feat(detectors): add Gitea API token detector #5042
Open
0xDevNinja wants to merge 2 commits into
Add the Gitea entry to the DetectorType enum and regenerate the protobuf bindings. Refs trufflesecurity#4718
Detect Gitea API tokens (40-char lowercase hex, anchored on the "gitea" keyword) and verify them against `GET /api/v1/user` using the `Authorization: token <token>` header. Supports self-hosted instances through the standard endpoint customization (defaults to gitea.com). Populates SecretParts on every result and distinguishes determinate from indeterminate verification failures. Registered in the default detector set. Includes pattern tests, verification tests covering all five detector states, and a build-tagged integration test. Closes trufflesecurity#4718
Contributor
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit fb1d755.
| t.Fatalf("wantVerificationError = %v, verification error = %v", tt.wantVerificationErr, got[i].VerificationError()) | ||
| } | ||
| } | ||
| ignoreOpts := cmpopts.IgnoreFields(detectors.Result{}, "Raw", "RawV2", "ExtraData", "verificationError") |
Contributor
Integration test doesn't handle SecretParts field comparison
Medium Severity
The integration test's cmpopts.IgnoreFields list omits SecretParts, but FromData populates SecretParts: map[string]string{"key": token} on every result. The want structs don't set SecretParts, so cmp.Diff will report a mismatch and the test will fail when run under the detectors build tag. Every other detector that sets SecretParts either nulls it before comparison (like GitLab: got[i].SecretParts = nil) or includes "SecretParts" in the ignore list.


Description:
Closes #4718.
Adds a new verifiable detector for Gitea API tokens.
- Anchored on the `gitea` keyword to keep false positives low (a bare 40-hex string overlaps with SHA-1 hashes / commit IDs).
- Verification: `GET /api/v1/user` with the `Authorization: token <token>` header.
  - `200` → verified
  - `401`/`403` → determinately unverified (no error)
- Populates `SecretParts` (`{"key": <token>}`), per the detector guidelines.
- Uses the `EndpointSetter`/`CloudProvider` pattern, defaulting to `https://gitea.com` while supporting user-supplied endpoints.
- Added `Gitea` to the `DetectorType` enum, regenerated the protobuf bindings with `make protos`, and registered the scanner in `pkg/engine/defaults/defaults.go`.
- Tests cover all five detector states (verified, determinately unverified, indeterminate via unexpected response, indeterminate via timeout, and not-found) using mock HTTP clients, plus a build-tagged integration test for live verification.
Verified locally end to end:
Checklist:
- [ ] Tests passing (`make test-community`)?
- [ ] Lint passing (`make lint` this requires golangci-lint)?

Note
Low Risk
Additive detector following existing Git-provider patterns; verification only issues read-only API calls when enabled, with no changes to core scan engine behavior.
Overview
Adds Gitea API token scanning and optional live verification to TruffleHog.
Detection matches 40-character lowercase hex tokens only when a `gitea` keyword is nearby (to avoid SHA-1 / commit-id collisions). Results include `SecretParts` and per-endpoint `host` metadata; self-hosted instances are supported via the usual cloud default (https://gitea.com) and configurable endpoints.
Verification calls `GET /api/v1/user` with `Authorization: token …`, treating 200 as verified, 401/403 as definitively invalid, and other responses or network failures as indeterminate verification errors. On success across multiple endpoints, it stops after the first verified hit.
Wiring adds `DetectorType_Gitea` (1053) in the proto/enum, registers `gitea.Scanner` in the default detector list, and ships unit tests (pattern, status codes, timeout) plus a build-tagged integration test against live secrets.
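As an added example, not code from this PR or from TruffleHog: the detection and verification flow that the PR description and Bugbot's overview describe, written in Go against a constructed mock Gitea server so it runs offline. `Result`, `FindTokens`, `Verify`, `FromData` and `NewMockGitea` are this example's own names (`Result` is a simplified stand-in for `detectors.Result`), the 40-byte keyword window is an assumption (the PR only says the keyword must be nearby), and every token and scan line is constructed. It goes through all five states the PR lists: verified (200), determinately unverified (401/403, no error), indeterminate via unexpected response, indeterminate via timeout, and not found (bare hex with no keyword).

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
	"time"
)

// Result is a simplified stand-in for detectors.Result (error set only when indeterminate).
type Result struct {
	Raw               string
	SecretParts       map[string]string
	Verified          bool
	VerificationError error
}

// A 40-char lowercase hex token counts only when a "gitea" keyword (any case) precedes it within
// 40 bytes on the same line (window size is this example's assumption), so bare SHA-1s are skipped.
var tokenPat = regexp.MustCompile(`(?i:gitea)[^\n]{0,40}?\b([0-9a-f]{40})\b`)

// FindTokens returns every candidate token in data, in order of appearance.
func FindTokens(data []byte) []string {
	var out []string
	for _, m := range tokenPat.FindAllSubmatch(data, -1) {
		out = append(out, string(m[1]))
	}
	return out
}

// Verify calls GET <endpoint>/api/v1/user with "Authorization: token <token>".
// 200 -> (true, nil); 401/403 -> (false, nil) i.e. determinately invalid;
// any other status, transport error or timeout -> (false, err) i.e. indeterminate.
func Verify(ctx context.Context, client *http.Client, endpoint, token string) (bool, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, strings.TrimRight(endpoint, "/")+"/api/v1/user", nil)
	if err != nil {
		return false, err
	}
	req.Header.Set("Authorization", "token "+token)
	resp, err := client.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
		return true, nil
	case http.StatusUnauthorized, http.StatusForbidden:
		return false, nil
	default:
		return false, fmt.Errorf("unexpected status %d from %s", resp.StatusCode, req.URL)
	}
}

// FromData detects tokens in data and verifies each one against endpoint.
// SecretParts is populated on every result, verified or not.
func FromData(ctx context.Context, client *http.Client, endpoint string, data []byte) []Result {
	var results []Result
	for _, tok := range FindTokens(data) {
		r := Result{Raw: tok, SecretParts: map[string]string{"key": tok}}
		r.Verified, r.VerificationError = Verify(ctx, client, endpoint, tok)
		results = append(results, r)
	}
	return results
}

// NewMockGitea is a constructed stand-in for a Gitea instance (not gitea.com); status 0 means "hang".
func NewMockGitea(statuses map[string]int) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		code, ok := statuses[strings.TrimPrefix(r.Header.Get("Authorization"), "token ")]
		switch {
		case !ok:
			w.WriteHeader(http.StatusUnauthorized) // unknown token: determinate failure
		case code == 0:
			time.Sleep(300 * time.Millisecond) // longer than the client timeout below
		default:
			w.WriteHeader(code)
		}
	}))
}

// Constructed sample tokens and scan input; none of these are real credentials.
var (
	ValidTok   = strings.Repeat("ab", 20) // mock answers 200
	RevokedTok = strings.Repeat("ef", 20) // mock answers 403
	FlakyTok   = strings.Repeat("cd", 20) // mock answers 500
	SlowTok    = strings.Repeat("99", 20) // mock hangs
	SampleData = []byte("gitea_token=" + ValidTok + "\n" +
		"commit " + strings.Repeat("01", 20) + " (bare hex, no keyword: not a finding)\n" +
		"GITEA_API_KEY: " + RevokedTok + "\n" +
		"export gitea=" + FlakyTok + "\n" +
		"gitea token " + SlowTok + "\n")
)

func main() {
	srv := NewMockGitea(map[string]int{ValidTok: 200, RevokedTok: 403, FlakyTok: 500, SlowTok: 0})
	defer srv.Close()
	client := &http.Client{Timeout: 100 * time.Millisecond}
	for _, r := range FromData(context.Background(), client, srv.URL, SampleData) {
		fmt.Printf("%s... verified=%t err=%v\n", r.Raw[:8], r.Verified, r.VerificationError)
	}
}
```

`go run` prints one line per finding: the first token verifies, the 403 token is reported unverified with no error (a revoked or wrong token is a definite answer, not a scanner fault), and the 500 and hanging tokens come back unverified with an error so a consumer can tell "invalid" from "could not check". Because `SecretParts` is set on every result, any table-driven test comparing against `want` structs has to null it or add it to the ignore list, which is the mismatch Bugbot flagged in the integration test above.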