Description
Request a new detector for Wave API payment tokens that appear in environment variables and configs. The tokens have distinct wave_sn_prod_ and wave_ci_prod_ prefixes and should be treated as sensitive secrets.
Preferred Solution
Add a detector that flags both wave_sn_prod_ and wave_ci_prod_ tokens. These tokens are commonly stored in variables like WAVE_SN_PAYMENT_TOKEN and WAVE_CI_PAYMENT_TOKEN and should be detected with equal severity. A regex like the following is likely sufficient (tune length as needed):
(?:WAVE_(?:SN|CI)_PAYMENT_TOKEN\s*[:=]\s*)?(wave_(?:sn|ci)_prod_[A-Za-z0-9_-]{30,})
Expected output should identify the token value and (optionally) the variable name if present.
Additional Context
Wave’s public API is GraphQL at https://gql.waveapps.com/graphql/public. Requests are HTTP POST with JSON body containing query (and optional variables) and use Authorization: Bearer <ACCESS_TOKEN> for auth. These payment tokens are used for Wave API authentication and can show up in CI/CD or server configs.
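As an added example (not code from this issue or from any scanner project), a small Python detector built around the regex proposed under Preferred Solution: it extracts the token value plus the optional variable name, redacts the value for reporting, and builds, without sending it, the Bearer-authenticated POST to the GraphQL endpoint named in Additional Context that a verification step would use. The sample config text and the `__typename` query are constructed placeholders, not real secrets or a documented Wave query.

```python
import json
import re

# Regex from the issue, with the variable name captured so reports can show it.
# The 30-character floor is the issue's suggestion; tune if real tokens differ.
WAVE_TOKEN_RE = re.compile(
    r"(?:(WAVE_(?:SN|CI)_PAYMENT_TOKEN)\s*[:=]\s*)?"
    r"(wave_(?:sn|ci)_prod_[A-Za-z0-9_-]{30,})"
)
GRAPHQL_URL = "https://gql.waveapps.com/graphql/public"

# Constructed sample: one .env-style line, one YAML-style line, one too-short value.
SAMPLE_CONFIG = """
# constructed sample config, not a real secret
WAVE_SN_PAYMENT_TOKEN=wave_sn_prod_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
payment:
  token: wave_ci_prod_abcdefghijklmnopqrstuvwxyz0123456789-_xyz
OTHER_KEY=wave_ci_prod_short
"""


def find_wave_tokens(text):
    """Return one finding per match: variable name (None if absent), kind, token."""
    findings = []
    for m in WAVE_TOKEN_RE.finditer(text):
        var_name, token = m.group(1), m.group(2)
        kind = "sn" if token.startswith("wave_sn_prod_") else "ci"
        findings.append({"variable": var_name, "kind": kind, "token": token})
    return findings


def redact(token, keep=6):
    """Keep the identifying prefix plus a few characters so reports do not leak the secret."""
    return token[: len("wave_xx_prod_") + keep] + "..."


def build_verification_request(token):
    """Describe (do not send) the request a verifier would issue: HTTP POST, JSON body
    with a query, Authorization: Bearer header, as described in the issue. The query
    itself is a hypothetical placeholder."""
    return {
        "method": "POST",
        "url": GRAPHQL_URL,
        "headers": {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        "body": json.dumps({"query": "query { __typename }"}),
    }


if __name__ == "__main__":
    for f in find_wave_tokens(SAMPLE_CONFIG):
        print(f["variable"], f["kind"], redact(f["token"]))
```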