@shahzadhaider1
Contributor

Summary

Adds a new detector for JFrog Artifactory Reference Tokens. Unlike JWT tokens (which start with eyJ), reference tokens are base64-encoded strings with a predictable structure:

reftkn:01:<expiry>:<random_data>

When base64-encoded, this always produces a token starting with cmVmdGtu.

Detection

Regex pattern:

\b(cmVmdGtu[A-Za-z0-9]{56})\b
  • Fixed prefix: cmVmdGtu (8 chars): base64 encoding of "reftkn"
  • Variable suffix: 56 alphanumeric characters
  • Total length: exactly 64 characters

Keyword: cmVmdGtu

Verification

Tokens are verified against the JFrog Access API:

GET https://<host>/access/api/v1/tokens/me
Authorization: Bearer <token>

This endpoint returns token metadata if valid. Available since Artifactory 7.53.1.

Response handling:

| Status | Meaning | Result |
| --- | --- | --- |
| 200 + JSON | Valid token | Verified |
| 200 + HTML | Invalid subdomain (redirects to login page) | Skip host |
| 403 | Valid token, insufficient permissions | Verified |
| 401 | Invalid or expired token | Not verified |
| 404 | Endpoint not found (old Artifactory version) | Verification error |

References

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)?
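
The pattern and the response table from the description above, as an added Go sketch that is not the code from this pull request. The function and constant names, the `JF_TOKEN` sample line, the use of the Content-Type header to tell JSON from HTML, and the handling of statuses the table does not list are assumptions.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Pattern quoted from the PR description; outcome names follow its table.
var refTokenPat = regexp.MustCompile(`\b(cmVmdGtu[A-Za-z0-9]{56})\b`)

const (
	Verified    = "verified"
	NotVerified = "not verified"
	SkipHost    = "skip host"
	VerifyError = "verification error"
)

// FindCandidates returns every 64-character candidate found in data.
func FindCandidates(data string) []string {
	return refTokenPat.FindAllString(data, -1)
}

// Classify maps a /access/api/v1/tokens/me response to the table's result.
// Assumption: JSON and HTML bodies are told apart by the Content-Type header.
func Classify(status int, contentType string) string {
	switch {
	case status == 200 && strings.Contains(contentType, "json"):
		return Verified
	case status == 200:
		return SkipHost // HTML login page: wrong host, not a verdict on the token
	case status == 403:
		return Verified // token accepted, but it lacks permission
	case status == 401:
		return NotVerified
	default:
		return VerifyError // 404 (old Artifactory); by assumption, anything else too
	}
}

// SampleToken builds a constructed, non-secret token in the documented layout.
func SampleToken() string {
	return base64.StdEncoding.EncodeToString([]byte("reftkn:01:1700000000:constructedsamplevalue00000"))
}

func main() {
	fmt.Println(FindCandidates("export JF_TOKEN=" + SampleToken() + " # ci"))
	fmt.Println(Classify(200, "text/html"), "|", Classify(403, "application/json"))
}
```

The 403 row is the one to watch when triaging findings: a token that is refused for lack of permission is still a live credential.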

@shahzadhaider1 shahzadhaider1 requested a review from a team January 21, 2026 08:03
@shahzadhaider1 shahzadhaider1 requested review from a team as code owners January 21, 2026 08:03
Contributor

@mustansir14 mustansir14 left a comment


LGTM.

@shahzadhaider1 shahzadhaider1 changed the title added detector for artifactory reference tokens Added detector for JFrog Artifactory Reference Tokens Jan 21, 2026
@shahzadhaider1 shahzadhaider1 linked an issue Jan 28, 2026 that may be closed by this pull request

@cursor cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.



Development

Successfully merging this pull request may close these issues.

Add support for Artifactory Reference Token

2 participants