support boxsdk > v4

.pre-commit-config.yaml

@@ -37,7 +37,7 @@ repos:
       # You are encouraged to use static refs such as tags, instead of branch name
       #
       # Running "pre-commit autoupdate" would automatically updates rev to latest tag
-      rev: 0.13.1+ibm.63.dss
+      rev: 0.13.1+ibm.64.dss
       hooks:
           - id: detect-secrets # pragma: whitelist secret
             # Add options for detect-secrets-hook binary. You can run `detect-secrets-hook --help` to list out all possible options.

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "test_data/.*|tests/.*|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2025-10-02T20:03:24Z",
+  "generated_at": "2026-03-27T23:43:18Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -242,7 +242,7 @@
       }
     ]
   },
-  "version": "0.13.1+ibm.63.dss",
+  "version": "0.13.1+ibm.64.dss",
   "word_list": {
     "file": null,
     "hash": null

detect_secrets/__init__.py

@@ -1 +1 @@
-VERSION = '0.13.1+ibm.64.dss'
+VERSION = '0.13.1+ibm.65.dss'

detect_secrets/plugins/box.py

@@ -1,5 +1,14 @@
-from boxsdk import Client
-from boxsdk import JWTAuth
+try:
+    from boxsdk import Client
+    from boxsdk import JWTAuth
+
+    BOX_SDK_FLAVOR = 'legacy'
+except ImportError:
+    from box_sdk_gen import BoxClient as Client
+    from box_sdk_gen import BoxJWTAuth as JWTAuth
+    from box_sdk_gen import JWTConfig
+
+    BOX_SDK_FLAVOR = 'generated'
 
 from .base import RegexBasedDetector
 from detect_secrets.core.constants import VerifiedResult
@@ -106,17 +115,33 @@ def get_box_user(
     clientid, token, enterpriseid,
     publickeyid, passphrase, privatekey,
 ):
-    auth = JWTAuth(
-        client_id=clientid,
-        client_secret=token,
-        enterprise_id=enterpriseid,
-        jwt_key_id=publickeyid,
-        rsa_private_key_passphrase=passphrase.encode(),
-        rsa_private_key_data=privatekey,
-    )
     try:
+        if BOX_SDK_FLAVOR == 'legacy':
+            auth = JWTAuth(
+                client_id=clientid,
+                client_secret=token,
+                enterprise_id=enterpriseid,
+                jwt_key_id=publickeyid,
+                rsa_private_key_passphrase=passphrase.encode(),
+                rsa_private_key_data=privatekey,
+            )
+            client = Client(auth)
+
+            return client.user().get().name
+
+        auth = JWTAuth(
+            config=JWTConfig(
+                client_id=clientid,
+                client_secret=token,
+                enterprise_id=enterpriseid,
+                jwt_key_id=publickeyid,
+                private_key_passphrase=passphrase,
+                private_key=privatekey,
+            ),
+        )
         client = Client(auth)
-        return client.user().get().name
+
+        return client.users.get_user_me().name
     except Exception:
         return None
 

requirements-dev.txt

@@ -13,7 +13,7 @@ tox-pip-extensions
 tox>=3.8
 unidiff
 ibm_db
-boxsdk[jwt]<4.0.0
+boxsdk[jwt]
 pyahocorasick
 tabulate
 binaryornot

setup.py

@@ -26,7 +26,7 @@
         'pyyaml',
         'requests',
         'urllib3>2.4.0',
-        'boxsdk[jwt]<4.0.0',
+        'boxsdk[jwt]',
         'packaging',
         'tabulate',
         'binaryornot',

tests/plugins/box_test.py

@@ -3,6 +3,7 @@
 
 from detect_secrets.core.constants import VerifiedResult
 from detect_secrets.core.potential_secret import PotentialSecret
+from detect_secrets.plugins.box import BOX_SDK_FLAVOR
 from detect_secrets.plugins.box import BoxDetector
 from detect_secrets.plugins.box import find_other_factor
 from detect_secrets.plugins.box import get_box_user
@@ -38,12 +39,27 @@ def test_analyze_line(self, payload, should_flag):
     @patch('detect_secrets.plugins.box.Client')
     def test_get_box_user(self, mock_box, mock_jwt):
         mock_box.return_value.user.return_value.get.return_value.name = 'Testy'
+        mock_box.return_value.users.get_user_me.return_value.name = 'Testy'
 
         assert get_box_user(
             BOX_CLIENT_ID, BOX_CLIENT_SECRET, BOX_ENTERPRISE_ID,
             BOX_PUBLIC_KEY_ID, BOX_PASSPHRASE, BOX_PRIVATE_KEY,
         ) == 'Testy'
 
+    @patch('detect_secrets.plugins.box.JWTAuth')
+    def test_get_box_user_auth_format(self, mock_jwt):
+        with patch('detect_secrets.plugins.box.Client'):
+            get_box_user(
+                BOX_CLIENT_ID, BOX_CLIENT_SECRET, BOX_ENTERPRISE_ID,
+                BOX_PUBLIC_KEY_ID, BOX_PASSPHRASE, BOX_PRIVATE_KEY,
+            )
+
+        kwargs = mock_jwt.call_args.kwargs
+        if BOX_SDK_FLAVOR == 'legacy':
+            assert kwargs['rsa_private_key_passphrase'] == BOX_PASSPHRASE.encode()
+        else:
+            assert 'config' in kwargs
+
     @patch('detect_secrets.plugins.box.JWTAuth')
     @patch('detect_secrets.plugins.box.Client')
     def test_get_box_user_invalid_creds(self, mock_box, mock_jwt):
@@ -58,6 +74,7 @@ def test_get_box_user_invalid_creds(self, mock_box, mock_jwt):
     @patch('detect_secrets.plugins.box.Client')
     def test_verify(self, mock_box, mock_jwt):
         mock_box.return_value.user.return_value.get.return_value.name = 'Testy'
+        mock_box.return_value.users.get_user_me.return_value.name = 'Testy'
 
         potential_secret = PotentialSecret('test box', 'test filename', BOX_CLIENT_SECRET)
 

user-config/.pre-commit-config.yaml

@@ -10,7 +10,7 @@ repos:
     # You are encouraged to use static refs such as tags, instead of branch name
     #
     # Running "pre-commit autoupdate" automatically updates rev to latest tag
-    rev: 0.13.1+ibm.64.dss
+    rev: 0.13.1+ibm.65.dss
     hooks:
       - id: detect-secrets # pragma: whitelist secret
         # Add options for detect-secrets-hook binary. You can run `detect-secrets-hook --help` to list out all possible options.