pointer metadata for a test asset (no plaintext or config content changes).

Review Change Stack

@coderabbitai

coderabbitai Bot commented May 29, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 29d6e5eb-fbb3-4bc1-8ff2-121e1840bec8

📥 Commits

Reviewing files that changed from the base of the PR and between 93ebdf4 and 7b598b0.

📒 Files selected for processing (2)
  • crates/scanner/tests/contracts/anthropic-api-key.toml
  • detectors/anthropic-api-key.toml
✅ Files skipped from review due to trivial changes (1)
  • crates/scanner/tests/contracts/anthropic-api-key.toml
🚧 Files skipped from review as they are similar to previous changes (1)
  • detectors/anthropic-api-key.toml

📝 Walkthrough

Walkthrough

This PR updates the Anthropic API key detector to match variable-length tokens instead of a fixed-length pattern. The regex pattern in detectors/anthropic-api-key.toml is broadened with corresponding documentation updates, test example changes, and test contract metadata revisions.

Changes

Anthropic API Key Detector Pattern Expansion

Layer / File(s) Summary
Detector pattern and documentation update
detectors/anthropic-api-key.toml
Header comment is updated to remove fixed character counts and describe variable-length token bodies. Regex pattern is broadened from fixed-length segments to a single variable-length range {80,120} to match more Anthropic API key formats.
Test coverage alignment
detectors/anthropic-api-key.toml, crates/scanner/tests/contracts/anthropic-api-key.toml
Test positive example key is replaced with a different sk-ant-api03-... token consistent with the new variable-length regex. LFS test contract metadata (oid hash and size) is updated accordingly.

🎯 1 (Trivial) | ⏱️ ~3 minutes

🐰 A detector grows more generous,
From rigid bounds to flowing streams,
Variable-length keys now shine so bright,
Tests hop along in step and sight,
The scanner nods and hops with delight!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'Fix Anthropic API key detector shape' directly and clearly describes the main change: updating the Anthropic API key detector regex to match variable-length key shapes instead of a fixed two-segment layout.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@detectors/anthropic-api-key.toml`:
- Line 14: The current regex in detectors/anthropic-api-key.toml (the regex
entry matching "sk-ant-api03-[A-Za-z0-9_-]{80,120}") can match inside longer
tokens; update that regex to add non-token boundary anchors using negative
lookbehind and lookahead so the pattern only matches when not immediately
preceded or followed by URL-safe token characters (e.g., use (?<![A-Za-z0-9_-])
before the prefix and (?![A-Za-z0-9_-]) after the quantified class) to prevent
substring overmatching.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f08aed82-55e8-4995-be5e-b243127cc7f2

📥 Commits

Reviewing files that changed from the base of the PR and between 4ac1652 and 93ebdf4.

📒 Files selected for processing (2)
  • crates/scanner/tests/contracts/anthropic-api-key.toml
  • detectors/anthropic-api-key.toml


[[detector.patterns]]
regex = 'sk-ant-api03-[A-Za-z0-9_-]{93}-[A-Za-z0-9_-]{6}AA'
regex = 'sk-ant-api03-[A-Za-z0-9_-]{80,120}'

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add token boundaries to avoid substring overmatching.

Line 14 can match inside longer URL-safe blobs, which increases false positives. Add non-token boundaries around the key pattern.

Proposed fix
-regex = 'sk-ant-api03-[A-Za-z0-9_-]{80,120}'
+regex = '(?<![A-Za-z0-9_-])sk-ant-api03-[A-Za-z0-9_-]{80,120}(?![A-Za-z0-9_-])'
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
regex = 'sk-ant-api03-[A-Za-z0-9_-]{80,120}'
regex = '(?<![A-Za-z0-9_-])sk-ant-api03-[A-Za-z0-9_-]{80,120}(?![A-Za-z0-9_-])'
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@detectors/anthropic-api-key.toml` at line 14, The current regex in
detectors/anthropic-api-key.toml (the regex entry matching
"sk-ant-api03-[A-Za-z0-9_-]{80,120}") can match inside longer tokens; update
that regex to add non-token boundary anchors using negative lookbehind and
lookahead so the pattern only matches when not immediately preceded or followed
by URL-safe token characters (e.g., use (?<![A-Za-z0-9_-]) before the prefix and
(?![A-Za-z0-9_-]) after the quantified class) to prevent substring overmatching.

@Eraminel01 Eraminel01 force-pushed the fix/anthropic-api03-variable-length branch from 93ebdf4 to 7b598b0 Compare May 29, 2026 00:25
@santhsecurity santhsecurity merged commit ec00d32 into santhsecurity:main May 29, 2026
1 check passed
santhsecurity pushed a commit that referenced this pull request May 29, 2026
Bump workspace version 0.5.35 -> 0.5.36 and the four pinned internal
crate deps. Update README demo banner and the KEYHOG_VERSION / GitHub
Action / pre-commit example pins to v0.5.36 so they match the tag.

Ships: incremental never-cache-finding-bearing-files fix, hook fail-open,
PR #7 anthropic-key shape + boundary tests, and the e2e lockdowns for
hook/keyhogignore/UTF-16/incremental from the deep-coherence pass.
@santhsecurity

Copy link
Copy Markdown
Owner

Hi eraminel01,

Thank you for your contribution and welcome to the Team! Also, congrats on being the first external contributor to KeyHog. I will update with thanks for the contribution.md soon!

-santh

santhsecurity pushed a commit that referenced this pull request May 29, 2026
…h fixes

Clean-checkout CI was red for two structural reasons, both fixed here:

- keyhog-sources git source shared a gix 0.77 `Repository` (Send, NOT
  Sync) across a Rayon `into_par_iter`, so a fresh
  `cargo build -p keyhog-sources --features git` failed with 7
  `RefCell<…> cannot be shared between threads` errors. Local builds only
  passed on a cached artifact. Made the blob loop serial (correct; KH-58
  re-parallelization via per-thread `gix::open` tracked as follow-up).
- Workspace-wide `cargo fmt` (the fmt gate was failing across many files).

Lean CI / embeddable build profile (`--no-default-features --features ci`):
- New cli `ci` feature: full 891-detector corpus + ML + entropy +
  decode-through + multiline, but NO Hyperscan (kills the ~1.7s cold-start
  -> ~0.85s and dropping), NO GPU/vyre drivers, NO live-verify, NO TUI,
  NO Ghidra, NO git/web/cloud backends (filesystem + stdin cover `scan .`).
- keyhog-sources now declares `dashmap` directly (was only transitively
  present, breaking reduced-feature builds) and sets `default-features =
  false` at the WORKSPACE level so members' `default-features = false`
  is actually honored (cargo ignores it otherwise).
- codewalk 0.2.5 `FileEntry { is_binary }` set in the explicit-include path.

Detection truth (all_tests: 32 -> 0 known failures):
- Boundary reassembly dedup is now detector-aware (offset+detector+hash),
  so co-located findings from distinct detectors are no longer dropped on
  the cross-chunk path (parity with in-chunk scan).
- Corpus de-duplication: shopify-access-token narrowed to shpca_ (admin/
  storefront own shpat_/shpss_); cloudflare-workers WORKERS made mandatory
  so plain cloudflare_api_token= belongs only to cloudflare-api-token.
- Concat reassembly: template-literal string interpolation (`${"x"}`),
  Rust concat!(), and `${a}${b}` cross-line variable resolution.
- twilio-auth-token boundary test uses its required AccountSid companion;
  heroku/homoglyph fixtures corrected to real-shape tokens.

Cold-start: HS DB cache moved from /tmp (wiped each reboot) to a persistent
XDG cache dir so the compile is paid once per machine, not once per boot.

Docs: README documents CI never needs a GPU + a concrete CI recipe;
CONTRIBUTING credits PR #7 (Edyard / @Eraminel01).
santhsecurity pushed a commit that referenced this pull request May 30, 2026
Applies the round 1 base64-protobuf FP-killer fixes from the investigator findings on the three owned files in this partition.

shape_gates.rs::looks_like_standard_base64_blob: drop the strict +/-required clause; admit pure-alphanumeric mult-of-4 base64 in [40, 80] when alphabet diversity is >= 32 distinct alnum chars, and admit padded-no-punct base64 ending in = or ==. Covers cause #1 (25 FPs from pure-alnum) and cause #4 (6 FPs from padded-no-punct shapes).

decode_structure.rs::looks_like_uniform_base64_blob: lower window floor from 60 to 44 (cause #7), add high-diversity admit (cause #2). Adds decoded_is_base64_blob helper for k8s data: double-base64 wrapper detection (cause #6) - decodes outer once and checks whether the inner bytes are themselves all-base64-alphabet of length >= 32.

confidence/penalties.rs::apply_post_ml_penalties: wire decoded_is_base64_blob into the generic-* (non-named) arm with the same 0.02 slam as the uniform-blob and encoded-binary gates. Named detectors continue to bypass.

Expected FP delta on base64-protobuf category: -52 (collapses the v32 surviving cluster). Each fix paired with positive truth + negative twin inline tests in the same file. Builds clean under both default and lean (no-default-features --features ml,entropy,decode,multiline) flags.
santhsecurity pushed a commit that referenced this pull request May 31, 2026
santhsecurity pushed a commit that referenced this pull request May 31, 2026
Bump workspace version 0.5.35 -> 0.5.36 and the four pinned internal
crate deps. Update README demo banner and the KEYHOG_VERSION / GitHub
Action / pre-commit example pins to v0.5.36 so they match the tag.

Ships: incremental never-cache-finding-bearing-files fix, hook fail-open,
PR #7 anthropic-key shape + boundary tests, and the e2e lockdowns for
hook/keyhogignore/UTF-16/incremental from the deep-coherence pass.
santhsecurity pushed a commit that referenced this pull request May 31, 2026
…h fixes

Clean-checkout CI was red for two structural reasons, both fixed here:

- keyhog-sources git source shared a gix 0.77 `Repository` (Send, NOT
  Sync) across a Rayon `into_par_iter`, so a fresh
  `cargo build -p keyhog-sources --features git` failed with 7
  `RefCell<…> cannot be shared between threads` errors. Local builds only
  passed on a cached artifact. Made the blob loop serial (correct; KH-58
  re-parallelization via per-thread `gix::open` tracked as follow-up).
- Workspace-wide `cargo fmt` (the fmt gate was failing across many files).

Lean CI / embeddable build profile (`--no-default-features --features ci`):
- New cli `ci` feature: full 891-detector corpus + ML + entropy +
  decode-through + multiline, but NO Hyperscan (kills the ~1.7s cold-start
  -> ~0.85s and dropping), NO GPU/vyre drivers, NO live-verify, NO TUI,
  NO Ghidra, NO git/web/cloud backends (filesystem + stdin cover `scan .`).
- keyhog-sources now declares `dashmap` directly (was only transitively
  present, breaking reduced-feature builds) and sets `default-features =
  false` at the WORKSPACE level so members' `default-features = false`
  is actually honored (cargo ignores it otherwise).
- codewalk 0.2.5 `FileEntry { is_binary }` set in the explicit-include path.

Detection truth (all_tests: 32 -> 0 known failures):
- Boundary reassembly dedup is now detector-aware (offset+detector+hash),
  so co-located findings from distinct detectors are no longer dropped on
  the cross-chunk path (parity with in-chunk scan).
- Corpus de-duplication: shopify-access-token narrowed to shpca_ (admin/
  storefront own shpat_/shpss_); cloudflare-workers WORKERS made mandatory
  so plain cloudflare_api_token= belongs only to cloudflare-api-token.
- Concat reassembly: template-literal string interpolation (`${"x"}`),
  Rust concat!(), and `${a}${b}` cross-line variable resolution.
- twilio-auth-token boundary test uses its required AccountSid companion;
  heroku/homoglyph fixtures corrected to real-shape tokens.

Cold-start: HS DB cache moved from /tmp (wiped each reboot) to a persistent
XDG cache dir so the compile is paid once per machine, not once per boot.

Docs: README documents CI never needs a GPU + a concrete CI recipe;
CONTRIBUTING credits PR #7 (Edyard / @Eraminel01).
santhsecurity pushed a commit that referenced this pull request May 31, 2026
Applies the round 1 base64-protobuf FP-killer fixes from the investigator findings on the three owned files in this partition.

shape_gates.rs::looks_like_standard_base64_blob: drop the strict +/-required clause; admit pure-alphanumeric mult-of-4 base64 in [40, 80] when alphabet diversity is >= 32 distinct alnum chars, and admit padded-no-punct base64 ending in = or ==. Covers cause #1 (25 FPs from pure-alnum) and cause #4 (6 FPs from padded-no-punct shapes).

decode_structure.rs::looks_like_uniform_base64_blob: lower window floor from 60 to 44 (cause #7), add high-diversity admit (cause #2). Adds decoded_is_base64_blob helper for k8s data: double-base64 wrapper detection (cause #6) - decodes outer once and checks whether the inner bytes are themselves all-base64-alphabet of length >= 32.

confidence/penalties.rs::apply_post_ml_penalties: wire decoded_is_base64_blob into the generic-* (non-named) arm with the same 0.02 slam as the uniform-blob and encoded-binary gates. Named detectors continue to bypass.

Expected FP delta on base64-protobuf category: -52 (collapses the v32 surviving cluster). Each fix paired with positive truth + negative twin inline tests in the same file. Builds clean under both default and lean (no-default-features --features ml,entropy,decode,multiline) flags.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants