Skip to content

Update artifactory detector with basic auth support #4605

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
zacharyyun wants to merge 11 commits into
base: main
Choose a base branch
from
Open

Update artifactory detector with basic auth support #4605

zacharyyun wants to merge 11 commits into from

Conversation

@zacharyyun
Copy link

@zacharyyun zacharyyun commented Dec 17, 2025
edited
Loading

Description:

Enhance artifactory detector with basic auth detection and verification

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)?

@zacharyyun zacharyyun requested a review from a team December 17, 2025 02:00
@zacharyyun zacharyyun requested a review from a team as a code owner December 17, 2025 02:00
@CLAassistant
Copy link

CLAassistant commented Dec 17, 2025
edited
Loading

CLA assistant check
All committers have signed the CLA.

amanfcp
amanfcp reviewed Dec 17, 2025
View reviewed changes
Copy link
Contributor

@amanfcp amanfcp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the contribution @zacharyyun

This seems like a suitable case for a V2. See this

@zacharyyun
Copy link
Author

zacharyyun commented Dec 17, 2025

V1/V2 added, thanks @amanfcp

amanfcp
amanfcp requested changes Dec 18, 2025
View reviewed changes
@zacharyyun zacharyyun requested a review from amanfcp December 18, 2025 22:38
shahzadhaider1
shahzadhaider1 reviewed Jan 2, 2026
View reviewed changes
Copy link
Contributor

@shahzadhaider1 shahzadhaider1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work on this, thanks!
I have a couple of design-related suggestions around how the detector is structured that I’d like to discuss.

@zacharyyun zacharyyun requested review from a team as code owners January 6, 2026 19:14
@shahzadhaider1
Copy link
Contributor

shahzadhaider1 commented Jan 9, 2026
edited
Loading

The code looks good to me. However, when I tested it locally, the newly added Artifactory detector does not appear to detect Artifactory Basic Auth URL combinations. The URI detector successfully detects the test secrets, but when the URI detector is disabled, no results are returned. Please guide me if I am doing anything wrong. Screenshot attached.

image

@zacharyyun
Copy link
Author

zacharyyun commented Jan 9, 2026

The code looks good to me. However, when I tested it locally, the newly added Artifactory detector does not appear to detect Artifactory Basic Auth URL combinations. The URI detector successfully detects the test secrets, but when the URI detector is disabled, no results are returned. Please guide me if I am doing anything wrong. Screenshot attached.

image

Missed swapping one detector field from ArtifactoryAccessToken to ArtifactoryBasicAuth, should be all set now

@shahzadhaider1
Copy link
Contributor

shahzadhaider1 commented Jan 19, 2026

The code looks good to me. However, when I tested it locally, the newly added Artifactory detector does not appear to detect Artifactory Basic Auth URL combinations. The URI detector successfully detects the test secrets, but when the URI detector is disabled, no results are returned. Please guide me if I am doing anything wrong. Screenshot attached.
image

Missed swapping one detector field from ArtifactoryAccessToken to ArtifactoryBasicAuth, should be all set now

Hey, I don’t think this addresses the issue I was referring to. What I was trying to highlight is that the reported detector type for these findings is URI, not ArtifactoryBasicAuth. That suggests the newly added detector isn’t actually detecting these secrets--they’re being picked up by the existing URI detector instead.

Could you double-check whether the basic auth credentials detected in the screenshot match the format this new detector expects?

detector-type-uri

@zacharyyun
Copy link
Author

zacharyyun commented Jan 26, 2026

Could you double-check whether the basic auth credentials detected in the screenshot match the format this new detector expects?

Hi @shahzadhaider1, I double checked and confirm the credentials in your SS match the format the detector expects. I looked further into the issue and found that it looks like the new detector picks up the patterns correctly, but is placing them in the filtered_unverified bucket. If you add --results=filtered_unverified to your command it should output the expected results.

I haven't been able to figure out why my results are being put into the filtered_verification bucket after testing, if you can shed some light on how the actual filtering takes place, thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@amanfcp amanfcp Awaiting requested review from amanfcp

@shahzadhaider1 shahzadhaider1 Awaiting requested review from shahzadhaider1

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@zacharyyun @CLAassistant @shahzadhaider1 @amanfcp @kashifkhan0771