feat: confluence revamp (#330)

- Revamp confluence to use Confluence REST API v2
- Add flag to scan for a specific page ID
- Split the old --spaces flag into --space-keys and --space-ids.
- Add rate-limit handling and minimize the number of requests
(https://developer.atlassian.com/cloud/confluence/rate-limiting/)

---------

Co-authored-by: Rui Oliveira <[email protected]>

Author: cx-leonardo-fontes

.github/workflows/codecov.yaml

@@ -11,8 +11,6 @@ on:
 jobs:
   run:
     runs-on: ubuntu-latest
-    env:
-      go-version: 'stable'
 
     steps:
     - name: Checkout code
@@ -21,11 +19,11 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
       with:
-        go-version: ${{ env.go-version }}
+        go-version-file: go.mod
       env:
         GOPROXY: direct
         GONOSUMDB: "*"
-        GOPRIVATE: https://github.com/CheckmarxDev/ # Add your private organization url here
+        GOPRIVATE: https://github.com/CheckmarxDev/
 
     - name: Install dependencies 
       run: go install golang.org/x/tools/cmd/cover@latest

.github/workflows/new-rules.yml

@@ -12,6 +12,6 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
-          go-version: "^1.22"
+          go-version-file: go.mod
       - name: Check Gitleaks new rules
         run: go run .ci/check_new_rules.go

.github/workflows/release.yml

@@ -59,7 +59,7 @@ jobs:
 
       - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
-          go-version: "^1.22"
+          go-version-file: go.mod
 
       - name: Go Mod Tidy
         run: go mod tidy

.github/workflows/validate-readme.yml

@@ -14,7 +14,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
-          go-version: "^1.22"
+          go-version-file: go.mod
 
       - name: update README
         run: ./.ci/update-readme.sh

Dockerfile

@@ -3,7 +3,7 @@
 # and "Missing User Instruction" since 2ms container is stopped after scan
 
 # Builder image
-FROM checkmarx/go:1.24.4-r0-ae7309142bb6bd@sha256:ae7309142bb6bd82e0272c3624ec53c0c68d855f6b63e985c5caaff5c1705644 AS builder
+FROM checkmarx/go:1.25.3-r0-b47cbbc1194cd0@sha256:b47cbbc1194cd0d801fe7739fca12091d610117b0d30c32b52fc900217a0821a AS builder
 
 WORKDIR /app
 

README.md

@@ -176,7 +176,7 @@ Usage:
   2ms [command]
 
 Scan Commands
-  confluence  Scan Confluence server
+  confluence  Scan Confluence Cloud
   discord     Scan Discord server
   filesystem  Scan local folder
   git         Scan local Git repository
@@ -274,30 +274,56 @@ This command is used to scan a [Confluence](https://www.atlassian.com/software/c
 2ms confluence <URL> [flags]
 ```
 
-| Flag         | Type  | Default                        | Description                                                                      |
-| ------------ | ----- | ------------------------------ | -------------------------------------------------------------------------------- |
-| `<url>`      | string | -                              | Confluence instance URL in the following format: `https://<company id>.atlassian.net/wiki` |
-| `--history`  | -      | Doesn't scan history revisions | Scans pages history revisions                                                    |
-| `--spaces`   | string | all spaces                     | The names or IDs of the Confluence spaces to scan                                |
-| `--token`    | string | -                              | The Confluence API token for authentication                                      |
-| `--username` | string | -                              | Confluence user name or email for authentication                                 |
+| Flag            | Type        | Default | Description                                                                      |
+| --------------- | ----------- | ------- |----------------------------------------------------------------------------------|
+| `--space-keys`  | string list | (all)   | Comma-separated list of space **keys** to scan.                                  |
+| `--space-ids`   | string list | (all)   | Comma-separated list of space **IDs** to scan.                                   |
+| `--page-ids`    | string list | (all)   | Comma-separated list of **page IDs** to scan.                                    |
+| `--history`     | bool        | `false` | Also scan **all versions** of each page (page history).                          |
+| `--username`    | string      |         | Confluence username/email (used for HTTP Basic Auth).                            |
+| `--token-type`  | string      |         | Token type for Confluence API. Accepted values: `api-token`, `scoped-api-token`. |
+| `--token-value` | string      |         | The API token value. **Required** when `--token-type` is set.                    |
 
-For example:
+#### Authentication
+- To scan **private spaces**, provide `--username`, `--token-type` and `--token-value` (API token).
+- How to create a Confluence API token: https://support.atlassian.com/atlassian-account/docs/manage-api-tokens-for-your-atlassian-account/
+
+#### Examples
+
+- Scan **all public pages** (no auth):
+    ```bash
+    2ms confluence https://<company id>.atlassian.net/wiki
+    ```
 
-- To scan public spaces:
+- Scan **private pages with an api token** (requires auth):
+    ```bash
+    2ms confluence https://<company id>.atlassian.net/wiki --username <USERNAME> --token-type api-token --token-value <API_TOKEN>
+    ```
 
+- Scan **private pages with a scoped api token** (requires auth):
     ```bash
-    2ms confluence https://checkmarx.atlassian.net/wiki --spaces secrets
+    2ms confluence https://<company id>.atlassian.net/wiki --username <USERNAME> --token-type scoped-api-token --token-value <API_TOKEN>
     ```
-    💡 [The `secrets` Confluence site](https://checkmarx.atlassian.net/wiki/spaces/secrets) purposely created with plain example secrets as a test subject for this demo
 
-- To scan private spaces, authentication is required
+- Scan specific **spaces by key**:
     ```bash
-    2ms confluence <URL> --username <USERNAME> --token <API_TOKEN> --spaces <SPACES>
+    2ms confluence https://<company id>.atlassian.net/wiki --space-keys Key1,Key2
     ```
-    [How to get a Confluence API token](https://support.atlassian.com/atlassian-account/docs/manage-api-tokens-for-your-atlassian-account/).
 
-[![asciicast](https://asciinema.org/a/607179.svg)](https://asciinema.org/a/607179)
+- Scan specific **spaces by ID**:
+    ```bash
+    2ms confluence https://<company id>.atlassian.net/wiki --space-ids 1234567890,9876543210
+    ```
+
+- Scan specific **pages by ID**:
+    ```bash
+    2ms confluence https://<company id>.atlassian.net/wiki --page-ids 11223344556,99887766554
+    ```
+
+- Include **page history** (all revisions):
+    ```bash
+    2ms confluence https://<company id>.atlassian.net/wiki --history
+    ```
 
 ### Paligo
 

cmd/main.go

@@ -49,7 +49,7 @@ var configFilePath string
 var vConfig = viper.New()
 
 var allPlugins = []plugins.IPlugin{
-	&plugins.ConfluencePlugin{},
+	plugins.NewConfluencePlugin(),
 	&plugins.DiscordPlugin{},
 	&plugins.FileSystemPlugin{},
 	&plugins.SlackPlugin{},
@@ -112,9 +112,17 @@ func Execute() (int, error) {
 		}
 		subCommand.GroupID = group
 
+		pluginPreRun := subCommand.PreRunE
 		// Capture plugin name for closure
 		pluginName := plugin.GetName()
 		subCommand.PreRunE = func(cmd *cobra.Command, args []string) error {
+			// run plugin's own PreRunE (if any)
+			if pluginPreRun != nil {
+				if err := pluginPreRun(cmd, args); err != nil {
+					return err
+				}
+			}
+			// run engine-level PreRunE
 			return preRun(pluginName, engineInstance, cmd, args)
 		}
 		subCommand.PostRunE = func(cmd *cobra.Command, args []string) error {

engine/engine.go

@@ -342,7 +342,7 @@ func (e *Engine) detectSecrets(
 		if buildErr != nil {
 			return fmt.Errorf("failed to build secret: %w", buildErr)
 		}
-		if !isSecretIgnored(secret, e.ignoredIds, e.allowedValues) {
+		if !isSecretIgnored(secret, e.ignoredIds, e.allowedValues, value.Line, value.Match, pluginName) {
 			secrets <- secret
 		} else {
 			log.Debug().Msgf("Secret %s was ignored", secret.ID)
@@ -575,13 +575,15 @@ func getStartAndEndLines(
 	return startLine, endLine, nil
 }
 
-func isSecretIgnored(secret *secrets.Secret, ignoredIds, allowedValues *[]string) bool {
+func isSecretIgnored(secret *secrets.Secret, ignoredIds, allowedValues *[]string, secretLine, secretMatch, pluginName string) bool {
 	for _, allowedValue := range *allowedValues {
 		if secret.Value == allowedValue {
 			return true
 		}
 	}
-
+	if pluginName == "confluence" && isSecretFromConfluenceResourceIdentifier(secret.RuleID, secretLine, secretMatch) {
+		return true
+	}
 	return slices.Contains(*ignoredIds, secret.ID)
 }
 
@@ -740,3 +742,19 @@ func (e *Engine) Scan(pluginName string) {
 func (e *Engine) Wait() {
 	e.wg.Wait()
 }
+
+// isSecretFromConfluenceResourceIdentifier reports whether a regex match found in a line
+// actually belongs to Confluence Storage Format metadata (the `ri:` namespace) rather than
+// real user content. This lets us ignore false-positives that cannot be suppressed via the
+// generic-api-key rule allow-list.
+func isSecretFromConfluenceResourceIdentifier(secretRuleID, secretLine, secretMatch string) bool {
+	if secretRuleID != rules.GenericApiKeyID || secretLine == "" || secretMatch == "" {
+		return false
+	}
+
+	q := regexp.QuoteMeta(secretMatch)
+
+	pat := `<[^>]*\sri:` + q + `[^>]*>`
+	re := regexp.MustCompile(pat)
+	return re.MatchString(secretLine)
+}

engine/engine_test.go

@@ -727,6 +727,120 @@ func TestGetFindingId(t *testing.T) {
 	})
 }
 
+func TestIsSecretFromConfluenceResourceIdentifier(t *testing.T) {
+	tests := []struct {
+		name   string
+		ruleID string
+		line   string
+		match  string
+		want   bool
+	}{
+		{
+			name:   "matches ri:secret attribute with quoted value",
+			ruleID: rules.GenericApiKeyID,
+			line:   `<ri:attachment ri:secret="12345" />`,
+			match:  `secret="12345"`,
+			want:   true,
+		},
+		{
+			name:   "matches with extra whitespace and self-closing tag",
+			ruleID: rules.GenericApiKeyID,
+			line:   `<ri:attachment     ri:secret="12345"/>`,
+			match:  `secret="12345"`,
+			want:   true,
+		},
+		{
+			name:   "no match when value format differs (expects exact literal)",
+			ruleID: rules.GenericApiKeyID,
+			line:   `<ri:attachment ri:secret="12345" />`,
+			match:  `secret=12345`,
+			want:   false,
+		},
+		{
+			name:   "no match when value appears in a different attribute",
+			ruleID: rules.GenericApiKeyID,
+			line:   `<ri:attachment ri:filename="secret=12345" />`,
+			match:  `secret=12345`,
+			want:   false,
+		},
+		{
+			name:   "no match when ri: prefixes the element name (not an attribute)",
+			ruleID: rules.GenericApiKeyID,
+			line:   `<ri:secret value="x">`,
+			match:  `secret`,
+			want:   false,
+		},
+		{
+			name:   "no match when text is outside any tag",
+			ruleID: rules.GenericApiKeyID,
+			line:   `ri:secret=12345`,
+			match:  `secret=12345`,
+			want:   false,
+		},
+		{
+			name:   "no match for xri: prefixed attribute",
+			ruleID: rules.GenericApiKeyID,
+			line:   `<ri:attachment xri:secret="12345" />`,
+			match:  `secret="12345"`,
+			want:   false,
+		},
+		{
+			name:   "no match when rule ID is not generic-api-key does not apply",
+			ruleID: "some-other-rule",
+			line:   `<ri:attachment ri:secret="12345" />`,
+			match:  `secret="12345"`,
+			want:   false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := isSecretFromConfluenceResourceIdentifier(tt.ruleID, tt.line, tt.match)
+			assert.Equal(t, tt.want, got, "ruleID=%q, line=%q, match=%q", tt.ruleID, tt.line, tt.match)
+		})
+	}
+}
+
+// if any of these tests fails, we should review isSecretFromConfluenceResourceIdentifier and/or generic-api-key rule
+func TestDetectWithConfluenceMetadata(t *testing.T) {
+	secretsCases := []struct {
+		Content    string
+		Name       string
+		ShouldFind bool
+	}{
+		{
+			Content:    "<ri:user ri:userkey=\"8a7f808362ce64321162ceb20e64321a\" >",
+			Name:       "should not detect from confluence userkey metadata",
+			ShouldFind: false,
+		},
+	}
+
+	detector, err := Init(&EngineConfig{})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for _, secret := range secretsCases {
+		t.Run(secret.Name, func(t *testing.T) {
+			secretsChan := make(chan *secrets.Secret, 1)
+			c := plugins.ConfluencePlugin{}
+			err = detector.DetectFragment(item{content: &secret.Content}, secretsChan, c.GetName())
+			if err != nil {
+				return
+			}
+			close(secretsChan)
+
+			s := <-secretsChan
+
+			if secret.ShouldFind {
+				assert.Equal(t, s.LineContent, secret.Content)
+			} else {
+				assert.Nil(t, s)
+			}
+		})
+	}
+}
+
 type item struct {
 	content *string
 	id      string

engine/rules/generic-key.go

@@ -7,6 +7,8 @@ import (
 	"github.com/zricethezav/gitleaks/v8/config"
 )
 
+const GenericApiKeyID = "generic-api-key"
+
 func GenericCredential() *config.Rule {
 	regex := generateSemiGenericRegexIncludingXml([]string{
 		"access",
@@ -21,7 +23,7 @@ func GenericCredential() *config.Rule {
 	}, `[\w.=-]{10,150}|[a-z0-9][a-z0-9+/]{11,}={0,3}`, true)
 
 	return &config.Rule{
-		RuleID:      "generic-api-key",
+		RuleID:      GenericApiKeyID,
 		Description: "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.",
 		Regex:       regex,
 		Keywords: []string{