trufflesecurity · nabeelalam · Oct 29, 2025
@@ -3,6 +3,7 @@ package pagerdutyapikey
 import (
 	"context"
 	"fmt"
+	"io"
 	"net/http"
 	"strings"
 
@@ -84,6 +85,20 @@ func verifyPagerdutyapikey(ctx context.Context, client *http.Client, token strin
 	switch res.StatusCode {
 	case http.StatusOK:
 		return true, nil
+	case http.StatusForbidden:
+		bodyBytes, err := io.ReadAll(res.Body)
+		if err != nil {
+			return false, err
+		}
+		bodyStr := string(bodyBytes)
+
+		// 403 with "Access Denied" and "2010" means valid credentials with insufficient permissions.
+		// Ref: https://developer.pagerduty.com/docs/errors
+		if strings.Contains(bodyStr, "Access Denied") && strings.Contains(bodyStr, "2010") {
+			return true, nil
+		}
+
+		return false, fmt.Errorf("response status forbidden 403: %s", bodyStr)
 	case http.StatusUnauthorized:
 		return false, nil
 	default:

@@ -132,7 +132,7 @@ func TestPagerDutyApiKey_FromChunk(t *testing.T) {
 					t.Errorf("PagerDutyApiKey.FromData() verificationError = %v, wantVerificationErr %v", got[i].VerificationError(), tt.wantVerificationErr)
 				}
 			}
-			ignoreOpts := cmpopts.IgnoreFields(detectors.Result{}, "Raw", "verificationError")
+			ignoreOpts := cmpopts.IgnoreFields(detectors.Result{}, "Raw", "verificationError", "primarySecret")
 			if diff := cmp.Diff(got, tt.want, ignoreOpts); diff != "" {
 				t.Errorf("PagerDutyApiKey.FromData() %s diff: (-got +want)\n%s", tt.name, diff)
 			}