TruffleHog Version
3.95.3
Trace Output
N/A — issue is reproducible from the detector regex alone; no scan trace needed.
Expected Behavior
The AzureAppConfigConnectionString detector should match Azure App Configuration access-key connection strings in the canonical format produced by Azure:
Endpoint=https://<store>.azconfig.io;Id=<prefix>:<base64>;Secret=<base64>
The Id portion is documented as <prefix>:<base64>, where <prefix> typically contains letters, digits, and hyphens. The detector should flag this as a finding.
Actual Behavior
The detector silently misses real Azure App Configuration access keys because the Id character class in the regex only allows the base64 alphabet ([a-zA-Z0-9+\/=]). Any real-world Id value containing - or : (which is every Azure-issued key, since the colon separates prefix from base64 body) fails to match, and no finding is emitted.
Current pattern in pkg/detectors/azureappconfigconnectionstring/azureappconfigconnectionstring.go:
connectionStringPat = regexp.MustCompile(`Endpoint=(https:\/\/[a-zA-Z0-9-]+\.azconfig\.io);Id=([a-zA-Z0-9+\/=]+);Secret=([a-zA-Z0-9+\/=]+)`)
Proposed fix — extend the Id character class to include : and -:
connectionStringPat = regexp.MustCompile(`Endpoint=(https:\/\/[a-zA-Z0-9-]+\.azconfig\.io);Id=([a-zA-Z0-9+\/:=-]+);Secret=([a-zA-Z0-9+\/=]+)`)
Steps to Reproduce
- Save the following representative (fake) connection string to a file, e.g. /tmp/azconfig.txt:
  Endpoint=https://myappconfig001.azconfig.io;Id=aB1c-d2-e3:+XyZ12345AbCdEfGhIjKl;Secret=MnOpQrSt67UvWxYz89AbCdEf0123GhIjKlMnOpQrStUvWxYz1234=
  The Id (aB1c-d2-e3:+XyZ12345AbCdEfGhIjKl) matches the canonical Azure-issued format: hyphenated prefix, :, base64 body.
- Run trufflehog against the file with verification disabled to isolate the regex behavior:
  trufflehog filesystem /tmp/azconfig.txt --no-update --json --no-verification
- Observe unverified_secrets: 0 — the detector emits no finding even though the string is a syntactically valid Azure App Configuration connection string.
- Apply the regex change above and rebuild; the same input now produces an AzureAppConfigConnectionString finding as expected.
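The following Go program is an added illustration, not TruffleHog's own code: it compiles the current and the proposed pattern quoted above side by side and runs both over the fake connection string from the reproduction steps, plus a constructed second sample whose Id is base64-only (the one shape the present class does accept, which is why the miss is silent). The names Finding, CurrentFindings, ProposedFindings and Base64OnlySample are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
)

// currentPat is the detector's present pattern: the Id class is base64-only.
var currentPat = regexp.MustCompile(`Endpoint=(https:\/\/[a-zA-Z0-9-]+\.azconfig\.io);Id=([a-zA-Z0-9+\/=]+);Secret=([a-zA-Z0-9+\/=]+)`)

// proposedPat is the same pattern with ':' and '-' admitted into the Id class.
var proposedPat = regexp.MustCompile(`Endpoint=(https:\/\/[a-zA-Z0-9-]+\.azconfig\.io);Id=([a-zA-Z0-9+\/:=-]+);Secret=([a-zA-Z0-9+\/=]+)`)

// CanonicalSample is the fake connection string from the reproduction steps:
// hyphenated prefix, colon, base64 body in the Id.
const CanonicalSample = "Endpoint=https://myappconfig001.azconfig.io;Id=aB1c-d2-e3:+XyZ12345AbCdEfGhIjKl;Secret=MnOpQrSt67UvWxYz89AbCdEf0123GhIjKlMnOpQrStUvWxYz1234="

// Base64OnlySample is a constructed variant whose Id has no prefix or colon.
// It is the only Id shape the current class can match.
const Base64OnlySample = "Endpoint=https://myappconfig001.azconfig.io;Id=XyZ12345AbCdEfGhIjKl;Secret=MnOpQrSt67UvWxYz89AbCdEf0123GhIjKlMnOpQrStUvWxYz1234="

// Finding holds the three capture groups of one matched connection string.
type Finding struct {
	Endpoint, ID, Secret string
}

// extract runs pat over input and returns one Finding per complete match.
func extract(pat *regexp.Regexp, input string) []Finding {
	var out []Finding
	for _, m := range pat.FindAllStringSubmatch(input, -1) {
		out = append(out, Finding{Endpoint: m[1], ID: m[2], Secret: m[3]})
	}
	return out
}

// CurrentFindings applies the detector's present pattern to input.
func CurrentFindings(input string) []Finding { return extract(currentPat, input) }

// ProposedFindings applies the fixed pattern to input.
func ProposedFindings(input string) []Finding { return extract(proposedPat, input) }

func main() {
	samples := map[string]string{"canonical": CanonicalSample, "base64-only": Base64OnlySample}
	for name, input := range samples {
		fmt.Printf("%-12s current=%d proposed=%d\n", name, len(CurrentFindings(input)), len(ProposedFindings(input)))
	}
	if f := ProposedFindings(CanonicalSample); len(f) == 1 {
		fmt.Printf("proposed Id capture: %q\n", f[0].ID)
	}
}
```

The canonical sample yields zero findings under the current pattern and exactly one under the proposed one, while the base64-only sample yields one under both; the widened class still stops at `;`, so the Id capture cannot run into the Secret field.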
Environment
- Version: trufflehog 3.95.3
Additional Context
The fix is a minimal character-class extension on a single regex; the verification logic downstream already handles arbitrary Id/Secret byte content correctly, so no other changes are required. Happy to open a PR with the fix and a detector unit test covering the hyphen/colon Id shape if useful.
References
pkg/detectors/azureappconfigconnectionstring/azureappconfigconnectionstring.go — current detector