feat(detectors): add Dynatrace token detector #5085

Open
beer4code wants to merge 1 commit into trufflesecurity:main from beer4code:feat/dynatrace-detector

Conversation

@beer4code beer4code commented Jun 28, 2026


Summary

Adds a detector for Dynatrace API tokens, personal access tokens, and platform tokens (shape dt0<x><nn>.<public-id>.<secret>, e.g. dt0c01, dt0s16).

  • Token regex matches the 3-segment structure with word boundaries.
  • Tenant pairing. A token is scoped to a Dynatrace tenant whose URL usually appears in the same chunk. The detector pairs each token with every discovered SaaS tenant host (cartesian, like azure_cosmosdb / cexio detectors).
  • Host normalization. The 3rd-gen UI apps subdomain serves only a very limited platform API, so it is normalized to the environment API host before the request: prod ...apps.dynatrace.com -> ...live.dynatrace.com; dev/sprint drop the extra apps label.
  • Token-only emission. When no tenant URL is in the chunk, the token is still reported as an unverified finding.
  • Tenant is surfaced in ExtraData (visible in plain output) and SecretParts/RawV2.

Verification

  • POST https://{tenant}/api/v2/apiTokens/lookup with Authorization: Api-Token <token>.
    • 200 → verified
    • 403 → verified, but the token lacks permissions to look up scopes (this case has been thoroughly tested with live tokens)
    • 401 → unverified
    • other status / transport errors → surfaced via SetVerificationError (reported as unknown)

Testing

  • Unit tests (dynatrace_test.go): regex coverage, host normalization (live/apps/dev/sprint variants), redaction (secret masked), and verification status mapping via mock clients (200/403/401/5xx/transport error).
  • Integration test: Verified manually. Since Dynatrace is a paid product, trufflehog skips tests when credentials aren't configured (loads a dedicated dynatrace secret; runnable locally via TEST_SECRET_FILE).
  • Manual end-to-end: all implemented combinations have been verified against actual sprint and live tenants.

Registered as DetectorType_Dynatrace = 741 (already reserved in the proto; removed from excludedFromDefaultList).

Checklist:

  • Tests passing (make test-community)
  • Lint passing (make lint; this requires golangci-lint)

Note

Low Risk
Additive detector-only change with tests; verification performs outbound calls to customer Dynatrace tenants when verify mode is on, consistent with other API-key detectors.

Overview
Adds a Dynatrace secret scanner for API/PAT/platform tokens (dt0… three-segment form) and wires it into the default engine as DetectorType_Dynatrace (741), dropping the proto “not yet implemented” note and removing it from excludedFromDefaultList.

Detection uses keyword dt0, regex for tokens and SaaS tenant hosts, and cartesian pairing of each token with every tenant in the chunk (tenant in ExtraData / RawV2). Tokens without a tenant in the chunk are still reported unverified. Verification POSTs to /api/v2/apiTokens/lookup on a normalized API host (apps → live on prod / apps label stripped on labs); 200 and 403 count as verified, 401 as invalid, and other HTTP/transport failures surface via SetVerificationError. Secret segments are redacted in output.

Unit tests cover patterns, host normalization, redaction, and mocked verification; an optional integration test runs when dynatrace test secrets are configured.

Reviewed by Cursor Bugbot for commit 02d5637.
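The detector behaviour described in the PR summary and the Bugbot overview (3-segment token regex, cartesian token/tenant pairing with token-only emission, apps-to-live host normalization, secret redaction, and the 200/403/401/other status mapping) as an added, self-contained Go illustration. This is not the PR's code nor trufflehog's detector framework: the 24/64-character segment lengths, the 8-character environment id, the exact SaaS host patterns, the JSON lookup body, and the `fakeClient`, `Finding`, `Status` and `Doer` names are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"regexp"
	"strings"
)

// Assumed token shape (segment lengths are an assumption): dt0<x><nn>.<24-char public id>.<64-char secret>.
var tokenPat = regexp.MustCompile(`\b(dt0[a-z][0-9]{2})\.([A-Z0-9]{24})\.([A-Z0-9]{64})\b`)

// Assumed SaaS tenant hosts: <env>.live|apps.dynatrace.com (prod) and
// <env>.dev|sprint[.apps].dynatracelabs.com (labs); the 8-char env id is also an assumption.
var tenantPat = regexp.MustCompile(`\b[a-z0-9]{8}\.(?:(?:live|apps)\.dynatrace\.com|(?:dev|sprint)\.(?:apps\.)?dynatracelabs\.com)\b`)

// Finding is one token/tenant pair; Tenant is "" when the chunk held no tenant host.
type Finding struct {
	Token  string
	Tenant string
}

// FindCandidates pairs every token with every tenant host in the chunk (cartesian
// product) and still emits a tenant-less finding when no tenant host is present.
func FindCandidates(chunk string) []Finding {
	tokens := dedupe(tokenPat.FindAllString(chunk, -1))
	tenants := dedupe(tenantPat.FindAllString(chunk, -1))
	var out []Finding
	for _, tok := range tokens {
		if len(tenants) == 0 {
			out = append(out, Finding{Token: tok})
			continue
		}
		for _, h := range tenants {
			out = append(out, Finding{Token: tok, Tenant: NormalizeHost(h)})
		}
	}
	return out
}

func dedupe(in []string) (out []string) {
	seen := map[string]bool{}
	for _, s := range in {
		if !seen[s] {
			seen[s], out = true, append(out, s)
		}
	}
	return out
}

// NormalizeHost maps the 3rd-gen UI host to the environment API host:
// prod <env>.apps.dynatrace.com -> <env>.live.dynatrace.com; dev/sprint drop the "apps" label.
func NormalizeHost(h string) string {
	h = strings.ToLower(h)
	if strings.HasSuffix(h, ".apps.dynatrace.com") {
		return strings.TrimSuffix(h, ".apps.dynatrace.com") + ".live.dynatrace.com"
	}
	return strings.Replace(h, ".apps.dynatracelabs.com", ".dynatracelabs.com", 1)
}

// Redact keeps the prefix and public id and masks the secret segment for output.
func Redact(token string) string {
	m := tokenPat.FindStringSubmatch(token)
	if m == nil {
		return "<not a dynatrace token>"
	}
	return m[1] + "." + m[2] + "." + strings.Repeat("*", 8)
}

type Status int

const (
	Unknown  Status = iota // lookup could not be completed; caller surfaces the error
	Verified               // 200 or 403: the tenant accepted the token
	Invalid                // 401: the tenant rejected the token
)

// Doer is the HTTP seam so tests can inject canned responses instead of dialling out.
type Doer interface {
	Do(*http.Request) (*http.Response, error)
}

// Verify performs the lookup call the PR describes and maps the outcome.
// The JSON body is an assumption; the PR only names the endpoint and the header.
func Verify(c Doer, f Finding) (Status, error) {
	if f.Tenant == "" {
		return Unknown, errors.New("no tenant host to verify against")
	}
	body := strings.NewReader(`{"token":"` + f.Token + `"}`)
	req, err := http.NewRequest(http.MethodPost, "https://"+f.Tenant+"/api/v2/apiTokens/lookup", body)
	if err != nil {
		return Unknown, err
	}
	req.Header.Set("Authorization", "Api-Token "+f.Token)
	req.Header.Set("Content-Type", "application/json")
	resp, err := c.Do(req)
	if err != nil {
		return Unknown, err // transport failure is surfaced, never treated as "invalid"
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK, http.StatusForbidden:
		return Verified, nil
	case http.StatusUnauthorized:
		return Invalid, nil
	default:
		return Unknown, fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
}

// fakeClient returns a canned status or error and never touches the network.
type fakeClient struct {
	code int
	err  error
}

func (f fakeClient) Do(*http.Request) (*http.Response, error) {
	if f.err != nil {
		return nil, f.err
	}
	return &http.Response{StatusCode: f.code, Body: io.NopCloser(strings.NewReader(""))}, nil
}
```

Running `FindCandidates` over a constructed chunk such as `"DT_TOKEN=dt0c01.<public>.<secret> https://abc12345.apps.dynatrace.com/ui"` yields one finding whose tenant has already been rewritten to `abc12345.live.dynatrace.com`; passing it to `Verify(fakeClient{code: 403}, f)` returns `Verified`, while a 5xx or a dial error returns `Unknown` together with the error so the caller can report it as a verification error rather than as a rejected token.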

@beer4code beer4code requested a review from a team June 28, 2026 21:53
@beer4code beer4code requested review from a team as code owners June 28, 2026 21:53
CLAassistant commented Jun 28, 2026


CLA assistant check
All committers have signed the CLA.
