From d9e1225959184794bf1ac79330fb5df97b8d812a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Rolland?=
Date: Fri, 7 Nov 2025 12:12:10 +0100
Subject: [PATCH] Fix: search token in /run and /var/run (#14)
---
 pkg/plugins/token/token.go | 27 ++++++++++++++++-----------
 1 file changed, 16 insertions(+), 11 deletions(-)
diff --git a/pkg/plugins/token/token.go b/pkg/plugins/token/token.go
index 5786627..5cbd0fe 100644
--- a/pkg/plugins/token/token.go
+++ b/pkg/plugins/token/token.go
@@ -2,6 +2,7 @@ package token
 import (
 "os"
+ "path/filepath"
 "github.com/quarkslab/kdigger/pkg/bucket"
 )
@@ -9,30 +10,29 @@ import (
 const (
 bucketName = "token"
 bucketDescription = "Token checks for the presence of a service account token in the filesystem."
-
- tokenPath = "/run/secrets/kubernetes.io/serviceaccount"
 )
+var tokenPaths = []string{"/run/secrets/kubernetes.io/serviceaccount", "/var/run/secrets/kubernetes.io/serviceaccount"}
 var bucketAliases = []string{"tokens", "tk"}
 type Bucket struct{}
 func (n Bucket) Run() (bucket.Results, error) {
 res := bucket.NewResults(bucketName)
- if tokenFolderExist() {
+ if tokenPath, ok := tokenFolderLocation(); ok {
 res.AddComment("A service account token is mounted.")
 res.SetHeaders([]string{"namespace", "token", "CA"})
- ns, err := readMountedData("namespace")
+ ns, err := readMountedData(tokenPath, "namespace")
 if err != nil {
 return bucket.Results{}, err
 }
- t, err := readMountedData("token")
+ t, err := readMountedData(tokenPath, "token")
 if err != nil {
 return bucket.Results{}, err
 }
- ca, err := readMountedData("ca.crt")
+ ca, err := readMountedData(tokenPath, "ca.crt")
 if err != nil {
 return bucket.Results{}, err
 }
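Review bot: `tokenPaths` is declared without a comment, so the first-match ordering that `Run` now depends on is implicit and the reason for listing both directories is not recorded. A line such as `// tokenPaths lists the candidate service account mount directories, probed in order; the first one that exists is used.` above the declaration would document it. The result comment in `Run` also still reads "A service account token is mounted." without naming the directory that matched, which a reader of the report would want now that there are two candidates; appending `tokenPath` to that comment would cover it. Run's body continues outside the hunk.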
@@ -61,13 +61,18 @@ func NewTokenBucket(_ bucket.Config) (*Bucket, error) {
 return &Bucket{}, nil
 }
-func tokenFolderExist() bool {
- _, err := os.Stat(tokenPath)
- return !os.IsNotExist(err)
+func tokenFolderLocation() (string, bool) {
+ for _, path := range tokenPaths {
+ _, err := os.Stat(path)
+ if !os.IsNotExist(err) {
+ return path, true
+ }
+ }
+ return "", false
 }
-func readMountedData(data string) (string, error) {
- b, err := os.ReadFile(tokenPath + "/" + data)
+func readMountedData(tokenPath string, data string) (string, error) {
+ b, err := os.ReadFile(filepath.Join(tokenPath, data))
 if err != nil {
 return "", err
 }
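Review bot: In `tokenFolderLocation`, the test `!os.IsNotExist(err)` accepts a candidate on any `os.Stat` error other than not-found (permission denied, for instance) and also when the path exists but is not a directory. The first entry can therefore be returned as found even though it is unusable, the second entry is never probed, and `Run` then fails in `readMountedData` instead of falling back. The condition is carried over from the removed `tokenFolderExist`, but the new loop is where it starts to matter; accepting only a successful stat of a directory fixes it: `if info, err := os.Stat(path); err == nil && info.IsDir() { return path, true }`. `readMountedData` continues past the end of the hunk.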