Community Note
Please vote on this issue by adding a 👍 reaction to help prioritize this request.
Description
Many popular web frameworks use application secret keys that are critical for security (session signing, CSRF protection, encryption). These secrets are often accidentally committed in .env files or configuration files and represent a significant security risk.
Currently, TruffleHog does not detect these framework-specific secrets. Adding detectors for them would help catch a common class of security vulnerabilities.
Frameworks and Patterns
| Framework | Variable | Pattern | Example |
|---|---|---|---|
| Symfony | `APP_SECRET` | `[a-f0-9]{32,}` | `APP_SECRET=a1b2c3d4e5f6...` |
| Laravel | `APP_KEY` | `base64:[A-Za-z0-9+/=]{44}` | `APP_KEY=base64:wJalrXUtn...` |
| Django | `SECRET_KEY` | `[^\s'"]{50,}` | `SECRET_KEY='django-insecure-...'` |
| Rails | `SECRET_KEY_BASE` | `[a-f0-9]{64,128}` | `SECRET_KEY_BASE=abc123...` |
Security Impact
These secrets enable an attacker to:
- Forge session cookies - impersonate any user, since the session is only as trustworthy as the signing key
- Bypass CSRF protection - mint valid tokens and execute state-changing actions
- Decrypt sensitive data - read encrypted cookies and tokens
- RCE in some cases - Laravel decrypts cookies with `APP_KEY` and then unserializes the payload, so a known key lets an attacker supply a crafted serialized object, which has led to RCE
Real-world Context
During a security audit of a GitHub organization, I found multiple exposed APP_SECRET values in .env files that TruffleHog did not detect. These secrets were in git history and still active.
Preferred Solution
Add new detectors for framework secret keys with:
- Pattern matching based on the well-defined formats above
- Keyword context to reduce false positives (e.g. require the `APP_SECRET=` prefix rather than matching bare hex)
- File path hints (`.env`, `settings.py`, `config/app.php`, etc.)

Since these secrets cannot be verified against any API, they would be "unverified" detectors, but with high confidence because the patterns are strict and anchored to the variable name.
Implementation Notes
Based on the Adding Detectors documentation:
- These would be unverified detectors (no API to validate against)
- High signal patterns with low false positive rates
- Could be implemented as a single "FrameworkSecretKey" detector with version support, or as separate detectors per framework
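As an added, stand-alone illustration of the preferred solution and the implementation notes above (this is not TruffleHog's code and does not use its detector interface; the names `ScanFrameworkSecrets`, `Finding` and `looksLikePlaceholder` and the sample file contents are my own, constructed for the example), here is a Go scanner that applies the four patterns with a keyword pre-filter and a cheap placeholder check. The Laravel pattern is tightened slightly: a 32-byte AES-256 key base64-encodes to 43 characters plus one `=`.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one candidate framework secret located in a text blob.
type Finding struct {
	Framework string
	Variable  string
	Secret    string
	Line      int
	Hint      string // extra context for the reviewer, may be empty
}

// frameworkPattern pairs the variable name (used as a cheap keyword
// pre-filter) with the strict regex that extracts the value (group 1).
// Anchoring to the variable name is what keeps the false positive rate low.
type frameworkPattern struct {
	framework string
	variable  string
	re        *regexp.Regexp
}

// Patterns follow the table in the issue. `[ \t]` rather than `\s` is used
// so a match never spans a newline, which keeps line numbers accurate.
var patterns = []frameworkPattern{
	{"Symfony", "APP_SECRET", regexp.MustCompile(`(?m)^[ \t]*(?:export[ \t]+)?APP_SECRET[ \t]*[=:][ \t]*['"]?([a-f0-9]{32,})['"]?`)},
	{"Laravel", "APP_KEY", regexp.MustCompile(`(?m)^[ \t]*(?:export[ \t]+)?APP_KEY[ \t]*[=:][ \t]*['"]?(base64:[A-Za-z0-9+/]{43}=)['"]?`)},
	{"Django", "SECRET_KEY", regexp.MustCompile(`(?m)^[ \t]*SECRET_KEY[ \t]*=[ \t]*['"]([^\s'"]{50,})['"]`)},
	{"Rails", "SECRET_KEY_BASE", regexp.MustCompile(`(?m)^[ \t]*(?:export[ \t]+)?SECRET_KEY_BASE[ \t]*[=:][ \t]*['"]?([a-f0-9]{64,128})['"]?`)},
}

// looksLikePlaceholder drops values no key generator would emit: obvious
// placeholder words, or fewer than six distinct characters ("0000...").
// This is a heuristic written for this example, not a TruffleHog facility.
func looksLikePlaceholder(secret string) bool {
	lower := strings.ToLower(secret)
	for _, w := range []string{"changeme", "your_secret", "replace_me", "example"} {
		if strings.Contains(lower, w) {
			return true
		}
	}
	distinct := map[rune]struct{}{}
	for _, r := range secret {
		distinct[r] = struct{}{}
	}
	return len(distinct) < 6
}

// ScanFrameworkSecrets returns every non-placeholder framework secret in data,
// in pattern order, with 1-based line numbers.
func ScanFrameworkSecrets(data string) []Finding {
	var findings []Finding
	for _, p := range patterns {
		if !strings.Contains(data, p.variable) { // keyword pre-filter before any regex work
			continue
		}
		for _, m := range p.re.FindAllStringSubmatchIndex(data, -1) {
			secret := data[m[2]:m[3]]
			if looksLikePlaceholder(secret) {
				continue
			}
			f := Finding{Framework: p.framework, Variable: p.variable, Secret: secret,
				Line: strings.Count(data[:m[0]], "\n") + 1}
			if p.framework == "Django" && strings.HasPrefix(secret, "django-insecure-") {
				f.Hint = "startproject-generated key; still valid if deployed"
			}
			findings = append(findings, f)
		}
	}
	return findings
}

// Constructed sample inputs; none of these values is a real secret.
const sampleEnv = `# .env (constructed sample)
APP_ENV=prod
APP_SECRET=4f8c2e1a9b7d3c6e5f0a1b2c3d4e5f60
APP_KEY=base64:wJalrXUtnFEMI/K7MDENG/bPxRfiCYzQ9m2Lk8vT0h3=
SECRET_KEY_BASE=9c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d
# placeholder that should be skipped
APP_SECRET=00000000000000000000000000000000`

const sampleSettings = `# settings.py (constructed sample)
DEBUG = False
SECRET_KEY = 'django-insecure-k3#v@x!9m$q2w%r^t&y*u(i-o_p=l+j)h7g6f5d4s3a2z1'`

func main() {
	for _, f := range append(ScanFrameworkSecrets(sampleEnv), ScanFrameworkSecrets(sampleSettings)...) {
		fmt.Printf("%-8s %-16s line %d  %s  %s\n", f.Framework, f.Variable, f.Line, f.Secret, f.Hint)
	}
}
```

Running it reports the Symfony, Laravel and Rails values from the `.env` sample (lines 3, 4 and 5) and the Django key from `settings.py`, while the all-zero `APP_SECRET` on the last `.env` line is discarded by the placeholder check; `SECRET_KEY_BASE` is not mistaken for a Django `SECRET_KEY` because the Django regex requires `=` directly after the variable name.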
Additional Context
Sourcing Guidelines compliance:
- ✅ These frameworks host data (sessions, user data)
- ✅ Many have paid services (Laravel Forge, Symfony Cloud, etc.)
Example regex for Symfony (Go, as used by TruffleHog detectors):

```go
import "regexp"

// Symfony APP_SECRET: 32 or more lowercase hex characters after "=" or ":",
// optionally quoted; the secret itself is capture group 1.
var keyPat = regexp.MustCompile(`APP_SECRET[=:]\s*['"]?([a-f0-9]{32,})['"]?`)
```