feat: confluence revamp

.ci/update-readme.sh

@@ -13,7 +13,7 @@ update_readme() {
 }
 
 # Update the README with the help message
-help_message=$(go run .)
+help_message=$(GOEXPERIMENT=jsonv2 go run .)
 
 echo "" >output.txt
 echo '```text' >>output.txt
@@ -23,7 +23,7 @@ echo "" >>output.txt
 update_readme "output.txt" "command-line" "README.md"
 rm output.txt
 
-go run . rules | awk 'BEGIN{FS = "   *"}{print "| " $1 " | " $2 " | " $3 " | " $4 " |";}' >output.txt
+GOEXPERIMENT=jsonv2 go run . rules | awk 'BEGIN{FS = "   *"}{print "| " $1 " | " $2 " | " $3 " | " $4 " |";}' >output.txt
 update_readme "output.txt" "table" "./docs/list-of-rules.md"
 rm output.txt
 

.github/workflows/codecov.yaml

@@ -32,7 +32,7 @@ jobs:
 
     - name: Run tests and generate coverage 
       run: |
-        go test ./... -coverpkg=./... -v -coverprofile cover.out
+        GOEXPERIMENT=jsonv2 go test ./... -coverpkg=./... -v -coverprofile cover.out
 
 
     - name: Upload coverage to Codecov

.github/workflows/pr-validation.yml

@@ -30,13 +30,13 @@ jobs:
           git diff --exit-code
 
       - name: Go Linter
-        run: docker run --rm -v $(pwd):/app -w /app golangci/golangci-lint:v2.1.5 golangci-lint run --timeout=5m
+        run: docker run --rm -e GOEXPERIMENT=jsonv2 -v $(pwd):/app -w /app golangci/golangci-lint:v2.5.0 golangci-lint run --timeout=5m
 
       - name: Go Test
-        run: go test -v ./...
+        run: GOEXPERIMENT=jsonv2 go test -v ./...
 
       - name: Run 2ms Scan
-        run: go run . git . --config .2ms.yml
+        run: GOEXPERIMENT=jsonv2 go run . git . --config .2ms.yml
 
   build:
     runs-on: ubuntu-latest

.github/workflows/release.yml

@@ -27,12 +27,12 @@ jobs:
 
       - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
-          go-version: "^1.22"
+          go-version-file: 'go.mod'
       - name: Go Linter
-        run: docker run --rm -v $(pwd):/app -w /app golangci/golangci-lint:v2.1.5 golangci-lint run --timeout=5m
+        run: docker run --rm -e GOEXPERIMENT=jsonv2 -v $(pwd):/app -w /app golangci/golangci-lint:v2.5.0 golangci-lint run --timeout=5m
 
       - name: Unit Tests
-        run: go test ./...
+        run: GOEXPERIMENT=jsonv2 go test ./...
 
       - name: Gets release info
         id: semantic_release_info

Dockerfile

@@ -3,7 +3,10 @@
 # and "Missing User Instruction" since 2ms container is stopped after scan
 
 # Builder image
-FROM checkmarx/go:1.24.4-r0-ae7309142bb6bd@sha256:ae7309142bb6bd82e0272c3624ec53c0c68d855f6b63e985c5caaff5c1705644 AS builder
+FROM checkmarx/go:1.25.2-r0-1362f4e5a16bb5@sha256:1362f4e5a16bb5dd639020ca7890c99245ab4111f8b3bf360eac87df79e2f4cf AS builder
+
+ARG GOEXPERIMENT=jsonv2
+ENV GOEXPERIMENT=$GOEXPERIMENT
 
 WORKDIR /app
 

Makefile

@@ -10,7 +10,7 @@ RESET := $(shell printf "\033[0m")
 
 COVERAGE_REQUIRED := 55
 MOCKGEN_VERSION := 0.5.2
-LINTER_VERSION := 2.1.6
+LINTER_VERSION := 2.5.0
 
 .PHONY: lint
 lint: check-linter-version
@@ -26,7 +26,7 @@ modtidy:
 
 .PHONY: test
 test:
-	go test -race -vet all -coverprofile=cover.out.tmp ./...
+	GOEXPERIMENT=jsonv2 go test -race -vet all -coverprofile=cover.out.tmp ./...
 	grep -v -e "_mock\.go:" -e "/mocks/" -e "/docs/" cover.out.tmp > cover.out
 	go tool cover -func=cover.out
 	rm cover.out.tmp

README.md

@@ -176,7 +176,7 @@ Usage:
   2ms [command]
 
 Scan Commands
-  confluence  Scan Confluence server
+  confluence  Scan Confluence Cloud
   discord     Scan Discord server
   filesystem  Scan local folder
   git         Scan local Git repository
@@ -274,30 +274,50 @@ This command is used to scan a [Confluence](https://www.atlassian.com/software/c
 2ms confluence <URL> [flags]
 ```
 
-| Flag         | Type  | Default                        | Description                                                                      |
-| ------------ | ----- | ------------------------------ | -------------------------------------------------------------------------------- |
-| `<url>`      | string | -                              | Confluence instance URL in the following format: `https://<company id>.atlassian.net/wiki` |
-| `--history`  | -      | Doesn't scan history revisions | Scans pages history revisions                                                    |
-| `--spaces`   | string | all spaces                     | The names or IDs of the Confluence spaces to scan                                |
-| `--token`    | string | -                              | The Confluence API token for authentication                                      |
-| `--username` | string | -                              | Confluence user name or email for authentication                                 |
+| Flag            | Type         | Default | Description |
+|-----------------|--------------|---------|-------------|
+| `--space-keys`  | string list  | (all)   | Comma-separated list of space **keys** to scan. |
+| `--space-ids`   | string list  | (all)   | Comma-separated list of space **IDs** to scan. |
+| `--page-ids`    | string list  | (all)   | Comma-separated list of **page IDs** to scan. |
+| `--history`     | bool         | `false` | Also scan **all versions** of each page (page history). |
+| `--username`    | string       |         | Confluence username/email for Basic Auth. |
+| `--token`       | string       |         | Confluence **API token** for Basic Auth. |
 
-For example:
+#### Authentication
+- To scan **private spaces**, provide `--username` and `--token` (API token).
+- How to create a Confluence API token: https://support.atlassian.com/atlassian-account/docs/manage-api-tokens-for-your-atlassian-account/
+
+#### Examples
+
+- Scan **all public pages** (no auth):
+    ```bash
+    2ms confluence https://<company id>.atlassian.net/wiki
+    ```
+
+- Scan **private pages** (requires auth):
+    ```bash
+    2ms confluence https://<company id>.atlassian.net/wiki --username <USERNAME> --token <API_TOKEN>
+    ```
 
-- To scan public spaces:
+- Scan specific **spaces by key**:
+    ```bash
+    2ms confluence https://<company id>.atlassian.net/wiki --space-keys Key1,Key2
+    ```
 
+- Scan specific **spaces by ID**:
     ```bash
-    2ms confluence https://checkmarx.atlassian.net/wiki --spaces secrets
+    2ms confluence https://<company id>.atlassian.net/wiki --space-ids 1234567890,9876543210
     ```
-    💡 [The `secrets` Confluence site](https://checkmarx.atlassian.net/wiki/spaces/secrets) purposely created with plain example secrets as a test subject for this demo
 
-- To scan private spaces, authentication is required
+- Scan specific **pages by ID**:
     ```bash
-    2ms confluence <URL> --username <USERNAME> --token <API_TOKEN> --spaces <SPACES>
+    2ms confluence https://<company id>.atlassian.net/wiki --page-ids 11223344556,99887766554
     ```
-    [How to get a Confluence API token](https://support.atlassian.com/atlassian-account/docs/manage-api-tokens-for-your-atlassian-account/).
 
-[![asciicast](https://asciinema.org/a/607179.svg)](https://asciinema.org/a/607179)
+- Include **page history** (all revisions):
+    ```bash
+    2ms confluence https://<company id>.atlassian.net/wiki --history
+    ```
 
 ### Paligo
 

cmd/main.go

@@ -49,7 +49,7 @@ var configFilePath string
 var vConfig = viper.New()
 
 var allPlugins = []plugins.IPlugin{
-	&plugins.ConfluencePlugin{},
+	plugins.NewConfluencePlugin(),
 	&plugins.DiscordPlugin{},
 	&plugins.FileSystemPlugin{},
 	&plugins.SlackPlugin{},
@@ -112,9 +112,17 @@ func Execute() (int, error) {
 		}
 		subCommand.GroupID = group
 
+		pluginPreRun := subCommand.PreRunE
 		// Capture plugin name for closure
 		pluginName := plugin.GetName()
 		subCommand.PreRunE = func(cmd *cobra.Command, args []string) error {
+			// run plugin's own PreRunE (if any)
+			if pluginPreRun != nil {
+				if err := pluginPreRun(cmd, args); err != nil {
+					return err
+				}
+			}
+			// run engine-level PreRunE
 			return preRun(pluginName, engineInstance, cmd, args)
 		}
 		subCommand.PostRunE = func(cmd *cobra.Command, args []string) error {

engine/engine.go

@@ -342,7 +342,7 @@ func (e *Engine) detectSecrets(
 		if buildErr != nil {
 			return fmt.Errorf("failed to build secret: %w", buildErr)
 		}
-		if !isSecretIgnored(secret, e.ignoredIds, e.allowedValues) {
+		if !isSecretIgnored(secret, e.ignoredIds, e.allowedValues, value.Line, value.Match, pluginName) {
 			secrets <- secret
 		} else {
 			log.Debug().Msgf("Secret %s was ignored", secret.ID)
@@ -575,13 +575,15 @@ func getStartAndEndLines(
 	return startLine, endLine, nil
 }
 
-func isSecretIgnored(secret *secrets.Secret, ignoredIds, allowedValues *[]string) bool {
+func isSecretIgnored(secret *secrets.Secret, ignoredIds, allowedValues *[]string, secretLine, secretMatch, pluginName string) bool {
 	for _, allowedValue := range *allowedValues {
 		if secret.Value == allowedValue {
 			return true
 		}
 	}
-
+	if pluginName == "confluence" && isSecretFromConfluenceResourceIdentifier(secret.RuleID, secretLine, secretMatch) {
+		return true
+	}
 	return slices.Contains(*ignoredIds, secret.ID)
 }
 
@@ -740,3 +742,19 @@ func (e *Engine) Scan(pluginName string) {
 func (e *Engine) Wait() {
 	e.wg.Wait()
 }
+
+// isSecretFromConfluenceResourceIdentifier reports whether a regex match found in a line
+// actually belongs to Confluence Storage Format metadata (the `ri:` namespace) rather than
+// real user content. This lets us ignore false-positives that cannot be suppressed via the
+// generic-api-key rule allow-list.
+func isSecretFromConfluenceResourceIdentifier(secretRuleID, secretLine, secretMatch string) bool {
+	if secretRuleID != rules.GenericApiKeyID || secretLine == "" || secretMatch == "" {
+		return false
+	}
+
+	q := regexp.QuoteMeta(secretMatch)
+
+	pat := `<[^>]*\sri:` + q + `[^>]*>`
+	re := regexp.MustCompile(pat)
+	return re.MatchString(secretLine)
+}

engine/engine_test.go

@@ -717,6 +717,120 @@ func TestGetFindingId(t *testing.T) {
 	})
 }
 
+func TestIsSecretFromConfluenceResourceIdentifier(t *testing.T) {
+	tests := []struct {
+		name   string
+		ruleID string
+		line   string
+		match  string
+		want   bool
+	}{
+		{
+			name:   "matches ri:secret attribute with quoted value",
+			ruleID: rules.GenericApiKeyID,
+			line:   `<ri:attachment ri:secret="12345" />`,
+			match:  `secret="12345"`,
+			want:   true,
+		},
+		{
+			name:   "matches with extra whitespace and self-closing tag",
+			ruleID: rules.GenericApiKeyID,
+			line:   `<ri:attachment     ri:secret="12345"/>`,
+			match:  `secret="12345"`,
+			want:   true,
+		},
+		{
+			name:   "no match when value format differs (expects exact literal)",
+			ruleID: rules.GenericApiKeyID,
+			line:   `<ri:attachment ri:secret="12345" />`,
+			match:  `secret=12345`,
+			want:   false,
+		},
+		{
+			name:   "no match when value appears in a different attribute",
+			ruleID: rules.GenericApiKeyID,
+			line:   `<ri:attachment ri:filename="secret=12345" />`,
+			match:  `secret=12345`,
+			want:   false,
+		},
+		{
+			name:   "no match when ri: prefixes the element name (not an attribute)",
+			ruleID: rules.GenericApiKeyID,
+			line:   `<ri:secret value="x">`,
+			match:  `secret`,
+			want:   false,
+		},
+		{
+			name:   "no match when text is outside any tag",
+			ruleID: rules.GenericApiKeyID,
+			line:   `ri:secret=12345`,
+			match:  `secret=12345`,
+			want:   false,
+		},
+		{
+			name:   "no match for xri: prefixed attribute",
+			ruleID: rules.GenericApiKeyID,
+			line:   `<ri:attachment xri:secret="12345" />`,
+			match:  `secret="12345"`,
+			want:   false,
+		},
+		{
+			name:   "no match when rule ID is not generic-api-key does not apply",
+			ruleID: "some-other-rule",
+			line:   `<ri:attachment ri:secret="12345" />`,
+			match:  `secret="12345"`,
+			want:   false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := isSecretFromConfluenceResourceIdentifier(tt.ruleID, tt.line, tt.match)
+			assert.Equal(t, tt.want, got, "ruleID=%q, line=%q, match=%q", tt.ruleID, tt.line, tt.match)
+		})
+	}
+}
+
+// if any of these tests fails, we should review isSecretFromConfluenceResourceIdentifier and/or generic-api-key rule
+func TestDetectWithConfluenceMetadata(t *testing.T) {
+	secretsCases := []struct {
+		Content    string
+		Name       string
+		ShouldFind bool
+	}{
+		{
+			Content:    "<ri:user ri:userkey=\"8a7f808362ce64321162ceb20e64321a\" >",
+			Name:       "should not detect from confluence userkey metadata",
+			ShouldFind: false,
+		},
+	}
+
+	detector, err := Init(&EngineConfig{})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for _, secret := range secretsCases {
+		t.Run(secret.Name, func(t *testing.T) {
+			secretsChan := make(chan *secrets.Secret, 1)
+			c := plugins.ConfluencePlugin{}
+			err = detector.DetectFragment(item{content: &secret.Content}, secretsChan, c.GetName())
+			if err != nil {
+				return
+			}
+			close(secretsChan)
+
+			s := <-secretsChan
+
+			if secret.ShouldFind {
+				assert.Equal(t, s.LineContent, secret.Content)
+			} else {
+				assert.Nil(t, s)
+			}
+		})
+	}
+}
+
 type item struct {
 	content *string
 	id      string

engine/rules/generic-key.go

@@ -7,6 +7,8 @@ import (
 	"github.com/zricethezav/gitleaks/v8/config"
 )
 
+const GenericApiKeyID = "generic-api-key"
+
 func GenericCredential() *config.Rule {
 	regex := generateSemiGenericRegexIncludingXml([]string{
 		"access",
@@ -21,7 +23,7 @@ func GenericCredential() *config.Rule {
 	}, `[\w.=-]{10,150}|[a-z0-9][a-z0-9+/]{11,}={0,3}`, true)
 
 	return &config.Rule{
-		RuleID:      "generic-api-key",
+		RuleID:      GenericApiKeyID,
 		Description: "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.",
 		Regex:       regex,
 		Keywords: []string{

go.mod

@@ -1,6 +1,6 @@
 module github.com/checkmarx/2ms/v4
 
-go 1.24.6
+go 1.25.2
 
 replace (
 	golang.org/x/oauth2 => golang.org/x/oauth2 v0.30.0