feat(detectors): add Rancher/Cattle token detector #4960
Detects Rancher API tokens by matching common Rancher/Cattle variable
names (CATTLE_TOKEN, RANCHER_TOKEN, CATTLE_BOOTSTRAP_PASSWORD,
RANCHER_API_TOKEN, RANCHER_SECRET_KEY) followed by a 54-64 char
lowercase alphanumeric token.
Anchoring detection to known variable names avoids false positives on
generic [a-z0-9]{54,64} strings. Verification requires a live Rancher
server URL (CATTLE_SERVER) which is not available at scan time, so
matched tokens are flagged as unverified.
Closes trufflesecurity#4622
verifyRancherToken was returning a non-nil error, causing SetVerificationError to mark every result as unknown instead of unverified. Tokens were silently dropped unless --results=unknown was set. Returning (false, nil) correctly classifies them as unverified.
…re case-sensitive
The global (?i) flag was widening the [a-z0-9]{54,64} capture group to
also match uppercase letters, causing false positives on uppercase strings.
Rancher tokens are lowercase alphanumeric only.
Replace (?i)(?:PREFIX) with (?i:PREFIX) so case-insensitivity applies
only to the variable name prefix, matching the pattern used by
azure_storage and other detectors in the codebase.
Added an uppercase token test case to assert the capture group
remains case-sensitive.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 2 total unresolved issues (including 1 from previous review).
Reviewed by Cursor Bugbot for commit 5c0ee37.
…oundary, and ordering - Add missing context import (was causing build failure) - Add \b after token capture group to prevent matching first 64 chars of tokens longer than 64 chars (false positive on truncated values) - Drop unused verify scaffolding (net/http, verifyRancherToken, defaultClient) so results are correctly classified as unverified, not unknown - Fix alphabetical ordering of rancher import and registration in defaults.go (ramp < rancher) - Add test case for over-length token rejection
Nice work on this detector, the regex scoping of (?i:PREFIX) and the \b boundary fix are exactly right.
…tector # Conflicts: # pkg/pb/detector_typepb/detector_type.pb.go # proto/detector_type.proto

Summary
Closes #4622. Adds a detector for Rancher API tokens (used by the Rancher Kubernetes management platform, deployed at 37,000+ organizations).
Detection Strategy
Tokens are anchored to known Rancher/Cattle variable names to avoid false positives on generic
[a-z0-9]{54,64} strings (as flagged in the issue):
Regex pattern:
Verification
Verification requires a live Rancher server URL (CATTLE_SERVER) which is not available at scan time. Matched tokens are returned as unverified. A future enhancement could extract CATTLE_SERVER from the same context chunk and attempt GET {server}/v3 with Authorization: Bearer {token}.
Changes
- pkg/detectors/rancher/rancher.go — detector implementation
- pkg/detectors/rancher/rancher_test.go — pattern tests (env file, quoted values, no-context rejection, length rejection)
- proto/detector_type.proto — Rancher = 1050
- pkg/pb/detector_typepb/detector_type.pb.go — generated enum update
- pkg/engine/defaults/defaults.go — registered &rancher.Scanner{}
Test Results
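As an added example (not the PR's own code), the pattern the description and the two regex commits describe, assembled in Go so that the scoping of (?i:...) to the variable-name prefix and the trailing \b can be checked against the cases the PR's tests cover (env file, quoted value, uppercase value, over-length value, no variable name). The exact alternation and assignment syntax are an assumption, since the PR's regex is not reproduced on this page:

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed pattern modelled on the PR description (assumption, not the
// merged regex): the variable-name prefix is case-insensitive via a scoped
// (?i:...) group, the assignment is "=" or ":" with optional quotes, and the
// token itself is a case-sensitive 54-64 char lowercase alphanumeric run
// closed by \b so the first 64 chars of a longer value are not captured.
var rancherTokenPat = regexp.MustCompile(
	`(?i:CATTLE_TOKEN|RANCHER_TOKEN|CATTLE_BOOTSTRAP_PASSWORD|RANCHER_API_TOKEN|RANCHER_SECRET_KEY)` +
		`\s*[=:]\s*["']?([a-z0-9]{54,64})\b`)

// FindRancherTokens returns every captured token value in data (nil if none).
func FindRancherTokens(data string) []string {
	var out []string
	for _, m := range rancherTokenPat.FindAllStringSubmatch(data, -1) {
		out = append(out, m[1])
	}
	return out
}

func main() {
	// Constructed 60-char lowercase alphanumeric value standing in for a token.
	tok := strings.Repeat("a1b2c3", 10)
	cases := []struct{ name, input string }{
		{"env file", "CATTLE_TOKEN=" + tok},                       // match
		{"quoted yaml", "rancher_api_token: \"" + tok + "\""},      // match: prefix is case-insensitive
		{"uppercase value", "RANCHER_TOKEN=" + strings.ToUpper(tok)}, // no match: token class is lowercase
		{"over-length", "CATTLE_TOKEN=" + tok + "extra0"},          // no match: 66 chars, \b never satisfied
		{"no variable name", tok},                                  // no match: no anchoring prefix
	}
	for _, c := range cases {
		fmt.Printf("%-16s -> %v\n", c.name, FindRancherTokens(c.input))
	}
}
```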
Note
Low Risk
Additive detector-only change with no auth or runtime behavior changes beyond new scanning rules.
Overview
Adds a Rancher secret detector for Kubernetes management API tokens tied to Rancher/Cattle env-style names (CATTLE_TOKEN, RANCHER_TOKEN, CATTLE_BOOTSTRAP_PASSWORD, RANCHER_API_TOKEN, RANCHER_SECRET_KEY). Matches =/: assignments with optional quotes, requiring a lowercase [a-z0-9]{54,64} value so bare random strings are not flagged. Results are unverified (no live CATTLE_SERVER at scan time). Registers DetectorType_Rancher (1053) and wires rancher.Scanner into default detectors, with pattern tests for env files, quoting, and negative cases.
Reviewed by Cursor Bugbot for commit 922fdec.