From d67566f30b6b248dd99a2d0a1cd8f22497b59025 Mon Sep 17 00:00:00 2001
From: Djordje Lukic <djordje.lukic@docker.com>
Date: Fri, 29 May 2026 22:54:14 +0200
Subject: [PATCH] Add rule for daytona api keys

Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
---
 portcullis_test.go | 1 +
 rules.go           | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/portcullis_test.go b/portcullis_test.go
index 6452223..80693de 100644
--- a/portcullis_test.go
+++ b/portcullis_test.go
@@ -249,6 +249,7 @@ func TestContainsRecognisesKnownTokens(t *testing.T) {
 		{"flutterwave_live_secret", "FLWSECK-" + strings.Repeat("a", 32) + "-X"},
 		{"slack_workflow_webhook", "https://hooks.slack.com/workflows/T" + strings.Repeat("A", 10) + "/A" + strings.Repeat("B", 10) + "/" + strings.Repeat("1", 18) + "/" + strings.Repeat("a", 24)},
 		{"sourcegraph_cody_key", "slk_" + strings.Repeat("a", 64)},
+		{"daytona_api_key", "dtn_" + strings.Repeat("a", 64)},
 		// GitHub App stateless installation token (post-2026 rollout).
 		// `ghs_` prefix + JWT (header.payload.signature). Built at
 		// runtime so the literal token never sits on a single source
diff --git a/rules.go b/rules.go
index 8a8b075..b99ca63 100644
--- a/rules.go
+++ b/rules.go
@@ -1912,6 +1912,12 @@ var rules = sync.OnceValue(func() []rule {
 			expression: `slk_[a-f0-9]{64}`,
 			keywords:   []string{"slk_"},
 		},
+		{
+			// daytona-api-key. Daytona API keys carry the `dtn_`
+			// prefix followed by a 64-character lowercase-hex body.
+			expression: `dtn_[a-f0-9]{64}`,
+			keywords:   []string{"dtn_"},
+		},
 	}
 })