
Add validation for GCP application default credentials detector

Open amanfcp opened this issue 4 months ago • 0 comments

Improve GCP Application Default Credentials Detection

Background

Google Cloud Platform (GCP) supports multiple types of credential JSON files, each with different structures:

  1. User Credentials (OAuth 2.0 Client ID) - Used for user authentication
  2. Service Account Keys - Used for service-to-service authentication
  3. Workload Identity Federation - Used for external identity providers

Currently, our detector assumes User Credentials format. According to GCP documentation, User Credentials JSON will always contain these specific fields:

  • client_id
  • client_secret
  • refresh_token
  • type

Changes

  • Added explicit validation of credential JSON structure through the isValid() method to ensure we only process User Credentials
  • Enhanced the detector to properly handle and verify User Credentials while avoiding false positives from other credential types

Impact

This change makes our GCP credential detection more accurate by reducing false positives from other credential types (OSS-91). Closes issue-3717.

Checklist:

  • [x] Tests passing (make test-community)?
  • [x] Lint passing (make lint; this requires golangci-lint)?

amanfcp · Jun 02 '25 15:06
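The structural check the PR describes, as an added example that is not trufflehog's own detector code: it accepts a JSON blob only when the four user-credential fields are present and non-empty, and rejects service-account and workload-identity files. The "authorized_user" type value and the sample field names of the other credential kinds are assumed from GCP's documented formats, not taken from the PR text; all sample values are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Fields the PR description says every GCP user-credential JSON contains.
var userCredFields = []string{"client_id", "client_secret", "refresh_token", "type"}

// isUserCredential reports whether raw is a GCP user (authorized_user) credential
// JSON and, if not, why it was rejected. The "authorized_user" type value is an
// assumption from GCP's documented credential formats, not from the PR text.
func isUserCredential(raw []byte) (bool, string) {
	var fields map[string]json.RawMessage
	if err := json.Unmarshal(raw, &fields); err != nil {
		return false, "not a JSON object"
	}
	// Every required field must exist and hold a non-empty string.
	for _, name := range userCredFields {
		var value string
		if v, ok := fields[name]; !ok || json.Unmarshal(v, &value) != nil || value == "" {
			return false, "missing or empty field: " + name
		}
	}
	// Other credential kinds (service_account, external_account) also carry "type";
	// the value is what separates user credentials from them.
	var typ string
	_ = json.Unmarshal(fields["type"], &typ)
	if typ != "authorized_user" {
		return false, "type is " + typ + ", not authorized_user"
	}
	return true, "ok"
}

func main() {
	// Constructed samples; the values are placeholders, not real credentials.
	samples := map[string]string{
		"user":            `{"client_id":"x.apps.googleusercontent.com","client_secret":"s","refresh_token":"r","type":"authorized_user"}`,
		"service_account": `{"type":"service_account","project_id":"p","private_key":"-----BEGIN PRIVATE KEY-----\n...","client_email":"sa@p.iam.gserviceaccount.com"}`,
		"workload_id":     `{"type":"external_account","audience":"//iam.googleapis.com/...","subject_token_type":"urn:ietf:params:oauth:token-type:jwt"}`,
		"not_json":        `client_secret=s`,
	}
	for name, body := range samples {
		ok, reason := isUserCredential([]byte(body))
		fmt.Printf("%-16s user credential=%-5v (%s)\n", name, ok, reason)
	}
}
```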