
Storyblok Detector Fails to Detect Personal Access Token #3909

Open
joeleonjr opened this issue Feb 13, 2025 · 0 comments
Labels
bug pkg/detectors PRs and Issues related to the `detectors` package

joeleonjr (Contributor)

Actual Behavior

The Storyblok detector alerts on access tokens (which are tied to a Storyblok space), but not personal access tokens that access the Storyblok Management API. The REGEX for the personal access tokens is different from the one for the CDN keys.

Suggested Improvements

  1. Update the existing verification check to exclude "Public" access tokens from being marked as valid, since these are meant to be exposed client-side and are not secrets.
  2. There is an argument to be made that "Preview" access tokens should remain private, though the impact is probably not that great, so I believe those should continue to be considered secrets.
  3. There are two other new access token types: "Theme" and "Asset". I'm unclear as to whether they should be considered a secret or not and the Storyblok docs aren't updated yet with details.
  4. Add a new detector for the Storyblok Management API key type. Maybe it's just the same detector with a separate REGEX and a field in extra_data indicating that it's for a different service within Storyblok. These keys have the largest impact.
@joeleonjr joeleonjr added bug pkg/detectors PRs and Issues related to the `detectors` package labels Feb 13, 2025
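As an added sketch of suggestion 4 (one detector, two regexes, a service field in extra_data) combined with suggestion 1's exclusion of Public tokens, written for this page and not taken from the issue or from the project's detectors package. The regexes, the injected verify callback and the sample tokens are assumptions and constructed placeholders, not Storyblok's real token formats or API.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Result mirrors a detector finding: token, verification state, ExtraData.
type Result struct {
	Raw       string
	Verified  bool
	ExtraData map[string]string
}

// Placeholder patterns assumed for this example (not Storyblok's real formats); the keyword prefix tells the families apart.
type family struct{ pat *regexp.Regexp; service string }
var families = []family{
	{regexp.MustCompile(`(?i)storyblok[_-]?(?:access[_-]?)?token[=:"'\s]+([A-Za-z0-9]{22,})`), "cdn"},
	{regexp.MustCompile(`(?i)storyblok[_-]?(?:management|personal)[_-]?token[=:"'\s]+([A-Za-z0-9-]{22,})`), "management"},
}

// Scan tags each hit with its Storyblok service and drops CDN tokens the verifier
// reports as "public" (client-side by design, so not secrets); nil verify = report unverified.
func Scan(data string, verify func(tok, svc string) (level string, ok bool)) []Result {
	var out []Result
	for _, fam := range families {
		for _, m := range fam.pat.FindAllStringSubmatch(data, -1) {
			r := Result{Raw: m[1], ExtraData: map[string]string{"service": fam.service}}
			if verify != nil {
				level, ok := verify(r.Raw, fam.service)
				if fam.service == "cdn" && strings.EqualFold(level, "public") {
					continue
				}
				r.Verified, r.ExtraData["access_level"] = ok, level
			}
			out = append(out, r)
		}
	}
	return out
}

func main() { // constructed sample; the stub verifier treats "pub"-prefixed CDN tokens as public
	stub := func(tok, svc string) (string, bool) {
		if svc == "cdn" && strings.HasPrefix(tok, "pub") {
			return "public", true
		}
		return "private", true
	}
	fmt.Printf("%+v\n", Scan("STORYBLOK_ACCESS_TOKEN=pubAAAAAAAAAAAAAAAAAAAAAA\nSTORYBLOK_PERSONAL_TOKEN=mgmtBBBBBBBBBBBBBBBBBBBBBB\n", stub))
}
```

In a real detector the verify callback is where the live API check goes; the filter on "public" is what keeps client-side tokens out of the findings.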