Summary
Add a Docker registry credentials honeytoken type (~/.docker/config.json). Docker config holds base64 registry auth that supply-chain attackers scan for, but there's no token type for it (current: aws/github/gcp/azure/ssh).
What to do
Follow docs/tokens.md — two files + a test:
- server/thumper/tokens/catalog.py — add a TOKEN_TYPES entry: type: "docker", default_path: "~/.docker/config.json", suggested paths, a description.
- server/thumper/tokens/generator.py — add a generate_token branch returning valid Docker config JSON, e.g.:
  {"auths": {"registry.example.com": {"auth": "<base64 user:fake-token>"}}}
  The credential must be random garbage (authenticates to nothing).
- Add a case in tests/test_tripwire_content.py asserting the output is valid JSON with an auths entry.
Acceptance
docker appears in GET /api/token-types; generates a plausible ~/.docker/config.json; has a test; suite stays green.
Good first issue — small, additive, with a step-by-step guide (docs/tokens.md).
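A sketch of the generator and the content check described above, added here as an illustration and not taken from the project's code. The function names, the default username `ci-deploy` and the 32-byte token length are assumptions; how this plugs into generate_token is left to docs/tokens.md.

```python
import base64
import json
import secrets


def make_docker_config(registry="registry.example.com", username="ci-deploy"):
    """Return decoy ~/.docker/config.json content (hypothetical helper)."""
    if not username or ":" in username:
        # The auth field is "user:password"; a colon in the user breaks parsing.
        raise ValueError("username must be non-empty and contain no ':'")
    # Random value from the OS CSPRNG, never derived from a real credential,
    # so the decoy authenticates to nothing.
    fake_token = secrets.token_urlsafe(32)
    pair = f"{username}:{fake_token}".encode("utf-8")
    auth = base64.b64encode(pair).decode("ascii")
    return json.dumps({"auths": {registry: {"auth": auth}}}, indent=2) + "\n"


def check_docker_config(content):
    """Validate decoy content; return a list of (registry, username) pairs."""
    doc = json.loads(content)  # raises ValueError on invalid JSON
    auths = doc.get("auths") if isinstance(doc, dict) else None
    if not isinstance(auths, dict) or not auths:
        raise ValueError("missing or empty 'auths' object")
    found = []
    for registry, entry in auths.items():
        if not isinstance(entry, dict) or "auth" not in entry:
            raise ValueError(f"{registry}: no 'auth' field")
        # validate=True rejects characters outside the base64 alphabet.
        raw = base64.b64decode(entry["auth"], validate=True).decode("utf-8")
        user, sep, password = raw.partition(":")
        if not (user and sep and password):
            raise ValueError(f"{registry}: auth is not 'user:password'")
        found.append((registry, user))
    return found


if __name__ == "__main__":
    sample = make_docker_config()
    print(sample, end="")
    print(check_docker_config(sample))
```
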