[INS-410] Added batch token detector #4833
Closed
MuneebUllahKhan222 wants to merge 6 commits into trufflesecurity:main from
Description

This PR adds the HashiCorp Vault Token Detector. It scans for various types of HashiCorp Vault authentication tokens (including standard service tokens, periodic tokens, and legacy tokens) and associated Vault server endpoints. The detector supports live verification against the custom endpoints.

Token Regex:
    \b(hvb\.[A-Za-z0-9_.-]{50,300})\b

Endpoint Regex:
    (https?:\/\/[^\s\/]*\.hashicorp\.cloud(?::\d+)?)(?:\/[^\s]*)?

Verification

Verification is performed by sending a GET request to the Vault server's auth/token/lookup-self endpoint using the detected token in the X-Vault-Token header.

A response code of 200 OK indicates the token is valid. In this case, the detector extracts and returns metadata about the token to assist with remediation, including:
- Policies: The permissions associated with the token.
- Entity ID: Useful for identifying the identity/owner and revoking the token.
- Attributes: orphan and renewable status.

A response code of 401 Unauthorized or 403 Forbidden indicates the token is invalid or has been revoked. This verification is safe as lookup-self is a read-only metadata operation that does not consume secrets or trigger state changes within the Vault cluster.
Corpora Test
The detector does not appear in the list.

Checklist:
- Tests passing (make test-community)?
- Lint passing (make lint, this requires golangci-lint)?

Note
Medium Risk
Adds a new detector that performs live HTTP verification against user-discovered Vault endpoints; mistakes in regex matching or endpoint handling could increase false positives/negatives or cause unexpected outbound requests during scans.
Overview
Adds a new HashiCorpVaultBatchToken detector that finds hvb. batch tokens, extracts accompanying *.hashicorp.cloud Vault endpoints, and (optionally) verifies tokens via GET /v1/auth/token/lookup-self using the X-Vault-Token header while attaching token metadata to results.

Wires the detector into default engine detector lists and updates protobuf DetectorType enums (plus engine tests) so the new detector is recognized and treated as having no cloud endpoint. Includes unit tests, an integration test using stored secrets, and a benchmark for FromData.

Written by Cursor Bugbot for commit 8710f1c.
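The flow described in the PR description and in the Bugbot overview above (regex extraction of a token and its *.hashicorp.cloud endpoint, then a read-only lookup-self check that returns policies, entity ID, orphan and renewable flags) can be demonstrated end to end offline. The following is an added example written for this page; it is not the PR's detector nor code from trufflehog. It reuses the two regexes quoted in the description verbatim. Everything else is an assumption of the example: the pairing of every distinct token with every distinct endpoint, the `sampleData` input and `sampleToken` value (constructed, not a real secret), and the `NewFakeVault` httptest server that stands in for a Vault cluster. The JSON field names `policies`, `entity_id`, `orphan` and `renewable` are the ones Vault returns under `data` for lookup-self. A non-200/401/403 status is surfaced as an error rather than as "invalid", so an unreachable or misbehaving endpoint is not misreported as a revoked token.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
	"time"
)

// The two regexes quoted in the PR description.
var (
	tokenPat    = regexp.MustCompile(`\b(hvb\.[A-Za-z0-9_.-]{50,300})\b`)
	endpointPat = regexp.MustCompile(`(https?:\/\/[^\s\/]*\.hashicorp\.cloud(?::\d+)?)(?:\/[^\s]*)?`)
)

// Candidate pairs a token with a Vault endpoint found in the same input.
type Candidate struct {
	Token    string
	Endpoint string // empty when the input carried no *.hashicorp.cloud URL
}

// TokenInfo holds the lookup-self metadata the PR attaches to verified results.
type TokenInfo struct {
	Policies  []string
	EntityID  string
	Orphan    bool
	Renewable bool
}

// lookupSelfResp mirrors the part of Vault's lookup-self JSON body we need.
type lookupSelfResp struct {
	Data struct {
		Policies  []string `json:"policies"`
		EntityID  string   `json:"entity_id"`
		Orphan    bool     `json:"orphan"`
		Renewable bool     `json:"renewable"`
	} `json:"data"`
}

// FindCandidates applies both regexes and pairs each distinct token with each
// distinct endpoint (the pairing strategy is an assumption of this example).
func FindCandidates(data string) []Candidate {
	var endpoints []string
	seenEP := map[string]bool{}
	for _, m := range endpointPat.FindAllStringSubmatch(data, -1) {
		if ep := m[1]; !seenEP[ep] {
			seenEP[ep] = true
			endpoints = append(endpoints, ep)
		}
	}
	var out []Candidate
	seenTok := map[string]bool{}
	for _, m := range tokenPat.FindAllStringSubmatch(data, -1) {
		tok := m[1]
		if seenTok[tok] {
			continue
		}
		seenTok[tok] = true
		if len(endpoints) == 0 {
			out = append(out, Candidate{Token: tok})
			continue
		}
		for _, ep := range endpoints {
			out = append(out, Candidate{Token: tok, Endpoint: ep})
		}
	}
	return out
}

// VerifyToken performs the read-only GET /v1/auth/token/lookup-self check.
// 200 -> valid with metadata; 401/403 -> invalid or revoked; anything else is
// an error, so a flaky endpoint is not reported as a revoked token.
func VerifyToken(client *http.Client, baseURL, token string) (bool, *TokenInfo, error) {
	url := strings.TrimRight(baseURL, "/") + "/v1/auth/token/lookup-self"
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return false, nil, err
	}
	req.Header.Set("X-Vault-Token", token)
	resp, err := client.Do(req)
	if err != nil {
		return false, nil, err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
		var body lookupSelfResp
		if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
			return false, nil, err
		}
		return true, &TokenInfo{Policies: body.Data.Policies, EntityID: body.Data.EntityID,
			Orphan: body.Data.Orphan, Renewable: body.Data.Renewable}, nil
	case http.StatusUnauthorized, http.StatusForbidden:
		return false, nil, nil
	default:
		return false, nil, fmt.Errorf("lookup-self: unexpected status %d", resp.StatusCode)
	}
}

// NewFakeVault is a constructed stand-in for a Vault server (offline demo only):
// it answers lookup-self with 200 and metadata for one known token, 403 otherwise.
func NewFakeVault(validToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet || r.URL.Path != "/v1/auth/token/lookup-self" {
			http.NotFound(w, r)
			return
		}
		if r.Header.Get("X-Vault-Token") != validToken {
			w.WriteHeader(http.StatusForbidden)
			fmt.Fprint(w, `{"errors":["permission denied"]}`)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"data":{"policies":["default","app-read"],"entity_id":"constructed-entity-id","orphan":false,"renewable":true}}`)
	}))
}

// Constructed sample input; the token is not a real secret (67 body chars, inside {50,300}).
const sampleToken = "hvb." + "AAAAAQKexampleCONSTRUCTEDtokenNOTreal" + "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

const sampleData = "# constructed sample config, not a real secret\n" +
	"VAULT_ADDR=https://vault-cluster-example.hashicorp.cloud:8200/ui/\n" +
	"VAULT_TOKEN=" + sampleToken + "\n" +
	"OLD_TOKEN=hvb.short\n" // too short for the {50,300} bound, must not match

func main() {
	srv := NewFakeVault(sampleToken)
	defer srv.Close()
	client := &http.Client{Timeout: 5 * time.Second}
	for _, c := range FindCandidates(sampleData) {
		// Offline demo: the fake server stands in for the discovered endpoint.
		valid, info, err := VerifyToken(client, srv.URL, c.Token)
		fmt.Printf("endpoint=%s valid=%v info=%+v err=%v\n", c.Endpoint, valid, info, err)
	}
}
```

Running it yields one candidate (the `/ui/` path is dropped by the endpoint regex's capture group, and `hvb.short` is rejected by the length bound), a valid verdict with the fake server's policies and entity ID, and a plain "invalid" verdict (no error) when the server answers 403.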