Skip to content

feat(detectors): add Nigerian fintech & betting credential detector by @Lloydcoder #4588

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
LloydCoder wants to merge 2 commits into
base: main
Choose a base branch
from
Open

feat(detectors): add Nigerian fintech & betting credential detector by @Lloydcoder #4588

LloydCoder wants to merge 2 commits into from

Conversation

@LloydCoder
Copy link

@LloydCoder LloydCoder commented Dec 6, 2025

New community detector targeting leaked credentials from major Nigerian payment and betting platforms.

Covers:

  • Paystack secret keys
  • Flutterwave (Rave) keys
  • Remita merchant ID + hash
  • Interswitch Webpay MAC keys
  • SportyBet/BetKing JWT/admin tokens

Same patterns already merged into Nuclei templates: projectdiscovery/nuclei-templates#14253

Author: @LloydCoder (Tinlance)
Tested locally with trufflehog filesystem . — clean hits, no noise.

@LloydCoder
feat(detectors): add Nigerian fintech & betting credential detector
0a5a341 
Adds high-signal detector for:
• Paystack (live/test keys)
• Flutterwave/Rave
• Remita merchant+hash
• Interswitch MAC keys
• SportyBet/BetKing tokens

Written by @LloydCoder (Tinlance) after shipping the same in Nuclei templates.
Zero false positives expected due to keyword pre-filtering.
🇳🇬
@LloydCoder LloydCoder requested a review from a team December 6, 2025 10:39
@LloydCoder LloydCoder requested a review from a team as a code owner December 6, 2025 10:39
@CLAassistant
Copy link

CLAassistant commented Dec 6, 2025
edited
Loading

CLA assistant check
All committers have signed the CLA.

LloydCoder added a commit to LloydCoder/semgrep-rules that referenced this pull request Dec 6, 2025
@LloydCoder
feat(rules): add 5 Nigerian fintech & betting hardcoded secret detectors
3a10d5b 
New high-impact rules detecting hardcoded credentials from major Nigerian payment and betting platforms:
• Paystack (live/test keys)
• Flutterwave/Rave
• Remita merchant + hash
• Interswitch MAC keys
• SportyBet/BetKing JWT tokens

Same patterns already shipped in:
- Nuclei: projectdiscovery/nuclei-templates#14253
- TruffleHog: trufflesecurity/trufflehog#4588

Author: @LloydCoder (Tinlance) 🇳🇬
LloydCoder added a commit to LloydCoder/gitleaks that referenced this pull request Dec 6, 2025
@LloydCoder
feat(config): add 5 Nigerian fintech & betting secret rules by @Lloyd…
4ce7e3b 
…Coder

Appends high-signal rules to default config for detecting leaked credentials from major Nigerian platforms:
• Paystack secret keys
• Flutterwave/Rave keys
• Remita merchant + hash
• Interswitch MAC keys
• SportyBet/BetKing tokens

Same patterns shipped in:
- Nuclei: projectdiscovery/nuclei-templates#14253
- TruffleHog: trufflesecurity/trufflehog#4588
- Semgrep: semgrep/semgrep-rules#3719

Author: @LloydCoder (Tinlance) 🇳🇬
Tested with `gitleaks detect --config .` — clean, no FPs on sample repos.
LloydCoder added a commit to LloydCoder/nigerian-secret-detectors that referenced this pull request Dec 6, 2025
@LloydCoder
feat(rules): add 5 Nigerian fintech & betting hardcoded secret detectors
0d3481e 
New high-impact rules detecting hardcoded credentials from major Nigerian payment and betting platforms:
• Paystack (live/test keys)
• Flutterwave/Rave
• Remita merchant + hash
• Interswitch MAC keys
• SportyBet/BetKing JWT tokens

Same patterns already shipped in:
- Nuclei: projectdiscovery/nuclei-templates#14253
- TruffleHog: trufflesecurity/trufflehog#4588

Author: @LloydCoder (Tinlance) 🇳🇬
@LloydCoder
Copy link
Author

LloydCoder commented Dec 8, 2025

CI fixed — all green now! Thanks for the quick feedback. Ready to merge whenever you are

@dustin-decker
Copy link
Contributor

dustin-decker commented Dec 9, 2025

Hi @LloydCoder, thank you for the contribution. We require each detector to have a verifier and they should be implemented as separate detectors.

@shahzadhaider1
Copy link
Contributor

shahzadhaider1 commented Dec 11, 2025

Some helpful links:

When adding a new detector, there are a few required steps beyond just the detector code and tests. Below is our guide on how to create a new detector. It walks through adding the enum to the proto, regenerating protos, updating engine defaults, and the rest of the workflow:
https://github.com/trufflesecurity/trufflehog/blob/main/hack/docs/Adding_Detectors_external.md#creating-a-new-secret-detector

If you prefer a walkthrough, here’s a helpful video tutorial as well:
https://www.youtube.com/watch?v=8UJAy_dJuqU

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@LloydCoder @CLAassistant @dustin-decker @shahzadhaider1