
DatadogToken detector produces false positives for checksums, encrypted data, and service names #4631

@rootranjan

Description


Please review the Community Note before submitting

Note: This issue description contains examples of 6 DatadogToken false positive patterns:

  • Placeholder values (e.g., 11111111111111111111111111111111)
  • Base64-encoded certificate substrings (e.g., AoF2zTjTAfBgNVHSMEGDAWgBRAlpydcy)
  • URL-encoded service names (e.g., 3Amy-app-service-name-asia)
  • NPM integrity hash substrings (e.g., nvbRupSjMvqzwnQN0qwCmOxITt1cfywA)
  • Go module checksum substrings (e.g., PsspsfO4wZsSqL8l658yAUo7lFUSnPD0)
  • SOPS-encrypted data substrings (e.g., l5zvI7lM7rrkPUjzWCj5OZGb1CDPW1FT)

Scanning this issue file with TruffleHog 3.92.4 will trigger multiple false positive detections. The base64-certificate case is demonstrated via screenshot and the full test file in the steps below.

TruffleHog Version

3.92.4

Trace Output

Not applicable - this is a false positive issue, not a crash or error. The detector is working but producing incorrect results.

Expected Behavior

The DatadogToken detector should not flag legitimate code identifiers, checksums, encrypted data, or test values as potential secrets. It should only detect actual Datadog API and Application keys, which typically:

  • Contain a mix of letters, numbers, and possibly underscores
  • Have higher entropy (random character distribution)
  • Don't follow common code naming conventions
  • Are not part of checksums, hashes, or encrypted data

Actual Behavior

The DatadogToken detector flags any 32-character or 40-character alphanumeric string near the keywords "datadog" or "dd" as a potential secret, including:

  • URL-encoded service names in paths (e.g., service%3Amy-app-service-name-asia)
  • NPM package integrity hashes (e.g., nvbRupSjMvqzwnQN0qwCmOxITt1cfywA from sha512-...==)
  • Go module checksums (e.g., PsspsfO4wZsSqL8l658yAUo7lFUSnPD0 from h1:...=)
  • SOPS-encrypted data (e.g., l5zvI7lM7rrkPUjzWCj5OZGb1CDPW1FT from ENC[AES256_GCM,data:...])
  • Test/placeholder values (e.g., 11111111111111111111111111111111)
  • Base64-encoded certificates (e.g., AoF2zTjTAfBgNVHSMEGDAWgBRAlpydcy from caBundle)

Example False Positives:

  1. URL-encoded Service Name:
# File: config.yaml
links:
  - type: datadog
    url: https://app.datadoghq.com/apm/entity/service%3Amy-app-service-name-asia

Detected: 3Amy-app-service-name-asia (32+ chars) - This is a URL-encoded service name, not a secret.

  2. NPM Package Integrity Hash:
{
  "name": "@datadog/dd-trace",
  "integrity": "sha512-XRUeBZ5zBWLYgSANMpThFddrZZkEbGHgUdt5UJjZfnlN9BGCiUBrf+nvbRupSjMvqzwnQN0qwCmOxITt1cfywA=="
}

Detected: nvbRupSjMvqzwnQN0qwCmOxITt1cfywA (32 chars) - This is part of an npm package integrity hash, not a secret.

  3. Go Module Checksum:
gopkg.in/DataDog/dd-trace-go.v1 v1.53.0 h1:Rc2Z3tspHI+PsspsfO4wZsSqL8l658yAUo7lFUSnPD0=

Detected: PsspsfO4wZsSqL8l658yAUo7lFUSnPD0 (32 chars) - This is part of a Go module checksum, not a secret.

  4. SOPS-encrypted Data:
stringData:
  datadog_application_key: ENC[AES256_GCM,data:l5zvI7lM7rrkPUjzWCj5OZGb1CDPW1FT/...,iv:...,tag:...,type:str]

Detected: l5zvI7lM7rrkPUjzWCj5OZGb1CDPW1FT (32 chars) - This is encrypted ciphertext, not a secret.

  5. Test/Placeholder Value:
vars:
  datadog_api_key: "11111111111111111111111111111111"

Detected: 11111111111111111111111111111111 (32 chars) - This is a test/placeholder value, not a secret.

  6. Base64-encoded Certificate:
spec:
  provider:
    vault:
      caBundle: <base64-encoded-certificate-data>

Detected: AoF2zTjTAfBgNVHSMEGDAWgBRAlpydcy (32 chars) - This is part of a base64-encoded certificate, not a secret.

Note: The certificate example above is truncated and not reproducible from this format. See the screenshot below showing the actual detection, or use the full test file in the "Steps to Reproduce" section for accurate reproduction.

Steps to Reproduce

  1. Copy the test file content from the "Test File" section below and save it as all_false_positives.yaml.
  2. Run: trufflehog filesystem --no-update all_false_positives.yaml.
  3. Observe 5 false positive detections from this file (the 6th, base64-certificate pattern, is shown via screenshot).

Alternatively: You can copy the entire contents of this issue, create a test file from the whole content, and scan it.

Test File: all_false_positives.yaml (Reproducible)

# Test file containing all 6 false positive patterns for DatadogToken detector
# Run: trufflehog filesystem --no-update all_false_positives.yaml
# Expected: 5 false positive detections from this file (the 6th, base64-certificate pattern, is shown via screenshot)

# 1. Placeholder value
vars:
  datadog_api_key: "11111111111111111111111111111111"

# 2. Base64-encoded certificate
spec:
  provider:
    vault:
      caBundle: <base64-encoded-certificate-data>

# 3. URL-encoded service name
links:
  - icon: dashboard
    title: test
    type: datadog
    url: https://app.datadoghq.com/apm/entity/service%3Agrp-merchant-merchant-service-asia
  - icon: dashboard
    title: test
    type: datadog
    url: https://app.datadoghq.com/logs?query=service%3Agrp-merchant-merchant-service-asia

# 4. SOPS-encrypted data
stringData:
  datadog_application_key: ENC[AES256_GCM,data:l5zvI7lM7rrkPUjzWCj5OZGb1CDPW1FT/UyKBHBnBCH2r0LC,iv:V92clA16qDrlgmuW5WRJ7cmEM+3oGkQQ1b1Iy4yjPx4=,tag:0Mz+6QiYCLNE8lgfwqTr5A==,type:str]

# 5. Go module checksum (in comments to show the pattern)
# gopkg.in/DataDog/dd-trace-go.v1 v1.53.0 h1:Rc2Z3tspHI+PsspsfO4wZsSqL8l658yAUo7lFUSnPD0=
# github.com/DataDog/datadog-go/v5 v5.1.1 h1:JLZ6s2K1pG2h9GkvEvMdEGqMDyVLEAccdX5TltWcLMU=

# 6. NPM integrity hash (in comments to show the pattern)
# {
#   "name": "@datadog/dd-trace",
#   "integrity": "sha512-XRUeBZ5zBWLYgSANMpThFddrZZkEbGHgUdt5UJjZfnlN9BGCiUBrf+nvbRupSjMvqzwnQN0qwCmOxITt1cfywA=="
# }

Expected Output: When scanned with TruffleHog 3.92.4, this single file will trigger 5 false positive detections:

  • 11111111111111111111111111111111 - Placeholder value
  • AoF2zTjTAfBgNVHSMEGDAWgBRAlpydcy - Base64 certificate substring - This is visible in screenshot
  • 3Amy-app-service-name-asia- - URL-encoded service name substring
  • l5zvI7lM7rrkPUjzWCj5OZGb1CDPW1FT - SOPS-encrypted data substring
  • PsspsfO4wZsSqL8l658yAUo7lFUSnPD0 - Go module checksum substring (from commented line)
  • nvbRupSjMvqzwnQN0qwCmOxITt1cfywA - NPM integrity hash substring (from commented line)

The 6th pattern, a base64 certificate substring such as AoF2zTjTAfBgNVHSMEGDAWgBRAlpydcy, is demonstrated in the certificate example and supporting screenshot above.

Note: The Go module checksum and NPM integrity hash patterns are included as comments in the YAML file. In real codebases, these would appear in go.sum and package-lock.json files respectively, and will trigger false positives when scanned alongside datadog-related files.

This issue description file itself will trigger 5 of the 6 false positive detections when scanned; the remaining base64-certificate case is shown via screenshot, demonstrating the problem in real-time.

Environment

  • OS: macOS
  • Version: 3.92.4

Additional Context

The detector currently uses these patterns:

appPat = regexp.MustCompile(detectors.PrefixRegex([]string{"datadog", "dd"}) + `\b([a-zA-Z-0-9]{40})\b`)
apiPat = regexp.MustCompile(detectors.PrefixRegex([]string{"datadog", "dd"}) + `\b([a-zA-Z-0-9]{32})\b`)

These patterns are too broad and match legitimate code identifiers, checksums, and encrypted data.

Proposed Solution:
Add false positive filters to exclude:

  1. Only letters (no digits) - Real API keys typically contain digits
  2. Repeated characters - Test/placeholder values like all 1s
  3. NPM integrity hashes - Patterns like sha512-...==
  4. Go module checksums - Patterns like h1:...=
  5. URL-encoded paths - Patterns containing %3A or URL structures
  6. SOPS-encrypted data - Patterns like ENC[AES256_GCM,data:...]
  7. Base64-encoded certificates - Patterns with caBundle or certificate markers

Expected Outcome After Fix:

  • ✅ URL-encoded service name substrings → Filtered (URL-encoded path, letters-only)
  • ✅ nvbRupSjMvqzwnQN0qwCmOxITt1cfywA → Filtered (NPM integrity hash pattern)
  • ✅ PsspsfO4wZsSqL8l658yAUo7lFUSnPD0 → Filtered (Go module checksum pattern)
  • ✅ l5zvI7lM7rrkPUjzWCj5OZGb1CDPW1FT → Filtered (SOPS-encrypted pattern)
  • ✅ 11111111111111111111111111111111 → Filtered (repeated characters)
  • ✅ AoF2zTjTAfBgNVHSMEGDAWgBRAlpydcy → Filtered (base64 certificate pattern)
  • ✅ Real Datadog API keys with digits → Still detected

Impact:

  • Creates noise in scan results
  • Requires manual review and filtering
  • Reduces trust in the detector's accuracy
  • Wastes verification API calls

References

  • None
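As an added example (not part of this issue and not TruffleHog's own code), the Go program below mirrors the two regexes quoted in "Additional Context" and applies the seven filters from "Proposed Solution" to the lines of the test file, so the reader can see which candidates each filter would drop and that an ordinary digit-containing value still gets through. It assumes a stand-in for detectors.PrefixRegex (keyword followed by up to 40 characters), scans line by line rather than in chunks, reports each distinct candidate once, and adds one constructed line with a made-up 32-character hex value in place of a real key.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// The two candidate regexes quoted in the issue. The real detector builds the prefix
// with detectors.PrefixRegex; keywordPrefix is an assumed stand-in for it: one of the
// keywords followed by up to 40 arbitrary characters.
const keywordPrefix = `(?i:datadog|dd)(?:.|[\n\r]){0,40}?`

var (
	apiPat = regexp.MustCompile(keywordPrefix + `\b([a-zA-Z-0-9]{32})\b`)
	appPat = regexp.MustCompile(keywordPrefix + `\b([a-zA-Z-0-9]{40})\b`)

	// Context patterns for proposed filters 3 to 7. A candidate is only suppressed
	// when it sits inside the matched span (certificates: a marked line suffices).
	npmIntegrity = regexp.MustCompile(`sha(?:256|384|512)-[A-Za-z0-9+/]+=*`)
	goChecksum   = regexp.MustCompile(`\bh1:[A-Za-z0-9+/]+=*`)
	urlPath      = regexp.MustCompile(`(?i)https?://\S+|\S*%3a\S*`)
	sopsValue    = regexp.MustCompile(`ENC\[AES256_GCM,data:[^\]]*\]`)
	certContext  = regexp.MustCompile(`caBundle|BEGIN CERTIFICATE`)
)

// Finding is one regex candidate plus the filter that would suppress it ("" = still reported).
type Finding struct {
	Line       int
	Candidate  string
	Suppressed string
}

// FalsePositiveReason applies the seven proposed filters, in the issue's order,
// to a candidate and the line it was found on; "" means no filter applies.
func FalsePositiveReason(candidate, line string) string {
	switch {
	case candidate == "":
		return ""
	case !strings.ContainsAny(candidate, "0123456789"):
		return "letters-only"
	case strings.Count(candidate, candidate[:1]) == len(candidate):
		return "repeated-characters"
	case within(npmIntegrity, line, candidate):
		return "npm-integrity-hash"
	case within(goChecksum, line, candidate):
		return "go-module-checksum"
	case within(urlPath, line, candidate):
		return "url-encoded-path"
	case within(sopsValue, line, candidate):
		return "sops-encrypted-data"
	case certContext.MatchString(line):
		return "certificate-data"
	}
	return ""
}

// within reports whether candidate lies inside some span of line matched by re.
func within(re *regexp.Regexp, line, candidate string) bool {
	for _, loc := range re.FindAllStringIndex(line, -1) {
		if strings.Contains(line[loc[0]:loc[1]], candidate) {
			return true
		}
	}
	return false
}

// Scan runs both regexes line by line (the real scanner works on chunks, so its
// 40-character window can span lines), reports each distinct candidate once and
// tags it with the filter that would drop it.
func Scan(text string) []Finding {
	var out []Finding
	seen := map[string]bool{}
	for i, line := range strings.Split(text, "\n") {
		for _, re := range []*regexp.Regexp{apiPat, appPat} {
			for _, m := range re.FindAllStringSubmatch(line, -1) {
				if seen[m[1]] {
					continue
				}
				seen[m[1]] = true
				out = append(out, Finding{Line: i + 1, Candidate: m[1], Suppressed: FalsePositiveReason(m[1], line)})
			}
		}
	}
	return out
}

// sampleText is constructed from lines of the issue's test file plus one made-up
// line whose 32-character hex value stands in for a real key (it is not a credential).
const sampleText = `  datadog_api_key: "11111111111111111111111111111111"
    url: https://app.datadoghq.com/apm/entity/service%3Agrp-merchant-merchant-service-asia
    url: https://app.datadoghq.com/logs?query=service%3Agrp-merchant-merchant-service-asia
  datadog_application_key: ENC[AES256_GCM,data:l5zvI7lM7rrkPUjzWCj5OZGb1CDPW1FT/UyKBHBnBCH2r0LC,iv:V92clA16qDrlgmuW5WRJ7cmEM+3oGkQQ1b1Iy4yjPx4=,tag:0Mz+6QiYCLNE8lgfwqTr5A==,type:str]
# gopkg.in/DataDog/dd-trace-go.v1 v1.53.0 h1:Rc2Z3tspHI+PsspsfO4wZsSqL8l658yAUo7lFUSnPD0=
# github.com/DataDog/datadog-go/v5 v5.1.1 h1:JLZ6s2K1pG2h9GkvEvMdEGqMDyVLEAccdX5TltWcLMU=
#   "name": "@datadog/dd-trace",
#   "integrity": "sha512-XRUeBZ5zBWLYgSANMpThFddrZZkEbGHgUdt5UJjZfnlN9BGCiUBrf+nvbRupSjMvqzwnQN0qwCmOxITt1cfywA=="
  datadog_api_key: "a1b2c3d4e5f60718293a4b5c6d7e8f90"`

func main() {
	for _, f := range Scan(sampleText) {
		verdict := "REPORT"
		if f.Suppressed != "" {
			verdict = "suppress: " + f.Suppressed
		}
		fmt.Printf("line %2d  %-34s  %s\n", f.Line, f.Candidate, verdict)
	}
}
```

Running it lists the five substrings from the issue, each tagged with the filter that would suppress it, and the constructed key as the one candidate still reported. Note that the URL match is the 32-character window "3Agrp-merchant-merchant-service-" because the character class in the quoted regex includes the hyphen, and that the second go.sum line yields no candidate at all since its 43-character checksum has no inner word boundary; the filters check the surrounding line rather than the candidate alone, so a checksum-looking context only suppresses a candidate that is actually embedded in it.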