Merge pull request #1353 from r00tX-glitch:1Password-secrets-extractor

PiperOrigin-RevId: 817123715

Author: copybara-github

binary/proto/scan_result.proto

@@ -688,6 +688,9 @@ message SecretData {
     AzureStorageAccountAccessKey azure_storage_account_access_key = 36;
     HashiCorpCloudPlatformCredentials hashicorp_cloud_platform_credentials = 37;
     HashiCorpCloudPlatformToken hashicorp_cloud_platform_token = 38;
+    OnePasswordSecretKey onepassword_secret_key = 39;
+    OnePasswordServiceToken onepassword_service_token = 40;
+    OnePasswordRecoveryCode onepassword_recovery_code = 41;
   }
 
   message GCPSAK {
@@ -880,6 +883,18 @@ message SecretData {
     // "ya29.[alphanumeric_string]"
     string token = 1;
   }
+
+  message OnePasswordSecretKey {
+    string key = 1;
+  }
+  message OnePasswordServiceToken {
+    string key = 1;
+  }
+
+  message OnePasswordRecoveryCode {
+    string key = 1;
+  }
+
 }
 
 message SecretStatus {

binary/proto/scan_result_go_proto/scan_result.pb.go

@@ -37,6 +37,7 @@ import (
 	veleshashicorpvault "github.com/google/osv-scalibr/veles/secrets/hashicorpvault"
 	veleshashicorpcloudplatform "github.com/google/osv-scalibr/veles/secrets/hcp"
 	"github.com/google/osv-scalibr/veles/secrets/huggingfaceapikey"
+	velesonepasswordkeys "github.com/google/osv-scalibr/veles/secrets/onepasswordkeys"
 	velesopenai "github.com/google/osv-scalibr/veles/secrets/openai"
 	velesperplexity "github.com/google/osv-scalibr/veles/secrets/perplexityapikey"
 	velespostmanapikey "github.com/google/osv-scalibr/veles/secrets/postmanapikey"
@@ -174,6 +175,12 @@ func velesSecretToProto(s veles.Secret) (*spb.SecretData, error) {
 		return gcpOAuth2ClientCredentialsToProto(t), nil
 	case gcpoauth2access.Token:
 		return gcpOAuth2AccessTokenToProto(t), nil
+	case velesonepasswordkeys.OnePasswordSecretKey:
+		return onepasswordSecretKeyToProto(t), nil
+	case velesonepasswordkeys.OnePasswordServiceToken:
+		return onepasswordServiceTokenToProto(t), nil
+	case velesonepasswordkeys.OnePasswordRecoveryCode:
+		return onepasswordRecoveryCodeToProto(t), nil
 	case veleshashicorpcloudplatform.ClientCredentials:
 		return hashicorpCloudPlatformCredentialsToProto(t), nil
 	case veleshashicorpcloudplatform.AccessToken:
@@ -553,6 +560,36 @@ func gcpOAuth2AccessTokenToProto(s gcpoauth2access.Token) *spb.SecretData {
 	}
 }
 
+func onepasswordSecretKeyToProto(s velesonepasswordkeys.OnePasswordSecretKey) *spb.SecretData {
+	return &spb.SecretData{
+		Secret: &spb.SecretData_OnepasswordSecretKey{
+			OnepasswordSecretKey: &spb.SecretData_OnePasswordSecretKey{
+				Key: s.Key,
+			},
+		},
+	}
+}
+
+func onepasswordServiceTokenToProto(s velesonepasswordkeys.OnePasswordServiceToken) *spb.SecretData {
+	return &spb.SecretData{
+		Secret: &spb.SecretData_OnepasswordServiceToken{
+			OnepasswordServiceToken: &spb.SecretData_OnePasswordServiceToken{
+				Key: s.Key,
+			},
+		},
+	}
+}
+
+func onepasswordRecoveryCodeToProto(s velesonepasswordkeys.OnePasswordRecoveryCode) *spb.SecretData {
+	return &spb.SecretData{
+		Secret: &spb.SecretData_OnepasswordRecoveryCode{
+			OnepasswordRecoveryCode: &spb.SecretData_OnePasswordRecoveryCode{
+				Key: s.Key,
+			},
+		},
+	}
+}
+
 func validationResultToProto(r inventory.SecretValidationResult) (*spb.SecretStatus, error) {
 	status, err := validationStatusToProto(r.Status)
 	if err != nil {
@@ -713,6 +750,18 @@ func velesSecretToStruct(s *spb.SecretData) (veles.Secret, error) {
 		return gcpOAuth2ClientCredentialsToStruct(s.GetGcpOauth2ClientCredentials()), nil
 	case *spb.SecretData_GcpOauth2AccessToken:
 		return gcpOAuth2AccessTokenToStruct(s.GetGcpOauth2AccessToken()), nil
+	case *spb.SecretData_OnepasswordSecretKey:
+		return velesonepasswordkeys.OnePasswordSecretKey{
+			Key: s.GetOnepasswordSecretKey().GetKey(),
+		}, nil
+	case *spb.SecretData_OnepasswordServiceToken:
+		return velesonepasswordkeys.OnePasswordServiceToken{
+			Key: s.GetOnepasswordServiceToken().GetKey(),
+		}, nil
+	case *spb.SecretData_OnepasswordRecoveryCode:
+		return velesonepasswordkeys.OnePasswordRecoveryCode{
+			Key: s.GetOnepasswordRecoveryCode().GetKey(),
+		}, nil
 	case *spb.SecretData_HashicorpCloudPlatformCredentials:
 		return veleshashicorpcloudplatform.ClientCredentials{
 			ClientID:     s.GetHashicorpCloudPlatformCredentials().GetClientId(),

binary/proto/secret.go

@@ -128,6 +128,9 @@ See the docs on [how to add a new Extractor](/docs/new_extractor.md).
 | Hashicorp Vault token                       | `secrets/hashicorpvaulttoken`        |
 | Hashicorp Vault AppRole token               | `secrets/hashicorpvaultapprole`      |
 | Hugging Face API key                        | `secrets/huggingfaceapikey`          |
+| 1Password Secret Key                        | `secrets/onepasswordsecretkey`       |
+| 1Password Service Token                     | `secrets/onepasswordservicetoken`    |
+| 1Password Recovery Code                     | `secrets/onepasswordrecoverycode`    |
 | OpenAI API key                              | `secrets/openai`                     |
 | Perplexity API key                          | `secrets/perplexityapikey`           |
 | Postman API key                             | `secrets/postmanapikey`              |

docs/supported_inventory_types.md

@@ -107,6 +107,7 @@ import (
 	"github.com/google/osv-scalibr/veles/secrets/hashicorpvault"
 	"github.com/google/osv-scalibr/veles/secrets/hcp"
 	"github.com/google/osv-scalibr/veles/secrets/huggingfaceapikey"
+	"github.com/google/osv-scalibr/veles/secrets/onepasswordkeys"
 	"github.com/google/osv-scalibr/veles/secrets/openai"
 	"github.com/google/osv-scalibr/veles/secrets/perplexityapikey"
 	"github.com/google/osv-scalibr/veles/secrets/postmanapikey"
@@ -297,6 +298,9 @@ var (
 		{stripeapikeys.NewWebhookSecretDetector(), "secrets/stripewebhooksecret", 0},
 		{gcpoauth2client.NewDetector(), "secrets/gcpoauth2clientcredentials", 0},
 		{gcpoauth2access.NewDetector(), "secrets/gcpoauth2accesstoken", 0},
+		{onepasswordkeys.NewSecretKeyDetector(), "secrets/onepasswordsecretkey", 0},
+		{onepasswordkeys.NewServiceTokenDetector(), "secrets/onepasswordservicetoken", 0},
+		{onepasswordkeys.NewRecoveryTokenDetector(), "secrets/onepasswordrecoverycode", 0},
 	})
 
 	// Misc artifact extractors.

extractor/filesystem/list/list.go

@@ -0,0 +1,83 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package onepasswordkeys
+
+import (
+	"regexp"
+
+	"github.com/google/osv-scalibr/veles"
+	"github.com/google/osv-scalibr/veles/secrets/common/simpletoken"
+)
+
+var (
+	// Ensure constructors satisfy the interface at compile time.
+	_ veles.Detector = NewSecretKeyDetector()
+	_ veles.Detector = NewServiceTokenDetector()
+	_ veles.Detector = NewRecoveryTokenDetector()
+)
+
+const (
+	secretKeyMaxLen     = 64
+	serviceTokenMaxLen  = 300
+	recoveryTokenMaxLen = 69
+)
+
+// secretKeyRe matches 1Password Secret Keys in the format:
+// A3-<6 alphanum>-<11 alphanum OR 6 alphanum-5 alphanum>-<5 alphanum group x3>
+var secretKeyRe = regexp.MustCompile(`A3-[A-Z0-9]{6}-(?:(?:[A-Z0-9]{11})|(?:[A-Z0-9]{6}-[A-Z0-9]{5}))-[A-Z0-9]{5}-[A-Z0-9]{5}-[A-Z0-9]{5}`)
+
+// serviceTokenRe matches 1Password Service Account Tokens, which:
+// - Start with "ops_eyJ"
+// - Followed by at least 250 base64 characters (a-zA-Z0-9+/)
+// - Optionally end with up to 3 '=' padding characters
+var serviceTokenRe = regexp.MustCompile(`ops_eyJ[a-zA-Z0-9+/]{250,}={0,3}`)
+
+// recoveryTokenRe matches 1Password Recovery Keys in the format:
+// - Start with "1PRK"
+// - Followed by 13 groups of 4 alphanum characters, each separated by '-'
+var recoveryTokenRe = regexp.MustCompile(`1PRK(?:-[A-Z0-9]{4}){13}`)
+
+// NewSecretKeyDetector returns a detector for 1Password Secret Keys.
+func NewSecretKeyDetector() veles.Detector {
+	return simpletoken.Detector{
+		MaxLen: secretKeyMaxLen,
+		Re:     secretKeyRe,
+		FromMatch: func(b []byte) (veles.Secret, bool) {
+			return OnePasswordSecretKey{Key: string(b)}, true
+		},
+	}
+}
+
+// NewServiceTokenDetector returns a detector for 1Password Service Account Tokens.
+func NewServiceTokenDetector() veles.Detector {
+	return simpletoken.Detector{
+		MaxLen: serviceTokenMaxLen,
+		Re:     serviceTokenRe,
+		FromMatch: func(b []byte) (veles.Secret, bool) {
+			return OnePasswordServiceToken{Key: string(b)}, true
+		},
+	}
+}
+
+// NewRecoveryTokenDetector returns a detector for 1Password Recovery Keys.
+func NewRecoveryTokenDetector() veles.Detector {
+	return simpletoken.Detector{
+		MaxLen: recoveryTokenMaxLen,
+		Re:     recoveryTokenRe,
+		FromMatch: func(b []byte) (veles.Secret, bool) {
+			return OnePasswordRecoveryCode{Key: string(b)}, true
+		},
+	}
+}