trufflesecurity/trufflehog

Waveapps.com payment tokens

Open

#4618 opened on Dec 27, 2025

View on GitHub
 (0 comments) (0 reactions) (0 assignees)Go (26,285 stars) (2,397 forks)batch import
enhancementgood first issuepkg/detectors

Description

Please review the Community Note before submitting

Description

Request a new detector for Wave API payment tokens that appear in environment variables and configs. The tokens have distinct wave_sn_prod_ and wave_ci_prod_ prefixes and should be treated as sensitive secrets.

Preferred Solution

Add a detector that flags both wave_sn_prod_ and wave_ci_prod_ tokens. These tokens are commonly stored in variables like WAVE_SN_PAYMENT_TOKEN and WAVE_CI_PAYMENT_TOKEN and should be detected with equal severity. A regex like the following is likely sufficient (tune length as needed):

(?:WAVE_(?:SN|CI)_PAYMENT_TOKEN\s*[:=]\s*)?(wave_(?:sn|ci)_prod_[A-Za-z0-9_-]{30,})

Expected output should identify the token value and (optionally) the variable name if present.

Additional Context

Wave’s public API is GraphQL at https://gql.waveapps.com/graphql/public. Requests are HTTP POST with JSON body containing query (and optional variables) and use Authorization: Bearer <ACCESS_TOKEN> for auth. These payment tokens are used for Wave API authentication and can show up in CI/CD or server configs.

References

Contributor guide

Tech stack
gorest api
Domain
securityapibackend
Issue type
feature
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
fresh
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
Go programming basicsfamiliarity with secret detection patternsunderstanding of trufflehog's detector architecture
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
65
Research direction
To implement this detector, first study existing detectors in the trufflehog codebase, for example in the `pkg/detectors/` directory. Create a new detector file (e.g., `wave.go`) that implements the `Detector` interface. Use the provided regex pattern `(?:WAVE (?:SN|CI) PAYMENT TOKEN\s*[:=]\s*)?(wave (?:sn|ci) prod [A Za z0-9 ]{30,})` to match the tokens. Ensure both `wave sn prod ` and `wave ci prod ` prefixes are captured. Write unit tests with sample tokens and verify detection. Optionally, add the detector to the registry in `pkg/detectors/detectors.go`. The issue references Wave's authentication documentation, which should be consulted for token format validation.