feat(detectors): add VaultRootToken detector#5091
Conversation
Add detector for HTTP Basic Authentication tokens (BSCAU002). Detects Authorization: Basic <base64> patterns and decodes them to extract username:password credentials. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
feat(detectors): add BasicAuth detector
Add detector for Docker Swarm Unlock Keys (DKRSWRM002). Detects SWMKEY-1-<base64> patterns used to unlock locked Docker Swarm managers. Validates format and returns verified status for properly formatted keys. Docker Swarm unlock keys are 52+ character tokens starting with SWMKEY-1- prefix followed by base64-encoded data. These keys are used to unlock encrypted swarm state after manager node restarts. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add detector for Duffel API tokens (DFL001).
Detects duffel_test_ and duffel_live_ token patterns
used to access Duffel's travel booking API.
Duffel is a travel API platform for booking flights, stays,
and ground transportation. Tokens are 40-60 character strings
with test/live prefixes. Only test tokens are verified
automatically for safety.
Pattern: duffel_(test|live)_[a-zA-Z0-9_-]{40,60}
API Version: v2 (v1 deprecated)
Verification: GET /air/airlines endpoint
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add detector for HashiCorp Vault tokens (TF030). Detects hvs., hvb., hvr., and legacy s. token formats used to authenticate with Vault servers. HashiCorp Vault tokens are used to access secrets, manage policies, and perform administrative operations. Supports multiple token formats: - Service tokens (hvs.): Vault 1.10+ format, 90+ chars - Batch tokens (hvb.): 138+ chars - Recovery tokens (hvr.): 138+ chars - Legacy service tokens (s.): 24+ chars Pattern detection works for all formats. Verification attempts to connect to common Vault endpoints but will show unverified status without accessible server. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add detection for Slack App-Level tokens (SVC027).
Extends existing Slack detector to support xapp-1- token format
used for app-level authentication.
Slack App-Level tokens are used to authenticate apps at the
workspace level, allowing Socket Mode connections and other
app-level functionality. Format: xapp-1-[A-Za-z0-9-]{48,}
Changes:
- Add pattern for App-Level tokens (xapp-1-)
- Update keywords to include "xapp-"
- Add test cases for valid/invalid App-Level tokens
- Supports lowercase hex characters in token body
Verification uses existing auth.test endpoint which works
for all Slack token types including App-Level tokens.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Enhance AWS AppSync detector with more robust verification: - Add two-query fallback strategy (introspection → __typename) - Improve error detection in response body for 200 status - Better handling of schema vs authentication errors - Detect GraphQLSchemaException and treat as valid key - Add 400 and 404 status code handling - Parse JSON response body for UnauthorizedException - Distinguish between "no schema" (valid key) and "invalid key" Previously, the detector only tried a single __typename query. Now it attempts introspection first for better coverage, with fallback to __typename if introspection fails. Verification now correctly identifies: - Valid keys with schemas (200 + data) - Valid keys without schemas (200/502 + schema errors) - Invalid keys (401/403 or UnauthorizedException in body) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add detector for HashiCorp Vault root tokens (TF034).
Detects hvs. and s. token formats specifically in root token
context (vault init output, root_token variables).
HashiCorp Vault root tokens are special tokens with unrestricted
access generated during vault initialization. Unlike regular
service tokens, root tokens should be tightly controlled and
rotated regularly.
Format-based verification identifies:
- New format: hvs.XXXXX (28+ chars, typically ~28-100)
- Legacy format: s.XXXXX (26+ chars)
Keywords target root token context: "root_token", "root token",
"initial root token", "VAULT_ROOT_TOKEN" to reduce false positives
with regular service tokens.
Pattern: hvs.[A-Za-z0-9]{20,} or s.[a-zA-Z0-9]{24,}
Verification: Format validation (API verification skipped for
security - root tokens shouldn't be tested against live systems)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
Deeraj CM seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it. |
| if err != nil { | ||
| continue | ||
| } | ||
| defer resp.Body.Close() |
There was a problem hiding this comment.
Deferred response body close inside loop causes resource leak
Medium Severity
defer resp.Body.Close() is called inside the for loop iterating over vaultUrls. In Go, defer runs when the enclosing function returns, not when the loop iteration ends. When the switch hits StatusBadRequest or default and continues, the response body stays open. Multiple iterations accumulate unclosed response bodies until the function finally returns, causing a resource leak of HTTP connections and file descriptors.
Reviewed by Cursor Bugbot for commit fd75bdc. Configure here.
| } | ||
|
|
||
| var ( | ||
| defaultClient = detectors.DetectorHttpClientWithNoLocalAddresses |
There was a problem hiding this comment.
Verification uses localhost-blocking client with localhost-only endpoints
Medium Severity
defaultClient is DetectorHttpClientWithNoLocalAddresses, which blocks connections to loopback/private IPs. The only HTTP endpoint tried is localhost:2375, which will always be rejected. The unix socket is explicitly skipped. So the HTTP verification is dead code, and the fallback format check at line 98 always passes for any regex-matched token, making every detection unconditionally Verified: true.
Additional Locations (2)
Reviewed by Cursor Bugbot for commit fd75bdc. Configure here.
| &dronahq.Scanner{}, | ||
| &droneci.Scanner{}, | ||
| &dropbox.Scanner{}, | ||
| &duffel.Scanner{}, |
There was a problem hiding this comment.
Duffel still in test exclusion list after implementation
High Severity
The Duffel detector is now registered in defaults.go, but DetectorType_Duffel remains in the excludedFromDefaultList map in defaults_test.go. The TestAllDetectorTypesAreInDefaultList test performs a reverse check that fails when a type appears in both the active detector list and the exclusion list, so this will cause a test failure.
Reviewed by Cursor Bugbot for commit fd75bdc. Configure here.
| return a | ||
| } | ||
| return b | ||
| } |
There was a problem hiding this comment.
Redundant custom min function shadows Go builtin
Low Severity
A custom min function is defined that duplicates the built-in min available since Go 1.21. The project uses Go 1.25 (per go.mod), so this package-level function unnecessarily shadows the builtin and adds dead code.
Reviewed by Cursor Bugbot for commit fd75bdc. Configure here.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 5 total unresolved issues (including 4 from previous reviews).
Reviewed by Cursor Bugbot for commit d633f93. Configure here.
| SpectralOps = 1051; | ||
| AWSAppSync = 1052; | ||
| BrainTrustApiKey = 1053; | ||
| ShippoLiveToken = 1053; |
There was a problem hiding this comment.
Enum value 1053 reassigned breaking existing BrainTrust detector
High Severity
Enum value 1053 was reassigned from BrainTrustApiKey to ShippoLiveToken, but the existing braintrust detector package still references DetectorType_BrainTrustApiKey and is still registered in defaults.go. This removes a live enum constant that's actively used by production code.
Reviewed by Cursor Bugbot for commit d633f93. Configure here.


Summary
Add detector for HashiCorp Vault root tokens (TF034).
Changes
VaultRootTokendetector for root tokens generated during vault inithvs.[A-Za-z0-9]{20,}ors.[a-zA-Z0-9]{24,}VaultRootToken = 1064to proto definitionsdefaults.goDetector Details
Type: HashiCorp Vault Root Token
Patterns:
hvs.XXXXX(28+ characters)s.XXXXX(26+ characters)Keywords: Specifically targets root token context to reduce false positives with regular service tokens
Verification: Format validation only - root tokens have unrestricted access and shouldn't be tested against live systems
Use Case: Detect exposed root tokens from vault initialization output
Context-Aware Detection
Unlike regular Vault tokens, this detector uses specific keywords to identify root token context:
root_token(variable names)Initial Root Token:(vault init output)VAULT_ROOT_TOKEN(environment variables)This reduces false positives while maintaining high detection rate for actual root tokens.
Security Note
Root tokens have unrestricted access to all Vault operations. Format-only verification is intentional:
Test Results