feat(detectors): add Slack App-Level Token support#5089
Conversation
Add detector for HTTP Basic Authentication tokens (BSCAU002). Detects Authorization: Basic <base64> patterns and decodes them to extract username:password credentials. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
feat(detectors): add BasicAuth detector
Add detector for Docker Swarm Unlock Keys (DKRSWRM002). Detects SWMKEY-1-<base64> patterns used to unlock locked Docker Swarm managers. Validates format and returns verified status for properly formatted keys. Docker Swarm unlock keys are 52+ character tokens starting with SWMKEY-1- prefix followed by base64-encoded data. These keys are used to unlock encrypted swarm state after manager node restarts. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add detector for Duffel API tokens (DFL001).
Detects duffel_test_ and duffel_live_ token patterns
used to access Duffel's travel booking API.
Duffel is a travel API platform for booking flights, stays,
and ground transportation. Tokens are 40-60 character strings
with test/live prefixes. Only test tokens are verified
automatically for safety.
Pattern: duffel_(test|live)_[a-zA-Z0-9_-]{40,60}
API Version: v2 (v1 deprecated)
Verification: GET /air/airlines endpoint
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add detector for HashiCorp Vault tokens (TF030). Detects hvs., hvb., hvr., and legacy s. token formats used to authenticate with Vault servers. HashiCorp Vault tokens are used to access secrets, manage policies, and perform administrative operations. Supports multiple token formats:
- Service tokens (hvs.): Vault 1.10+ format, 90+ chars
- Batch tokens (hvb.): 138+ chars
- Recovery tokens (hvr.): 138+ chars
- Legacy service tokens (s.): 24+ chars
Pattern detection works for all formats. Verification attempts to connect to common Vault endpoints but will show unverified status without accessible server. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add detection for Slack App-Level tokens (SVC027).
Extends existing Slack detector to support xapp-1- token format
used for app-level authentication.
Slack App-Level tokens are used to authenticate apps at the
workspace level, allowing Socket Mode connections and other
app-level functionality. Format: xapp-1-[A-Za-z0-9-]{48,}
Changes:
- Add pattern for App-Level tokens (xapp-1-)
- Update keywords to include "xapp-"
- Add test cases for valid/invalid App-Level tokens
- Supports lowercase hex characters in token body
Verification uses existing auth.test endpoint which works
for all Slack token types including App-Level tokens.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Deeraj CM seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it.
| // Format validation: SWMKEY-1- prefix + base64 (40+ chars after prefix) | ||
| if len(token) >= 49 && len(token) >= 9 && token[:9] == "SWMKEY-1-" { | ||
| return true, nil | ||
| } |
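Review bot: the fallback condition `if len(token) >= 49 && len(token) >= 9 && token[:9] == "SWMKEY-1-"` cannot fail for anything the regex already matched, and `len(token) >= 9` is implied by `len(token) >= 49`; drop this fallback and return `false, nil` when no endpoint confirms the key, so that Verified only becomes true after a real check.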
Format fallback makes verification always return true
High Severity
The format-check fallback in verifyDockerSwarmUnlock always passes for any token matched by the regex, making every detected token Verified = true without actual verification. The regex (SWMKEY-1-[A-Za-z0-9+/]{40,}={0,2}) guarantees a SWMKEY-1- prefix and at least 49 characters, so the condition len(token) >= 49 && len(token) >= 9 && token[:9] == "SWMKEY-1-" is always satisfied. The Verified field loses its meaning entirely — it no longer indicates the secret was confirmed active against a real service.
Reviewed by Cursor Bugbot for commit 21ac218.
| if err != nil { | ||
| continue | ||
| } | ||
| defer resp.Body.Close() |
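Review bot: `defer resp.Body.Close()` at the end of this hunk runs only when the function returns, so every iteration of the loop over vaultUrls that hits `continue` leaves a body open; close it explicitly on each iteration (`resp.Body.Close()` before the `continue` and before the success return), or move the single request into a helper function so the defer runs per call.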
Deferred resp.Body.Close inside loop causes resource leak
Medium Severity
defer resp.Body.Close() is inside a for loop over vaultUrls. In Go, defer executes when the enclosing function returns, not at the end of the loop iteration. If the loop iterates through multiple URLs (e.g., first returns 400 and continues), response bodies from earlier iterations remain open until the function exits. The sibling detector dockerswarmunlock correctly calls resp.Body.Close() directly without defer in its loop.
Reviewed by Cursor Bugbot for commit 21ac218.
| } | ||
| req.Header.Set("Content-Type", "application/json") | ||
| req.Body = http.NoBody |
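Review bot: `req.Body = http.NoBody` sends an empty POST, so the unlock key the detector is supposed to verify never reaches the daemon; build the JSON payload `{"UnlockKey": token}` with `json.Marshal` and pass it as `bytes.NewReader(payload)` when creating the request instead of setting the body to `http.NoBody`. The `Content-Type: application/json` header on the line above is correct for that payload and should stay.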
Verification request omits the unlock key in body
Medium Severity
The POST request to Docker's /swarm/unlock endpoint never sends the unlock key. The request is created with a nil body and then explicitly set to http.NoBody. The Docker Engine API expects a JSON body containing {"UnlockKey": "SWMKEY-1-..."}. Without it, the API cannot validate the token, so even if the Docker daemon is reachable, verification cannot succeed as intended.
Reviewed by Cursor Bugbot for commit 21ac218.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 4 total unresolved issues (including 3 from previous reviews).
Reviewed by Cursor Bugbot for commit d91d07d.
| SpectralOps = 1051; | ||
| AWSAppSync = 1052; | ||
| BrainTrustApiKey = 1053; | ||
| ShippoLiveToken = 1053; |
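Review bot: `ShippoLiveToken = 1053;` reuses the value assigned to `BrainTrustApiKey = 1053;` on the line above; protoc rejects duplicate enum values unless `allow_alias` is set, and reassigning a number silently changes the meaning of stored results, so give ShippoLiveToken the next unused value and leave 1053 with BrainTrustApiKey.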
Enum value 1053 reassigned, breaking existing detector
High Severity
Protobuf enum value 1053 is reassigned from BrainTrustApiKey to ShippoLiveToken. The existing braintrust detector package still references DetectorType_BrainTrustApiKey, and any previously stored detection results with type 1053 would be silently misinterpreted as ShippoLiveToken. Protobuf enum values are not meant to be reassigned.
Reviewed by Cursor Bugbot for commit d91d07d.


Summary
Add detection for Slack App-Level tokens (SVC027) to existing Slack detector.
Changes
- Pattern: xapp-1-[A-Za-z0-9-]{48,}
- Keyword: xapp- for efficient pre-filtering
- Verification: existing auth.test endpoint
Detector Details
Type: Slack App-Level Token
Pattern: xapp-1- prefix followed by 48+ alphanumeric characters and hyphens
Verification: Uses existing Slack auth.test API endpoint
Use Case: Authenticate apps at workspace level for Socket Mode connections and app-level functionality
Existing Slack Token Types (Already Supported)
- xoxb- Bot Token
- xoxp- User Token
- xoxa- Workspace Access Token
- xoxr- Workspace Refresh Token
New Token Type (This PR)
- xapp-1- App-Level Token (NEW)
Test Results
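A minimal Go sketch of the detection flow this PR describes, written here as an added example rather than the PR's own detector code: the xapp-1- regex behind an xapp- keyword pre-filter, and an auth.test check whose API base is injectable (assumed for testing; Slack's real base is https://slack.com/api) and that only reports verified on an "ok": true response.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// App-Level token format from the PR: xapp-1- prefix, then 48+ letters,
// digits or hyphens. The "xapp-" keyword is the cheap pre-filter.
var appLevelPat = regexp.MustCompile(`\bxapp-1-[A-Za-z0-9-]{48,}`)

// FindAppLevelTokens returns the xapp-1- tokens in chunk, skipping the
// regex entirely when the keyword pre-filter does not match.
func FindAppLevelTokens(chunk string) []string {
	if !strings.Contains(chunk, "xapp-") {
		return nil
	}
	return appLevelPat.FindAllString(chunk, -1)
}

// Verify posts to auth.test, the endpoint the PR reuses for every Slack
// token type. apiBase is injectable so a test can use a fake server
// (Slack's real base is https://slack.com/api); only "ok": true verifies.
func Verify(ctx context.Context, client *http.Client, apiBase, token string) (bool, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, apiBase+"/auth.test", nil)
	if err != nil {
		return false, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := client.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close() // one request per call, so defer is safe here
	var body struct {
		OK bool `json:"ok"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return false, err
	}
	return body.OK, nil
}

func main() {
	fmt.Println(FindAppLevelTokens("token: xapp-1-" + strings.Repeat("A1", 24)))
}
```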