Add validation for GCP application default credentials detector #4198

Open. amanfcp wants to merge 6 commits into base: main
Conversation

@amanfcp (Contributor) commented Jun 2, 2025

Improve GCP Application Default Credentials Detection

Background

Google Cloud Platform (GCP) supports multiple types of credential JSON files, each with different structures:

  1. User Credentials (OAuth 2.0 Client ID) - Used for user authentication
  2. Service Account Keys - Used for service-to-service authentication
  3. Workload Identity Federation - Used for external identity providers

Currently, our detector assumes User Credentials format. According to GCP documentation, User Credentials JSON will always contain these specific fields:

  • client_id
  • client_secret
  • refresh_token
  • type

Changes

  • Added explicit validation of credential JSON structure through the isValid() method to ensure we only process User Credentials
  • Enhanced the detector to properly handle and verify User Credentials while avoiding false positives from other credential types

Impact

This change makes our GCP credential detection more accurate by reducing false positives from other credential types (OSS-91).

Closes issue-3717

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)?
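The structural check the description lays out, written out as an added example (not the project's own code): a Go type for the four user-credential fields, an `isValid` method that requires all of them, and a `classify` helper that skips malformed JSON and any document missing those fields, such as a service account key. The type and function names and the sample JSON documents are constructed for illustration; a real `authorized_user` file is assumed to carry the same four keys the description lists.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// userCredentials mirrors the fields a GCP user-credential JSON file carries.
// Illustrative type; not the detector's own struct.
type userCredentials struct {
	ClientID     string `json:"client_id"`
	ClientSecret string `json:"client_secret"`
	RefreshToken string `json:"refresh_token"`
	Type         string `json:"type"`
}

// isValid reports whether every required field is present and non-empty.
// A service-account key or workload-identity file lacks client_secret and
// refresh_token, so it fails here and is never treated as a user credential.
func (c userCredentials) isValid() bool {
	return c.ClientID != "" && c.ClientSecret != "" &&
		c.RefreshToken != "" && c.Type != ""
}

// classify parses raw JSON and returns "user" for a structurally complete
// user-credential document and "skip" for anything else. Malformed JSON
// also yields "skip" together with the parse error.
func classify(raw []byte) (string, error) {
	var c userCredentials
	if err := json.Unmarshal(raw, &c); err != nil {
		return "skip", err
	}
	if !c.isValid() {
		return "skip", nil
	}
	return "user", nil
}

// Constructed sample documents (placeholder values, not real credentials).
var sampleUser = []byte(`{
  "client_id": "PLACEHOLDER.apps.googleusercontent.com",
  "client_secret": "PLACEHOLDER-secret",
  "refresh_token": "PLACEHOLDER-refresh",
  "type": "authorized_user"
}`)

// A service-account key shares client_id and type but has no client_secret
// or refresh_token, so it must be skipped rather than flagged.
var sampleServiceAccount = []byte(`{
  "type": "service_account",
  "project_id": "example-project",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
  "client_email": "svc@example-project.iam.gserviceaccount.com",
  "client_id": "123456789012345678901"
}`)

var sampleBroken = []byte(`{"client_id": "PLACEHOLDER", "type":`)

func main() {
	for name, doc := range map[string][]byte{
		"user credential": sampleUser,
		"service account": sampleServiceAccount,
		"broken json":     sampleBroken,
	} {
		kind, err := classify(doc)
		fmt.Printf("%-16s -> %s (err=%v)\n", name, kind, err)
	}
}
```

The skip-on-invalid path is the behaviour the PR's `FromData` change describes: a document that parses but lacks one of the four fields produces no result instead of a false positive, and unparseable input is handled without a panic.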

- Introduced an `isValid` method to check the presence of required fields: ClientID, ClientSecret, RefreshToken, and Type.
- Updated the `FromData` method to skip invalid credentials during processing.
@amanfcp amanfcp requested a review from rosecodym June 2, 2025 15:42
@amanfcp amanfcp requested a review from a team as a code owner June 2, 2025 15:42
amanfcp added 2 commits June 3, 2025 11:50
…ntials detector

- Introduced a new test case to handle invalid JSON input, ensuring the detector can gracefully manage such scenarios without returning unexpected results.
@rosecodym (Collaborator) left a comment


requesting changes pending the outcome of an internal discussion

amanfcp added 3 commits June 13, 2025 16:19
…ion method from GCP application default credentials detector
…ain' of github.com:trufflesecurity/trufflehog into fixes/oss-91
@amanfcp amanfcp requested a review from rosecodym June 13, 2025 11:27
Successfully merging this pull request may close these issues.

Skipping result: invalid (empty raw)