guacsec · Strum355 · Feb 17, 2026 · Feb 10, 2026 · Feb 11, 2026
diff --git a/src/analysis.js b/src/analysis.js
@@ -9,11 +9,11 @@ import { RegexNotToBeLogged, getCustom } from "./tools.js";
 
 export default { requestComponent, requestStack, requestImages, validateToken }
 
-const rhdaTokenHeader = "rhda-token";
-const rhdaTelemetryId = "rhda-telemetry-id";
-const rhdaSourceHeader = "rhda-source"
-const rhdaOperationTypeHeader = "rhda-operation-type"
-const rhdaPackageManagerHeader = "rhda-pkg-manager"
+const rhdaTokenHeader = "trust-da-token";
+const rhdaTelemetryId = "telemetry-anonymous-id";
+const rhdaSourceHeader = "trust-da-source"
+const rhdaOperationTypeHeader = "trust-da-operation-type"
+const rhdaPackageManagerHeader = "trust-da-pkg-manager"
 
 /**
  * Adds proxy agent configuration to fetch options if a proxy URL is specified
@@ -229,11 +229,12 @@ async function validateToken(url, opts = {}) {
  *
  * @param {string} headerName - the header name to populate in request
  * @param headers
- * @param {import("index.js").Options} [opts={}] - optional various options to pass along the application
+ * @param {string} optsKey - key in the options object to use the value for
+ * @param {import("index.js").Options} [opts={}] - options input object to fetch header values from
  * @private
  */
-function setRhdaHeader(headerName, headers, opts) {
-	let rhdaHeaderValue = getCustom(headerName.toUpperCase().replaceAll("-", "_"), null, opts);
+function setRhdaHeader(headerName, headers, optsKey, opts) {
+	let rhdaHeaderValue = getCustom(optsKey, null, opts);
 	if (rhdaHeaderValue) {
 		headers[headerName] = rhdaHeaderValue
 	}
@@ -244,26 +245,15 @@ function setRhdaHeader(headerName, headers, opts) {
  * @param {import("index.js").Options} [opts={}] - optional various options to pass along the application
  * @returns {{}}
  */
-function getTokenHeaders(opts = {}) {
-	let supportedTokens = ['snyk', 'oss-index']
+export function getTokenHeaders(opts = {}) {
 	let headers = {}
-	supportedTokens.forEach(vendor => {
-		let token = getCustom(`TRUSTIFY_DA_${vendor.replace("-", "_").toUpperCase()}_TOKEN`, null, opts);
-		if (token) {
-			headers[`ex-${vendor}-token`] = token
-		}
-		let user = getCustom(`TRUSTIFY_DA_${vendor.replace("-", "_").toUpperCase()}_USER`, null, opts);
-		if (user) {
-			headers[`ex-${vendor}-user`] = user
-		}
-	})
-	setRhdaHeader(rhdaTokenHeader, headers, opts);
-	setRhdaHeader(rhdaSourceHeader, headers, opts);
-	setRhdaHeader(rhdaOperationTypeHeader, headers, opts);
-	setRhdaHeader(rhdaPackageManagerHeader, headers, opts)
-	setRhdaHeader(rhdaTelemetryId, headers, opts);
+	setRhdaHeader(rhdaTokenHeader, headers, 'TRUSTIFY_DA_TOKEN', opts);
+	setRhdaHeader(rhdaSourceHeader, headers, 'TRUSTIFY_DA_SOURCE', opts);
+	setRhdaHeader(rhdaOperationTypeHeader, headers, rhdaOperationTypeHeader.toUpperCase().replaceAll("-", "_"), opts);
+	setRhdaHeader(rhdaPackageManagerHeader, headers, rhdaPackageManagerHeader.toUpperCase().replaceAll("-", "_"), opts)
+	setRhdaHeader(rhdaTelemetryId, headers, 'TRUSTIFY_DA_TELEMETRY_ID', opts);
 
-	if (process.env["TRUSTIFY_DA_DEBUG"] === "true") {
+	if (getCustom("TRUSTIFY_DA_DEBUG", null, opts) === "true") {
 		console.log("Headers Values to be sent to Trustify DA backend:" + EOL)
 		for (const headerKey in headers) {
 			if (!headerKey.match(RegexNotToBeLogged)) {

diff --git a/src/index.js b/src/index.js
@@ -39,9 +39,9 @@ export default { componentAnalysis, stackAnalysis, imageAnalysis, validateToken
  * TRUSTIFY_DA_SYFT_PATH?: string | undefined,
  * TRUSTIFY_DA_YARN_PATH?: string | undefined,
  * MATCH_MANIFEST_VERSIONS?: string | undefined,
- * RHDA_SOURCE?: string | undefined,
- * RHDA_TOKEN?: string | undefined,
- * RHDA_TELEMETRY_ID?: string | undefined,
+ * TRUSTIFY_DA_SOURCE?: string | undefined,
+ * TRUSTIFY_DA_TOKEN?: string | undefined,
+ * TRUSTIFY_DA_TELEMETRY_ID?: string | undefined,
  * [key: string]: string | undefined,
  * }} Options
  */

diff --git a/src/tools.js b/src/tools.js
@@ -3,7 +3,7 @@ import { EOL } from "os";
 
 import { PackageURL } from "packageurl-js";
 
-export const RegexNotToBeLogged = /TRUSTIFY_DA_.*_TOKEN|ex-.*-token/
+export const RegexNotToBeLogged = /TRUSTIFY_DA_(.*_)?TOKEN|ex-.*-token|trust-.*-token/
 /**
  *
  * @param {string} key to log its value from environment variables and from opts, if it exists

diff --git a/test/get-exhort-url.test.js → test/exhort-backend-utils.test.js b/test/get-exhort-url.test.js → test/exhort-backend-utils.test.js
@@ -1,11 +1,16 @@
 import { expect } from 'chai'
+import * as chai from 'chai'
+import * as sinon from 'sinon'
+import sinonChai from 'sinon-chai'
 
+import { getTokenHeaders } from '../src/analysis.js';
 import { selectTrustifyDABackend } from '../src/index.js'
 
-const testUrl = 'https://trustify-da.example.com';
-const testUrl2 = 'https://dev.trustify-da.example.com';
+chai.use(sinonChai)
 
 suite('testing Select Trustify DA Backend function', () => {
+	const testUrl = 'https://trustify-da.example.com';
+	const testUrl2 = 'https://dev.trustify-da.example.com';
 
 	test('When TRUSTIFY_DA_BACKEND_URL is set in environment variable, should return that value', () => {
 		process.env['TRUSTIFY_DA_BACKEND_URL'] = testUrl;
@@ -63,3 +68,14 @@ suite('testing Select Trustify DA Backend function', () => {
 }).afterAll(() => {
 	delete process.env['TRUSTIFY_DA_BACKEND_URL'];
 });
+
+suite('verify token header logging', () => {
+	test('don\'t log the token header', () => {
+		getTokenHeaders({
+			'TRUSTIFY_DA_TOKEN': 'banana',
+			'TRUSTIFY_DA_DEBUG': 'true'
+		})
+		// Should only be called once with "Headers Values to be sent to Trustify DA backend:"
+		expect(console.log).to.be.calledOnce
+	})
+}).beforeAll(() => sinon.spy(console, 'log')).afterAll(() => console.log.restore())