Skip to content

feat(detectors): add JumpCloud API Key v2 detector (jca_ prefix)#4975

Open
mangod12 wants to merge 2 commits into
trufflesecurity:mainfrom
mangod12:feat/jumpcloud-v2-detector
Open

feat(detectors): add JumpCloud API Key v2 detector (jca_ prefix)#4975
mangod12 wants to merge 2 commits into
trufflesecurity:mainfrom
mangod12:feat/jumpcloud-v2-detector

Conversation

@mangod12
Copy link
Copy Markdown

@mangod12 mangod12 commented May 21, 2026
edited by cursor Bot
Loading

Description

Add a new v2 detector for JumpCloud API keys that use the jca_ prefix format (reference).

Why: The existing v1 detector matches generic 40-character alphanumeric strings only when the keyword "jumpcloud" is nearby, which can lead to false positives. JumpCloud's new API key format uses a jca_ prefix, making keys self-identifying and significantly reducing false positives.

What:

  • Restructured jumpcloud detector into v1/ and v2/ subdirectories
  • Added Versioner interface to both v1 and v2 scanners
  • v2 pattern: jca_[a-zA-Z0-9]{36} (40 chars total)
  • v2 keyword: jca_ (self-identifying, no context needed)
  • Same verification endpoint: GET https://console.jumpcloud.com/api/v2/systemgroups with x-api-key header
  • Deduplicates matches and drains response body for connection reuse
  • Registered both versions in defaults.go

Key Format

  • Total length: 40 characters
  • Prefix: jca_ (4 characters)
  • Key part: 36 alphanumeric characters
  • Pattern: jca_[a-zA-Z0-9]{36}

Test plan

  • Pattern tests: 4 valid cases (env var, config file, code usage, dedup) + 4 invalid cases (too short, too long, special chars, no prefix)
  • Follows existing v2 detector patterns (buildkite/v2, elevenlabs/v2)
  • make test-community (Go not available locally — CI will verify)

Checklist

  • Tests passing (make test-community)?
  • Lint passing (make lint)?

Fixes #4624

Note

Medium Risk
Adds a new JumpCloud detector and changes default detector registration, which will affect what secrets are flagged and may increase verification HTTP calls during scans.

Overview
Adds a new JumpCloud v2 detector that matches self-identifying API keys with the jca_ prefix, deduplicates matches, and performs stricter verification response handling (including draining response bodies) while recording the detector version in result metadata.

Refactors the existing JumpCloud detector into jumpcloud/v1 and registers both v1 and v2 scanners in defaults.go, with v1 updated to implement Version()/Versioner for multi-version support.

Reviewed by Cursor Bugbot for commit 49a8ddf. Bugbot is set up for automated code reviews on this repo. Configure here.

@mangod12
feat(detectors): add JumpCloud API Key v2 detector (jca_ prefix)
b833426 
Add a new v2 detector for JumpCloud API keys that use the `jca_` prefix
format. The new format is self-identifying (40 chars: `jca_` + 36
alphanumeric), reducing false positives compared to the v1 detector
which relies on the keyword "jumpcloud" near a generic 40-char string.

Changes:
- Restructure jumpcloud detector into v1/v2 subdirectories
- Add Versioner interface to v1 scanner
- Create v2 scanner with `jca_[a-zA-Z0-9]{36}` pattern
- Add pattern tests with realistic input scenarios
- Use same verification endpoint (JumpCloud systemgroups API)
- Deduplicate matches and drain response body for connection reuse
- Register both v1 and v2 in defaults.go

Fixes trufflesecurity#4624
@mangod12 mangod12 requested review from a team and Copilot May 21, 2026 16:17
@mangod12 mangod12 requested a review from a team as a code owner May 21, 2026 16:17
@CLAassistant
Copy link
Copy Markdown

CLAassistant commented May 21, 2026
edited
Loading

CLA assistant check
All committers have signed the CLA.

Copilot AI reviewed May 21, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

cursor[bot]
cursor Bot reviewed May 21, 2026
View reviewed changes
Copy link
Copy Markdown

@cursor cursor Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

Reviewed by Cursor Bugbot for commit b833426. Configure here.

Comment thread pkg/detectors/jumpcloud/v2/jumpcloud_test.go Outdated
@mangod12 mangod12 mentioned this pull request May 21, 2026
Open
@mangod12 @claude
fix(test): correct test key length to match 36-char regex
49a8ddf 
The "valid pattern - config file" test key had 39 alphanumeric
characters after the jca_ prefix, but the regex requires exactly 36.
Trimmed to 36 so the pattern match succeeds.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@cursor cursor[bot] cursor[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add JumpCloud API Key v2 detector (jca_ prefix format)

3 participants

@mangod12 @CLAassistant