Add 1Password service account token detector #4891

Open
tanishq-sf wants to merge 6 commits into trufflesecurity:main from
tanishq-sf:feat/onepassword-service-account-detector

Conversation


@tanishq-sf tanishq-sf commented Apr 16, 2026

Summary

  • Adds a new detector for 1Password service account tokens (ops_eyJ... prefix)
  • These tokens authenticate automated workflows and CI/CD pipelines with 1Password vaults
  • Pattern-match only detection — tokens use SRP-based authentication and cannot be verified with a simple HTTP request

Changes

  • pkg/detectors/onepasswordserviceaccount/ — detector + tests
  • proto/detector_type.proto — OnepasswordServiceAccount = 1045
  • pkg/pb/detector_typepb/detector_type.pb.go — generated enum constant
  • pkg/engine/defaults/defaults.go — import + scanner registration

Regex

ops_eyJ[A-Za-z0-9+/=._-]{50,}

Test plan

  • Regex validated against a real 1Password service account token
  • CI passes make protos and test suite
  • go test ./pkg/detectors/onepasswordserviceaccount/ -v

Note

Medium Risk
Adds a new detector and registers a new protobuf DetectorType enum value, which can affect downstream integrations relying on stable detector type mappings. Detection is pattern-only, so the main functional risk is false positives/negatives from the regex/keyword prefilter.

Overview
Adds a new onepasswordserviceaccount detector to flag 1Password service account tokens (matching ops_eyJ...) via regex-only scanning (no verification), plus unit tests covering valid/invalid patterns.

Registers the detector in the default detector list and extends DetectorType with OnepasswordServiceAccount in proto/detector_type.proto and the generated detector_type.pb.go enum mapping.

Reviewed by Cursor Bugbot for commit c927cba.

Adds a new detector for 1Password service account tokens (ops_eyJ... prefix).
These tokens are used to authenticate automated workflows and CI/CD pipelines
with 1Password vaults. Detection is pattern-match only since these tokens
use SRP-based authentication and cannot be verified with a simple HTTP request.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@tanishq-sf tanishq-sf requested a review from a team April 16, 2026 17:34
@tanishq-sf tanishq-sf requested review from a team as code owners April 16, 2026 17:34

CLAassistant commented Apr 16, 2026

CLA assistant check
All committers have signed the CLA.

Comment thread pkg/detectors/onepasswordserviceaccount/onepasswordserviceaccount_test.go Outdated
tanishq-sf and others added 3 commits April 19, 2026 18:50
- Use a realistic ops_eyJ... token that matches the detector's keyword
  and regex (ops_eyJ prefix + 50 chars)
- Fix double-percent format verbs (%%q -> %q, %%v -> %v, etc.)
- Add test case for token that's too short
- Only fail keyword check when matches are expected

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
BitbucketDataCenter (1045) and JiraDataCenterPAT (1046) were added to
main since this branch was created. Bumped OnepasswordServiceAccount
to 1047 to avoid collision.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 3 potential issues.

Reviewed by Cursor Bugbot for commit 816f698.

Comment thread pkg/detectors/onepasswordserviceaccount/onepasswordserviceaccount.go Outdated
Comment thread pkg/engine/defaults/defaults.go Outdated
- Remove trailing \b from regex since Base64 tokens may end with
  non-word chars (=, -, +, /). Use greedy match without boundary instead.
- Remove unused client field and net/http import (pattern-match only detector)
- Move import and scanner registration to correct alphabetical position
  (between onesignal and onfleet, not in the 's' section)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
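The matching behaviour the PR description and the commit messages describe (keyword prefilter, the `ops_eyJ[A-Za-z0-9+/=._-]{50,}` pattern, rejection of too-short lookalikes, and why the trailing `\b` had to go) can be exercised without the trufflehog engine. The stand-alone Go program below is an added example and is not code from this PR or from the trufflehog project; the function names, the `ONEPASSWORD_TOKEN` line and the token value are all constructed for the example and the token is not a real credential.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Keyword prefilter and pattern as quoted in the PR description. The detector
// is pattern-match only; no verification request is made.
const keyword = "ops_eyJ"

var tokenPat = regexp.MustCompile(`ops_eyJ[A-Za-z0-9+/=._-]{50,}`)

// Earlier form of the pattern with a trailing \b, kept only to show the
// truncation it causes when a token ends in a non-word character such as '='.
var tokenPatWithBoundary = regexp.MustCompile(`ops_eyJ[A-Za-z0-9+/=._-]{50,}\b`)

// FindTokens returns the distinct candidate tokens in data, or nil when the
// keyword prefilter rejects the chunk before the regex is run at all.
func FindTokens(data string) []string {
	if !strings.Contains(data, keyword) {
		return nil
	}
	seen := make(map[string]bool)
	var out []string
	for _, m := range tokenPat.FindAllString(data, -1) {
		if !seen[m] {
			seen[m] = true
			out = append(out, m)
		}
	}
	return out
}

// FindWithBoundary applies the boundary-terminated pattern and returns its
// first match, so both behaviours can be compared on the same input.
func FindWithBoundary(data string) string {
	return tokenPatWithBoundary.FindString(data)
}

// ConstructedToken builds a fake token of the right shape: the ops_eyJ prefix,
// 58 filler characters and base64-style '==' padding (67 characters total).
func ConstructedToken() string {
	return keyword + strings.Repeat("A", 58) + "=="
}

func main() {
	tok := ConstructedToken()
	// Constructed sample input: one CI-style assignment carrying the token and
	// one lookalike that is far shorter than the 50-character minimum.
	data := "export ONEPASSWORD_TOKEN=" + tok + "\n" +
		"placeholder: ops_eyJtooshort\n"

	for _, t := range FindTokens(data) {
		fmt.Printf("match (%d chars): %s...%s\n", len(t), t[:12], t[len(t)-4:])
	}
	fmt.Printf("with trailing \\b the match drops the '==' padding: %d chars\n",
		len(FindWithBoundary(data)))
}
```

On this input the current pattern reports exactly one 67-character match and ignores the short lookalike; the boundary-terminated variant returns a 65-character match because `\b` cannot sit between `=` and the newline, so the regex backtracks to the last word character and silently truncates the secret. A truncated match is what later breaks deduplication and any downstream comparison against the real value, which is the practical reason the boundary was removed.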
@shahzadhaider1
Contributor

Thanks for putting this together!

Just flagging that there's an existing PR for a 1Password Service Account Token detector in #3423. We'll review both contributions and move forward with whichever implementation is most accurate and complete.

Appreciate you taking the time to contribute.
