From 6df80f7947bc475f89209afdfa15493403306f7e Mon Sep 17 00:00:00 2001 From: Shahzad Haider Date: Wed, 21 Jan 2026 12:50:38 +0500 Subject: [PATCH 1/4] added detector for artifactory reference tokens --- .../artifactoryreferencetoken.go | 168 ++++++++++++++ ...ifactoryreferencetoken_integration_test.go | 165 ++++++++++++++ .../artifactoryreferencetoken_test.go | 206 ++++++++++++++++++ pkg/engine/defaults/defaults.go | 2 + pkg/pb/detectorspb/detectors.pb.go | 27 +++ proto/detectors.proto | 1 + 6 files changed, 569 insertions(+) create mode 100644 pkg/detectors/artifactoryreferencetoken/artifactoryreferencetoken.go create mode 100644 pkg/detectors/artifactoryreferencetoken/artifactoryreferencetoken_integration_test.go create mode 100644 pkg/detectors/artifactoryreferencetoken/artifactoryreferencetoken_test.go diff --git a/pkg/detectors/artifactoryreferencetoken/artifactoryreferencetoken.go b/pkg/detectors/artifactoryreferencetoken/artifactoryreferencetoken.go new file mode 100644 index 000000000000..4e8a4547aa04 --- /dev/null +++ b/pkg/detectors/artifactoryreferencetoken/artifactoryreferencetoken.go @@ -0,0 +1,168 @@ +package artifactoryreferencetoken + +import ( + "context" + "errors" + "fmt" + "io" + "net/http" + "strings" + + regexp "github.com/wasilibs/go-re2" + + "github.com/trufflesecurity/trufflehog/v3/pkg/cache/simple" + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" +) + +type Scanner struct { + client *http.Client + detectors.DefaultMultiPartCredentialProvider + detectors.EndpointSetter +} + +var ( + // Ensure the Scanner satisfies the interface at compile time. + _ detectors.Detector = (*Scanner)(nil) + _ detectors.EndpointCustomizer = (*Scanner)(nil) + + defaultClient = common.SaneHttpClient() + + // Reference tokens are base64-encoded strings starting with "reftkn:01|::" + // The base64 encoding of "reftkn" is "cmVmdGtu", total length is always 64 characters + tokenPat = regexp.MustCompile(`\b(cmVmdGtu[A-Za-z0-9]{56})\b`) + urlPat = regexp.MustCompile(`\b([A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]\.jfrog\.io)`) + + invalidHosts = simple.NewCache[struct{}]() + errNoHost = errors.New("no such host") +) + +func (Scanner) CloudEndpoint() string { return "" } + +// Keywords are used for efficiently pre-filtering chunks. +func (s Scanner) Keywords() []string { + return []string{"cmVmdGtu"} +} + +func (s Scanner) getClient() *http.Client { + if s.client != nil { + return s.client + } + + return defaultClient +} + +// FromData will find and optionally verify Artifactory Reference tokens in a given set of bytes. +func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) { + dataStr := string(data) + + var uniqueTokens, uniqueUrls = make(map[string]struct{}), make(map[string]struct{}) + + for _, match := range tokenPat.FindAllStringSubmatch(dataStr, -1) { + uniqueTokens[match[1]] = struct{}{} + } + + foundUrls := make([]string, 0) + for _, match := range urlPat.FindAllStringSubmatch(dataStr, -1) { + foundUrls = append(foundUrls, match[1]) + } + + // Add found + configured endpoints to the list + for _, endpoint := range s.Endpoints(foundUrls...) { + // If any configured endpoint has `https://` remove it because we append that during verification + endpoint = strings.TrimPrefix(endpoint, "https://") + uniqueUrls[endpoint] = struct{}{} + } + + for token := range uniqueTokens { + for url := range uniqueUrls { + if invalidHosts.Exists(url) { + delete(uniqueUrls, url) + continue + } + + s1 := detectors.Result{ + DetectorType: detectorspb.DetectorType_ArtifactoryReferenceToken, + Raw: []byte(token), + RawV2: []byte(token + url), + } + + if verify { + isVerified, verificationErr := verifyToken(ctx, s.getClient(), url, token) + s1.Verified = isVerified + if verificationErr != nil { + if errors.Is(verificationErr, errNoHost) { + invalidHosts.Set(url, struct{}{}) + continue + } + + s1.SetVerificationError(verificationErr, token) + } + + if isVerified { + s1.AnalysisInfo = map[string]string{ + "domain": url, + "token": token, + } + } + } + + results = append(results, s1) + } + } + + return results, nil +} + +func verifyToken(ctx context.Context, client *http.Client, host, token string) (bool, error) { + // https://jfrog.com/help/r/jfrog-rest-apis/get-token-by-id + req, err := http.NewRequestWithContext(ctx, http.MethodGet, + "https://"+host+"/access/api/v1/tokens/me", http.NoBody) + if err != nil { + return false, err + } + + req.Header.Set("Authorization", "Bearer "+token) + resp, err := client.Do(req) + if err != nil { + if strings.Contains(err.Error(), "no such host") { + return false, errNoHost + } + return false, err + } + + defer func() { + _, _ = io.Copy(io.Discard, resp.Body) + _ = resp.Body.Close() + }() + + switch resp.StatusCode { + case http.StatusOK: + // JFrog returns 200 with HTML for invalid subdomains, so we need to check Content-Type + contentType := resp.Header.Get("Content-Type") + if strings.Contains(contentType, "application/json") { + return true, nil + } + // HTML response indicates invalid subdomain/redirect - treat as invalid host + return false, errNoHost + case http.StatusForbidden: + // 403 - the authenticated principal has no permissions to get the token + return true, nil + case http.StatusUnauthorized: + // 401 - invalid/expired token + return false, nil + default: + // 404 - endpoint not found (possibly wrong URL or old Artifactory version) + // 302 and 500+ + return false, fmt.Errorf("unexpected HTTP response status %d", resp.StatusCode) + } +} + +func (s Scanner) Type() detectorspb.DetectorType { + return detectorspb.DetectorType_ArtifactoryReferenceToken +} + +func (s Scanner) Description() string { + return "JFrog Artifactory is a binary repository manager. Reference tokens are 64-character access tokens that can be used to authenticate API requests, providing access to repositories, builds, and artifacts." +} diff --git a/pkg/detectors/artifactoryreferencetoken/artifactoryreferencetoken_integration_test.go b/pkg/detectors/artifactoryreferencetoken/artifactoryreferencetoken_integration_test.go new file mode 100644 index 000000000000..2bb1daa226b7 --- /dev/null +++ b/pkg/detectors/artifactoryreferencetoken/artifactoryreferencetoken_integration_test.go @@ -0,0 +1,165 @@ +//go:build detectors +// +build detectors + +package artifactoryreferencetoken + +import ( + "context" + "fmt" + "testing" + "time" + + "github.com/google/go-cmp/cmp" + "github.com/google/go-cmp/cmp/cmpopts" + + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" +) + +func TestArtifactoryreferencetoken_FromChunk(t *testing.T) { + ctx, cancel := context.WithTimeout(context.Background(), time.Second*5) + defer cancel() + testSecrets, err := common.GetSecret(ctx, "trufflehog-testing", "detectors6") + if err != nil { + t.Fatalf("could not get test secrets from GCP: %s", err) + } + + instanceURL := testSecrets.MustGetField("ARTIFACTORY_URL") + secret := testSecrets.MustGetField("ARTIFACTORYREFERENCETOKEN") + inactiveSecret := testSecrets.MustGetField("ARTIFACTORYREFERENCETOKEN_INACTIVE") + + type args struct { + ctx context.Context + data []byte + verify bool + } + tests := []struct { + name string + s Scanner + args args + want []detectors.Result + wantErr bool + wantVerificationErr bool + }{ + { + name: "found, verified", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a artifactoryreferencetoken secret %s and domain %s within", secret, instanceURL)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_ArtifactoryReferenceToken, + Verified: true, + }, + }, + wantErr: false, + wantVerificationErr: false, + }, + { + name: "found, unverified", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a artifactoryreferencetoken secret %s and domain %s within but not valid", inactiveSecret, instanceURL)), // the secret would satisfy the regex but not pass validation + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_ArtifactoryReferenceToken, + Verified: false, + }, + }, + wantErr: false, + wantVerificationErr: false, + }, + { + name: "not found", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte("You cannot find the secret within"), + verify: true, + }, + want: nil, + wantErr: false, + wantVerificationErr: false, + }, + { + name: "found, would be verified if not for timeout", + s: Scanner{client: common.SaneHttpClientTimeOut(1 * time.Microsecond)}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a artifactoryreferencetoken secret %s and domain %s within", secret, instanceURL)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_ArtifactoryReferenceToken, + Verified: false, + }, + }, + wantErr: false, + wantVerificationErr: true, + }, + { + name: "found, verified but unexpected api surface", + s: Scanner{client: common.ConstantResponseHttpClient(302, "")}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a artifactoryreferencetoken secret %s and domain %s within", secret, instanceURL)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_ArtifactoryReferenceToken, + Verified: false, + }, + }, + wantErr: false, + wantVerificationErr: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + tt.s.UseFoundEndpoints(true) + + got, err := tt.s.FromData(tt.args.ctx, tt.args.verify, tt.args.data) + if (err != nil) != tt.wantErr { + t.Errorf("Artifactoryreferencetoken.FromData() error = %v, wantErr %v", err, tt.wantErr) + return + } + for i := range got { + if len(got[i].Raw) == 0 { + t.Fatalf("no raw secret present: \n %+v", got[i]) + } + if (got[i].VerificationError() != nil) != tt.wantVerificationErr { + t.Fatalf("wantVerificationError = %v, verification error = %v", tt.wantVerificationErr, got[i].VerificationError()) + } + } + ignoreOpts := cmpopts.IgnoreFields(detectors.Result{}, "Raw", "RawV2", "verificationError", "primarySecret", "AnalysisInfo") + if diff := cmp.Diff(got, tt.want, ignoreOpts); diff != "" { + t.Errorf("Artifactoryreferencetoken.FromData() %s diff: (-got +want)\n%s", tt.name, diff) + } + }) + } +} + +func BenchmarkFromData(benchmark *testing.B) { + ctx := context.Background() + s := Scanner{} + for name, data := range detectors.MustGetBenchmarkData() { + benchmark.Run(name, func(b *testing.B) { + b.ResetTimer() + for n := 0; n < b.N; n++ { + _, err := s.FromData(ctx, false, data) + if err != nil { + b.Fatal(err) + } + } + }) + } +} diff --git a/pkg/detectors/artifactoryreferencetoken/artifactoryreferencetoken_test.go b/pkg/detectors/artifactoryreferencetoken/artifactoryreferencetoken_test.go new file mode 100644 index 000000000000..39be5e0fabb8 --- /dev/null +++ b/pkg/detectors/artifactoryreferencetoken/artifactoryreferencetoken_test.go @@ -0,0 +1,206 @@ +package artifactoryreferencetoken + +import ( + "context" + "testing" + + "github.com/google/go-cmp/cmp" + "github.com/stretchr/testify/require" + + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/engine/ahocorasick" +) + +func TestArtifactoryReferenceToken_Pattern(t *testing.T) { + d := Scanner{} + ahoCorasickCore := ahocorasick.NewAhoCorasickCore([]detectors.Detector{d}) + + tests := []struct { + name string + input string + cloudEndpoint string + useCloudEndpoint bool + useFoundEndpoint bool + want []string + }{ + { + name: "valid pattern - environment variable", + input: ` + [INFO] Connecting to Artifactory + [DEBUG] Using reference token: cmVmdGtuOjAxOjAwMDAwMDAwMDA6awJQVlZkdEVyWXJ2cVNSemAABVQ1bwaBSWtE + [INFO] Connected to trufflehog.jfrog.io + `, + useCloudEndpoint: false, + useFoundEndpoint: true, + want: []string{ + "cmVmdGtuOjAxOjAwMDAwMDAwMDA6awJQVlZkdEVyWXJ2cVNSemAABVQ1bwaBSWtEtrufflehog.jfrog.io", + }, + }, + { + name: "valid pattern - config file", + input: ` + artifactory: + url: https://trufflehog.jfrog.io + reference_token: cmVmdGtuOjAxOjE3NjkxNjY0NjE6RE2ZeXpdsU1sOENUUG1RqXqDawNeMrJaTapu + `, + useCloudEndpoint: false, + useFoundEndpoint: true, + want: []string{ + "cmVmdGtuOjAxOjE3NjkxNjY0NjE6RE2ZeXpdsU1sOENUUG1RqXqDawNeMrJaTaputrufflehog.jfrog.io", + }, + }, + { + name: "valid pattern - curl command", + input: ` + curl -H "Authorization: Bearer cmVmdGtuOjAxOjE3NzE0OTkzNzY6RG9OS0QxOHVLduRyyUtNrneMwqt6a33TNUZV" \ + https://trufflehog.jfrog.io/artifactory/api/system/ping + `, + useCloudEndpoint: false, + useFoundEndpoint: true, + want: []string{ + "cmVmdGtuOjAxOjE3NzE0OTkzNzY6RG9OS0QxOHVLduRyyUtNrneMwqt6a33TNUZVtrufflehog.jfrog.io", + }, + }, + { + name: "valid pattern - with cloud endpoint", + input: ` + [INFO] Connecting to Artifactory + [DEBUG] Using reference token: cmVmdGtuOjAxOjAwMDAwMDAwMDA6awJQVlZkdEVyWXJ2cVNSemAABVQ1bwaBSWtE + [INFO] Response received: 200 OK + `, + cloudEndpoint: "cloudendpoint.jfrog.io", + useCloudEndpoint: true, + useFoundEndpoint: false, + want: []string{ + "cmVmdGtuOjAxOjAwMDAwMDAwMDA6awJQVlZkdEVyWXJ2cVNSemAABVQ1bwaBSWtEcloudendpoint.jfrog.io", + }, + }, + { + name: "valid pattern - with cloud and found endpoints", + input: ` + [INFO] Connecting to Artifactory + [DEBUG] Using reference token: cmVmdGtuOjAxOjAwMDAwMDAwMDA6awJQVlZkdEVyWXJ2cVNSemAABVQ1bwaBSWtE + [INFO] trufflehog.jfrog.io + [INFO] Response received: 200 OK + `, + cloudEndpoint: "cloudendpoint.jfrog.io", + useCloudEndpoint: true, + useFoundEndpoint: true, + want: []string{ + "cmVmdGtuOjAxOjAwMDAwMDAwMDA6awJQVlZkdEVyWXJ2cVNSemAABVQ1bwaBSWtEcloudendpoint.jfrog.io", + "cmVmdGtuOjAxOjAwMDAwMDAwMDA6awJQVlZkdEVyWXJ2cVNSemAABVQ1bwaBSWtEtrufflehog.jfrog.io", + }, + }, + { + name: "valid pattern - with disabled found endpoints", + input: ` + [INFO] Connecting to Artifactory + [DEBUG] Using reference token: cmVmdGtuOjAxOjAwMDAwMDAwMDA6awJQVlZkdEVyWXJ2cVNSemAABVQ1bwaBSWtE + [INFO] trufflehog.jfrog.io + [INFO] Response received: 200 OK + `, + cloudEndpoint: "cloudendpoint.jfrog.io", + useCloudEndpoint: true, + useFoundEndpoint: false, + want: []string{ + "cmVmdGtuOjAxOjAwMDAwMDAwMDA6awJQVlZkdEVyWXJ2cVNSemAABVQ1bwaBSWtEcloudendpoint.jfrog.io", + }, + }, + { + name: "valid pattern - with https in configured endpoint", + input: ` + [INFO] Connecting to Artifactory + [DEBUG] Using reference token: cmVmdGtuOjAxOjAwMDAwMDAwMDA6awJQVlZkdEVyWXJ2cVNSemAABVQ1bwaBSWtE + [INFO] Response received: 200 OK + `, + cloudEndpoint: "https://cloudendpoint.jfrog.io", + useCloudEndpoint: true, + useFoundEndpoint: false, + want: []string{ + "cmVmdGtuOjAxOjAwMDAwMDAwMDA6awJQVlZkdEVyWXJ2cVNSemAABVQ1bwaBSWtEcloudendpoint.jfrog.io", + }, + }, + { + name: "finds multiple tokens", + input: ` + # Primary token + export ARTIFACTORY_TOKEN=cmVmdGtuOjAxOjAwMDAwMDAwMDA6awJQVlZkdEVyWXJ2cVNSemAABVQ1bwaBSWtE + # Backup token + export ARTIFACTORY_TOKEN_BACKUP=cmVmdGtuOjAxOjE3NjkxNjY0NjE6RE2ZeXpdsU1sOENUUG1RqXqDawNeMrJaTapu + export ARTIFACTORY_URL=https://trufflehog.jfrog.io + `, + useCloudEndpoint: false, + useFoundEndpoint: true, + want: []string{ + "cmVmdGtuOjAxOjAwMDAwMDAwMDA6awJQVlZkdEVyWXJ2cVNSemAABVQ1bwaBSWtEtrufflehog.jfrog.io", + "cmVmdGtuOjAxOjE3NjkxNjY0NjE6RE2ZeXpdsU1sOENUUG1RqXqDawNeMrJaTaputrufflehog.jfrog.io", + }, + }, + { + name: "invalid pattern - too short", + input: ` + [DEBUG] Using token: cmVmdGtuOjAxOjAwMDAwMDAwMDA6SHORT + [INFO] URL: trufflehog.jfrog.io + `, + useCloudEndpoint: false, + useFoundEndpoint: true, + want: nil, + }, + { + name: "invalid pattern - wrong prefix", + input: ` + [DEBUG] Using token: aBcDeFgHOjAxOjAwMDAwMDAwMDA6awJQVlZkdEVyWXJ2cVNSemAABVQ1bwaBSWtE + [INFO] URL: trufflehog.jfrog.io + `, + useCloudEndpoint: false, + useFoundEndpoint: true, + want: nil, + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + // Configure endpoint customizer based on test case + d.UseFoundEndpoints(test.useFoundEndpoint) + d.UseCloudEndpoint(test.useCloudEndpoint) + if test.useCloudEndpoint && test.cloudEndpoint != "" { + d.SetCloudEndpoint(test.cloudEndpoint) + } + + matchedDetectors := ahoCorasickCore.FindDetectorMatches([]byte(test.input)) + if len(matchedDetectors) == 0 && len(test.want) > 0 { + t.Errorf("keywords were not matched: %v", d.Keywords()) + return + } + + results, err := d.FromData(context.Background(), false, []byte(test.input)) + require.NoError(t, err) + + if len(results) != len(test.want) { + t.Errorf("expected %d results, got %d", len(test.want), len(results)) + for _, r := range results { + t.Logf("got: %s", string(r.RawV2)) + } + return + } + + actual := make(map[string]struct{}, len(results)) + for _, r := range results { + if len(r.RawV2) > 0 { + actual[string(r.RawV2)] = struct{}{} + } else { + actual[string(r.Raw)] = struct{}{} + } + } + + expected := make(map[string]struct{}, len(test.want)) + for _, v := range test.want { + expected[v] = struct{}{} + } + + if diff := cmp.Diff(expected, actual); diff != "" { + t.Errorf("%s diff: (-want +got)\n%s", test.name, diff) + } + }) + } +} diff --git a/pkg/engine/defaults/defaults.go b/pkg/engine/defaults/defaults.go index efba1ce8295d..512a6efaa47d 100644 --- a/pkg/engine/defaults/defaults.go +++ b/pkg/engine/defaults/defaults.go @@ -47,6 +47,7 @@ import ( "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/appsynergy" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/apptivo" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/artifactory" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/artifactoryreferencetoken" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/artsy" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/asanaoauth" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/asanapersonalaccesstoken" @@ -910,6 +911,7 @@ func buildDetectorList() []detectors.Detector { &appsynergy.Scanner{}, &apptivo.Scanner{}, &artifactory.Scanner{}, + &artifactoryreferencetoken.Scanner{}, &artsy.Scanner{}, &asanaoauth.Scanner{}, &asanapersonalaccesstoken.Scanner{}, diff --git a/pkg/pb/detectorspb/detectors.pb.go b/pkg/pb/detectorspb/detectors.pb.go index 0d9abb0bad2b..a9d5d67d21cc 100644 --- a/pkg/pb/detectorspb/detectors.pb.go +++ b/pkg/pb/detectorspb/detectors.pb.go @@ -1146,7 +1146,11 @@ const ( DetectorType_PhraseAccessToken DetectorType = 1037 DetectorType_Photoroom DetectorType = 1038 DetectorType_JWT DetectorType = 1039 +<<<<<<< HEAD DetectorType_OpenAIAdmin DetectorType = 1040 +======= + DetectorType_ArtifactoryReferenceToken DetectorType = 1040 +>>>>>>> 6d52ba80b (added detector for artifactory reference tokens) ) // Enum value maps for DetectorType. @@ -2188,7 +2192,11 @@ var ( 1037: "PhraseAccessToken", 1038: "Photoroom", 1039: "JWT", +<<<<<<< HEAD 1040: "OpenAIAdmin", +======= + 1040: "ArtifactoryReferenceToken", +>>>>>>> 6d52ba80b (added detector for artifactory reference tokens) } DetectorType_value = map[string]int32{ "Alibaba": 0, @@ -3227,7 +3235,11 @@ var ( "PhraseAccessToken": 1037, "Photoroom": 1038, "JWT": 1039, +<<<<<<< HEAD "OpenAIAdmin": 1040, +======= + "ArtifactoryReferenceToken": 1040, +>>>>>>> 6d52ba80b (added detector for artifactory reference tokens) } ) @@ -3681,7 +3693,11 @@ var file_detectors_proto_rawDesc = []byte{ 0x4c, 0x41, 0x49, 0x4e, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x42, 0x41, 0x53, 0x45, 0x36, 0x34, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x55, 0x54, 0x46, 0x31, 0x36, 0x10, 0x03, 0x12, 0x13, 0x0a, 0x0f, 0x45, 0x53, 0x43, 0x41, 0x50, 0x45, 0x44, 0x5f, 0x55, 0x4e, 0x49, 0x43, 0x4f, 0x44, 0x45, +<<<<<<< HEAD 0x10, 0x04, 0x2a, 0xd7, 0x86, 0x01, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, +======= + 0x10, 0x04, 0x2a, 0xe5, 0x86, 0x01, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, +>>>>>>> 6d52ba80b (added detector for artifactory reference tokens) 0x54, 0x79, 0x70, 0x65, 0x12, 0x0b, 0x0a, 0x07, 0x41, 0x6c, 0x69, 0x62, 0x61, 0x62, 0x61, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x41, 0x4d, 0x51, 0x50, 0x10, 0x01, 0x12, 0x07, 0x0a, 0x03, 0x41, 0x57, 0x53, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x41, 0x7a, 0x75, 0x72, 0x65, 0x10, 0x03, 0x12, @@ -4757,6 +4773,7 @@ var file_detectors_proto_rawDesc = []byte{ 0x6c, 0x74, 0x41, 0x75, 0x74, 0x68, 0x10, 0x8c, 0x08, 0x12, 0x16, 0x0a, 0x11, 0x50, 0x68, 0x72, 0x61, 0x73, 0x65, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x10, 0x8d, 0x08, 0x12, 0x0e, 0x0a, 0x09, 0x50, 0x68, 0x6f, 0x74, 0x6f, 0x72, 0x6f, 0x6f, 0x6d, 0x10, 0x8e, +<<<<<<< HEAD 0x08, 0x12, 0x08, 0x0a, 0x03, 0x4a, 0x57, 0x54, 0x10, 0x8f, 0x08, 0x12, 0x10, 0x0a, 0x0b, 0x4f, 0x70, 0x65, 0x6e, 0x41, 0x49, 0x41, 0x64, 0x6d, 0x69, 0x6e, 0x10, 0x90, 0x08, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x74, 0x72, 0x75, 0x66, @@ -4764,6 +4781,16 @@ var file_detectors_proto_rawDesc = []byte{ 0x66, 0x6c, 0x65, 0x68, 0x6f, 0x67, 0x2f, 0x76, 0x33, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x62, 0x2f, 0x64, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x73, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +======= + 0x08, 0x12, 0x08, 0x0a, 0x03, 0x4a, 0x57, 0x54, 0x10, 0x8f, 0x08, 0x12, 0x1e, 0x0a, 0x19, 0x41, + 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x79, 0x52, 0x65, 0x66, 0x65, 0x72, 0x65, + 0x6e, 0x63, 0x65, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x10, 0x90, 0x08, 0x42, 0x3d, 0x5a, 0x3b, 0x67, + 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, + 0x65, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, + 0x65, 0x68, 0x6f, 0x67, 0x2f, 0x76, 0x33, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x62, 0x2f, 0x64, + 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x73, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x33, +>>>>>>> 6d52ba80b (added detector for artifactory reference tokens) } var ( diff --git a/proto/detectors.proto b/proto/detectors.proto index 1876fe8c8e66..d0d282b58409 100644 --- a/proto/detectors.proto +++ b/proto/detectors.proto @@ -1050,6 +1050,7 @@ enum DetectorType { Photoroom = 1038; JWT = 1039; OpenAIAdmin = 1040; + ArtifactoryReferenceToken = 1040; } message Result { From 5045d85e511381d023320a14ef652bbd7aa6942e Mon Sep 17 00:00:00 2001 From: Shahzad Haider Date: Wed, 21 Jan 2026 13:22:13 +0500 Subject: [PATCH 2/4] add artifactory reference token detector to the no cloud endpoints list --- pkg/engine/engine_test.go | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/pkg/engine/engine_test.go b/pkg/engine/engine_test.go index ed46cba9ed23..58a33dcd9fab 100644 --- a/pkg/engine/engine_test.go +++ b/pkg/engine/engine_test.go @@ -1373,12 +1373,22 @@ func TestEngineInitializesCloudProviderDetectors(t *testing.T) { assert.NoError(t, err) var count int + noCloudEndpointDetectors := map[detectorspb.DetectorType]struct{}{ + detectorspb.DetectorType_ArtifactoryAccessToken: {}, + detectorspb.DetectorType_ArtifactoryReferenceToken: {}, + detectorspb.DetectorType_TableauPersonalAccessToken: {}, + // these do not have any cloud endpoint + } + for _, det := range e.detectors { if endpoints, ok := det.(interface{ Endpoints(...string) []string }); ok { id := config.GetDetectorID(det) - if len(endpoints.Endpoints()) == 0 && det.Type() != detectorspb.DetectorType_ArtifactoryAccessToken && det.Type() != detectorspb.DetectorType_TableauPersonalAccessToken { // artifactory and tableau does not have any cloud endpoint - t.Fatalf("detector %q Endpoints() is empty", id.String()) + if len(endpoints.Endpoints()) == 0 { + if _, ok := noCloudEndpointDetectors[det.Type()]; !ok { + t.Fatalf("detector %q Endpoints() is empty", id.String()) + } } + count++ } } From 9ecd554a77c19341e3281010b6d8db41dd939f21 Mon Sep 17 00:00:00 2001 From: Shahzad Haider Date: Wed, 4 Feb 2026 14:10:32 +0500 Subject: [PATCH 3/4] address mustansir feedback; remove the invalid host deletion --- .../artifactoryreferencetoken/artifactoryreferencetoken.go | 1 - 1 file changed, 1 deletion(-) diff --git a/pkg/detectors/artifactoryreferencetoken/artifactoryreferencetoken.go b/pkg/detectors/artifactoryreferencetoken/artifactoryreferencetoken.go index 4e8a4547aa04..e69ca0cb4bbd 100644 --- a/pkg/detectors/artifactoryreferencetoken/artifactoryreferencetoken.go +++ b/pkg/detectors/artifactoryreferencetoken/artifactoryreferencetoken.go @@ -78,7 +78,6 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result for token := range uniqueTokens { for url := range uniqueUrls { if invalidHosts.Exists(url) { - delete(uniqueUrls, url) continue } From bbae3a731492c7bb24e96d109e18ddf5462174ed Mon Sep 17 00:00:00 2001 From: Shahzad Haider Date: Thu, 12 Feb 2026 12:36:01 +0500 Subject: [PATCH 4/4] fix rebase issues --- pkg/pb/detectorspb/detectors.pb.go | 36 ++++++------------------------ proto/detectors.proto | 2 +- 2 files changed, 8 insertions(+), 30 deletions(-) diff --git a/pkg/pb/detectorspb/detectors.pb.go b/pkg/pb/detectorspb/detectors.pb.go index a9d5d67d21cc..6b348d46baae 100644 --- a/pkg/pb/detectorspb/detectors.pb.go +++ b/pkg/pb/detectorspb/detectors.pb.go @@ -1146,11 +1146,8 @@ const ( DetectorType_PhraseAccessToken DetectorType = 1037 DetectorType_Photoroom DetectorType = 1038 DetectorType_JWT DetectorType = 1039 -<<<<<<< HEAD DetectorType_OpenAIAdmin DetectorType = 1040 -======= - DetectorType_ArtifactoryReferenceToken DetectorType = 1040 ->>>>>>> 6d52ba80b (added detector for artifactory reference tokens) + DetectorType_ArtifactoryReferenceToken DetectorType = 1041 ) // Enum value maps for DetectorType. @@ -2192,11 +2189,8 @@ var ( 1037: "PhraseAccessToken", 1038: "Photoroom", 1039: "JWT", -<<<<<<< HEAD 1040: "OpenAIAdmin", -======= - 1040: "ArtifactoryReferenceToken", ->>>>>>> 6d52ba80b (added detector for artifactory reference tokens) + 1041: "ArtifactoryReferenceToken", } DetectorType_value = map[string]int32{ "Alibaba": 0, @@ -3235,11 +3229,8 @@ var ( "PhraseAccessToken": 1037, "Photoroom": 1038, "JWT": 1039, -<<<<<<< HEAD "OpenAIAdmin": 1040, -======= - "ArtifactoryReferenceToken": 1040, ->>>>>>> 6d52ba80b (added detector for artifactory reference tokens) + "ArtifactoryReferenceToken": 1041, } ) @@ -3693,11 +3684,7 @@ var file_detectors_proto_rawDesc = []byte{ 0x4c, 0x41, 0x49, 0x4e, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x42, 0x41, 0x53, 0x45, 0x36, 0x34, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x55, 0x54, 0x46, 0x31, 0x36, 0x10, 0x03, 0x12, 0x13, 0x0a, 0x0f, 0x45, 0x53, 0x43, 0x41, 0x50, 0x45, 0x44, 0x5f, 0x55, 0x4e, 0x49, 0x43, 0x4f, 0x44, 0x45, -<<<<<<< HEAD - 0x10, 0x04, 0x2a, 0xd7, 0x86, 0x01, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, -======= - 0x10, 0x04, 0x2a, 0xe5, 0x86, 0x01, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, ->>>>>>> 6d52ba80b (added detector for artifactory reference tokens) + 0x10, 0x04, 0x2a, 0xf7, 0x86, 0x01, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0b, 0x0a, 0x07, 0x41, 0x6c, 0x69, 0x62, 0x61, 0x62, 0x61, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x41, 0x4d, 0x51, 0x50, 0x10, 0x01, 0x12, 0x07, 0x0a, 0x03, 0x41, 0x57, 0x53, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x41, 0x7a, 0x75, 0x72, 0x65, 0x10, 0x03, 0x12, @@ -4773,24 +4760,15 @@ var file_detectors_proto_rawDesc = []byte{ 0x6c, 0x74, 0x41, 0x75, 0x74, 0x68, 0x10, 0x8c, 0x08, 0x12, 0x16, 0x0a, 0x11, 0x50, 0x68, 0x72, 0x61, 0x73, 0x65, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x10, 0x8d, 0x08, 0x12, 0x0e, 0x0a, 0x09, 0x50, 0x68, 0x6f, 0x74, 0x6f, 0x72, 0x6f, 0x6f, 0x6d, 0x10, 0x8e, -<<<<<<< HEAD 0x08, 0x12, 0x08, 0x0a, 0x03, 0x4a, 0x57, 0x54, 0x10, 0x8f, 0x08, 0x12, 0x10, 0x0a, 0x0b, 0x4f, - 0x70, 0x65, 0x6e, 0x41, 0x49, 0x41, 0x64, 0x6d, 0x69, 0x6e, 0x10, 0x90, 0x08, 0x42, 0x3d, 0x5a, + 0x70, 0x65, 0x6e, 0x41, 0x49, 0x41, 0x64, 0x6d, 0x69, 0x6e, 0x10, 0x90, 0x08, 0x12, 0x1e, 0x0a, + 0x19, 0x41, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x79, 0x52, 0x65, 0x66, 0x65, + 0x72, 0x65, 0x6e, 0x63, 0x65, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x10, 0x91, 0x08, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x68, 0x6f, 0x67, 0x2f, 0x76, 0x33, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x62, 0x2f, 0x64, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x73, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, -======= - 0x08, 0x12, 0x08, 0x0a, 0x03, 0x4a, 0x57, 0x54, 0x10, 0x8f, 0x08, 0x12, 0x1e, 0x0a, 0x19, 0x41, - 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x79, 0x52, 0x65, 0x66, 0x65, 0x72, 0x65, - 0x6e, 0x63, 0x65, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x10, 0x90, 0x08, 0x42, 0x3d, 0x5a, 0x3b, 0x67, - 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, - 0x65, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, - 0x65, 0x68, 0x6f, 0x67, 0x2f, 0x76, 0x33, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x62, 0x2f, 0x64, - 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x73, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x33, ->>>>>>> 6d52ba80b (added detector for artifactory reference tokens) } var ( diff --git a/proto/detectors.proto b/proto/detectors.proto index d0d282b58409..b0cc5b834abf 100644 --- a/proto/detectors.proto +++ b/proto/detectors.proto @@ -1050,7 +1050,7 @@ enum DetectorType { Photoroom = 1038; JWT = 1039; OpenAIAdmin = 1040; - ArtifactoryReferenceToken = 1040; + ArtifactoryReferenceToken = 1041; } message Result {