
feat: Support verifying govcloud aws sessions

Open strazzere opened this issue 6 months ago • 3 comments

Add support to query govcloud sts endpoints for session tokens.

Description:

While doing some experimentation I noticed that govcloud sessions would never detect, so I added the logic to the session verifier to perform these.

I'm unsure exactly if this is the best way to add the logic in, as, if the commercial check fails, it will then check if it is a valid govcloud account. So essentially a true-negative will now make two HTTP calls. This might possibly be something that should be gated behind a feature? I was hoping someone at Truffle would have more information on which would be preferred. Part of me thought, no one has ever complained this didn't work, so no one else might want it. Though this also could mean no one else has ever realized it wasn't working? Lastly, if this ends up being merged, we may want to do the same with the account check code as well, since this also utilizes a similar endpoint.

Checklist:

  • [X] Tests passing (make test-community)?
  • [X] Lint passing (make lint; this requires golangci-lint)?

strazzere, Apr 23 '25 20:04
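
The fallback order and request cost discussed in the post above, as an added Go example (not code from this pull request or from TruffleHog). `probeFunc`, `verifySession`, `fakeSTS` and the `checkGov` gate are hypothetical names; the probe stands in for a signed STS GetCallerIdentity request, and using the us-gov-west-1 endpoint is an assumption.

```go
package main

import (
	"errors"
	"fmt"
)

// STS endpoints per partition; picking us-gov-west-1 is an assumption here.
const (
	commercialSTS = "https://sts.amazonaws.com"
	govCloudSTS   = "https://sts.us-gov-west-1.amazonaws.com"
)

// errInvalidToken means the endpoint definitively rejected the credentials.
var errInvalidToken = errors.New("credentials rejected")

// probeFunc (hypothetical) stands in for one signed request to an endpoint.
type probeFunc func(endpoint string) error

// verifySession tries the commercial partition first and GovCloud second,
// the latter only when checkGov is set. It returns: verified, the accepting
// endpoint, the number of requests made, and any indeterminate error.
func verifySession(probe probeFunc, checkGov bool) (bool, string, int, error) {
	endpoints := []string{commercialSTS}
	if checkGov {
		endpoints = append(endpoints, govCloudSTS)
	}
	calls := 0
	for _, ep := range endpoints {
		calls++
		err := probe(ep)
		if err == nil {
			return true, ep, calls, nil
		}
		if !errors.Is(err, errInvalidToken) {
			// Timeout or throttling: the result is unknown, not "invalid".
			return false, "", calls, err
		}
	}
	return false, "", calls, nil
}

// fakeSTS is a constructed stand-in that accepts credentials only at validAt.
func fakeSTS(validAt string) probeFunc {
	return func(ep string) error {
		if ep == validAt {
			return nil
		}
		return errInvalidToken
	}
}

func main() {
	fmt.Println(verifySession(fakeSTS(govCloudSTS), true)) // GovCloud session
	fmt.Println(verifySession(fakeSTS(""), true))          // true negative
}
```

With the gate on, a true negative costs two requests and a GovCloud session is found on the second; with it off, the GovCloud session is reported as unverified after one request.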