
Added detector for JFrog Artifactory Reference Tokens#4684

Merged: camgunz merged 5 commits into trufflesecurity:main from shahzadhaider1:INS-263-add-artifactory-reference-token-detector on Mar 4, 2026

Conversation

@shahzadhaider1 shahzadhaider1 commented Jan 21, 2026

Summary

Adds a new detector for JFrog Artifactory Reference Tokens. Unlike JWT tokens (which start with eyJ), reference tokens are base64-encoded strings with a predictable structure:

reftkn:01:<expiry>:<random_data>

When base64-encoded, this always produces a token starting with cmVmdGtu.

Detection

Regex pattern:

\b(cmVmdGtu[A-Za-z0-9]{56})\b
  • Fixed prefix: cmVmdGtu (8 chars): base64 encoding of "reftkn"
  • Variable suffix: 56 alphanumeric characters
  • Total length: exactly 64 characters

Keyword: cmVmdGtu

Verification

Tokens are verified against the JFrog Access API:

GET https://<host>/access/api/v1/tokens/me
Authorization: Bearer <token>

This endpoint returns token metadata if valid. Available since Artifactory 7.53.1.

Response handling:

| Status     | Meaning                                         | Result             |
|------------|-------------------------------------------------|--------------------|
| 200 + JSON | Valid token                                     | Verified           |
| 200 + HTML | Invalid subdomain (redirects to login page)     | Skip host          |
| 403        | Valid token, insufficient permissions           | Verified           |
| 401        | Invalid or expired token                        | Not verified       |
| 404        | Endpoint not found (old Artifactory version)    | Verification error |

References

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)?

Note

Medium Risk
Introduces a new network-verifying detector and a new protobuf detector type, which can affect verification behavior and compatibility if the API/host handling is incorrect, but changes are otherwise additive and localized.

Overview
Adds a new ArtifactoryReferenceToken detector that finds 64-char base64 tokens prefixed with cmVmdGtu and (optionally) verifies them by calling JFrog Access API GET /access/api/v1/tokens/me against discovered/configured *.jfrog.io endpoints.

Verification logic distinguishes valid tokens from invalid subdomains (e.g., 200+HTML treated as bad host), caches unreachable/invalid hosts to avoid repeat lookups, and records verification errors/analysis metadata when appropriate. The detector is wired into the default detector set, adds unit + integration coverage, and updates the engine cloud-endpoint initialization test to allow this new detector to have no cloud endpoint; protobuf enum/types are extended with DetectorType_ArtifactoryReferenceToken = 1042.

Written by Cursor Bugbot for commit 7a5f1db. This will update automatically on new commits.
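As an added illustration (not code from the PR or from trufflehog's own detector), the Go snippet below applies the PR's regex, keeps only candidates that actually decode to the reftkn:01:<expiry>:<random> layout, and maps GET /access/api/v1/tokens/me responses to the outcomes in the response-handling table. The sample token is constructed (base64 of "reftkn:01:1700000000:" plus filler), and the treatment of status codes the table does not list is my assumption.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Pattern from the PR: base64 of "reftkn" followed by 56 alphanumerics (64 chars total).
var refTokenPat = regexp.MustCompile(`\b(cmVmdGtu[A-Za-z0-9]{56})\b`)

// Constructed sample: base64 of "reftkn:01:1700000000:" + "abc" x 9 (48 bytes), not a real token.
const sampleToken = "cmVmdGtuOjAxOjE3MDAwMDAwMDA6YWJjYWJjYWJjYWJjYWJjYWJjYWJjYWJjYWJj"

// FindReferenceTokens keeps only regex candidates whose decoded bytes carry the
// reftkn:01:<expiry>:<random> layout; lookalikes that merely share the prefix are dropped.
func FindReferenceTokens(data string) []string {
	var out []string
	for _, m := range refTokenPat.FindAllStringSubmatch(data, -1) {
		raw, err := base64.StdEncoding.DecodeString(m[1])
		if err == nil && strings.HasPrefix(string(raw), "reftkn:01:") {
			out = append(out, m[1])
		}
	}
	return out
}

// ClassifyResponse maps a GET /access/api/v1/tokens/me reply to one of the outcomes in the
// PR's response table. Statuses the table does not list fall into "error" (my assumption).
func ClassifyResponse(status int, body string) string {
	switch status {
	case 200:
		if strings.HasPrefix(strings.TrimSpace(body), "{") {
			return "verified" // JSON token metadata came back
		}
		return "skip-host" // HTML login page: wrong host, says nothing about the token
	case 403:
		return "verified" // valid token that lacks permission for this endpoint
	case 401:
		return "not-verified" // invalid or expired token
	default:
		return "error" // 404: endpoint absent before Artifactory 7.53.1
	}
}

func main() {
	fmt.Println(FindReferenceTokens("ARTIFACTORY_TOKEN=" + sampleToken))
	fmt.Println(ClassifyResponse(200, "<!DOCTYPE html><html>"), ClassifyResponse(403, ""))
}
```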

@shahzadhaider1 shahzadhaider1 requested a review from a team January 21, 2026 08:03
@shahzadhaider1 shahzadhaider1 requested review from a team as code owners January 21, 2026 08:03

@mustansir14 mustansir14 left a comment


LGTM.

@shahzadhaider1 shahzadhaider1 changed the title added detector for artifactory reference tokens Added detector for JFrog Artifactory Reference Tokens Jan 21, 2026
@shahzadhaider1 shahzadhaider1 linked an issue Jan 28, 2026 that may be closed by this pull request
@shahzadhaider1 shahzadhaider1 force-pushed the INS-263-add-artifactory-reference-token-detector branch from 1ec9128 to 9ecd554 on February 12, 2026 07:29

@cursor cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.

@shahzadhaider1 shahzadhaider1 force-pushed the INS-263-add-artifactory-reference-token-detector branch from bbae3a7 to 04d6285 on February 25, 2026 12:14
@camgunz camgunz merged commit 71c48af into trufflesecurity:main Mar 4, 2026
14 checks passed
@shahzadhaider1 shahzadhaider1 deleted the INS-263-add-artifactory-reference-token-detector branch March 4, 2026 15:57
peterfraedrich pushed a commit to peterfraedrich/trufflehog that referenced this pull request Mar 15, 2026
…y#4684)

* added detector for artifactory reference tokens

* add artifactory reference token detector to the no cloud endpoints list

* address mustansir feedback; remove the invalid host deletion

* use detectors.DetectorHttpClientWithNoLocalAddresses instead of common.SaneHttpClient() just like sibling artifactory detector

Development

Successfully merging this pull request may close these issues.

Add support for Artifactory Reference Token

5 participants