Pattern for 1Password Service Account Token #3420
Labels
Comments
2 tasks
|
I have raised a PR, please check. |
3 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Please review the Community Note before submitting
Description
1Password Service Accounts can be used to read/write secrets for an entire account. You can read about them on https://developer.1password.com/docs/service-accounts/security, including an example token -
ops_eyJlbWFpbCI6ImVqd2U2NHFtbHhocmlAMXBhc3N3b3Jkc2VydmljZWFjY291bnRzLmxjbCIsIm11ayI6eyJhbGciOiJBMjU2R0NNIiwiZXh0Ijp0cnVlLCJrIjoiTThWUGZJYzhWRWZUaGNNWExhS0NLRjhzTWg1Sk1ac1BBdHU5MmZRTmItbyIsImtleV9vcHMiOlsiZW5jcnlwdCIsImRlY3J5cHQiXSwia3R5Ijoib2N0Iiwia2lkIjoibXAifSwic2VjcmV0S2V5IjoiQTMtQzRaSk1OLVBRVFpUTC1IR0w4NC1HNjRNNy1LVlpSTi00WlZQNiIsInNycFgiOiI4NzBkNjdhOWU2MjY2MjVkOWUzNjg1MDc4MDRjOWMzMmU2NjFjNTdlN2U1NTg3NzgyOTFiZjI5ZDVhMjc5YWUxIiwic2lnbkluQWRkcmVzcyI6ImdvdGhhbS5iNWxvY2FsLmNvbTo0MDAwIiwidXNlckF1dGgiOnsibWV0aG9kIjoiU1JQZy00MDk2IiwiYWxnIjoiUEJFUzJnLUhTMjU2IiwiaXRlcmF0aW9ucyI6MTAwMDAwLCJzYWx0IjoiRk1SVVBpeXJONFhmXzhIb2g2WVJYUSJ9fQ.These account tokens are used in places like GH Actions to load in secrets for CI jobs - https://github.com/marketplace/actions/load-secrets-from-1password
The secret pattern is
ops_with base64 string afterwards which is an encoded JWT.Preferred Solution
A new pattern to detect these tokens. Unfortunately it seems like to verify the tokens you need the 1Password CLI tool, which you'd unlikely want to install as part of trufflehog
Additional Context
References
The text was updated successfully, but these errors were encountered: