trufflehog
Overhaul npm detector
Description:
This fixes #1455. It matches new npm tokens (`npm_xxx...`), old npm tokens (`NpmToken.0000-...`, `0000-...`), and "non-standard" tokens such as Artifactory using a JWT or GitHub packages using a PAT. Basic auth is a separate can of worms, so is out of scope for this PR.
The high-level flow for all detectors is:

```mermaid
flowchart TD
    A[Got token] -->|Search for associated URL| B{URL found?}
    B -->|Yes| C[Verify against URL]
    B -->|No| D[Search for any potential URLs]
    D --> E[Verify against all URLs]
    C --> Z[END]
    E --> Z
```
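The flow above, written out as a stand-alone Go program. This is an added example, not trufflehog's detector code: the token regexes, the `.npmrc`-style `//host/:_authToken=` parsing, the `/-/whoami` verification endpoint and the fallback to `registry.npmjs.org` are this example's assumptions, and the sample chunk is constructed (none of the values are real credentials). A token that sits on an `.npmrc` credential line is verified only against that registry; a token with no associated URL is tried against every URL found in the chunk and then the default registry, which is also how JWTs and PATs get picked up despite having no npm-specific shape.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// Verifier reports whether registryURL accepts token. Injected so the flow can be
// exercised offline; HTTPVerifier is the real one.
type Verifier func(ctx context.Context, registryURL, token string) (bool, error)

// Result is one candidate token and the outcome of verification.
type Result struct {
	Token    string
	Registry string // registry the token was verified against, "" if none
	Verified bool
}

var (
	// New-format token: "npm_" + 36 base62 chars (the length is an assumption).
	newTokenRe = regexp.MustCompile(`\bnpm_[A-Za-z0-9]{36}\b`)
	// Legacy token: a UUID, optionally prefixed with "NpmToken.".
	legacyTokenRe = regexp.MustCompile(`\b(?:NpmToken\.)?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b`)
	// .npmrc credential line "//host[/path]/:_authToken=TOKEN"; the value is taken
	// as-is, which is what catches non-standard tokens (JWT, PAT).
	npmrcRe = regexp.MustCompile(`//([A-Za-z0-9.-]+(?::\d+)?(?:/[A-Za-z0-9._/-]*)?):_authToken=([^\s"']+)`)
	// Any other URL in the chunk; only used for tokens without an .npmrc line.
	urlRe = regexp.MustCompile(`https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[A-Za-z0-9._/-]*)?`)
)

// defaultRegistry is tried last for tokens that have no URL at all (assumption).
const defaultRegistry = "https://registry.npmjs.org"

// findAssociated maps each token on an .npmrc credential line to its registry URL.
func findAssociated(data string) map[string]string {
	assoc := map[string]string{}
	for _, m := range npmrcRe.FindAllStringSubmatch(data, -1) {
		assoc[m[2]] = "https://" + strings.TrimSuffix(m[1], "/")
	}
	return assoc
}

// findTokens returns candidate tokens in first-seen order without duplicates.
func findTokens(data string) []string {
	seen := map[string]bool{}
	var out []string
	add := func(t string) {
		if !seen[t] {
			seen[t] = true
			out = append(out, t)
		}
	}
	for _, t := range newTokenRe.FindAllString(data, -1) {
		add(t)
	}
	for _, t := range legacyTokenRe.FindAllString(data, -1) {
		add(t)
	}
	for _, m := range npmrcRe.FindAllStringSubmatch(data, -1) {
		add(m[2])
	}
	return out
}

// Detect runs the flowchart: associated URL found -> verify there only;
// otherwise verify against every URL in the chunk, then the default registry.
func Detect(ctx context.Context, data string, verify Verifier) []Result {
	assoc := findAssociated(data)
	fallback := append(urlRe.FindAllString(data, -1), defaultRegistry)
	var results []Result
	for _, tok := range findTokens(data) {
		r := Result{Token: tok}
		if reg, ok := assoc[tok]; ok {
			r.Registry = reg
			r.Verified, _ = verify(ctx, reg, tok)
		} else {
			for _, u := range fallback {
				if ok, err := verify(ctx, u, tok); err == nil && ok {
					r.Registry, r.Verified = u, true
					break
				}
			}
		}
		results = append(results, r)
	}
	return results
}

// HTTPVerifier calls the registry's whoami endpoint with the token as a bearer
// credential. 200 means live, 401/403 means rejected; anything else (404 from a
// non-registry URL, 5xx, network failure) is indeterminate and reported as an error.
func HTTPVerifier(client *http.Client) Verifier {
	return func(ctx context.Context, registry, token string) (bool, error) {
		req, err := http.NewRequestWithContext(ctx, http.MethodGet, registry+"/-/whoami", nil)
		if err != nil {
			return false, err
		}
		req.Header.Set("Authorization", "Bearer "+token)
		resp, err := client.Do(req)
		if err != nil {
			return false, err
		}
		defer resp.Body.Close()
		switch resp.StatusCode {
		case http.StatusOK:
			return true, nil
		case http.StatusUnauthorized, http.StatusForbidden:
			return false, nil
		default:
			return false, fmt.Errorf("indeterminate status %d from %s", resp.StatusCode, registry)
		}
	}
}

// FakeVerifier replaces the network for the sample run: it accepts exactly one constructed pair.
func FakeVerifier(_ context.Context, registry, token string) (bool, error) {
	return registry == defaultRegistry && token == "npm_"+strings.Repeat("A", 36), nil
}

// SampleChunk is constructed .npmrc-style input; no value here is a real credential.
func SampleChunk() string {
	return strings.Join([]string{
		"//registry.npmjs.org/:_authToken=npm_" + strings.Repeat("A", 36),
		"//artifactory.example.com/artifactory/api/npm/npm-local/:_authToken=eyJFAKEHEADER.eyJFAKEPAYLOAD.FAKESIG",
		"leaked in a build log: NpmToken.12345678-1234-1234-1234-123456789abc",
		"unrelated link https://docs.example.org/npm",
	}, "\n")
}

func main() {
	for _, r := range Detect(context.Background(), SampleChunk(), FakeVerifier) {
		fmt.Printf("token=%s... registry=%q verified=%v\n", r.Token[:8], r.Registry, r.Verified)
	}
}
```

In a real scan the `HTTPVerifier` result for the JWT and the legacy token would be 401/403 or a 404 from a non-registry URL; keeping "rejected" and "indeterminate" apart matters for triage, since a scanner that folds network errors into "unverified" silently hides live credentials when the registry is unreachable.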
Checklist:

- [ ] Tests passing (`make test-community`)?
- [ ] Lint passing (`make lint`; this requires golangci-lint)?