Skip to content

[INS-403] Support Custom endpoint config in hashicorpvaultauth Detector#4825

Merged
MuneebUllahKhan222 merged 7 commits intotrufflesecurity:mainfrom
MuneebUllahKhan222:vaultauth-custom-ep
Apr 13, 2026
Merged

[INS-403] Support Custom endpoint config in hashicorpvaultauth Detector#4825
MuneebUllahKhan222 merged 7 commits intotrufflesecurity:mainfrom
MuneebUllahKhan222:vaultauth-custom-ep

Conversation

@MuneebUllahKhan222
Copy link
Copy Markdown
Contributor

@MuneebUllahKhan222 MuneebUllahKhan222 commented Mar 19, 2026
edited by cursor Bot
Loading

Description:

This PR enabled custom endpoint configuration for the existing hashicorpvaultauth detector.

It enables custom endpoint configuration by making the detector comply to detectors.EndpointCustomizer interface and updating to default client to detectors.DetectorHttpClientWithNoLocalAddresses to avoid potential security risks like ssrf attacks.

This PR also updates the existing test to make sure that the test work fine with the new changes and also introduces a new integration test to emulate custom endpoint configuration.

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)?

Note

Medium Risk
Changes the HashiCorp Vault auth detector’s verification targeting by introducing configurable/found endpoint selection and switching to a no-local-address HTTP client, which could impact verification behavior and network access patterns.

Overview
Adds custom endpoint configuration to the hashicorpvaultauth detector by embedding detectors.EndpointSetter and implementing detectors.EndpointCustomizer, so verification can run against configured endpoints and/or endpoints discovered in scanned data.

Updates verification to use detectors.DetectorHttpClientWithNoLocalAddresses by default (reducing SSRF risk), loosens result generation to no longer require a Vault URL in input (endpoints now come from configuration and/or found URLs), and adjusts unit/integration tests accordingly, including a new integration test covering SetConfiguredEndpoints.

Reviewed by Cursor Bugbot for commit ae13d6a. Bugbot is set up for automated code reviews on this repo. Configure here.

@MuneebUllahKhan222 MuneebUllahKhan222 requested a review from a team March 19, 2026 11:53
@MuneebUllahKhan222 MuneebUllahKhan222 requested review from a team as code owners March 19, 2026 11:53
shahzadhaider1
shahzadhaider1 approved these changes Mar 19, 2026
View reviewed changes
Comment thread pkg/detectors/hashicorpvaultauth/hashicorpvaultauth_integration_test.go Outdated
cursor[bot]
cursor Bot reviewed Apr 10, 2026
View reviewed changes
Copy link
Copy Markdown

@cursor cursor Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

Reviewed by Cursor Bugbot for commit fe49c7f. Configure here.

Comment thread pkg/detectors/hashicorpvaultauth/hashicorpvaultauth.go Outdated
@MuneebUllahKhan222 MuneebUllahKhan222 merged commit 88c7519 into trufflesecurity:main Apr 13, 2026
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

@rosecodym rosecodym rosecodym approved these changes

@shahzadhaider1 shahzadhaider1 shahzadhaider1 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@MuneebUllahKhan222 @rosecodym @shahzadhaider1