Request Method Customization in Custom Detector #4134

Open
@effortlessdevsec

Currently, TruffleHog custom detectors do not support customization of the HTTP request method (e.g., GET, POST, PUT, DELETE) used during outbound validation. This limits compatibility with certain APIs that require specific request methods for validation or scanning workflows.

Preferred Solution

Add support for specifying the HTTP method in the custom detector configuration. For example:

custom_detector:
  name: MyDetector
  request:
    method: POST
    url: https://api.example.com/validate
    headers:
      Authorization: Bearer {{API_KEY}}
    body:
      key: "{{secret}}"

If the method field is omitted, it should default to GET to preserve backward compatibility. TruffleHog should then use the specified HTTP method when calling the external service.

Additional Context

Many API providers (e.g., AWS STS, Vault, or custom internal tools) require specific HTTP methods (often POST or PUT) to validate secrets or tokens. Without support for method customization, these integrations cannot be fully utilized with TruffleHog's custom detectors.

TruffleHog Custom Detector Documentation
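
A sketch of the behaviour requested above, added here as an example; it is not part of the original issue and not TruffleHog code. `VerifyRequest`, `BuildRequest` and `allowedMethods` are hypothetical names, and the method allowlist, the HTTPS-only check and substituting only `{{secret}}` are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// VerifyRequest mirrors the request block proposed in the issue (hypothetical type).
type VerifyRequest struct {
	Method, URL, Body string
	Headers           map[string]string
}

// Methods accepted for outbound verification: the four named in the issue.
var allowedMethods = map[string]bool{"GET": true, "POST": true, "PUT": true, "DELETE": true}

// BuildRequest defaults an omitted method to GET, rejects unlisted methods
// and non-HTTPS URLs, and fills {{secret}} into the headers and body.
func BuildRequest(cfg VerifyRequest, secret string) (*http.Request, error) {
	method := strings.ToUpper(strings.TrimSpace(cfg.Method))
	if method == "" {
		method = http.MethodGet // backward-compatible default
	}
	if !allowedMethods[method] {
		return nil, fmt.Errorf("unsupported verification method %q", cfg.Method)
	}
	if !strings.HasPrefix(cfg.URL, "https://") {
		return nil, fmt.Errorf("candidate secrets are only sent over https, got %q", cfg.URL)
	}
	fill := strings.NewReplacer("{{secret}}", secret)
	req, err := http.NewRequest(method, cfg.URL, strings.NewReader(fill.Replace(cfg.Body)))
	if err != nil {
		return nil, err
	}
	for name, value := range cfg.Headers {
		req.Header.Set(name, fill.Replace(value))
	}
	return req, nil
}

func main() {
	// Constructed sample input modelled on the YAML in the issue.
	cfg := VerifyRequest{Method: "post", URL: "https://api.example.com/validate",
		Body: `{"key":"{{secret}}"}`, Headers: map[string]string{"Authorization": "Bearer {{secret}}"}}
	req, err := BuildRequest(cfg, "constructed-secret")
	fmt.Println(req.Method, req.URL, req.ContentLength, err)
}
```

Rejecting unlisted methods and plain-HTTP endpoints at configuration load keeps a mistyped or hostile detector file from sending candidate secrets in an unexpected request.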
