- updated make endpoint regex

- updated verifyMatch to prepend https:// and append /api/v2/
- updated keywords for api_token and mcp_token
- replaced FindAllString() instead of FindAllStringSubmatch()
- updated FromData to only return results if an endpoint is configured or found
- removed duplicate endpoint slice length validation and changed verifyMatch() argument type to be a string instead of a slice of strings
- added a trailing empty line in api_token_test.go to pass gofmt checks

Co-authored-by: Kashif Khan <[email protected]>
Co-authored-by: Jeff Rowell <[email protected]>

Author: Jeff-Rowell

pkg/detectors/make/api_token/api_token.go

@@ -28,15 +28,15 @@ var (
 	// Make sure that your group is surrounded in boundary characters such as below to reduce false positives.
 	keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"make"}) + `\b([a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})\b`)
 	// Pattern to match Make.com URLs in the data
-	urlPat = regexp.MustCompile(`\b(eu|us)[12]\.make\.(com|celonis)\.com`)
+	urlPat = regexp.MustCompile(`\b(eu|us)[12]\.make\.(com|celonis\.com)`)
 )
 
 func (Scanner) CloudEndpoint() string { return "" }
 
 // Keywords are used for efficiently pre-filtering chunks.
 // Use identifiers in the secret preferably, or the provider name.
 func (s Scanner) Keywords() []string {
-	return []string{"make"}
+	return []string{"make.com", "make.celonis.com"}
 }
 
 // FromData will find and optionally verify Make secrets in a given set of bytes.
@@ -49,43 +49,35 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
 	}
 
 	// Extract Make URLs from the data
-	var foundURLs []string
-	for _, match := range urlPat.FindAllStringSubmatch(dataStr, -1) {
-		foundURLs = append(foundURLs, match[0])
-	}
+	foundURLs := urlPat.FindAllString(dataStr, -1)
 
 	// Get endpoints using EndpointCustomizer
 	endpoints := s.Endpoints(foundURLs...)
 
-	for match := range uniqueMatches {
-		if len(endpoints) > 0 {
-			// Create results for each endpoint
-			for _, endpoint := range endpoints {
-				s1 := detectors.Result{
-					DetectorType: detectorspb.DetectorType_MakeApiToken,
-					Raw:          []byte(match),
-					RawV2:        []byte(match + ":" + endpoint),
-				}
-
-				if verify {
-					client := s.client
-					if client == nil {
-						client = defaultClient
-					}
-
-					isVerified, extraData, verificationErr := verifyMatch(ctx, client, match, []string{endpoint})
-					s1.Verified = isVerified
-					s1.ExtraData = extraData
-					s1.SetVerificationError(verificationErr, match)
-				}
+	// Skip creating results if no endpoints are available
+	if len(endpoints) == 0 {
+		return
+	}
 
-				results = append(results, s1)
-			}
-		} else {
-			// No endpoints configured or found, return unverified result
+	for match := range uniqueMatches {
+		// Create results for each endpoint
+		for _, endpoint := range endpoints {
 			s1 := detectors.Result{
 				DetectorType: detectorspb.DetectorType_MakeApiToken,
 				Raw:          []byte(match),
+				RawV2:        []byte(match + ":" + endpoint),
+			}
+
+			if verify {
+				client := s.client
+				if client == nil {
+					client = defaultClient
+				}
+
+				isVerified, extraData, verificationErr := verifyMatch(ctx, client, match, endpoint)
+				s1.Verified = isVerified
+				s1.ExtraData = extraData
+				s1.SetVerificationError(verificationErr, match)
 			}
 
 			results = append(results, s1)
@@ -95,28 +87,16 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
 	return
 }
 
-func verifyMatch(ctx context.Context, client *http.Client, token string, endpoints []string) (bool, map[string]string, error) {
-	if len(endpoints) == 0 {
-		return false, nil, nil
-	}
-
-	var lastErr error
-	for _, endpoint := range endpoints {
-		verified, err := tryURL(ctx, client, endpoint, token)
-		if verified {
-			return true, nil, nil
-		}
-		if err != nil {
-			lastErr = err
-			continue
-		}
-		// Continue to next URL on determinate failures (401)
+func verifyMatch(ctx context.Context, client *http.Client, token string, endpoint string) (bool, map[string]string, error) {
+	verified, err := tryURL(ctx, client, fmt.Sprintf("https://%s/api/v2/", endpoint), token)
+	if verified {
+		return true, nil, nil
 	}
-
-	// If we got here, either all endpoints failed or we had errors
-	if lastErr != nil {
-		return false, nil, lastErr
+	if err != nil {
+		// Indeterminate failure (network error, etc.)
+		return false, nil, err
 	}
+	// Determinate failure (401)
 	return false, nil, nil
 }
 

pkg/detectors/make/api_token/api_token_integration_test.go

@@ -45,7 +45,7 @@ func TestMake_FromChunk(t *testing.T) {
 			s:    Scanner{},
 			args: args{
 				ctx:    context.Background(),
-				data:   []byte(fmt.Sprintf("You can find a make secret %s and endpoint https://us2.make.com/api/v2/", secret)),
+				data:   []byte(fmt.Sprintf("You can find a make secret %s and endpoint us2.make.com", secret)),
 				verify: true,
 			},
 			want: []detectors.Result{
@@ -62,7 +62,7 @@ func TestMake_FromChunk(t *testing.T) {
 			s:    Scanner{},
 			args: args{
 				ctx:    context.Background(),
-				data:   []byte(fmt.Sprintf("You can find a make secret %s and endpoint https://us2.make.com/api/v2/ but not valid", inactiveSecret)), // the secret would satisfy the regex but not pass validation
+				data:   []byte(fmt.Sprintf("You can find a make secret %s and endpoint us2.make.com but not valid", inactiveSecret)), // the secret would satisfy the regex but not pass validation
 				verify: true,
 			},
 			want: []detectors.Result{
@@ -91,7 +91,7 @@ func TestMake_FromChunk(t *testing.T) {
 			s:    Scanner{client: common.SaneHttpClientTimeOut(1 * time.Microsecond)},
 			args: args{
 				ctx:    context.Background(),
-				data:   []byte(fmt.Sprintf("You can find a make secret %s and endpoint https://us2.make.com/api/v2/", secret)),
+				data:   []byte(fmt.Sprintf("You can find a make secret %s and endpoint us2.make.com", secret)),
 				verify: true,
 			},
 			want: []detectors.Result{
@@ -108,7 +108,7 @@ func TestMake_FromChunk(t *testing.T) {
 			s:    Scanner{client: common.ConstantResponseHttpClient(404, "")},
 			args: args{
 				ctx:    context.Background(),
-				data:   []byte(fmt.Sprintf("You can find a make secret %s and endpoint https://us2.make.com/api/v2/", secret)),
+				data:   []byte(fmt.Sprintf("You can find a make secret %s and endpoint us2.make.com", secret)),
 				verify: true,
 			},
 			want: []detectors.Result{

pkg/detectors/make/api_token/api_token_test.go

@@ -31,18 +31,18 @@ func TestMakeApiToken_Pattern(t *testing.T) {
 			`,
 			useCloudEndpoint: false,
 			useFoundEndpoint: true,
-			want:             []string{"bbb94d50-239f-4609-9569-63ea15eb0996:https://eu1.make.com/api/v2/"},
+			want:             []string{"bbb94d50-239f-4609-9569-63ea15eb0996:eu1.make.com"},
 		},
 		{
 			name: "valid pattern with configured endpoint",
 			input: `
-				# make api token
+				# make.com api token
 				MAKE_TOKEN: bbb94d50-239f-4609-9569-63ea15eb0996
 			`,
-			cloudEndpoint:    "https://us1.make.com/api/v2/",
+			cloudEndpoint:    "us1.make.com",
 			useCloudEndpoint: true,
 			useFoundEndpoint: false,
-			want:             []string{"bbb94d50-239f-4609-9569-63ea15eb0996:https://us1.make.com/api/v2/"},
+			want:             []string{"bbb94d50-239f-4609-9569-63ea15eb0996:us1.make.com"},
 		},
 		{
 			name: "valid pattern with both found and configured endpoints",
@@ -51,12 +51,12 @@ func TestMakeApiToken_Pattern(t *testing.T) {
 				MAKE_TOKEN: bbb94d50-239f-4609-9569-63ea15eb0996
 				URL: https://eu1.make.com/api/v2/
 			`,
-			cloudEndpoint:    "https://us1.make.com/api/v2/",
+			cloudEndpoint:    "us1.make.com",
 			useCloudEndpoint: true,
 			useFoundEndpoint: true,
 			want: []string{
-				"bbb94d50-239f-4609-9569-63ea15eb0996:https://us1.make.com/api/v2/",
-				"bbb94d50-239f-4609-9569-63ea15eb0996:https://eu1.make.com/api/v2/",
+				"bbb94d50-239f-4609-9569-63ea15eb0996:us1.make.com",
+				"bbb94d50-239f-4609-9569-63ea15eb0996:eu1.make.com",
 			},
 		},
 		{
@@ -66,42 +66,40 @@ func TestMakeApiToken_Pattern(t *testing.T) {
 				MAKE_TOKEN: bbb94d50-239f-4609-9569-63ea15eb0996
 				URL: https://eu1.make.com/api/v2/
 			`,
-			cloudEndpoint:    "https://us1.make.com/api/v2/",
+			cloudEndpoint:    "us1.make.com",
 			useCloudEndpoint: true,
 			useFoundEndpoint: false,
 			want: []string{
-				"bbb94d50-239f-4609-9569-63ea15eb0996:https://us1.make.com/api/v2/",
+				"bbb94d50-239f-4609-9569-63ea15eb0996:us1.make.com",
 			},
 		},
 		{
 			name: "valid pattern with celonis domain",
 			input: `
 				# make api token
 				MAKE_TOKEN: bbb94d50-239f-4609-9569-63ea15eb0996
-				URL: https://us1.make.celonis.com/api/v2/
+				URL: us1.make.celonis.com
 			`,
 			useCloudEndpoint: false,
 			useFoundEndpoint: true,
 			want: []string{
-				"bbb94d50-239f-4609-9569-63ea15eb0996:https://us1.make.celonis.com/api/v2/",
+				"bbb94d50-239f-4609-9569-63ea15eb0996:us1.make.celonis.com",
 			},
 		},
 		{
 			name: "no endpoints configured or found",
 			input: `
-				# make api token
+				# make.com api token
 				MAKE_TOKEN: bbb94d50-239f-4609-9569-63ea15eb0996
 			`,
 			useCloudEndpoint: false,
 			useFoundEndpoint: false,
-			want: []string{
-				"bbb94d50-239f-4609-9569-63ea15eb0996",
-			},
+			want: nil,
 		},
 		{
 			name: "invalid pattern",
 			input: `
-				# make api token
+				# make.com api token
 				MAKE_TOKEN: invalid-token-format
 			`,
 			useFoundEndpoint: true,
@@ -157,4 +155,4 @@ func TestMakeApiToken_Pattern(t *testing.T) {
 			}
 		})
 	}
-}
+}

pkg/detectors/make/mcp_token/mcp_token.go

@@ -29,16 +29,17 @@ var (
 // Keywords are used for efficiently pre-filtering chunks.
 // Use identifiers in the secret preferably, or the provider name.
 func (s Scanner) Keywords() []string {
-	return []string{"make", "mcp"}
+	return []string{"make.com", "make.celonis.com"}
 }
 
 // FromData will find and optionally verify Makemcptoken secrets in a given set of bytes.
 func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) {
 	dataStr := string(data)
 
+	matches := keyPat.FindAllString(dataStr, -1)
 	uniqueMatches := make(map[string]struct{})
-	for _, match := range keyPat.FindAllStringSubmatch(dataStr, -1) {
-		uniqueMatches[match[0]] = struct{}{}
+	for _, match := range matches {
+		uniqueMatches[match] = struct{}{}
 	}
 
 	for match := range uniqueMatches {
@@ -84,7 +85,7 @@ func verifyMatch(ctx context.Context, client *http.Client, url string) (bool, ma
 	case http.StatusOK:
 		return true, nil, nil
 	case http.StatusUnauthorized:
-		// The secret is determinately not verified (invalid token)
+		// Determinate failure (401)
 		return false, nil, nil
 	default:
 		// Any other status code is an indeterminate failure