
EICAR-like test string to always trigger tartufo and that can't be skipped

Open pmevzek-godaddy opened this issue 3 years ago • 0 comments

Feature Request

Is your feature request related to a problem? Please describe.

It is not related to a problem but is just an idea that will allow us to always make sure tartufo works and does detect what it is expected to detect. Sometimes, by using wrong arguments or calls or things like that, we could believe tartufo was running as expected but instead it did something else, unexpected, and hence we may think secrets are correctly scanned for when in fact they were not.

Describe the solution you'd like

I was thinking about something similar to the EICAR test file for anti-virus software. A specific signature (for example even one of the SHA versions of the EICAR test string) that will always match, and there is no command-line option that allows it to be skipped. Which means if we put a file with this string, we know 100% that tartufo needs to find it, and if it doesn't, it means it has been run with invalid parameters (like excluding some files, etc.)

This would allow writing an "always positive" test to make sure things work.

As done for the EICAR test file ("According to EICAR's specification, the antivirus detects the test file only if it starts with the 68-byte test string and is not more than 128 bytes long." from Wikipedia), with those kinds of safeguards it will be safe to have this string in other files, and it can be excluded with normal file-based or signature-based exclusions. But no exclusions would ever allow this string to not be flagged as a secret.

The output would still need to be a success (like in the case of "no secret") but with either a specific return code or a specific structure in the output, to identify the specific case of the "EICAR"-like string having been found (as obviously expected by the user running this tartufo scan).

Describe alternatives you've considered

One can of course do the same by putting any random string in a file and running tartufo on it. However, with appropriate flags/configuration that string can be skipped. The idea of this feature request is to have a specific string that will always trigger tartufo and that can't be skipped in any way.

Teachability, Documentation, Adoption, Migration Strategy

A small change in code is needed, as well as documentation.

pmevzek-godaddy · Apr 23 '21 22:04
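The semantics proposed above, as an added illustration that is not tartufo's own code: an in-memory scanner where ordinary findings honour exclusion globs but the canary never does, with the EICAR-style safeguard (file must start with the string and be at most 128 bytes) and a distinct exit code. The canary value, the `SECRET_KEY=` stand-in rule and the exit codes are all assumptions constructed for the example.

```python
from __future__ import annotations
import fnmatch

# Constructed canary for this example; not an official tartufo or EICAR value.
CANARY = b"TARTUFO-CANARY-TEST-STRING-DO-NOT-EXCLUDE-0123456789"
MAX_CANARY_FILE_BYTES = 128          # EICAR-style size limit, as in the request

# Assumed exit codes: 0 clean, 1 real secret found, 2 only the canary found.
EXIT_CLEAN, EXIT_SECRET, EXIT_CANARY = 0, 1, 2


def is_canary_file(data: bytes) -> bool:
    """EICAR-style test: file starts with the canary and is short enough."""
    return data.startswith(CANARY) and len(data) <= MAX_CANARY_FILE_BYTES


def looks_like_secret(data: bytes) -> bool:
    """Stand-in for the normal secret rules (hypothetical, for the example)."""
    return b"SECRET_KEY=" in data


def scan(files: dict[str, bytes], exclude_globs: list[str]) -> dict:
    """files maps path -> contents. Exclusions apply to ordinary findings only;
    the canary is checked before exclusions so no configuration can hide it."""
    findings, canaries = [], []
    for path, data in files.items():
        if is_canary_file(data):
            canaries.append(path)           # exclusions deliberately not consulted
            continue
        if any(fnmatch.fnmatch(path, g) for g in exclude_globs):
            continue
        if looks_like_secret(data):
            findings.append(path)
    code = EXIT_SECRET if findings else (EXIT_CANARY if canaries else EXIT_CLEAN)
    return {"exit_code": code, "findings": findings, "canaries": canaries}


def self_check_passed(result: dict) -> bool:
    """The 'always positive' test: a run that fails to report the canary was
    misconfigured (wrong arguments, over-broad excludes, wrong directory)."""
    return bool(result["canaries"])


# Constructed sample repository contents.
SAMPLE = {
    "src/app.py": b"print('hello')\n",
    "config/.env": b"SECRET_KEY=hunter2\n",
    "tests/canary.txt": CANARY + b"\n",
    # Canary mentioned mid-file in a long document must NOT trigger (size/prefix rule).
    "README.md": b"Docs mention " + CANARY + b" " + b"x" * 200,
}
```

Running `scan(SAMPLE, ["config/*", "tests/*"])` hides the real secret but still reports the canary with exit code 2, which is exactly the misconfiguration the request wants to make visible.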