
Overhaul npm detector

Open · rgmz opened this pull request 6 months ago • 1 comment

Description:

This fixes #1455. It matches new npm tokens (npm_xxx...), old npm tokens (NpmToken.0000-..., 0000-...), and "non-standard" tokens such as Artifactory using a JWT or GitHub packages using a PAT. Basic auth is a separate can of worms, so is out of scope for this PR.

The high-level flow for all detectors is:

```mermaid
flowchart TD
    A[Got token] -->|Search for associated URL| B{URL found?}
    B -->|Yes| C[Verify against URL]
    B -->|No| D[Search for any potential URLs]
    D --> E[Verify against all URLs]

    C-->Z[END]
    E-->Z
```

Checklist:

  • [ ] Tests passing (`make test-community`)?
  • [ ] Lint passing (`make lint`; this requires golangci-lint)?

rgmz avatar Dec 28 '23 18:12 rgmz
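The flow in the diagram above, written out as a small stand-alone Go program. This is an added illustration, not trufflehog's detector code: it matches the two token shapes the description names (new `npm_` tokens and legacy UUID tokens with or without the `NpmToken.` prefix), looks for a registry URL on the same `.npmrc`-style `//host/:_authToken=` line as the token, and otherwise falls back to every URL found in the scanned text. Verification is injected as a function so the example runs offline; the `Verifier` type, the `Detect`/`Result` names, the 36-character length assumed for `npm_` tokens, the `.npmrc` line shape, and the fallback to the public registry are all assumptions of this example. The "non-standard" JWT and PAT cases mentioned in the PR are not modelled here.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumption: a real verifier would send an authenticated request to the
// registry (for example GET /-/whoami with an Authorization: Bearer header)
// and report whether the token was accepted. It is injected here so the
// example needs no network.
type Verifier func(registryURL, token string) bool

// Result records one token and the endpoints it was checked against.
type Result struct {
	Token      string
	Kind       string   // "npm_new" or "npm_legacy"
	Endpoints  []string // URLs the token was verified against
	Verified   bool
	VerifiedAt string // endpoint that accepted the token, if any
}

const defaultRegistry = "https://registry.npmjs.org/" // assumption: fallback when no URL is found

var (
	// New-style token: "npm_" followed by 36 base62 characters (assumed length).
	newTokenRe = regexp.MustCompile(`\bnpm_[A-Za-z0-9]{36}\b`)
	// Legacy token: a UUID, optionally prefixed with "NpmToken.".
	legacyTokenRe = regexp.MustCompile(`(?i)\b(?:NpmToken\.)?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b`)
	// .npmrc entry binding a token to a registry: //host/path:_authToken=...
	authTokenLineRe = regexp.MustCompile(`//([^\s:]+):_authToken=`)
	// Any absolute URL in the text is a candidate registry for the fallback path.
	urlRe = regexp.MustCompile(`https?://[^\s"']+`)
)

// findTokens returns every distinct token in data, new-style first.
func findTokens(data string) []Result {
	var out []Result
	seen := map[string]bool{}
	add := func(kind string, matches []string) {
		for _, m := range matches {
			if !seen[m] {
				seen[m] = true
				out = append(out, Result{Token: m, Kind: kind})
			}
		}
	}
	add("npm_new", newTokenRe.FindAllString(data, -1))
	add("npm_legacy", legacyTokenRe.FindAllString(data, -1))
	return out
}

// associatedURL returns the registry named on the same .npmrc line as the
// token, or "" when the token is not bound to a specific registry.
func associatedURL(data, token string) string {
	for _, line := range strings.Split(data, "\n") {
		if !strings.Contains(line, token) {
			continue
		}
		if m := authTokenLineRe.FindStringSubmatch(line); m != nil {
			return "https://" + strings.TrimSuffix(m[1], "/") + "/"
		}
	}
	return ""
}

// candidateURLs collects every URL in data (deduplicated, in order of
// appearance) for the "verify against all URLs" branch.
func candidateURLs(data string) []string {
	seen := map[string]bool{}
	var out []string
	for _, u := range urlRe.FindAllString(data, -1) {
		u = strings.TrimRight(u, ".,;)")
		if !seen[u] {
			seen[u] = true
			out = append(out, u)
		}
	}
	if len(out) == 0 {
		out = append(out, defaultRegistry)
	}
	return out
}

// bearerValue strips the "NpmToken." display prefix; assumption: the registry
// expects the bare UUID as the credential.
func bearerValue(tok string) string {
	const p = "NpmToken."
	if len(tok) > len(p) && strings.EqualFold(tok[:len(p)], p) {
		return tok[len(p):]
	}
	return tok
}

// Detect implements the diagram: token -> associated URL? -> verify there,
// otherwise verify against every candidate URL, stopping at the first success.
func Detect(data string, verify Verifier) []Result {
	results := findTokens(data)
	for i := range results {
		r := &results[i]
		if u := associatedURL(data, r.Token); u != "" {
			r.Endpoints = []string{u}
		} else {
			r.Endpoints = candidateURLs(data)
		}
		for _, ep := range r.Endpoints {
			if verify(ep, bearerValue(r.Token)) {
				r.Verified, r.VerifiedAt = true, ep
				break
			}
		}
	}
	return results
}

// Constructed sample input (not real credentials): one token bound to a
// registry line, one legacy token with no binding, plus two loose URLs.
const sample = `registry=https://registry.npmjs.org/
//npm.pkg.github.com/:_authToken=npm_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
legacy=NpmToken.12345678-1234-1234-1234-123456789abc
see https://npm.example.internal/ for the private mirror
`

// fakeVerify stands in for a registry: it accepts only the pairings we
// constructed for the sample above.
func fakeVerify(ep, tok string) bool {
	return (ep == "https://npm.pkg.github.com/" && tok == "npm_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789") ||
		(ep == "https://npm.example.internal/" && tok == "12345678-1234-1234-1234-123456789abc")
}

func main() {
	for _, r := range Detect(sample, fakeVerify) {
		fmt.Printf("%-10s verified=%-5v at=%q tried=%d\n", r.Kind, r.Verified, r.VerifiedAt, len(r.Endpoints))
	}
}
```

The first token is bound to a registry by its `.npmrc` line, so it is checked against that single URL; the legacy token has no binding, so it is tried against both URLs found in the text and succeeds on the second one.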

CLA assistant check
All committers have signed the CLA.

CLAassistant avatar Jan 04 '24 01:01 CLAassistant