trufflesecurity · mustansir14 · May 6, 2026 · May 11, 2026 · May 11, 2026 · May 11, 2026
@@ -17,53 +17,46 @@ import (
 	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detector_typepb"
 )
 
-type Scanner struct{ client *http.Client }
-
-// Ensure the Scanner satisfies the interface at compile time.
-var _ detectors.Detector = (*Scanner)(nil)
-
-var (
-	defaultClient = common.SaneHttpClient()
-	// Make sure that your group is surrounded in boundary characters such as below to reduce false positives.
-	keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"wandb"}) + `\b([0-9a-f]{40})\b`)
-)
+// BaseScanner is a base struct embedded by versioned scanners. It holds the HTTP client and
+// shared detection/verification logic.
+type BaseScanner struct {
+	Client *http.Client
+}
 
-// Keywords are used for efficiently pre-filtering chunks.
-// Use identifiers in the secret preferably, or the provider name.
-func (s Scanner) Keywords() []string { return []string{"wandb"} }
+var defaultClient = common.SaneHttpClient()
 
-// FromData will find and optionally verify Weightsandbiases secrets in a given set of bytes.
-func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) {
+// FromData finds and optionally verifies WeightsAndBiases secrets in data using the provided
+// pattern. version is included in ExtraData of each result.
+func (s BaseScanner) FromData(ctx context.Context, verify bool, data []byte, keyPat *regexp.Regexp, version int) ([]detectors.Result, error) {
 	dataStr := string(data)
-
 	uniqueMatches := make(map[string]struct{})
 	for _, match := range keyPat.FindAllStringSubmatch(dataStr, -1) {
 		uniqueMatches[match[1]] = struct{}{}
 	}
 
+	var results []detectors.Result
 	for match := range uniqueMatches {
-		s1 := detectors.Result{
+		r := detectors.Result{
 			DetectorType: detector_typepb.DetectorType_WeightsAndBiases,
 			Raw:          []byte(match),
 			SecretParts:  map[string]string{"key": match},
 		}
 
 		if verify {
-			client := s.client
-			if client == nil {
-				client = defaultClient
-			}
-
-			isVerified, extraData, verificationErr := verifyMatch(ctx, client, match)
-			s1.Verified = isVerified
-			s1.ExtraData = extraData
-			s1.SetVerificationError(verificationErr, match)
+			isVerified, extraData, verificationErr := s.verifyMatch(ctx, match)
+			r.Verified = isVerified
+			r.ExtraData = extraData
+			r.SetVerificationError(verificationErr, match)
 		}
 
-		results = append(results, s1)
-	}
+		if r.ExtraData == nil {
+			r.ExtraData = make(map[string]string)
+		}
+		r.ExtraData["version"] = strconv.Itoa(version)
 
-	return
+		results = append(results, r)
+	}
+	return results, nil
 }
 
 type viewerResponse struct {
@@ -77,7 +70,16 @@ type viewerResponse struct {
 	} `json:"data"`
 }
 
-func verifyMatch(ctx context.Context, client *http.Client, token string) (bool, map[string]string, error) {
+// verifyMatch checks the credential against the W&B GraphQL /graphql endpoint using the viewer query,
+// which requires no special permissions. A 200 with a non-empty username means the token is valid;
+// 401 means invalid or revoked.
+// Docs: https://docs.wandb.ai/ref/graphql
+func (s BaseScanner) verifyMatch(ctx context.Context, token string) (bool, map[string]string, error) {
+	client := s.Client
+	if client == nil {
+		client = defaultClient
+	}
+
 	query := `{"query": "query Viewer { viewer { id username email admin } }"}`
 
 	const baseURL = "https://api.wandb.ai/graphql"
@@ -124,10 +126,10 @@ func verifyMatch(ctx context.Context, client *http.Client, token string) (bool,
 	}
 }
 
-func (s Scanner) Description() string {
+func (s BaseScanner) Description() string {
 	return "Weights & Biases is a Machine Learning Operations (MLOps) platform that helps track experiments, version datasets, evaluate model performance, and collaborate with team members"
 }
 
-func (s Scanner) Type() detector_typepb.DetectorType {
+func (s BaseScanner) Type() detector_typepb.DetectorType {
 	return detector_typepb.DetectorType_WeightsAndBiases
 }
@@ -0,0 +1,29 @@
+package weightsandbiases
+
+import (
+	"context"
+
+	regexp "github.com/wasilibs/go-re2"
+
+	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
+	base "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/weightsandbiases"
+)
+
+type Scanner struct {
+	base.BaseScanner
+}
+
+// Ensure the Scanner satisfies the interface at compile time.
+var _ detectors.Detector = (*Scanner)(nil)
+var _ detectors.Versioner = (*Scanner)(nil)
+
+var keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"wandb"}) + `\b([0-9a-f]{40})\b`)
+
+func (s Scanner) Version() int { return 1 }
+
+func (s Scanner) Keywords() []string { return []string{"wandb"} }
+
+func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) ([]detectors.Result, error) {
+	return s.BaseScanner.FromData(ctx, verify, data, keyPat, s.Version())
+}
+
@@ -14,6 +14,7 @@ import (
 
 	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
+	base "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/weightsandbiases"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detector_typepb"
 )
 
@@ -56,6 +57,7 @@ func TestWeightsandbiases_FromChunk(t *testing.T) {
 						"admin":    "false",
 						"email":    "source-integrations@trufflesec.com",
 						"username": "source-integrations",
+						"version":  "1",
 					},
 				},
 			},
@@ -74,6 +76,7 @@ func TestWeightsandbiases_FromChunk(t *testing.T) {
 				{
 					DetectorType: detector_typepb.DetectorType_WeightsAndBiases,
 					Verified:     false,
+					ExtraData:    map[string]string{"version": "1"},
 				},
 			},
 			wantErr:             false,
@@ -93,7 +96,7 @@ func TestWeightsandbiases_FromChunk(t *testing.T) {
 		},
 		{
 			name: "found, would be verified if not for timeout",
-			s:    Scanner{client: common.SaneHttpClientTimeOut(1 * time.Microsecond)},
+			s:    Scanner{BaseScanner: base.BaseScanner{Client: common.SaneHttpClientTimeOut(1 * time.Microsecond)}},
 			args: args{
 				ctx:    context.Background(),
 				data:   []byte(fmt.Sprintf("You can find a weightsandbiases secret wandb %s within", secret)),
@@ -103,14 +106,15 @@ func TestWeightsandbiases_FromChunk(t *testing.T) {
 				{
 					DetectorType: detector_typepb.DetectorType_WeightsAndBiases,
 					Verified:     false,
+					ExtraData:    map[string]string{"version": "1"},
 				},
 			},
 			wantErr:             false,
 			wantVerificationErr: true,
 		},
 		{
 			name: "found, verified but unexpected api surface",
-			s:    Scanner{client: common.ConstantResponseHttpClient(404, "")},
+			s:    Scanner{BaseScanner: base.BaseScanner{Client: common.ConstantResponseHttpClient(404, "")}},
 			args: args{
 				ctx:    context.Background(),
 				data:   []byte(fmt.Sprintf("You can find a weightsandbiases secret wandb %s within", secret)),
@@ -120,6 +124,7 @@ func TestWeightsandbiases_FromChunk(t *testing.T) {
 				{
 					DetectorType: detector_typepb.DetectorType_WeightsAndBiases,
 					Verified:     false,
+					ExtraData:    map[string]string{"version": "1"},
 				},
 			},
 			wantErr:             false,
@@ -138,11 +143,14 @@ func TestWeightsandbiases_FromChunk(t *testing.T) {
 				if len(got[i].Raw) == 0 {
 					t.Fatalf("no raw secret present: \n %+v", got[i])
 				}
+				if len(got[i].SecretParts) == 0 {
+					t.Fatalf("no secret parts present: \n %+v", got[i])
+				}
 				if (got[i].VerificationError() != nil) != tt.wantVerificationErr {
 					t.Fatalf("wantVerificationError = %v, verification error = %v", tt.wantVerificationErr, got[i].VerificationError())
 				}
 			}
-			ignoreOpts := cmpopts.IgnoreFields(detectors.Result{}, "Raw", "verificationError")
+			ignoreOpts := cmpopts.IgnoreFields(detectors.Result{}, "Raw", "verificationError", "primarySecret", "SecretParts")
 			if diff := cmp.Diff(got, tt.want, ignoreOpts); diff != "" {
 				t.Errorf("Weightsandbiases.FromData() %s diff: (-got +want)\n%s", tt.name, diff)
 			}

@@ -0,0 +1,31 @@
+package weightsandbiases
+
+import (
+	"context"
+
+	regexp "github.com/wasilibs/go-re2"
+
+	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
+	base "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/weightsandbiases"
+)
+
+type Scanner struct {
+	base.BaseScanner
+}
+
+// Ensure the Scanner satisfies the interface at compile time.
+var _ detectors.Detector = (*Scanner)(nil)
+var _ detectors.Versioner = (*Scanner)(nil)
+
+// wandb_v1_<27 alphanumeric chars>_<49 alphanumeric chars>
+// Example: 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
+var keyPat = regexp.MustCompile(`\b(wandb_v1_[A-Za-z0-9]{27}_[A-Za-z0-9]{49})\b`)
+
+func (s Scanner) Version() int { return 2 }
+
+func (s Scanner) Keywords() []string { return []string{"wandb_v1_"} }
+
+func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) ([]detectors.Result, error) {
+	return s.BaseScanner.FromData(ctx, verify, data, keyPat, s.Version())
+}
+