Skip to content

Add 1Password service account token detector#4891

Open
tanishq-sf wants to merge 2 commits intotrufflesecurity:mainfrom
tanishq-sf:feat/onepassword-service-account-detector
Open

Add 1Password service account token detector#4891
tanishq-sf wants to merge 2 commits intotrufflesecurity:mainfrom
tanishq-sf:feat/onepassword-service-account-detector

Conversation

@tanishq-sf
Copy link
Copy Markdown

@tanishq-sf tanishq-sf commented Apr 16, 2026
edited by cursor bot
Loading

Summary

  • Adds a new detector for 1Password service account tokens (ops_eyJ... prefix)
  • These tokens authenticate automated workflows and CI/CD pipelines with 1Password vaults
  • Pattern-match only detection — tokens use SRP-based authentication and cannot be verified with a simple HTTP request

Changes

  • pkg/detectors/onepasswordserviceaccount/ — detector + tests
  • proto/detector_type.protoOnepasswordServiceAccount = 1045
  • pkg/pb/detector_typepb/detector_type.pb.go — generated enum constant
  • pkg/engine/defaults/defaults.go — import + scanner registration

Regex

ops_eyJ[A-Za-z0-9+/=._-]{50,}

Test plan

  • Regex validated against a real 1Password service account token
  • CI passes make protos and test suite
  • go test ./pkg/detectors/onepasswordserviceaccount/ -v

Note

Low Risk
Primarily additive changes (new detector + enum value + registration) with no verification/network behavior; main risk is minor integration/regeneration issues around the updated detector type proto/enum.

Overview
Adds a new onepasswordserviceaccount detector to identify 1Password service account tokens by regex (ops_eyJ...) and return matches without attempting verification.

Registers the detector in the default detector list and extends the detector type enum/proto with OnepasswordServiceAccount = 1045, including a basic pattern-matching unit test.

Reviewed by Cursor Bugbot for commit 1ef9b41. Bugbot is set up for automated code reviews on this repo. Configure here.

@tanishq-sf @claude
Add 1Password service account token detector
2492027 
Adds a new detector for 1Password service account tokens (ops_eyJ... prefix).
These tokens are used to authenticate automated workflows and CI/CD pipelines
with 1Password vaults. Detection is pattern-match only since these tokens
use SRP-based authentication and cannot be verified with a simple HTTP request.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@tanishq-sf tanishq-sf requested a review from a team April 16, 2026 17:34
@tanishq-sf tanishq-sf requested review from a team as code owners April 16, 2026 17:34
@CLAassistant
Copy link
Copy Markdown

CLAassistant commented Apr 16, 2026
edited
Loading

CLA assistant check
All committers have signed the CLA.

cursor[bot]
cursor bot reviewed Apr 16, 2026
View reviewed changes
Copy link
Copy Markdown

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Fix All in Cursor

Reviewed by Cursor Bugbot for commit 1ef9b41. Configure here.

Comment thread pkg/detectors/onepasswordserviceaccount/onepasswordserviceaccount_test.go
[DEBUG] Using Key=ops_abcdefghijklmnopqrstuvwxyzABCDEF
[INFO] Response received: 200 OK
`,
want: []string{ "ops_abcdefghijklmnopqrstuvwxyzABCDEF" },
Copy link
Copy Markdown

@cursor cursor bot Apr 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Test token doesn't match detector's keyword or regex

High Severity

The "valid pattern" test uses the token ops_abcdefghijklmnopqrstuvwxyzABCDEF, but the detector's keyword is ops_eyJ and the regex requires an ops_eyJ prefix followed by 50+ characters. This token has neither the correct prefix nor sufficient length. The AhoCorasick keyword pre-filter won't find ops_eyJ in the test input, so the test fails immediately at the keyword check — meaning the regex matching is never actually exercised. The "invalid pattern" test also lacks ops_eyJ in its input, so it too fails at the keyword check rather than validating that the regex correctly rejects invalid tokens.

Additional Locations (1)
Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 1ef9b41. Configure here.

Comment thread pkg/detectors/onepasswordserviceaccount/onepasswordserviceaccount_test.go
t.Run(test.name, func(t *testing.T) {
matchedDetectors := ahoCorasickCore.FindDetectorMatches([]byte(test.input))
if len(matchedDetectors) == 0 {
t.Errorf("test %%q failed: expected keywords %%v to be found in the input", test.name, d.Keywords())
Copy link
Copy Markdown

@cursor cursor bot Apr 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Double-percent format verbs produce literal percent signs

Medium Severity

All t.Errorf calls use %%q, %%v, %%d, %%s instead of %q, %v, %d, %s. In Go, %% is an escape that produces a literal % character, so the format arguments (test.name, d.Keywords(), etc.) won't be interpolated into the error messages. Every other detector test in the codebase uses single % for format verbs.

Additional Locations (2)
Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 1ef9b41. Configure here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tanishq-sf @CLAassistant