NpmToken detector should verify against the registry URL, if present #1455

Open
@rgmz

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

The NpmToken v1 & v2 detectors are hard-coded to verify tokens against https://registry.npmjs.org/-/whoami:

req, err := http.NewRequestWithContext(ctx, "GET", "https://registry.npmjs.org/-/whoami", nil)

req, err := http.NewRequestWithContext(ctx, "GET", "https://registry.npmjs.org/-/whoami", nil)

However, npm can be used with registries other than the default (registry.npmjs.org), meaning that valid tokens can inadvertently be marked as unverified. This is especially likely in enterprise environments, which often have internal instances of Nexus Repository, Artifactory, or other artifact repository managers, and do not use registry.npmjs.org directly.

Problem to be Addressed

The NpmToken detectors should verify the tokens against the relevant registry/registries, where possible.

Description of the Preferred Solution

NpmTokens are often found in the .npmrc configuration file, where they are required to be scoped to a specific registry.

For example, the following NpmTokens have enough contextual information for TruffleHog to determine what registries they should be checked against instead of registry.npmjs.org:

//artifactory.example.com/:_authToken=NpmToken.18b533de-b347-46bc-8d2e-ae6550c6a16a
//nexus.example.com/repository/npm-proxy/:_authToken=NpmToken.105d5de9-17d0-4a08-a5e9-3e5d7070225b

https://docs.npmjs.com/cli/v9/configuring-npm/npmrc#auth-related-configuration
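An added sketch (not TruffleHog's code) of the lookup this issue asks for: it parses registry-scoped .npmrc lines like the two above into the /-/whoami endpoint each token should be checked against, and falls back to registry.npmjs.org only for an unscoped _authToken line. It assumes the registry is reachable over HTTPS and accepts the token as a bearer credential; the Target, ParseNpmrc and WhoamiRequest names are mine.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

type Target struct{ Token, WhoamiURL string } // token plus the whoami endpoint that should verify it

// scopedAuth matches the .npmrc form quoted in the issue, "//host[:port]/path/:_authToken=NpmToken.<uuid>"; defaultAuth matches an unscoped "_authToken=NpmToken.<uuid>" line.
var scopedAuth = regexp.MustCompile(`^//(\S+?)/?:_authToken=(NpmToken\.[0-9a-fA-F-]{36})$`)
var defaultAuth = regexp.MustCompile(`^_authToken=(NpmToken\.[0-9a-fA-F-]{36})$`)

// ParseNpmrc returns one Target per NpmToken: a registry-scoped entry maps to that
// registry (HTTPS assumed); an unscoped entry keeps today's fallback, registry.npmjs.org.
func ParseNpmrc(content string) []Target {
	var out []Target
	for _, raw := range strings.Split(content, "\n") {
		line := strings.TrimSpace(raw)
		if m := scopedAuth.FindStringSubmatch(line); m != nil {
			out = append(out, Target{m[2], "https://" + m[1] + "/-/whoami"})
		} else if m := defaultAuth.FindStringSubmatch(line); m != nil {
			out = append(out, Target{m[1], "https://registry.npmjs.org/-/whoami"})
		}
	}
	return out
}

// WhoamiRequest builds the GET the detector already issues, but against the registry
// the token is scoped to, presenting the token as a bearer credential.
func WhoamiRequest(ctx context.Context, t Target) (*http.Request, error) {
	req, err := http.NewRequestWithContext(ctx, "GET", t.WhoamiURL, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+t.Token)
	return req, nil
}

func main() {
	// Constructed .npmrc: one host quoted in the issue plus an unscoped token.
	npmrc := "//artifactory.example.com/:_authToken=NpmToken.18b533de-b347-46bc-8d2e-ae6550c6a16a\n" +
		"_authToken=NpmToken.00000000-0000-4000-8000-000000000000\n"
	for _, t := range ParseNpmrc(npmrc) {
		fmt.Println(t.Token, "-> verify at", t.WhoamiURL)
	}
}
```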

Additional Context

References

N/A
