
Rancher Tokens #4622

@random-robbie

Description


Rancher/Cattle Token Detector

Overview

  • Service: Rancher Kubernetes Management Platform
  • Risk: CRITICAL - Full cluster admin access
  • Users: 37,000+ organizations

Token Format

Pattern

(?:CATTLE_TOKEN|RANCHER_TOKEN|CATTLE_BOOTSTRAP_PASSWORD|RANCHER_API_TOKEN)[\w]*\s*[=:]\s*["\']?([a-z0-9]{54,64})["\']?

Structure

  • Length: 54-64 characters (typically 54)
  • Characters: Lowercase letters + digits only [a-z0-9]
  • No special chars: No hyphens, underscores, uppercase

Example (fake)

jswpl27hs8pd88rmw2mgfgrjtpljp85fd5v7rhdwr2s6z22hvt6vjt

Where Users Get Tokens

  1. Rancher UI: User Avatar → "Account & API Keys" → "Create API Key"
  2. Bootstrap Password: docker logs rancher-container | grep "Bootstrap Password"
  3. Direct URL: https://[rancher-server]/apikeys

Validation

Endpoint: GET {CATTLE_SERVER}/v3
Header: Authorization: Bearer {token}
Success: HTTP 200 with JSON containing "apiVersion"
Failure: HTTP 401

curl -k -H "Authorization: Bearer ${TOKEN}" https://rancher.example.com/v3

Common Variable Names

CATTLE_TOKEN
CATTLE_BOOTSTRAP_PASSWORD
RANCHER_TOKEN
RANCHER_API_TOKEN
RANCHER_SECRET_KEY

Detection Strategy

⚠️ IMPORTANT: Pattern [a-z0-9]{54,64} alone has HIGH false positives!

Recommended: Only report a candidate string when:

  1. It is the value of a variable named CATTLE_TOKEN, RANCHER_TOKEN, etc.
  2. OR it appears within 500 chars of CATTLE_SERVER or RANCHER_URL
  3. AND it has high entropy (Shannon > 4.0)

Example Detections

✅ Should Detect

# .env file
CATTLE_SERVER=https://rancher.example.com
CATTLE_TOKEN=jswpl27hs8pd88rmw2mgfgrjtpljp85fd5v7rhdwr2s6z22hvt6vjt
# Kubernetes deployment
env:
  - name: CATTLE_TOKEN
    value: k7mnp9qr4st2vwx8yz3abc5def1ghi6jkl0mno8pqr2stu4vwx9yz
# Terraform
provider "rancher2" {
  token_key = "xz9yw8vt7sr6qp5on4ml3kj2ih1gf0ed9cb8az7yx6wv5ut4sr3qp"
}

❌ Should NOT Detect (no context)

# Random string without Rancher context
random_data = "abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuv"
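Added example, not code from this issue or from TruffleHog's code base: a Python prototype of the Detection Strategy above, run over the kinds of inputs shown in Example Detections. It applies the issue's rule set, (named variable OR a CATTLE_SERVER/RANCHER_URL reference within 500 chars) AND Shannon entropy above 4.0, and goes one step beyond the issue's regex by also treating the Kubernetes `name:`/`value:` pair as a named assignment. All sample inputs are constructed; TOKEN_A is the issue's fake token and TOKEN_B is made up here.

```python
import math
import re
from collections import Counter

# Rule 1: the issue's pattern, widened so that the Kubernetes YAML form
# "- name: CATTLE_TOKEN / value: <token>" also counts as a named assignment
# (that widening is an addition, not part of the issue's regex).
NAMED_RE = re.compile(
    r"(?:CATTLE_TOKEN|RANCHER_TOKEN|CATTLE_BOOTSTRAP_PASSWORD|RANCHER_API_TOKEN)\w*"
    r"\s*(?:value\s*)?[=:]\s*[\"']?([a-z0-9]{54,64})[\"']?"
)
# Any 54-64 char lowercase-alphanumeric run that is not part of a longer word.
CANDIDATE_RE = re.compile(r"(?<![A-Za-z0-9_])([a-z0-9]{54,64})(?![A-Za-z0-9_])")
# Rule 2: a Rancher server reference within CONTEXT_WINDOW chars of the candidate.
CONTEXT_RE = re.compile(r"CATTLE_SERVER|RANCHER_URL")
CONTEXT_WINDOW = 500
MIN_ENTROPY = 4.0  # Rule 3: Shannon entropy in bits per character

def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def find_rancher_tokens(text: str) -> list[str]:
    """Return candidates that satisfy (rule 1 OR rule 2) AND rule 3, in text order."""
    named = set(NAMED_RE.findall(text))
    found = []
    for m in CANDIDATE_RE.finditer(text):
        tok = m.group(1)
        if shannon_entropy(tok) <= MIN_ENTROPY:
            continue  # looks like padding or a placeholder, not a random token
        lo, hi = max(0, m.start() - CONTEXT_WINDOW), m.end() + CONTEXT_WINDOW
        near_server = CONTEXT_RE.search(text, lo, hi) is not None
        if tok in named or near_server:
            found.append(tok)
    return found

# Constructed samples. TOKEN_A is the issue's fake token; TOKEN_B is made up here.
TOKEN_A = "jswpl27hs8pd88rmw2mgfgrjtpljp85fd5v7rhdwr2s6z22hvt6vjt"
TOKEN_B = "0123456789abcdefghijklmnopqrstuvwxyz" + "zyxwvutsrqponmlkji"
ENV_FILE = f"CATTLE_SERVER=https://rancher.example.com\nCATTLE_TOKEN={TOKEN_A}\n"
K8S_YAML = f"env:\n  - name: CATTLE_TOKEN\n    value: {TOKEN_B}\n"  # rule 1 only
TF_FILE = f'# RANCHER_URL is exported by the CI job\nprovider "rancher2" {{\n  token_key = "{TOKEN_B}"\n}}\n'  # rule 2 only
LOW_ENTROPY = "CATTLE_TOKEN=" + "a" * 27 + "b" * 27 + "\n"  # named, but fails rule 3
NO_CONTEXT = 'random_data = "abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuv"\n'

if __name__ == "__main__":
    for text in (ENV_FILE, K8S_YAML, TF_FILE, LOW_ENTROPY, NO_CONTEXT):
        print(find_rancher_tokens(text))
```

Note that the 500-char window is measured over the raw text, so concatenating several small files into one scan buffer can let a CATTLE_SERVER line in one file lend context to an unrelated string in the next; scan files separately.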

Impact if Leaked

  • Deploy malicious containers
  • Access all Kubernetes secrets (DB passwords, API keys)
  • Create/delete clusters
  • Modify RBAC policies
  • Execute commands in any pod
  • Persistent backdoor access

TruffleHog Config

detector:
  name: RancherToken
  severity: CRITICAL

pattern:
  regex: '(?:CATTLE_TOKEN|RANCHER_TOKEN|CATTLE_BOOTSTRAP_PASSWORD|RANCHER_API_TOKEN)[\w]*\s*[=:]\s*["\']?([a-z0-9]{54,64})["\']?'
  capture_group: 1

validation:
  requires_context: CATTLE_SERVER
  endpoint: "{CATTLE_SERVER}/v3"
  method: GET
  headers:
    - name: Authorization
      value: "Bearer {SECRET}"
  success:
    status_code: 200
    body_contains: "apiVersion"
  failure:
    status_codes: [401, 403]
