From 74f5a741619b08fbab0f8a6e449b195a8a5ef58b Mon Sep 17 00:00:00 2001
From: moeedrehman135
Date: Wed, 8 Apr 2026 20:04:35 +0500
Subject: [PATCH 1/3] feat: add Rancher/Cattle token detector
- Add regex pattern for CATTLE_TOKEN/RANCHER_API_TOKEN format
- Require server context (CATTLE_SERVER/RANCHER_URL) to reduce false positives
- Add HTTP verification against Rancher v3 API
- Add pattern tests
- Register detector in defaults.go
Closes #4622
---
 pkg/detectors/rancher/rancher.go | 77 +
 pkg/detectors/rancher/rancher_test.go | 102 ++
 pkg/engine/defaults/defaults.go | 4 +-
 pkg/pb/detectorspb/detectors.pb.go | 3 +
 proto/detectors.proto | 2189 +++++++++++++------------
 5 files changed, 1280 insertions(+), 1095 deletions(-)
 create mode 100644 pkg/detectors/rancher/rancher.go
 create mode 100644 pkg/detectors/rancher/rancher_test.go
diff --git a/pkg/detectors/rancher/rancher.go b/pkg/detectors/rancher/rancher.go
new file mode 100644
index 000000000000..adb29ee113f1
--- /dev/null
+++ b/pkg/detectors/rancher/rancher.go
@@ -0,0 +1,77 @@
+package rancher
+
+import (
+ "context"
+ "net/http"
+
+ regexp "github.com/wasilibs/go-re2"
+
+ "github.com/trufflesecurity/trufflehog/v3/pkg/common"
+ "github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
+ "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
+)
+
+type Scanner struct{}
+
+var _ detectors.Detector = (*Scanner)(nil)
+
+var (
+ tokenPattern = regexp.MustCompile(
+ `(?i)(?:CATTLE_TOKEN|RANCHER_TOKEN|CATTLE_BOOTSTRAP_PASSWORD|RANCHER_API_TOKEN)[^\w]{1,4}([a-z0-9]{54,64})`,
+ )
+ serverPattern = regexp.MustCompile(
+ `(?i)(?:CATTLE_SERVER|RANCHER_URL|rancher\.[a-z0-9-]+\.[a-z]{2,})`,
+ )
+)
+
+func (s Scanner) Keywords() []string {
+ return []string{"cattle_token", "rancher_token", "rancher_api_token", "cattle_bootstrap_password"}
+}
+
+func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) {
+ dataStr := string(data)
+
+ if !serverPattern.MatchString(dataStr) {
+ return
+ }
+
+ matches := tokenPattern.FindAllStringSubmatch(dataStr, -1)
+ for _, match := range matches {
+ if len(match) < 2 {
+ continue
+ }
+ token := match[1]
+
+ result := detectors.Result{
+ DetectorType: detectorspb.DetectorType_Rancher,
+ Raw: []byte(token),
+ }
+
+ if verify {
+ client := common.SaneHttpClient()
+ req, err := http.NewRequestWithContext(ctx, "GET", "https://rancher.example.com/v3", nil)
+ if err != nil {
+ continue
+ }
+ req.Header.Set("Authorization", "Bearer "+token)
+ res, err := client.Do(req)
+ if err == nil {
+ res.Body.Close()
+ if res.StatusCode == http.StatusOK {
+ result.Verified = true
+ }
+ }
+ }
+
+ results = append(results, result)
+ }
+ return
+}
+
+func (s Scanner) Type() detectorspb.DetectorType {
+ return detectorspb.DetectorType_Rancher
+}
+
+func (s Scanner) Description() string {
+ return "Rancher is a Kubernetes management platform. Rancher API tokens can be used to gain full cluster admin access."
+}
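Review bot: The verification request in `FromData` is built against the fixed URL `https://rancher.example.com/v3`, so every candidate token is sent as a Bearer credential to that placeholder host instead of the Rancher server named beside it, and `Verified` can never reflect the real instance. `serverPattern` only gates on the presence of `CATTLE_SERVER`/`RANCHER_URL` and captures nothing; it should capture the server URL and the request should target that host, restricted to `https://` so the token is not sent in cleartext. Because that host then comes from scanned content, the request should use a client that refuses loopback and private addresses. A failed `client.Do` is also dropped silently, which makes an unreachable server indistinguishable from a rejected token.

```go
serverPattern = regexp.MustCompile(
	`(?i)(?:CATTLE_SERVER|RANCHER_URL)[^\w]{1,4}(https://[a-z0-9.-]+(?::[0-9]+)?)`,
)

// … unchanged: Keywords, start of FromData …

serverMatch := serverPattern.FindStringSubmatch(dataStr)
if len(serverMatch) < 2 {
	return
}
endpoint := serverMatch[1] + "/v3"

// … unchanged: token loop and result construction …

req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint, nil)
```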
diff --git a/pkg/detectors/rancher/rancher_test.go b/pkg/detectors/rancher/rancher_test.go
new file mode 100644
index 000000000000..a0863bb8c053
--- /dev/null
+++ b/pkg/detectors/rancher/rancher_test.go
@@ -0,0 +1,102 @@
+package rancher
+
+import (
+ "context"
+ "fmt"
+ "testing"
+
+ "github.com/google/go-cmp/cmp"
+
+ "github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
+ "github.com/trufflesecurity/trufflehog/v3/pkg/engine/ahocorasick"
+)
+
+var (
+ validPattern = "RANCHER_URL=https://rancher.example.com\nRANCHER_API_TOKEN=kubeadmin5f8a3b2c1d9e4f7a6b0c5d2e8f1a4b7c3d6e9f2a5b8c1d4e7f0a3b6"
+ invalidPattern = "RANCHER_API_TOKEN=shorttoken123"
+ keyword = "rancher_api_token"
+)
+
+func TestRancher_Pattern(t *testing.T) {
+ d := Scanner{}
+ ahoCorasickCore := ahocorasick.NewAhoCorasickCore([]detectors.Detector{d})
+ tests := []struct {
+ name string
+ input string
+ want []string
+ }{
+ {
+ name: "valid pattern with server context",
+ input: fmt.Sprintf("%s", validPattern),
+ want: []string{"kubeadmin5f8a3b2c1d9e4f7a6b0c5d2e8f1a4b7c3d6e9f2a5b8c1d4e7f0a3b6"},
+ },
+ {
+ name: "invalid pattern - token too short",
+ input: fmt.Sprintf("%s token = '%s'", keyword, invalidPattern),
+ want: []string{},
+ },
+ {
+ name: "no server context - should not detect",
+ input: "RANCHER_API_TOKEN=kubeadmin5f8a3b2c1d9e4f7a6b0c5d2e8f1a4b7c3d6e9f2a5b8c1d4e7f0a3b6",
+ want: []string{},
+ },
+ }
+
+ for _, test := range tests {
+ t.Run(test.name, func(t *testing.T) {
+ matchedDetectors := ahoCorasickCore.FindDetectorMatches([]byte(test.input))
+ if len(matchedDetectors) == 0 {
+ t.Errorf("keywords '%v' not matched by: %s", d.Keywords(), test.input)
+ return
+ }
+
+ results, err := d.FromData(context.Background(), false, []byte(test.input))
+ if err != nil {
+ t.Errorf("error = %v", err)
+ return
+ }
+
+ if len(results) != len(test.want) {
+ if len(results) == 0 {
+ t.Errorf("did not receive result")
+ } else {
+ t.Errorf("expected %d results, only received %d", len(test.want), len(results))
+ }
+ return
+ }
+
+ actual := make(map[string]struct{}, len(results))
+ for _, r := range results {
+ if len(r.RawV2) > 0 {
+ actual[string(r.RawV2)] = struct{}{}
+ } else {
+ actual[string(r.Raw)] = struct{}{}
+ }
+ }
+ expected := make(map[string]struct{}, len(test.want))
+ for _, v := range test.want {
+ expected[v] = struct{}{}
+ }
+
+ if diff := cmp.Diff(expected, actual); diff != "" {
+ t.Errorf("%s diff: (-want +got)\n%s", test.name, diff)
+ }
+ })
+ }
+}
+
+func BenchmarkFromData(benchmark *testing.B) {
+ ctx := context.Background()
+ s := Scanner{}
+ for name, data := range detectors.MustGetBenchmarkData() {
+ benchmark.Run(name, func(b *testing.B) {
+ b.ResetTimer()
+ for n := 0; n < b.N; n++ {
+ _, err := s.FromData(ctx, false, data)
+ if err != nil {
+ b.Fatal(err)
+ }
+ }
+ })
+ }
+}
diff --git a/pkg/engine/defaults/defaults.go b/pkg/engine/defaults/defaults.go
index f483433e3d2b..f4178559e060 100644
--- a/pkg/engine/defaults/defaults.go
+++ b/pkg/engine/defaults/defaults.go
@@ -723,6 +723,7 @@ import (
 "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/storychief"
 "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/strava"
 "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/streak"
+ "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/rancher"
 "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/stripe"
 "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/stripepaymentintent"
 "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/stripo"
@@ -1612,7 +1613,8 @@ func buildDetectorList() []detectors.Detector {
 &storychief.Scanner{},
 &strava.Scanner{},
 &streak.Scanner{},
- &stripe.Scanner{},
+ &rancher.Scanner{},
+ &stripe.Scanner{},
 &stripepaymentintent.Scanner{},
 &stripo.Scanner{},
 &stytch.Scanner{},
diff --git a/pkg/pb/detectorspb/detectors.pb.go b/pkg/pb/detectorspb/detectors.pb.go
index 3ec2468eb95d..f2b09e702a7e 100644
--- a/pkg/pb/detectorspb/detectors.pb.go
+++ b/pkg/pb/detectorspb/detectors.pb.go
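Review bot: No case in `TestRancher_Pattern` exercises the `verify` branch, since every call is `d.FromData(context.Background(), false, ...)`, so the host that receives the token during verification is never checked; a case that runs verification against an `httptest` server would cover it once the endpoint is derived from the input. The pattern cases cover only `RANCHER_URL`, leaving `CATTLE_SERVER` and the bare `rancher.<domain>` alternative of the server gate untested. `fmt.Sprintf("%s", validPattern)` is a no-op wrapper and can be plain `validPattern`, and the message `expected %d results, only received %d` misleads when more results than expected come back.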
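Review bot: The new import `.../pkg/detectors/rancher` is placed between `streak` and `stripe`, which breaks the alphabetical order of the import block, and `&rancher.Scanner{}` repeats that placement in the `buildDetectorList` hunk. In that second hunk `&stripe.Scanner{},` is removed and re-added with no visible change, which suggests a whitespace or line-ending difference that `gofmt` would undo. The `proto/detectors.proto` hunk (`-1,1095 +1,1096`, 2189 changed lines in the diffstat) looks like the same kind of whole-file churn around a single new enum entry and hides the real change from review. Both the import block and `buildDetectorList` continue outside these hunks.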
@@ -1152,6 +1152,7 @@ const ( DetectorType_ArtifactoryReferenceToken DetectorType = 1042 DetectorType_DatadogApikey DetectorType = 1043 DetectorType_ShopifyOAuth DetectorType = 1044 + DetectorType_Rancher DetectorType = 1045 ) // Enum value maps for DetectorType. @@ -2198,6 +2199,7 @@ var ( 1042: "ArtifactoryReferenceToken", 1043: "DatadogApikey", 1044: "ShopifyOAuth", + 1045: "Rancher", } DetectorType_value = map[string]int32{ "Alibaba": 0, @@ -3241,6 +3243,7 @@ var ( "ArtifactoryReferenceToken": 1042, "DatadogApikey": 1043, "ShopifyOAuth": 1044, + "Rancher": 1045, } ) diff --git a/proto/detectors.proto b/proto/detectors.proto index 88829dd17d3c..28fd0875a65c 100644 --- a/proto/detectors.proto +++ b/proto/detectors.proto 
@@ -1,1095 +1,1096 @@ -syntax = "proto3"; - -package detectors; - -option go_package = "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"; - -enum DecoderType { - UNKNOWN = 0; - PLAIN = 1; - BASE64 = 2; - UTF16 = 3; - ESCAPED_UNICODE = 4; -} - -enum DetectorType { - Alibaba = 0; - AMQP = 1; // Not yet implemented - AWS = 2; - Azure = 3; - Circle = 4; - Coinbase = 5; - GCP = 6; - Generic = 7; - Github = 8; - Gitlab = 9; - JDBC = 10; - RazorPay = 11; - SendGrid = 12; - Slack = 13; - Square = 14; - PrivateKey = 15; - Stripe = 16; - URI = 17; - Dropbox = 18; - Heroku = 19; - Mailchimp = 20; - Okta = 21; - OneLogin = 22; - PivotalTracker = 23; - SquareApp = 25; - Twilio = 26; - Test = 27; - TravisCI = 29; - SlackWebhook = 30; - PaypalOauth = 31; - PagerDutyApiKey = 32; - Firebase = 33; // Not yet implemented - Mailgun = 34; - HubSpot = 35; - GitHubApp = 36; - CircleCI = 37; // Not yet implemented - WpEngine = 38; // Not yet implemented - DatadogToken = 39; - FacebookOAuth = 40; - AsanaPersonalAccessToken = 41; - AmplitudeApiKey = 42; - BitLyAccessToken = 43; - CalendlyApiKey = 44; - ZapierWebhook = 45; - YoutubeApiKey = 46; - SalesforceOauth2 = 47; // Not yet implemented - TwitterApiSecret = 48; // Not yet implemented - NpmToken = 49; - NewRelicPersonalApiKey = 50; - AirtableApiKey = 51 [deprecated = true]; - AkamaiToken = 52; // Not yet implemented - AmazonMWS = 53; // Not yet implemented - KubeConfig = 54; // Not yet implemented - Auth0oauth = 55; - Bitfinex = 56; - Clarifai = 57; - CloudflareGlobalApiKey = 58; - CloudflareCaKey = 59; - Confluent = 60; - ContentfulDelivery = 61; // Not yet implemented - DatabricksToken = 62; - DigitalOceanSpaces = 63; // Not yet implemented - DigitalOceanToken = 64; - DiscordBotToken = 65; - DiscordWebhook = 66; - EtsyApiKey = 67 [deprecated = true]; - FastlyPersonalToken = 68; - GoogleOauth2 = 69; - ReCAPTCHA = 70; // Not yet implemented - GoogleApiKey = 71 [deprecated = true]; - Hunter = 72; - IbmCloudUserKey = 73; - 
Netlify = 74; - Vonage = 75; // Not yet implemented - EquinixOauth = 76; // Not yet implemented - Paystack = 77; - PlaidToken = 78; // Not yet implemented - PlaidKey = 79; - Plivo = 80; - Postmark = 81; - PubNubPublishKey = 82; - PubNubSubscriptionKey = 83; - PusherChannelKey = 84; - ScalewayKey = 85; - SendinBlueV2 = 86; - SentryToken = 87; - ShodanKey = 88; - SnykKey = 89; - SpotifyKey = 90; - TelegramBotToken = 91; - TencentCloudKey = 92; // Not yet implemented - TerraformCloudPersonalToken = 93; - TrelloApiKey = 94; - ZendeskApi = 95; - MaxMindLicense = 96; - AirtableMetadataApiKey = 97; // Not yet implemented - AsanaOauth = 98; - RapidApi = 99; - CloudflareApiToken = 100; - Webex = 101; - FirebaseCloudMessaging = 102; // Not yet implemented - ContentfulPersonalAccessToken = 103; - MapBox = 104; - MailJetBasicAuth = 105; - MailJetSMS = 106; - HubSpotApiKey = 107; - HubSpotOauth = 108; // Not yet implemented - SslMate = 109; - Auth0ManagementApiToken = 110; - MessageBird = 111; - ElasticEmail = 112; - FigmaPersonalAccessToken = 113; - MicrosoftTeamsWebhook = 114; - GitHubOld = 115; // Not yet implemented - VultrApiKey = 116; - Pepipost = 117; - Postman = 118; - CloudsightKey = 119; // Not yet implemented - JiraToken = 120; - NexmoApiKey = 121; - SegmentApiKey = 122; - SumoLogicKey = 123; - PushBulletApiKey = 124; - AirbrakeProjectKey = 125; - AirbrakeUserKey = 126; - PendoIntegrationKey = 127; // Not yet implemented - SplunkOberservabilityToken = 128; - LokaliseToken = 129; - Calendarific = 130; - Jumpcloud = 131; - IpStack = 133; - Notion = 134; - DroneCI = 135; - AdobeIO = 136; - TwelveData = 137; - D7Network = 138; - ScrapingBee = 139; - KeenIO = 140; - Wakatime = 141; // Not yet implemented - Buildkite = 142; - Verimail = 143; - Zerobounce = 144; - Mailboxlayer = 145; - Fastspring = 146; // Not yet implemented - Paddle = 147; // Not yet implemented - Sellfy = 148; // Not yet implemented - FixerIO = 149; - ButterCMS = 150; - Taxjar = 151; - Avalara = 152; // 
Not yet implemented - Helpscout = 153; - ElasticPath = 154; // Not yet implemented - Zeplin = 155; - Intercom = 156; - Mailmodo = 157; - CannyIo = 158; - Pipedrive = 159; - Vercel = 160; - PosthogApp = 161; - SinchMessage = 162; - Ayrshare = 163; - HelpCrunch = 164; - LiveAgent = 165; - Beamer = 166; - WeChatAppKey = 167; // Not yet implemented - LineMessaging = 168; - UberServerToken = 169; // Not yet implemented - AlgoliaAdminKey = 170; - FullContact = 171; // Not yet implemented - Mandrill = 172; - Flutterwave = 173; - MattermostPersonalToken = 174; - Cloudant = 175; // Not yet implemented - LineNotify = 176; - LinearAPI = 177; - Ubidots = 178; - Anypoint = 179; - Dwolla = 180; - ArtifactoryAccessToken = 181; - Surge = 182; // Not yet implemented - Sparkpost = 183; - GoCardless = 184; - Codacy = 185; - Kraken = 186; - Checkout = 187; - Kairos = 188; // Not yet implemented - ClockworkSMS = 189; - Atlassian = 190; // Not yet implemented - LaunchDarkly = 191; - Coveralls = 192; - Linode = 193; // Not yet implemented - WePay = 194; - PlanetScale = 195; - Doppler = 196; - Agora = 197; - Samsara = 198; // Not yet implemented - FrameIO = 199; - RubyGems = 200; - OpenAI = 201; - SurveySparrow = 202; - Simvoly = 203; - Survicate = 204; - Omnisend = 205; - Groovehq = 206; - Newsapi = 207; - Chatbot = 208; - ClickSendsms = 209; - Getgist = 210; - CustomerIO = 211; - ApiDeck = 212; - Nftport = 213; - Copper = 214; - Close = 215; - Myfreshworks = 216; - Salesflare = 217; - Webflow = 218; - Duda = 219; // Not yet implemented - Yext = 220; // Not yet implemented - ContentStack = 221; // Not yet implemented - StoryblokAccessToken = 222; - GraphCMS = 223; - Checkmarket = 224; // Not yet implemented - Convertkit = 225; - CustomerGuru = 226; - Kaleyra = 227; // Not yet implemented - Mailerlite = 228; - Qualaroo = 229; - SatismeterProjectkey = 230; - SatismeterWritekey = 231; - Simplesat = 232; - SurveyAnyplace = 233; - SurveyBot = 234; - Webengage = 235; // Not yet implemented - 
ZonkaFeedback = 236; - Delighted = 237; - Feedier = 238; - Abyssale = 239; - Magnetic = 240; - Nytimes = 241 [deprecated = true]; - Polygon = 242; - Powrbot = 243; - ProspectIO = 244 [deprecated = true]; - Skrappio = 245; - Monday = 246; - Smartsheets = 247; - Wrike = 248; - Float = 249; - Imagekit = 250; - Integromat = 251 [deprecated = true]; - Salesblink = 252; - Bored = 253; // Not yet implemented - Campayn = 254; - Clinchpad = 255; - CompanyHub = 256; - Debounce = 257; - Dyspatch = 258; - Guardianapi = 259; - Harvest = 260; - Moosend = 261; - OpenWeather = 262; - Siteleaf = 263; - Squarespace = 264; - FlowFlu = 265; - Nimble = 266; - LessAnnoyingCRM = 267; - Nethunt = 268; - Apptivo = 269; - CapsuleCRM = 270; - Insightly = 271; - Kylas = 272; - OnepageCRM = 273; - User = 274; - ProspectCRM = 275; - ReallySimpleSystems = 276; - Airship = 277; - Artsy = 278; - Yandex = 279; - Clockify = 280; - Dnscheck = 281; - EasyInsight = 282; - Ethplorer = 283; - Everhour = 284; - Fulcrum = 285; - GeoIpifi = 286; - Jotform = 287; - Refiner = 288; - Timezoneapi = 289; - TogglTrack = 290; - Vpnapi = 291; - Workstack = 292; - Apollo = 293; - Eversign = 294; // Not yet implemented - Juro = 295; - KarmaCRM = 296; - Metrilo = 297; - Pandadoc = 298; - RevampCRM = 299; - Salescookie = 300; - Alconost = 301; - Blogger = 302; - Accuweather = 303; - Opengraphr = 304 [deprecated = true]; - Rawg = 305; - Riotgames = 306; // Not yet implemented - Clientary = 307; - Stormglass = 308; - Tomtom = 309; - Twitch = 310; - Documo = 311; - Cloudways = 312; // Not yet implemented - Veevavault = 313; // Not yet implemented - KiteConnect = 314; // Not yet implemented - ShopeeOpenPlatform = 315; // Not yet implemented - TeamViewer = 316; // Not yet implemented - Bulbul = 317; - CentralStationCRM = 318; - Teamgate = 319; - Axonaut = 320; - Tyntec = 321; - Appcues = 322; - Autoklose = 323; - Cloudplan = 324; - Dotdigital = 325; - GetEmail = 326; - GetEmails = 327; - Kontent = 328; - Leadfeeder = 329; - 
Raven = 330; - RocketReach = 331; - Uplead = 332; - Brandfetch = 333; - Clearbit = 334; - Crowdin = 335; - Mapquest = 336; - Noticeable = 337; - Onbuka = 338; // Not yet implemented - Todoist = 339; - Storychief = 340; - LinkedIn = 341; // Not yet implemented - YouSign = 342; - Docker = 343; - Telesign = 344; // Not yet implemented - Spoonacular = 345; - Aerisweather = 346; // Not yet implemented - Alphavantage = 347; // Not yet implemented - Imgur = 348; // Not yet implemented - Imagga = 349; - SMSApi = 350; // Not yet implemented - Distribusion = 351; // Not yet implemented - Blablabus = 352 [deprecated = true]; - WordsApi = 353; // Not yet implemented - Currencylayer = 354; - Html2Pdf = 355; - IPGeolocation = 356; - Owlbot = 357; - Cloudmersive = 358; - Dynalist = 359; - ExchangeRateAPI = 360; - HolidayAPI = 361; - Ipapi = 362; - Marketstack = 363; - Nutritionix = 364; - Swell = 365; - ClickupPersonalToken = 366; - Nitro = 367 [deprecated = true]; - Rev = 368; - RunRunIt = 369; - Typeform = 370; - Mixpanel = 371; - Tradier = 372; - Verifier = 373; - Vouchery = 374; - Alegra = 375; - Audd = 376; - Baremetrics = 377; - Coinlib = 378; - ExchangeRatesAPI = 379; - CurrencyScoop = 380; - FXMarket = 381; - CurrencyCloud = 382; - GetGeoAPI = 383; - Abstract = 384; - Billomat = 385; - Dovico = 386; - Bitbar = 387; - Bugsnag = 388; - AssemblyAI = 389; - AdafruitIO = 390; - Apify = 391; - CoinGecko = 392; // Not yet implemented - CryptoCompare = 393; - Fullstory = 394; - HelloSign = 395; - Loyverse = 396; - NetCore = 397; // Not yet implemented - SauceLabs = 398; - AlienVault = 399; - Apiflash = 401; - Coinlayer = 402; - CurrentsAPI = 403; - DataGov = 404; - Enigma = 405; - FinancialModelingPrep = 406; - Geocodio = 407; - HereAPI = 408; - Macaddress = 409 [deprecated = true]; - OOPSpam = 410; - ProtocolsIO = 411; - ScraperAPI = 412; - SecurityTrails = 413; - TomorrowIO = 414; - WorldCoinIndex = 415; - FacePlusPlus = 416; - Voicegain = 417; - Deepgram = 418; - 
VisualCrossing = 419; - Finnhub = 420; - Tiingo = 421; - RingCentral = 422; - Finage = 423; - Edamam = 424; - HypeAuditor = 425; // Not yet implemented - Gengo = 426; - Front = 427; - Fleetbase = 428; - Bubble = 429; // Not yet implemented - Bannerbear = 430; - Adzuna = 431; - BitcoinAverage = 432; - CommerceJS = 433; - DetectLanguage = 434; - FakeJSON = 435 [deprecated = true]; - Graphhopper = 436; - Lexigram = 437; - LinkPreview = 438; - Numverify = 439; - ProxyCrawl = 440; - ZipCodeAPI = 441; - Cometchat = 442; // Not yet implemented - Keygen = 443; // Not yet implemented - Mixcloud = 444; // Not yet implemented - TatumIO = 445; - Tmetric = 446; - Lastfm = 447 [deprecated = true]; - Browshot = 448; - JSONbin = 449; // Not yet implemented - LocationIQ = 450; - ScreenshotAPI = 451; - WeatherStack = 452; - Amadeus = 453; - FourSquare = 454; - Flickr = 455; - ClickHelp = 456; - Ambee = 457; - Api2Cart = 458; - Hypertrack = 459; - KakaoTalk = 460; // Not yet implemented - RiteKit = 461; - Shutterstock = 462; - Text2Data = 463 [deprecated = true];; - YouNeedABudget = 464; - Cricket = 465; // Not yet implemented - Filestack = 466; // Not yet implemented - Gyazo = 467; - Mavenlink = 468; - Sheety = 469; - Sportsmonk = 470; - Stockdata = 471; - Unsplash = 472; - Allsports = 473; - CalorieNinja = 474; - WalkScore = 475; - Strava = 476; - Cicero = 477; - IPQuality = 478; - ParallelDots = 479; - Roaring = 480; - Mailsac = 481; - Whoxy = 482; - WorldWeather = 483; - ApiFonica = 484; - Aylien = 485; - Geocode = 486; - IconFinder = 487; - Ipify = 488 [deprecated = true]; - LanguageLayer = 489; - Lob = 490; - OnWaterIO = 491 [deprecated = true]; - Pastebin = 492; - PdfLayer = 493; - Pixabay = 494; - ReadMe = 495; - VatLayer = 496; - VirusTotal = 497; - AirVisual = 498; - Currencyfreaks = 499; - Duffel = 500; // Not yet implemented - FlatIO = 501; - M3o = 502; - Mesibo = 503; - Openuv = 504; - Snipcart = 505; - Besttime = 506; - Happyscribe = 507; - Humanity = 508; - Impala = 
509; - Loginradius = 510; - AutoPilot = 511; - Bitmex = 512; - ClustDoc = 513; - Messari = 514; // Not yet implemented - PdfShift = 515; - Poloniex = 516; - RestpackHtmlToPdfAPI = 517; - RestpackScreenshotAPI = 518; - ShutterstockOAuth = 519; - SkyBiometry = 520; - AbuseIPDB = 521; - AletheiaApi = 522; - BlitApp = 523; - Censys = 524; - Cloverly = 525; - CountryLayer = 526; - FileIO = 527; - FlightApi = 528; - Geoapify = 529; - IPinfoDB = 530; - MediaStack = 531; - NasdaqDataLink = 532; - OpenCageData = 533; - Paymongo = 534; - PositionStack = 535; - Rebrandly = 536; - ScreenshotLayer = 537; - Stytch = 538; - Unplugg = 539; - UPCDatabase = 540; - UserStack = 541; - Geocodify = 542; - Newscatcher = 543; - Nicereply = 544; - Partnerstack = 545; - Route4me = 546; - Scrapeowl = 547; - ScrapingDog = 548; // Not yet implemented - Streak = 549; - Veriphone = 550; - Webscraping = 551; - Zenscrape = 552; - Zenserp = 553; - CoinApi = 554; - Gitter = 555; - Host = 556; - Iexcloud = 557; - Restpack = 558 [deprecated = true]; - ScraperBox = 559; - ScrapingAnt = 560; - SerpStack = 561; - SmartyStreets = 562; - TicketMaster = 563; - AviationStack = 564; - BombBomb = 565; - Commodities = 566; - Dfuse = 567; - EdenAI = 568; - Glassnode = 569; - Guru = 570; - Hive = 571; - Hiveage = 572; - Kickbox = 573; - Passbase = 574 [deprecated = true]; - PostageApp = 575; - PureStake = 576; - Qubole = 577; - CarbonInterface = 578; - Intrinio = 579; - QuickMetrics = 580 [deprecated = true]; - ScrapeStack = 581; - TechnicalAnalysisApi = 582; - Urlscan = 583; - BaseApiIO = 584; // Not yet implemented - DailyCO = 585; - TLy = 586; - Shortcut = 587; - Appfollow = 588; - Thinkific = 589; - Feedly = 590; // Not yet implemented - Stitchdata = 591; - Fetchrss = 592; - Signupgenius = 593; - Signaturit = 594; - Optimizely = 595; - OcrSpace = 596; // Not yet implemented - WeatherBit = 597; - BuddyNS = 598; - ZipAPI = 599; - ZipBooks = 600; - Onedesk = 601; - Bugherd = 602; - Blazemeter = 603; - Autodesk = 
604; - Tru = 605; - UnifyID = 606; - Trimble = 607; // Not yet implemented - Smooch = 608; - Semaphore = 609; - Telnyx = 610; - Signalwire = 611; - Textmagic = 612; - Serphouse = 613; - Planyo = 614; - Simplybook = 615; // Not yet implemented - Vyte = 616; - Nylas = 617; - Squareup = 618; - Dandelion = 619; - DataFire = 620 [deprecated = true]; - DeepAI = 621; - MeaningCloud = 622; - NeutrinoApi = 623; - Storecove = 624; - Shipday = 625; - Sentiment = 626 [deprecated = true]; - StreamChatMessaging = 627; // Not yet implemented - TeamworkCRM = 628; - TeamworkDesk = 629; - TeamworkSpaces = 630; - TheOddsApi = 631; - Apacta = 632; - GetSandbox = 633; - Happi = 634 [deprecated = true]; - Oanda = 635; - FastForex = 636; - APIMatic = 637; - VersionEye = 638; - EagleEyeNetworks = 639; - ThousandEyes = 640; - SelectPDF = 641; - Flightstats = 642; - ChecIO = 643; - Manifest = 644; - ApiScience = 645 [deprecated = true]; - AppSynergy = 646; - Caflou = 647; - Caspio = 648; - ChecklyHQ = 649; - CloudElements = 650; - DronaHQ = 651; - Enablex = 652; - Fmfw = 653; - GoodDay = 654; - Luno = 655; - Meistertask = 656; - Mindmeister = 657; - PeopleDataLabs = 658; - ScraperSite = 659 [deprecated = true]; - Scrapfly = 660; - SimplyNoted = 661; - TravelPayouts = 662; - WebScraper = 663; - Convier = 664; - Courier = 665; - Ditto = 666; - Findl = 667; - Lendflow = 668; - Moderation = 669; - Opendatasoft = 670; // Not yet implemented - Podio = 671; - Rockset = 672 [deprecated = true]; - Rownd = 673; - Shotstack = 674; - Swiftype = 675; - Twitter = 676; - Honey = 677; - Freshdesk = 678; - Upwave = 679; - Fountain = 680; // Not yet implemented - Freshbooks = 681; - Mite = 682; - Deputy = 683; - Beebole = 684; - Cashboard = 685; - Kanban = 686; - Worksnaps = 687; - MyIntervals = 688; - InvoiceOcean = 689; - Sherpadesk = 690; - Mrticktock = 691; - Chatfule = 692; - Aeroworkflow = 693; - Emailoctopus = 694; // Not yet implemented - Fusebill = 695 [deprecated = true]; - Geckoboard = 696; - 
Gosquared = 697; // Not yet implemented - Moonclerk = 698; - Paymoapp = 699; - Mixmax = 700; - Processst = 701; // Not yet implemented - Repairshopr = 702; - Goshippo = 703; // Not yet implemented - Sigopt = 704; - Sugester = 705; - Viewneo = 706; - BoostNote = 707; - CaptainData = 708; - Checkvist = 709; - Cliengo = 710; - Cloze = 711; - FormIO = 712; - FormBucket = 713; - GoCanvas = 714; - MadKudu = 715; - NozbeTeams = 716; - Papyrs = 717; // Not yet implemented - SuperNotesAPI = 718; - Tallyfy = 719; - ZenkitAPI = 720; - CloudImage = 721; - UploadCare = 722; - Borgbase = 723; - Pipedream = 724; - Sirv = 725; - Diffbot = 726; - EightxEight = 727; - Sendoso = 728; // Not yet implemented - Printfection = 729; // Not yet implemented - Authorize = 730; // Not yet implemented - PandaScore = 731; - Paymo = 732; - AvazaPersonalAccessToken = 733; - PlanviewLeanKit = 734; - Livestorm = 735; - KuCoin = 736; - MetaAPI = 737; - NiceHash = 738; // Not yet implemented - CexIO = 739; - Klipfolio = 740; - Dynatrace = 741; // Not yet implemented - MollieAPIKey = 742; // Not yet implemented - MollieAccessToken = 743; // Not yet implemented - BasisTheory = 744; // Not yet implemented - Nordigen = 745; // Not yet implemented - FlagsmithEnvironmentKey = 746; // Not yet implemented - FlagsmithToken = 747; // Not yet implemented - Mux = 748; - Column = 749; - Sendbird = 750; - SendbirdOrganizationAPI = 751; - Midise = 752; // Not yet implemented - Mockaroo = 753; - Image4 = 754; // Not yet implemented - Pinata = 755; - BrowserStack = 756; - CrossBrowserTesting = 757 [deprecated = true]; - Loadmill = 758; - TestingBot = 759; - KnapsackPro = 760; - Qase = 761; - Dareboost = 762; - GTMetrix = 763; - Holistic = 764; - Parsers = 765; - ScrutinizerCi = 766; - SonarCloud = 767; - APITemplate = 768; - ConversionTools = 769; - CraftMyPDF = 770; - ExportSDK = 771; - GlitterlyAPI = 772 [deprecated = true]; - Hybiscus = 773; - Miro = 774; - Statuspage = 775; - Statuspal = 776; - Teletype = 777; - 
TimeCamp = 778; - Userflow = 779; - Wistia = 780; - SportRadar = 781 [deprecated = true];; - UptimeRobot = 782; - Codequiry = 783; - ExtractorAPI = 784; - Signable = 785; - MagicBell = 786; - Stormboard = 787; - Apilayer = 788; - Disqus = 789; - Woopra = 790; // Not yet implemented - Paperform = 791; - Gumroad = 792; - Paydirtapp = 793; - Detectify = 794; - Statuscake = 795; - Jumpseller = 796; // Not yet implemented - LunchMoney = 797; - Rosette = 798; // Not yet implemented - Yelp = 799; - Atera = 800; - EcoStruxureIT = 801; - Aha = 802; - Parsehub = 803; - PackageCloud = 804; - Cloudsmith = 805; - Flowdash = 806 [deprecated = true]; - Flowdock = 807 [deprecated = true]; - Fibery = 808; - Typetalk = 809; - VoodooSMS = 810; - ZulipChat = 811; - Formcraft = 812; - Iexapis = 813; - Reachmail = 814; - Chartmogul = 815; - Appointedd = 816; - Wit = 817; - RechargePayments = 818; - Diggernaut = 819; - MonkeyLearn = 820; - Duply = 821; - Postbacks = 822; - Collect2 = 823; - ZenRows = 824; - Zipcodebase = 825; - Tefter = 826; - Twist = 827; - BraintreePayments = 828; - CloudConvert = 829; - Grafana = 830; - ConvertApi = 831; - Transferwise = 832; - Bulksms = 833; - Databox = 834; - Onesignal = 835; - Rentman = 836; - Parseur = 837; - Docparser = 838; - Formsite = 839; - Tickettailor = 840; - Lemlist = 841; - Prodpad = 842; - Formstack = 843; // Not yet implemented - Codeclimate = 844; - Codemagic = 845; - Vbout = 846; - Nightfall = 847; - FlightLabs = 848; - SpeechTextAI = 849; - PollsAPI = 850; - SimFin = 851; - Scalr = 852; - Kanbantool = 853; - Brightlocal = 854; // Not yet implemented - Hotwire = 855; // Not yet implemented - Instabot = 856; - Timekit = 857; // Not yet implemented - Interseller = 858; - Mojohelpdesk = 859; // Not yet implemented - Createsend = 860; // Not yet implemented - Getresponse = 861; - Dynadot = 862; // Not yet implemented - Demio = 863; - Tokeet = 864; - Myexperiment = 865; // Not yet implemented - Copyscape = 866; // Not yet implemented - 
Besnappy = 867; - Salesmate = 868; - Heatmapapi = 869 [deprecated = true];; - Websitepulse = 870; - Uclassify = 871; - Convert = 872; - PDFmyURL = 873; // Not yet implemented - Api2Convert = 874; // Not yet implemented - Opsgenie = 875; - Gemini = 876; - Honeycomb = 877; - KalturaAppToken = 878; // Not yet implemented - KalturaSession = 879; // Not yet implemented - BitGo = 880; // Not yet implemented - Optidash = 881; // Not yet implemented - Imgix = 882; // Not yet implemented - ImageToText = 883; // Not yet implemented - Page2Images = 884; // Not yet implemented - Quickbase = 885; // Not yet implemented - Redbooth = 886; // Not yet implemented - Nubela = 887; // Not yet implemented - Infobip = 888; // Not yet implemented - Uproc = 889; // Not yet implemented - Supportbee = 890; // Not yet implemented - Aftership = 891; // Not yet implemented - Edusign = 892; // Not yet implemented - Teamup = 893; // Not yet implemented - Workday = 894; // Not yet implemented - MongoDB = 895; - NGC = 896; - DigitalOceanV2 = 897; - SQLServer = 898; - FTP = 899; - Redis = 900; - LDAP = 901; - Shopify = 902; - RabbitMQ = 903; - CustomRegex = 904; - Etherscan = 905; - Infura = 906; - Alchemy = 907; - BlockNative = 908; - Moralis = 909; - BscScan = 910; - CoinMarketCap = 911 [deprecated = true]; - Percy = 912; - TinesWebhook = 913; - Pulumi = 914; - SupabaseToken = 915; - NuGetApiKey = 916; - Aiven = 917; - Prefect = 918; - Docusign = 919; - Couchbase = 920; - Dockerhub = 921; - TrufflehogEnterprise = 922; - EnvoyApiKey = 923; - GitHubOauth2 = 924; - Salesforce = 925; - HuggingFace = 926; - Snowflake = 927; - Sourcegraph = 928; - Tailscale = 929; - Web3Storage = 930; - AzureStorage = 931; - PlanetScaleDb = 932; - Anthropic = 933; - Ramp = 934; - Klaviyo = 935; - SourcegraphCody = 936; - Voiceflow = 937; - Privacy = 938; - IPInfo = 939; - Ip2location = 940; - Instamojo = 941; - Portainer = 942; - PortainerToken = 943; - Loggly = 944; - OpenVpn = 945; - VagrantCloudPersonalToken = 946; 
- BetterStack = 947; - ZeroTier = 948; - AppOptics = 949; - Metabase = 950; - CoinbaseWaaS = 951 [deprecated = true]; - LemonSqueezy = 952; - Budibase = 953; - DenoDeploy = 954; - Stripo = 955; - ReplyIO = 956; - AzureBatch = 957; - AzureContainerRegistry = 958; - AWSSessionKey = 959; - Coda = 960; - LogzIO = 961; - Eventbrite = 962; - GrafanaServiceAccount = 963; - RequestFinance = 964; - Overloop = 965; - Ngrok = 966; - Replicate = 967; - Postgres = 968; - AzureActiveDirectoryApplicationSecret = 969; - AzureCacheForRedisAccessKey = 970; - AzureCosmosDBKeyIdentifiable = 971; - AzureDevopsPersonalAccessToken = 972; - AzureFunctionKey = 973; - AzureMLWebServiceClassicIdentifiableKey = 974; - AzureSasToken = 975; - AzureSearchAdminKey = 976; - AzureSearchQueryKey = 977; - AzureManagementCertificate = 978; - AzureSQL = 979; - FlyIO = 980; - BuiltWith = 981; - JupiterOne = 982; - GCPApplicationDefaultCredentials = 983; - Wiz = 984; - Pagarme = 985; - Onfleet = 986; - Intra42 = 987; - Groq = 988; - TwitterConsumerkey = 989; - Eraser = 990; - LarkSuite = 991; - LarkSuiteApiKey = 992; - EndorLabs = 993; - ElevenLabs = 994; - Netsuite = 995; - RobinhoodCrypto = 996; - NVAPI = 997; - PyPI = 998; - RailwayApp = 999; - Meraki = 1000; - SaladCloudApiKey = 1001; - Box = 1002; - BoxOauth = 1003; - ApiMetrics = 1004; - WeightsAndBiases = 1005; - ZohoCRM = 1006; - AzureOpenAI = 1007; - GoDaddy = 1008; - Flexport = 1009; - TwitchAccessToken = 1010; - TwilioApiKey = 1011; - Sanity = 1012; - AzureRefreshToken = 1013; - AirtableOAuth = 1014; - AirtablePersonalAccessToken = 1015; - StoryblokPersonalAccessToken = 1016; - SentryOrgToken = 1017; - AzureApiManagementRepositoryKey = 1018; - AzureAPIManagementSubscriptionKey = 1019; - Harness = 1020; - Langfuse = 1021; - BingSubscriptionKey = 1022; - XAI = 1023; - AzureDirectManagementKey = 1024; - AzureAppConfigConnectionString = 1025; - DeepSeek = 1026; - StripePaymentIntent = 1027; - LangSmith = 1028; - BitbucketAppPassword = 1029; - 
Hasura = 1030; - SalesforceRefreshToken = 1031; - AnypointOAuth2 = 1032; - WebexBot = 1033; - TableauPersonalAccessToken = 1034; - Rootly = 1035; - HashiCorpVaultAuth = 1036; - PhraseAccessToken = 1037; - Photoroom = 1038; - JWT = 1039; - OpenAIAdmin = 1040; - GoogleGeminiAPIKey = 1041; - ArtifactoryReferenceToken = 1042; - DatadogApikey = 1043; +syntax = "proto3"; + +package detectors; + +option go_package = "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"; + +enum DecoderType { + UNKNOWN = 0; + PLAIN = 1; + BASE64 = 2; + UTF16 = 3; + ESCAPED_UNICODE = 4; +} + +enum DetectorType { + Alibaba = 0; + AMQP = 1; // Not yet implemented + AWS = 2; + Azure = 3; + Circle = 4; + Coinbase = 5; + GCP = 6; + Generic = 7; + Github = 8; + Gitlab = 9; + JDBC = 10; + RazorPay = 11; + SendGrid = 12; + Slack = 13; + Square = 14; + PrivateKey = 15; + Stripe = 16; + URI = 17; + Dropbox = 18; + Heroku = 19; + Mailchimp = 20; + Okta = 21; + OneLogin = 22; + PivotalTracker = 23; + SquareApp = 25; + Twilio = 26; + Test = 27; + TravisCI = 29; + SlackWebhook = 30; + PaypalOauth = 31; + PagerDutyApiKey = 32; + Firebase = 33; // Not yet implemented + Mailgun = 34; + HubSpot = 35; + GitHubApp = 36; + CircleCI = 37; // Not yet implemented + WpEngine = 38; // Not yet implemented + DatadogToken = 39; + FacebookOAuth = 40; + AsanaPersonalAccessToken = 41; + AmplitudeApiKey = 42; + BitLyAccessToken = 43; + CalendlyApiKey = 44; + ZapierWebhook = 45; + YoutubeApiKey = 46; + SalesforceOauth2 = 47; // Not yet implemented + TwitterApiSecret = 48; // Not yet implemented + NpmToken = 49; + NewRelicPersonalApiKey = 50; + AirtableApiKey = 51 [deprecated = true]; + AkamaiToken = 52; // Not yet implemented + AmazonMWS = 53; // Not yet implemented + KubeConfig = 54; // Not yet implemented + Auth0oauth = 55; + Bitfinex = 56; + Clarifai = 57; + CloudflareGlobalApiKey = 58; + CloudflareCaKey = 59; + Confluent = 60; + ContentfulDelivery = 61; // Not yet implemented + DatabricksToken = 62; + 
DigitalOceanSpaces = 63; // Not yet implemented + DigitalOceanToken = 64; + DiscordBotToken = 65; + DiscordWebhook = 66; + EtsyApiKey = 67 [deprecated = true]; + FastlyPersonalToken = 68; + GoogleOauth2 = 69; + ReCAPTCHA = 70; // Not yet implemented + GoogleApiKey = 71 [deprecated = true]; + Hunter = 72; + IbmCloudUserKey = 73; + Netlify = 74; + Vonage = 75; // Not yet implemented + EquinixOauth = 76; // Not yet implemented + Paystack = 77; + PlaidToken = 78; // Not yet implemented + PlaidKey = 79; + Plivo = 80; + Postmark = 81; + PubNubPublishKey = 82; + PubNubSubscriptionKey = 83; + PusherChannelKey = 84; + ScalewayKey = 85; + SendinBlueV2 = 86; + SentryToken = 87; + ShodanKey = 88; + SnykKey = 89; + SpotifyKey = 90; + TelegramBotToken = 91; + TencentCloudKey = 92; // Not yet implemented + TerraformCloudPersonalToken = 93; + TrelloApiKey = 94; + ZendeskApi = 95; + MaxMindLicense = 96; + AirtableMetadataApiKey = 97; // Not yet implemented + AsanaOauth = 98; + RapidApi = 99; + CloudflareApiToken = 100; + Webex = 101; + FirebaseCloudMessaging = 102; // Not yet implemented + ContentfulPersonalAccessToken = 103; + MapBox = 104; + MailJetBasicAuth = 105; + MailJetSMS = 106; + HubSpotApiKey = 107; + HubSpotOauth = 108; // Not yet implemented + SslMate = 109; + Auth0ManagementApiToken = 110; + MessageBird = 111; + ElasticEmail = 112; + FigmaPersonalAccessToken = 113; + MicrosoftTeamsWebhook = 114; + GitHubOld = 115; // Not yet implemented + VultrApiKey = 116; + Pepipost = 117; + Postman = 118; + CloudsightKey = 119; // Not yet implemented + JiraToken = 120; + NexmoApiKey = 121; + SegmentApiKey = 122; + SumoLogicKey = 123; + PushBulletApiKey = 124; + AirbrakeProjectKey = 125; + AirbrakeUserKey = 126; + PendoIntegrationKey = 127; // Not yet implemented + SplunkOberservabilityToken = 128; + LokaliseToken = 129; + Calendarific = 130; + Jumpcloud = 131; + IpStack = 133; + Notion = 134; + DroneCI = 135; + AdobeIO = 136; + TwelveData = 137; + D7Network = 138; + ScrapingBee = 
139; + KeenIO = 140; + Wakatime = 141; // Not yet implemented + Buildkite = 142; + Verimail = 143; + Zerobounce = 144; + Mailboxlayer = 145; + Fastspring = 146; // Not yet implemented + Paddle = 147; // Not yet implemented + Sellfy = 148; // Not yet implemented + FixerIO = 149; + ButterCMS = 150; + Taxjar = 151; + Avalara = 152; // Not yet implemented + Helpscout = 153; + ElasticPath = 154; // Not yet implemented + Zeplin = 155; + Intercom = 156; + Mailmodo = 157; + CannyIo = 158; + Pipedrive = 159; + Vercel = 160; + PosthogApp = 161; + SinchMessage = 162; + Ayrshare = 163; + HelpCrunch = 164; + LiveAgent = 165; + Beamer = 166; + WeChatAppKey = 167; // Not yet implemented + LineMessaging = 168; + UberServerToken = 169; // Not yet implemented + AlgoliaAdminKey = 170; + FullContact = 171; // Not yet implemented + Mandrill = 172; + Flutterwave = 173; + MattermostPersonalToken = 174; + Cloudant = 175; // Not yet implemented + LineNotify = 176; + LinearAPI = 177; + Ubidots = 178; + Anypoint = 179; + Dwolla = 180; + ArtifactoryAccessToken = 181; + Surge = 182; // Not yet implemented + Sparkpost = 183; + GoCardless = 184; + Codacy = 185; + Kraken = 186; + Checkout = 187; + Kairos = 188; // Not yet implemented + ClockworkSMS = 189; + Atlassian = 190; // Not yet implemented + LaunchDarkly = 191; + Coveralls = 192; + Linode = 193; // Not yet implemented + WePay = 194; + PlanetScale = 195; + Doppler = 196; + Agora = 197; + Samsara = 198; // Not yet implemented + FrameIO = 199; + RubyGems = 200; + OpenAI = 201; + SurveySparrow = 202; + Simvoly = 203; + Survicate = 204; + Omnisend = 205; + Groovehq = 206; + Newsapi = 207; + Chatbot = 208; + ClickSendsms = 209; + Getgist = 210; + CustomerIO = 211; + ApiDeck = 212; + Nftport = 213; + Copper = 214; + Close = 215; + Myfreshworks = 216; + Salesflare = 217; + Webflow = 218; + Duda = 219; // Not yet implemented + Yext = 220; // Not yet implemented + ContentStack = 221; // Not yet implemented + StoryblokAccessToken = 222; + GraphCMS = 
223; + Checkmarket = 224; // Not yet implemented + Convertkit = 225; + CustomerGuru = 226; + Kaleyra = 227; // Not yet implemented + Mailerlite = 228; + Qualaroo = 229; + SatismeterProjectkey = 230; + SatismeterWritekey = 231; + Simplesat = 232; + SurveyAnyplace = 233; + SurveyBot = 234; + Webengage = 235; // Not yet implemented + ZonkaFeedback = 236; + Delighted = 237; + Feedier = 238; + Abyssale = 239; + Magnetic = 240; + Nytimes = 241 [deprecated = true]; + Polygon = 242; + Powrbot = 243; + ProspectIO = 244 [deprecated = true]; + Skrappio = 245; + Monday = 246; + Smartsheets = 247; + Wrike = 248; + Float = 249; + Imagekit = 250; + Integromat = 251 [deprecated = true]; + Salesblink = 252; + Bored = 253; // Not yet implemented + Campayn = 254; + Clinchpad = 255; + CompanyHub = 256; + Debounce = 257; + Dyspatch = 258; + Guardianapi = 259; + Harvest = 260; + Moosend = 261; + OpenWeather = 262; + Siteleaf = 263; + Squarespace = 264; + FlowFlu = 265; + Nimble = 266; + LessAnnoyingCRM = 267; + Nethunt = 268; + Apptivo = 269; + CapsuleCRM = 270; + Insightly = 271; + Kylas = 272; + OnepageCRM = 273; + User = 274; + ProspectCRM = 275; + ReallySimpleSystems = 276; + Airship = 277; + Artsy = 278; + Yandex = 279; + Clockify = 280; + Dnscheck = 281; + EasyInsight = 282; + Ethplorer = 283; + Everhour = 284; + Fulcrum = 285; + GeoIpifi = 286; + Jotform = 287; + Refiner = 288; + Timezoneapi = 289; + TogglTrack = 290; + Vpnapi = 291; + Workstack = 292; + Apollo = 293; + Eversign = 294; // Not yet implemented + Juro = 295; + KarmaCRM = 296; + Metrilo = 297; + Pandadoc = 298; + RevampCRM = 299; + Salescookie = 300; + Alconost = 301; + Blogger = 302; + Accuweather = 303; + Opengraphr = 304 [deprecated = true]; + Rawg = 305; + Riotgames = 306; // Not yet implemented + Clientary = 307; + Stormglass = 308; + Tomtom = 309; + Twitch = 310; + Documo = 311; + Cloudways = 312; // Not yet implemented + Veevavault = 313; // Not yet implemented + KiteConnect = 314; // Not yet implemented + 
ShopeeOpenPlatform = 315; // Not yet implemented + TeamViewer = 316; // Not yet implemented + Bulbul = 317; + CentralStationCRM = 318; + Teamgate = 319; + Axonaut = 320; + Tyntec = 321; + Appcues = 322; + Autoklose = 323; + Cloudplan = 324; + Dotdigital = 325; + GetEmail = 326; + GetEmails = 327; + Kontent = 328; + Leadfeeder = 329; + Raven = 330; + RocketReach = 331; + Uplead = 332; + Brandfetch = 333; + Clearbit = 334; + Crowdin = 335; + Mapquest = 336; + Noticeable = 337; + Onbuka = 338; // Not yet implemented + Todoist = 339; + Storychief = 340; + LinkedIn = 341; // Not yet implemented + YouSign = 342; + Docker = 343; + Telesign = 344; // Not yet implemented + Spoonacular = 345; + Aerisweather = 346; // Not yet implemented + Alphavantage = 347; // Not yet implemented + Imgur = 348; // Not yet implemented + Imagga = 349; + SMSApi = 350; // Not yet implemented + Distribusion = 351; // Not yet implemented + Blablabus = 352 [deprecated = true]; + WordsApi = 353; // Not yet implemented + Currencylayer = 354; + Html2Pdf = 355; + IPGeolocation = 356; + Owlbot = 357; + Cloudmersive = 358; + Dynalist = 359; + ExchangeRateAPI = 360; + HolidayAPI = 361; + Ipapi = 362; + Marketstack = 363; + Nutritionix = 364; + Swell = 365; + ClickupPersonalToken = 366; + Nitro = 367 [deprecated = true]; + Rev = 368; + RunRunIt = 369; + Typeform = 370; + Mixpanel = 371; + Tradier = 372; + Verifier = 373; + Vouchery = 374; + Alegra = 375; + Audd = 376; + Baremetrics = 377; + Coinlib = 378; + ExchangeRatesAPI = 379; + CurrencyScoop = 380; + FXMarket = 381; + CurrencyCloud = 382; + GetGeoAPI = 383; + Abstract = 384; + Billomat = 385; + Dovico = 386; + Bitbar = 387; + Bugsnag = 388; + AssemblyAI = 389; + AdafruitIO = 390; + Apify = 391; + CoinGecko = 392; // Not yet implemented + CryptoCompare = 393; + Fullstory = 394; + HelloSign = 395; + Loyverse = 396; + NetCore = 397; // Not yet implemented + SauceLabs = 398; + AlienVault = 399; + Apiflash = 401; + Coinlayer = 402; + CurrentsAPI = 403; + 
DataGov = 404; + Enigma = 405; + FinancialModelingPrep = 406; + Geocodio = 407; + HereAPI = 408; + Macaddress = 409 [deprecated = true]; + OOPSpam = 410; + ProtocolsIO = 411; + ScraperAPI = 412; + SecurityTrails = 413; + TomorrowIO = 414; + WorldCoinIndex = 415; + FacePlusPlus = 416; + Voicegain = 417; + Deepgram = 418; + VisualCrossing = 419; + Finnhub = 420; + Tiingo = 421; + RingCentral = 422; + Finage = 423; + Edamam = 424; + HypeAuditor = 425; // Not yet implemented + Gengo = 426; + Front = 427; + Fleetbase = 428; + Bubble = 429; // Not yet implemented + Bannerbear = 430; + Adzuna = 431; + BitcoinAverage = 432; + CommerceJS = 433; + DetectLanguage = 434; + FakeJSON = 435 [deprecated = true]; + Graphhopper = 436; + Lexigram = 437; + LinkPreview = 438; + Numverify = 439; + ProxyCrawl = 440; + ZipCodeAPI = 441; + Cometchat = 442; // Not yet implemented + Keygen = 443; // Not yet implemented + Mixcloud = 444; // Not yet implemented + TatumIO = 445; + Tmetric = 446; + Lastfm = 447 [deprecated = true]; + Browshot = 448; + JSONbin = 449; // Not yet implemented + LocationIQ = 450; + ScreenshotAPI = 451; + WeatherStack = 452; + Amadeus = 453; + FourSquare = 454; + Flickr = 455; + ClickHelp = 456; + Ambee = 457; + Api2Cart = 458; + Hypertrack = 459; + KakaoTalk = 460; // Not yet implemented + RiteKit = 461; + Shutterstock = 462; + Text2Data = 463 [deprecated = true];; + YouNeedABudget = 464; + Cricket = 465; // Not yet implemented + Filestack = 466; // Not yet implemented + Gyazo = 467; + Mavenlink = 468; + Sheety = 469; + Sportsmonk = 470; + Stockdata = 471; + Unsplash = 472; + Allsports = 473; + CalorieNinja = 474; + WalkScore = 475; + Strava = 476; + Cicero = 477; + IPQuality = 478; + ParallelDots = 479; + Roaring = 480; + Mailsac = 481; + Whoxy = 482; + WorldWeather = 483; + ApiFonica = 484; + Aylien = 485; + Geocode = 486; + IconFinder = 487; + Ipify = 488 [deprecated = true]; + LanguageLayer = 489; + Lob = 490; + OnWaterIO = 491 [deprecated = true]; + Pastebin = 
492; + PdfLayer = 493; + Pixabay = 494; + ReadMe = 495; + VatLayer = 496; + VirusTotal = 497; + AirVisual = 498; + Currencyfreaks = 499; + Duffel = 500; // Not yet implemented + FlatIO = 501; + M3o = 502; + Mesibo = 503; + Openuv = 504; + Snipcart = 505; + Besttime = 506; + Happyscribe = 507; + Humanity = 508; + Impala = 509; + Loginradius = 510; + AutoPilot = 511; + Bitmex = 512; + ClustDoc = 513; + Messari = 514; // Not yet implemented + PdfShift = 515; + Poloniex = 516; + RestpackHtmlToPdfAPI = 517; + RestpackScreenshotAPI = 518; + ShutterstockOAuth = 519; + SkyBiometry = 520; + AbuseIPDB = 521; + AletheiaApi = 522; + BlitApp = 523; + Censys = 524; + Cloverly = 525; + CountryLayer = 526; + FileIO = 527; + FlightApi = 528; + Geoapify = 529; + IPinfoDB = 530; + MediaStack = 531; + NasdaqDataLink = 532; + OpenCageData = 533; + Paymongo = 534; + PositionStack = 535; + Rebrandly = 536; + ScreenshotLayer = 537; + Stytch = 538; + Unplugg = 539; + UPCDatabase = 540; + UserStack = 541; + Geocodify = 542; + Newscatcher = 543; + Nicereply = 544; + Partnerstack = 545; + Route4me = 546; + Scrapeowl = 547; + ScrapingDog = 548; // Not yet implemented + Streak = 549; + Veriphone = 550; + Webscraping = 551; + Zenscrape = 552; + Zenserp = 553; + CoinApi = 554; + Gitter = 555; + Host = 556; + Iexcloud = 557; + Restpack = 558 [deprecated = true]; + ScraperBox = 559; + ScrapingAnt = 560; + SerpStack = 561; + SmartyStreets = 562; + TicketMaster = 563; + AviationStack = 564; + BombBomb = 565; + Commodities = 566; + Dfuse = 567; + EdenAI = 568; + Glassnode = 569; + Guru = 570; + Hive = 571; + Hiveage = 572; + Kickbox = 573; + Passbase = 574 [deprecated = true]; + PostageApp = 575; + PureStake = 576; + Qubole = 577; + CarbonInterface = 578; + Intrinio = 579; + QuickMetrics = 580 [deprecated = true]; + ScrapeStack = 581; + TechnicalAnalysisApi = 582; + Urlscan = 583; + BaseApiIO = 584; // Not yet implemented + DailyCO = 585; + TLy = 586; + Shortcut = 587; + Appfollow = 588; + Thinkific = 
589; + Feedly = 590; // Not yet implemented + Stitchdata = 591; + Fetchrss = 592; + Signupgenius = 593; + Signaturit = 594; + Optimizely = 595; + OcrSpace = 596; // Not yet implemented + WeatherBit = 597; + BuddyNS = 598; + ZipAPI = 599; + ZipBooks = 600; + Onedesk = 601; + Bugherd = 602; + Blazemeter = 603; + Autodesk = 604; + Tru = 605; + UnifyID = 606; + Trimble = 607; // Not yet implemented + Smooch = 608; + Semaphore = 609; + Telnyx = 610; + Signalwire = 611; + Textmagic = 612; + Serphouse = 613; + Planyo = 614; + Simplybook = 615; // Not yet implemented + Vyte = 616; + Nylas = 617; + Squareup = 618; + Dandelion = 619; + DataFire = 620 [deprecated = true]; + DeepAI = 621; + MeaningCloud = 622; + NeutrinoApi = 623; + Storecove = 624; + Shipday = 625; + Sentiment = 626 [deprecated = true]; + StreamChatMessaging = 627; // Not yet implemented + TeamworkCRM = 628; + TeamworkDesk = 629; + TeamworkSpaces = 630; + TheOddsApi = 631; + Apacta = 632; + GetSandbox = 633; + Happi = 634 [deprecated = true]; + Oanda = 635; + FastForex = 636; + APIMatic = 637; + VersionEye = 638; + EagleEyeNetworks = 639; + ThousandEyes = 640; + SelectPDF = 641; + Flightstats = 642; + ChecIO = 643; + Manifest = 644; + ApiScience = 645 [deprecated = true]; + AppSynergy = 646; + Caflou = 647; + Caspio = 648; + ChecklyHQ = 649; + CloudElements = 650; + DronaHQ = 651; + Enablex = 652; + Fmfw = 653; + GoodDay = 654; + Luno = 655; + Meistertask = 656; + Mindmeister = 657; + PeopleDataLabs = 658; + ScraperSite = 659 [deprecated = true]; + Scrapfly = 660; + SimplyNoted = 661; + TravelPayouts = 662; + WebScraper = 663; + Convier = 664; + Courier = 665; + Ditto = 666; + Findl = 667; + Lendflow = 668; + Moderation = 669; + Opendatasoft = 670; // Not yet implemented + Podio = 671; + Rockset = 672 [deprecated = true]; + Rownd = 673; + Shotstack = 674; + Swiftype = 675; + Twitter = 676; + Honey = 677; + Freshdesk = 678; + Upwave = 679; + Fountain = 680; // Not yet implemented + Freshbooks = 681; + Mite = 
682; + Deputy = 683; + Beebole = 684; + Cashboard = 685; + Kanban = 686; + Worksnaps = 687; + MyIntervals = 688; + InvoiceOcean = 689; + Sherpadesk = 690; + Mrticktock = 691; + Chatfule = 692; + Aeroworkflow = 693; + Emailoctopus = 694; // Not yet implemented + Fusebill = 695 [deprecated = true]; + Geckoboard = 696; + Gosquared = 697; // Not yet implemented + Moonclerk = 698; + Paymoapp = 699; + Mixmax = 700; + Processst = 701; // Not yet implemented + Repairshopr = 702; + Goshippo = 703; // Not yet implemented + Sigopt = 704; + Sugester = 705; + Viewneo = 706; + BoostNote = 707; + CaptainData = 708; + Checkvist = 709; + Cliengo = 710; + Cloze = 711; + FormIO = 712; + FormBucket = 713; + GoCanvas = 714; + MadKudu = 715; + NozbeTeams = 716; + Papyrs = 717; // Not yet implemented + SuperNotesAPI = 718; + Tallyfy = 719; + ZenkitAPI = 720; + CloudImage = 721; + UploadCare = 722; + Borgbase = 723; + Pipedream = 724; + Sirv = 725; + Diffbot = 726; + EightxEight = 727; + Sendoso = 728; // Not yet implemented + Printfection = 729; // Not yet implemented + Authorize = 730; // Not yet implemented + PandaScore = 731; + Paymo = 732; + AvazaPersonalAccessToken = 733; + PlanviewLeanKit = 734; + Livestorm = 735; + KuCoin = 736; + MetaAPI = 737; + NiceHash = 738; // Not yet implemented + CexIO = 739; + Klipfolio = 740; + Dynatrace = 741; // Not yet implemented + MollieAPIKey = 742; // Not yet implemented + MollieAccessToken = 743; // Not yet implemented + BasisTheory = 744; // Not yet implemented + Nordigen = 745; // Not yet implemented + FlagsmithEnvironmentKey = 746; // Not yet implemented + FlagsmithToken = 747; // Not yet implemented + Mux = 748; + Column = 749; + Sendbird = 750; + SendbirdOrganizationAPI = 751; + Midise = 752; // Not yet implemented + Mockaroo = 753; + Image4 = 754; // Not yet implemented + Pinata = 755; + BrowserStack = 756; + CrossBrowserTesting = 757 [deprecated = true]; + Loadmill = 758; + TestingBot = 759; + KnapsackPro = 760; + Qase = 761; + Dareboost = 
762; + GTMetrix = 763; + Holistic = 764; + Parsers = 765; + ScrutinizerCi = 766; + SonarCloud = 767; + APITemplate = 768; + ConversionTools = 769; + CraftMyPDF = 770; + ExportSDK = 771; + GlitterlyAPI = 772 [deprecated = true]; + Hybiscus = 773; + Miro = 774; + Statuspage = 775; + Statuspal = 776; + Teletype = 777; + TimeCamp = 778; + Userflow = 779; + Wistia = 780; + SportRadar = 781 [deprecated = true];; + UptimeRobot = 782; + Codequiry = 783; + ExtractorAPI = 784; + Signable = 785; + MagicBell = 786; + Stormboard = 787; + Apilayer = 788; + Disqus = 789; + Woopra = 790; // Not yet implemented + Paperform = 791; + Gumroad = 792; + Paydirtapp = 793; + Detectify = 794; + Statuscake = 795; + Jumpseller = 796; // Not yet implemented + LunchMoney = 797; + Rosette = 798; // Not yet implemented + Yelp = 799; + Atera = 800; + EcoStruxureIT = 801; + Aha = 802; + Parsehub = 803; + PackageCloud = 804; + Cloudsmith = 805; + Flowdash = 806 [deprecated = true]; + Flowdock = 807 [deprecated = true]; + Fibery = 808; + Typetalk = 809; + VoodooSMS = 810; + ZulipChat = 811; + Formcraft = 812; + Iexapis = 813; + Reachmail = 814; + Chartmogul = 815; + Appointedd = 816; + Wit = 817; + RechargePayments = 818; + Diggernaut = 819; + MonkeyLearn = 820; + Duply = 821; + Postbacks = 822; + Collect2 = 823; + ZenRows = 824; + Zipcodebase = 825; + Tefter = 826; + Twist = 827; + BraintreePayments = 828; + CloudConvert = 829; + Grafana = 830; + ConvertApi = 831; + Transferwise = 832; + Bulksms = 833; + Databox = 834; + Onesignal = 835; + Rentman = 836; + Parseur = 837; + Docparser = 838; + Formsite = 839; + Tickettailor = 840; + Lemlist = 841; + Prodpad = 842; + Formstack = 843; // Not yet implemented + Codeclimate = 844; + Codemagic = 845; + Vbout = 846; + Nightfall = 847; + FlightLabs = 848; + SpeechTextAI = 849; + PollsAPI = 850; + SimFin = 851; + Scalr = 852; + Kanbantool = 853; + Brightlocal = 854; // Not yet implemented + Hotwire = 855; // Not yet implemented + Instabot = 856; + Timekit = 
857; // Not yet implemented + Interseller = 858; + Mojohelpdesk = 859; // Not yet implemented + Createsend = 860; // Not yet implemented + Getresponse = 861; + Dynadot = 862; // Not yet implemented + Demio = 863; + Tokeet = 864; + Myexperiment = 865; // Not yet implemented + Copyscape = 866; // Not yet implemented + Besnappy = 867; + Salesmate = 868; + Heatmapapi = 869 [deprecated = true];; + Websitepulse = 870; + Uclassify = 871; + Convert = 872; + PDFmyURL = 873; // Not yet implemented + Api2Convert = 874; // Not yet implemented + Opsgenie = 875; + Gemini = 876; + Honeycomb = 877; + KalturaAppToken = 878; // Not yet implemented + KalturaSession = 879; // Not yet implemented + BitGo = 880; // Not yet implemented + Optidash = 881; // Not yet implemented + Imgix = 882; // Not yet implemented + ImageToText = 883; // Not yet implemented + Page2Images = 884; // Not yet implemented + Quickbase = 885; // Not yet implemented + Redbooth = 886; // Not yet implemented + Nubela = 887; // Not yet implemented + Infobip = 888; // Not yet implemented + Uproc = 889; // Not yet implemented + Supportbee = 890; // Not yet implemented + Aftership = 891; // Not yet implemented + Edusign = 892; // Not yet implemented + Teamup = 893; // Not yet implemented + Workday = 894; // Not yet implemented + MongoDB = 895; + NGC = 896; + DigitalOceanV2 = 897; + SQLServer = 898; + FTP = 899; + Redis = 900; + LDAP = 901; + Shopify = 902; + RabbitMQ = 903; + CustomRegex = 904; + Etherscan = 905; + Infura = 906; + Alchemy = 907; + BlockNative = 908; + Moralis = 909; + BscScan = 910; + CoinMarketCap = 911 [deprecated = true]; + Percy = 912; + TinesWebhook = 913; + Pulumi = 914; + SupabaseToken = 915; + NuGetApiKey = 916; + Aiven = 917; + Prefect = 918; + Docusign = 919; + Couchbase = 920; + Dockerhub = 921; + TrufflehogEnterprise = 922; + EnvoyApiKey = 923; + GitHubOauth2 = 924; + Salesforce = 925; + HuggingFace = 926; + Snowflake = 927; + Sourcegraph = 928; + Tailscale = 929; + Web3Storage = 930; + 
AzureStorage = 931; + PlanetScaleDb = 932; + Anthropic = 933; + Ramp = 934; + Klaviyo = 935; + SourcegraphCody = 936; + Voiceflow = 937; + Privacy = 938; + IPInfo = 939; + Ip2location = 940; + Instamojo = 941; + Portainer = 942; + PortainerToken = 943; + Loggly = 944; + OpenVpn = 945; + VagrantCloudPersonalToken = 946; + BetterStack = 947; + ZeroTier = 948; + AppOptics = 949; + Metabase = 950; + CoinbaseWaaS = 951 [deprecated = true]; + LemonSqueezy = 952; + Budibase = 953; + DenoDeploy = 954; + Stripo = 955; + ReplyIO = 956; + AzureBatch = 957; + AzureContainerRegistry = 958; + AWSSessionKey = 959; + Coda = 960; + LogzIO = 961; + Eventbrite = 962; + GrafanaServiceAccount = 963; + RequestFinance = 964; + Overloop = 965; + Ngrok = 966; + Replicate = 967; + Postgres = 968; + AzureActiveDirectoryApplicationSecret = 969; + AzureCacheForRedisAccessKey = 970; + AzureCosmosDBKeyIdentifiable = 971; + AzureDevopsPersonalAccessToken = 972; + AzureFunctionKey = 973; + AzureMLWebServiceClassicIdentifiableKey = 974; + AzureSasToken = 975; + AzureSearchAdminKey = 976; + AzureSearchQueryKey = 977; + AzureManagementCertificate = 978; + AzureSQL = 979; + FlyIO = 980; + BuiltWith = 981; + JupiterOne = 982; + GCPApplicationDefaultCredentials = 983; + Wiz = 984; + Pagarme = 985; + Onfleet = 986; + Intra42 = 987; + Groq = 988; + TwitterConsumerkey = 989; + Eraser = 990; + LarkSuite = 991; + LarkSuiteApiKey = 992; + EndorLabs = 993; + ElevenLabs = 994; + Netsuite = 995; + RobinhoodCrypto = 996; + NVAPI = 997; + PyPI = 998; + RailwayApp = 999; + Meraki = 1000; + SaladCloudApiKey = 1001; + Box = 1002; + BoxOauth = 1003; + ApiMetrics = 1004; + WeightsAndBiases = 1005; + ZohoCRM = 1006; + AzureOpenAI = 1007; + GoDaddy = 1008; + Flexport = 1009; + TwitchAccessToken = 1010; + TwilioApiKey = 1011; + Sanity = 1012; + AzureRefreshToken = 1013; + AirtableOAuth = 1014; + AirtablePersonalAccessToken = 1015; + StoryblokPersonalAccessToken = 1016; + SentryOrgToken = 1017; + 
AzureApiManagementRepositoryKey = 1018; + AzureAPIManagementSubscriptionKey = 1019; + Harness = 1020; + Langfuse = 1021; + BingSubscriptionKey = 1022; + XAI = 1023; + AzureDirectManagementKey = 1024; + AzureAppConfigConnectionString = 1025; + DeepSeek = 1026; + StripePaymentIntent = 1027; + LangSmith = 1028; + BitbucketAppPassword = 1029; + Hasura = 1030; + SalesforceRefreshToken = 1031; + AnypointOAuth2 = 1032; + WebexBot = 1033; + TableauPersonalAccessToken = 1034; + Rootly = 1035; + HashiCorpVaultAuth = 1036; + PhraseAccessToken = 1037; + Photoroom = 1038; + JWT = 1039; + OpenAIAdmin = 1040; + GoogleGeminiAPIKey = 1041; + ArtifactoryReferenceToken = 1042; + DatadogApikey = 1043; ShopifyOAuth = 1044; -} - -message Result { - int64 source_id = 2; - string redacted = 3; - bool verified = 4; - string hash = 5; - map extra_data = 6; - StructuredData structured_data = 7; - string hash_v2 = 8; - DecoderType decoder_type = 9; - - // This field should only be populated if the verification process itself failed in a way that provides no information - // about the verification status of the candidate secret, such as if the verification request timed out. 
- string verification_error_message = 10; - - FalsePositiveInfo false_positive_info = 11; -} - -message FalsePositiveInfo { - bool word_match = 1; - bool low_entropy = 2; -} - -message StructuredData { - repeated TlsPrivateKey tls_private_key = 1; - repeated GitHubSSHKey github_ssh_key = 2; -} - -message TlsPrivateKey { - string certificate_fingerprint = 1; - string verification_url = 2; - int64 expiration_timestamp = 3; -} - -message GitHubSSHKey { - string user = 1; - string public_key_fingerprint = 2; -} + Rancher = 1045; +} + +message Result { + int64 source_id = 2; + string redacted = 3; + bool verified = 4; + string hash = 5; + map extra_data = 6; + StructuredData structured_data = 7; + string hash_v2 = 8; + DecoderType decoder_type = 9; + + // This field should only be populated if the verification process itself failed in a way that provides no information + // about the verification status of the candidate secret, such as if the verification request timed out. + string verification_error_message = 10; + + FalsePositiveInfo false_positive_info = 11; +} + +message FalsePositiveInfo { + bool word_match = 1; + bool low_entropy = 2; +} + +message StructuredData { + repeated TlsPrivateKey tls_private_key = 1; + repeated GitHubSSHKey github_ssh_key = 2; +} + +message TlsPrivateKey { + string certificate_fingerprint = 1; + string verification_url = 2; + int64 expiration_timestamp = 3; +} + +message GitHubSSHKey { + string user = 1; + string public_key_fingerprint = 2; +} From 86414aade2ed3b7af0abd2178a6fece991172c02 Mon Sep 17 00:00:00 2001 From: moeedrehman135 Date: Fri, 10 Apr 2026 17:15:44 +0500 Subject: [PATCH 2/3] fix(rancher): extract server URL from data for verification and update regex --- pkg/detectors/rancher/rancher.go | 16 ++++++++++------ pkg/detectors/rancher/rancher_test.go | 14 +++++++------- 2 files changed, 17 insertions(+), 13 deletions(-) 
diff --git a/pkg/detectors/rancher/rancher.go b/pkg/detectors/rancher/rancher.go
index adb29ee113f1..465a0c60386a 100644
--- a/pkg/detectors/rancher/rancher.go
+++ b/pkg/detectors/rancher/rancher.go
@@ -3,6 +3,7 @@ package rancher
 import (
 "context"
 "net/http"
+ "strings"
 regexp "github.com/wasilibs/go-re2"
@@ -17,10 +18,10 @@ var _ detectors.Detector = (*Scanner)(nil)
 var (
 tokenPattern = regexp.MustCompile(
- `(?i)(?:CATTLE_TOKEN|RANCHER_TOKEN|CATTLE_BOOTSTRAP_PASSWORD|RANCHER_API_TOKEN)[^\w]{1,4}([a-z0-9]{54,64})`,
+ `(?i)(?:CATTLE_TOKEN|RANCHER_TOKEN|CATTLE_BOOTSTRAP_PASSWORD|RANCHER_API_TOKEN)[\w]*\s*[=:]\s*["']?([a-z0-9]{54,64})["']?`,
 )
 serverPattern = regexp.MustCompile(
- `(?i)(?:CATTLE_SERVER|RANCHER_URL|rancher\.[a-z0-9-]+\.[a-z]{2,})`,
+ `(?i)(?:CATTLE_SERVER|RANCHER_URL)\s*[=:]\s*["']?(https?://[a-zA-Z0-9._\-]+)["']?`,
 )
 )
@@ -31,9 +32,11 @@ func (s Scanner) Keywords() []string {
 func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) {
 dataStr := string(data)
- if !serverPattern.MatchString(dataStr) {
+ serverMatches := serverPattern.FindStringSubmatch(dataStr)
+ if len(serverMatches) < 2 {
 return
 }
+ serverURL := strings.TrimRight(serverMatches[1], "/")
 matches := tokenPattern.FindAllStringSubmatch(dataStr, -1)
 for _, match := range matches {
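Review bot: The new `tokenPattern` has no right-hand boundary after `([a-z0-9]{54,64})`, and the trailing `["']?` is optional, so a longer alphanumeric run is reported as its first 64 characters; ending the capture with `\b`, as in `([a-z0-9]{54,64})\b`, rejects those. The added `[\w]*` after the keyword also accepts any identifier that merely starts with one of the four names, which deserves a comment above the pattern if it is intended. Separately, the capture cannot contain `-` or `:`, so if Rancher bearer tokens have the `token-<id>:<secret>` shape (to be confirmed against Rancher's API-key documentation) only the secret half is captured and the Bearer check cannot succeed. The `var (` block opens before this hunk.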
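Review bot: `serverPattern.FindStringSubmatch(dataStr)` in `FromData` returns only the first `CATTLE_SERVER`/`RANCHER_URL` in the chunk, so every token matched afterwards is paired with that one server and, when verifying, sent to it. In data that lists several Rancher servers this attributes tokens to the wrong host and presents them to a server they were not issued for. Collecting all servers with `serverPattern.FindAllStringSubmatch(dataStr, -1)` and trying each unique server/token pair would mirror how the token side is already handled. `FromData` continues past the end of this hunk.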
@@ -45,18 +48,19 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
 result := detectors.Result{
 DetectorType: detectorspb.DetectorType_Rancher,
 Raw: []byte(token),
+ RawV2: []byte(serverURL + ":" + token),
 }
 if verify {
 client := common.SaneHttpClient()
- req, err := http.NewRequestWithContext(ctx, "GET", "https://rancher.example.com/v3", nil)
+ req, err := http.NewRequestWithContext(ctx, "GET", serverURL+"/v3", nil)
 if err != nil {
 continue
 }
 req.Header.Set("Authorization", "Bearer "+token)
 res, err := client.Do(req)
 if err == nil {
- res.Body.Close()
+ defer res.Body.Close()
 if res.StatusCode == http.StatusOK {
 result.Verified = true
 }
@@ -74,4 +78,4 @@ func (s Scanner) Type() detectorspb.DetectorType {
 func (s Scanner) Description() string {
 return "Rancher is a Kubernetes management platform. Rancher API tokens can be used to gain full cluster admin access."
-}
+}
\ No newline at end of file
diff --git a/pkg/detectors/rancher/rancher_test.go b/pkg/detectors/rancher/rancher_test.go
index a0863bb8c053..a01a64c19eb7 100644
--- a/pkg/detectors/rancher/rancher_test.go
+++ b/pkg/detectors/rancher/rancher_test.go
@@ -12,9 +12,9 @@ import (
 )
 var (
- validPattern = "RANCHER_URL=https://rancher.example.com\nRANCHER_API_TOKEN=kubeadmin5f8a3b2c1d9e4f7a6b0c5d2e8f1a4b7c3d6e9f2a5b8c1d4e7f0a3b6"
+ validPattern = "CATTLE_SERVER=https://rancher.example.com\nCATTLE_TOKEN=kubeadmin5f8a3b2c1d9e4f7a6b0c5d2e8f1a4b7c3d6e9f2a5b8c1d4e7f0a3b6"
 invalidPattern = "RANCHER_API_TOKEN=shorttoken123"
- keyword = "rancher_api_token"
+ keyword = "cattle_token"
 )
 func TestRancher_Pattern(t *testing.T) {
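Review bot: In the `if verify` block of `FromData` in rancher.go, `serverURL` is taken from the scanned data and is now the destination of `http.NewRequestWithContext(ctx, "GET", serverURL+"/v3", nil)`, so scanning untrusted content makes the scanner send an authenticated request to whatever host that content names, loopback, link-local and private addresses included. Whether `common.SaneHttpClient()` refuses such destinations is not visible here; TruffleHog's `detectors.DetectorHttpClientWithNoLocalAddresses` exists for this case. Since `serverPattern` accepts `https?`, the bearer token can also travel over plain `http://`, so verification is better limited to `https://` URLs. In addition, `defer res.Body.Close()` sits inside the `for _, match := range matches` loop, so response bodies stay open until `FromData` returns; the removed `res.Body.Close()` closed each one promptly and should be kept. The function starts and ends outside this hunk.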
@@ -27,17 +27,17 @@ func TestRancher_Pattern(t *testing.T) {
 }{
 {
 name: "valid pattern with server context",
- input: fmt.Sprintf("%s", validPattern),
- want: []string{"kubeadmin5f8a3b2c1d9e4f7a6b0c5d2e8f1a4b7c3d6e9f2a5b8c1d4e7f0a3b6"},
+ input: validPattern,
+ want: []string{"https://rancher.example.com:kubeadmin5f8a3b2c1d9e4f7a6b0c5d2e8f1a4b7c3d6e9f2a5b8c1d4e7f0a3b6"},
 },
 {
 name: "invalid pattern - token too short",
- input: fmt.Sprintf("%s token = '%s'", keyword, invalidPattern),
+ input: fmt.Sprintf("CATTLE_SERVER=https://rancher.example.com\n%s", invalidPattern),
 want: []string{},
 },
 {
 name: "no server context - should not detect",
- input: "RANCHER_API_TOKEN=kubeadmin5f8a3b2c1d9e4f7a6b0c5d2e8f1a4b7c3d6e9f2a5b8c1d4e7f0a3b6",
+ input: "CATTLE_TOKEN=kubeadmin5f8a3b2c1d9e4f7a6b0c5d2e8f1a4b7c3d6e9f2a5b8c1d4e7f0a3b6",
 want: []string{},
 },
 }
@@ -99,4 +99,4 @@ func BenchmarkFromData(benchmark *testing.B) {
 }
 })
 }
-}
+}
\ No newline at end of file
From 7401a70c5c190fef7f3d5620ca282d26fe52332d Mon Sep 17 00:00:00 2001
From: moeedrehman135
Date: Fri, 10 Apr 2026 18:30:20 +0500
Subject: [PATCH 3/3] fix(rancher): extract server URL from data, fix regex to support ports
---
 pkg/detectors/rancher/rancher.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/detectors/rancher/rancher.go b/pkg/detectors/rancher/rancher.go
index 465a0c60386a..8c123a11652b 100644
--- a/pkg/detectors/rancher/rancher.go
+++ b/pkg/detectors/rancher/rancher.go
@@ -21,7 +21,7 @@ var (
 `(?i)(?:CATTLE_TOKEN|RANCHER_TOKEN|CATTLE_BOOTSTRAP_PASSWORD|RANCHER_API_TOKEN)[\w]*\s*[=:]\s*["']?([a-z0-9]{54,64})["']?`,
 )
 serverPattern = regexp.MustCompile(
- `(?i)(?:CATTLE_SERVER|RANCHER_URL)\s*[=:]\s*["']?(https?://[a-zA-Z0-9._\-]+)["']?`,
+ `(?i)(?:CATTLE_SERVER|RANCHER_URL)\s*[=:]\s*["']?(https?://[a-zA-Z0-9._\-]+(:\d+)?)["']?`,
 )
 )
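Review bot: After this change every positive case in `TestRancher_Pattern` uses `CATTLE_SERVER`/`CATTLE_TOKEN`, so the `RANCHER_URL` and `RANCHER_API_TOKEN` alternatives of the two patterns no longer have a matching test. Nothing covers quoted values, the `:` separator, or a server URL with a port either. A table entry such as `RANCHER_URL="https://rancher.example.com:8443"` (constructed example) followed by a token line, expecting the server and token joined by `:`, would pin those branches. The `keyword` variable is no longer used by any case visible in this hunk, so check whether the rest of the file still needs it. The test table begins before this hunk.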
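Review bot: In patch 3/3 the port suffix of `serverPattern` is added as a capturing group, `(:\d+)?`, which creates a second submatch that `FromData` never reads; a non-capturing `(?::\d+)?` keeps `serverMatches[1]` the only group and makes the intent clear. `\d+` also accepts a port of any length, so `(?::\d{1,5})?` would be tighter. The `var (` block opens before this hunk.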