feat: add Rancher/Cattle token detector#4874

Open

moeedrehman135 wants to merge 3 commits intotrufflesecurity:mainfrom

moeedrehman135:feat/rancher-token-detector

moeedrehman135 commented Apr 8, 2026 •

edited by cursor bot

Loading

Summary

Adds a detector for Rancher/Cattle API tokens as requested in #4622.

Changes

New detector in pkg/detectors/rancher/
Regex matches CATTLE_TOKEN, RANCHER_TOKEN, CATTLE_BOOTSTRAP_PASSWORD, RANCHER_API_TOKEN patterns
Requires server context (CATTLE_SERVER or RANCHER_URL) nearby to reduce false positives
HTTP verification against Rancher v3 API
Pattern tests included
Registered in defaults.go

Testing

All pattern tests pass:

Valid token with server context
Invalid token (too short)
Token without server context (should not detect)

Closes #4622

Note

Medium Risk
Adds a new secret detector with optional live HTTP verification and wires it into the default detector set; main risk is false positives/negatives or unintended network calls when verify is enabled.

Overview
Adds a new rancher detector that identifies Rancher/Cattle API tokens only when a matching CATTLE_SERVER/RANCHER_URL is present, and (optionally) verifies candidates via a GET /v3 request using a Bearer token.

Registers the new detector in the default detector list and introduces a new DetectorType_Rancher enum value in protobuf-generated types, with accompanying pattern tests and a benchmark.

^{Reviewed by Cursor Bugbot for commit 7401a70. Bugbot is set up for automated code reviews on this repo. Configure here.}

moeedrehman135 requested a review from a team

April 8, 2026 14:42

moeedrehman135 requested review from a team as code owners

April 8, 2026 14:42

CLAassistant commented Apr 8, 2026 •

edited

Loading

All committers have signed the CLA.

cursor bot reviewed

View reviewed changes

pkg/detectors/rancher/rancher.go Outdated Show resolved Hide resolved

pkg/detectors/rancher/rancher.go

+              var (
+              	tokenPattern = regexp.MustCompile(
+              		`(?i)(?:CATTLE_TOKEN|RANCHER_TOKEN|CATTLE_BOOTSTRAP_PASSWORD|RANCHER_API_TOKEN)[^\w]{1,4}([a-z0-9]{54,64})`,
+              	)

cursor bot Apr 8, 2026

Token regex won't match real Rancher token format

High Severity

Real Rancher API tokens use the format token-xxxxx:yyyyyyyyyy (containing hyphens and colons), as documented in Rancher's official API docs. The capture group [a-z0-9]{54,64} only allows lowercase alphanumerics, so it will never match actual CATTLE_TOKEN or RANCHER_TOKEN values. The test data uses a fabricated token (kubeadmin5f8a3b...) that doesn't resemble any real Rancher token format, masking this fundamental mismatch.

^{Reviewed by Cursor Bugbot for commit 86cc6fa. Configure here.}


          feat: add Rancher/Cattle token detector

74f5a74

- Add regex pattern for CATTLE_TOKEN/RANCHER_API_TOKEN format
- Require server context (CATTLE_SERVER/RANCHER_URL) to reduce false positives
- Add HTTP verification against Rancher v3 API
- Add pattern tests
- Register detector in defaults.go

Closes trufflesecurity#4622

moeedrehman135 force-pushed the feat/rancher-token-detector branch from 86cc6fa to 74f5a74 Compare

April 8, 2026 15:05

cursor bot reviewed

View reviewed changes

pkg/detectors/rancher/rancher.go

+              	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
+              )
+              type Scanner struct{}

cursor bot Apr 8, 2026

Missing multi-part credential provider causes missed detections

Medium Severity

The Scanner struct doesn't embed detectors.DefaultMultiPartCredentialProvider, even though the detector requires two distinct patterns (server context via serverPattern and secret via tokenPattern) to co-occur in the same data chunk. Without this, the Aho-Corasick span calculator uses its default 512-byte radius, so if the server URL and token are farther apart in the scanned data, the chunk delivered to FromData may lack one of the two patterns, causing valid credentials to be silently missed. All comparable multi-part detectors (e.g., mattermostpersonaltoken, formsite) embed this provider.

^{Reviewed by Cursor Bugbot for commit 74f5a74. Configure here.}


          fix(rancher): extract server URL from data for verification and updat…

86414aa

…e regex

cursor bot reviewed

View reviewed changes

pkg/detectors/rancher/rancher.go Show resolved Hide resolved


          fix(rancher): extract server URL from data, fix regex to support ports

7401a70

cursor bot reviewed

View reviewed changes

cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 3 total unresolved issues (including 2 from previous reviews).

^{Reviewed by Cursor Bugbot for commit 7401a70. Configure here.}

pkg/detectors/rancher/rancher.go

+              			req.Header.Set("Authorization", "Bearer "+token)
+              			res, err := client.Do(req)
+              			if err == nil {
+              				defer res.Body.Close()

cursor bot Apr 10, 2026

Deferred body close accumulates in loop iterations

Medium Severity

The defer res.Body.Close() is inside a for loop, so response bodies won't be closed until FromData returns rather than at the end of each iteration. This accumulates open connections/file descriptors across iterations. A comparable detector (pivotaltracker) with nearly identical structure correctly uses res.Body.Close() without defer in its loop.

^{Reviewed by Cursor Bugbot for commit 7401a70. Configure here.}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet