fix(detectors): support 84-character Azure OpenAI API keys

mangod12 · mangod12 · commit e902991addb5 · 2026-05-21T22:01:59.000+05:30
Azure OpenAI now issues API keys that are 84 alphanumeric characters in addition to the original 32-character lowercase hex format. The existing regex only matched `[a-f0-9]{32}`, missing the newer keys. Changes: - Expand key pattern to match both 32-char and 84-char keys - Accept mixed-case alphanumeric characters (not just lowercase hex) - Fix Redacted field to use relative indexing for both key lengths - Add test cases for 84-char keys (env var, curl, Python SDK, invalid) Fixes #4389
diff --git a/pkg/detectors/azure_openai/azure_openai.go b/pkg/detectors/azure_openai/azure_openai.go
@@ -31,7 +31,7 @@ var (
 	// TODO: Investigate custom `azure-api.net` endpoints.
 	// https://github.com/openai/openai-python#microsoft-azure-openai
 	azureUrlPat = regexp.MustCompile(`(?i)([a-z0-9-]+\.openai\.azure\.com)`)
-	azureKeyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"api[_.-]?key", "openai[_.-]?key"}) + `\b(?-i:([a-f0-9]{32}))\b`)
+	azureKeyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"api[_.-]?key", "openai[_.-]?key"}) + `\b(?-i:([a-zA-Z0-9]{32}|[a-zA-Z0-9]{84}))\b`)
 
 	invalidServices = simple.NewCache[struct{}]()
 )
@@ -76,7 +76,7 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
 	for token := range tokens {
 		s1 := detectors.Result{
 			DetectorType: s.Type(),
-			Redacted:     token[:3] + "..." + token[25:],
+			Redacted:     token[:3] + "..." + token[len(token)-4:],
 			Raw:          []byte(token),
 			SecretParts:  map[string]string{"key": token},
 		}
diff --git a/pkg/detectors/azure_openai/azure_openai_test.go b/pkg/detectors/azure_openai/azure_openai_test.go
@@ -79,6 +79,34 @@ func TestAzureOpenAI_Pattern(t *testing.T) {
 					}`,
 			want: []string{"57d2de35873840b5ad59d742e90e974e"},
 		},
+		{
+			name: "84-character key - environment variable",
+			input: `export OPENAI_API_BASE=https://myservice-east.openai.azure.com/
+					export OPENAI_API_KEY=uQ9XsjB7aM2eVt5rL1pZcW6yGk4nF8oHd3RzXaYbT7vUjKmQeP5fNwL9oS2tH1rJ3pZxDkMvYeWq0bAs`,
+			want: []string{"uQ9XsjB7aM2eVt5rL1pZcW6yGk4nF8oHd3RzXaYbT7vUjKmQeP5fNwL9oS2tH1rJ3pZxDkMvYeWq0bAs"},
+		},
+		{
+			name: "84-character key - curl command",
+			input: `curl -X POST "https://prod-openai.openai.azure.com/openai/deployments/gpt-4o-mini/chat/completions?api-version=2025-01-01-preview" \
+					-H "Content-Type: application/json" \
+					-H "api-key: Rk7mTz3nWx9pLq2vBs5yJd8cFg1hNa6oUi4eXwYrKbQjVm0tPl5sDf3gHn7kMz9aRcWx2bYu4eL"`,
+			want: []string{"Rk7mTz3nWx9pLq2vBs5yJd8cFg1hNa6oUi4eXwYrKbQjVm0tPl5sDf3gHn7kMz9aRcWx2bYu4eL"},
+		},
+		{
+			name: "84-character key - Python SDK",
+			input: `from openai import AzureOpenAI
+					client = AzureOpenAI(
+						azure_endpoint="https://team-ai.openai.azure.com/",
+						api_key="Ht5mNr9wXz3pLq7vBs2yJd6cFg8hKa1oUi4eTxYrQbMjVn0kPl5sDf3gRn7wMz9aXcWx2bYu4eLk0q",
+					)`,
+			want: []string{"Ht5mNr9wXz3pLq7vBs2yJd6cFg8hKa1oUi4eTxYrQbMjVn0kPl5sDf3gRn7wMz9aXcWx2bYu4eLk0q"},
+		},
+		{
+			name: "invalid - 50 character key (wrong length)",
+			input: `OPENAI_API_KEY=uQ9XsjB7aM2eVt5rL1pZcW6yGk4nF8oHd3RzXaYbT7vUjKm
+					https://test.openai.azure.com/`,
+			want: []string{},
+		},
 	}
 
 	for _, test := range tests {
