Description
Heroku OAuth2 tokens are used to authorize and grant access to Heroku accounts and applications. They allow third parties to provide services such as monitoring and scaling applications, and they can also be used for personal scripts or integrations. The initial Heroku pattern was just a 128-bit UUID, which made it difficult to identify. Heroku has since introduced two additional prefixed patterns. The current TruffleHog rule library only contains the V1 pattern and does not contain either the V2 or V3 patterns for these OAuth2 tokens. The regex patterns below match the two new token versions exactly.
Heroku Version 2
HRKU-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}
Heroku Version 3
HRKU-[0-9a-zA-Z_-]{60}
Preferred Solution
The new pattern versions should be added to the existing rule so that it comprehensively scans for Heroku secrets.
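As an added example (not code from this issue or from the TruffleHog project), a small Go scanner that applies the V1, V2 and V3 grammars above to text and labels each delimited hit with its version; the sample tokens are constructed and the boundary handling is my own, since Go's regexp has no lookaround:

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

const (
	uuid = `[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}`
	// V3 token alphabet: a raw match bordered by one of these is a fragment of a longer run.
	alphabet = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-"
)

// The three token grammars from the issue, most specific first. V1 is a bare
// UUID and therefore only a low-confidence match on its own.
var patterns = []struct {
	version string
	re      *regexp.Regexp
}{
	{"v3", regexp.MustCompile(`HRKU-[0-9a-zA-Z_-]{60}`)},
	{"v2", regexp.MustCompile(`HRKU-` + uuid)},
	{"v1", regexp.MustCompile(uuid)},
}

// ScanHerokuTokens maps every delimited V1/V2/V3 candidate in text to its version.
// Delimiting is done by inspecting the bytes around each raw match rather than
// consuming them in the pattern, so adjacent tokens are not swallowed.
func ScanHerokuTokens(text string) map[string]string {
	found := map[string]string{}
	for _, p := range patterns {
		for _, loc := range p.re.FindAllStringIndex(text, -1) {
			start, end := loc[0], loc[1]
			if (start > 0 && strings.IndexByte(alphabet, text[start-1]) >= 0) ||
				(end < len(text) && strings.IndexByte(alphabet, text[end]) >= 0) {
				continue // e.g. the UUID tail inside a V2 token, or HRKU- plus 61 chars
			}
			found[text[start:end]] = p.version
		}
	}
	return found
}

func main() {
	// Constructed sample input; none of these are real tokens.
	v3 := "HRKU-" + strings.Repeat("Ab3_-", 12) // exactly 60 chars after the prefix
	sample := "HEROKU_TOKEN=HRKU-0123abcd-4567-89ef-0123-456789abcdef\nAuthorization: Bearer " + v3 +
		"\nlegacy=0123abcd-4567-89ef-0123-456789abcdef\nnot_a_token=" + v3 + "X\n"
	for tok, ver := range ScanHerokuTokens(sample) {
		fmt.Println(ver, tok)
	}
}
```

The fourth sample line (a 61-character run after the prefix) is deliberately rejected, which is the kind of over-match a bare `{60}` quantifier without boundary checks would report.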
References
https://devcenter.heroku.com/articles/oauth#prefixed-oauth-tokens