
False positives - currently in pagerDutyApiKey

Open shoddyknight opened this issue 1 year ago • 9 comments


TruffleHog Version

3.55.1

Trace Output

[Screenshot attached to the original issue, 2023-09-13 15:28:04]

Expected Behavior

A standard camelCase string used in coding should not be detected as a secret

Actual Behavior

existingSubscription is detected as a secret

Additional Context

We use trufflehog in CI and output that to a Gitlab native report to generate security reports. Consistent false positives cause our dev teams real headaches and block the path to production

shoddyknight avatar Sep 13 '23 14:09 shoddyknight

Hi @shoddyknight, can you provide more information? We typically only recommend using the --only-verified flag, which would have attempted to authenticate with the PD key. Do you have the raw TruffleHog output? Is it showing up as verified?

dxa4481 avatar Sep 13 '23 14:09 dxa4481

Hi, @dxa4481 - we do not currently run with --only-verified and I can confirm this is not showing as verified.

I am adding a line of code to allow us to generate trace reports from the CI pipeline to give the raw output. I can add the raw JSON report shortly.

shoddyknight avatar Sep 13 '23 14:09 shoddyknight

```json
{
  "SourceMetadata": {
    "Data": {
      "Git": {
        "commit": "478b68d2f2be5e4d95718c479e7ce4aa0f031601",
        "file": ".../StopSubscriptionServiceImpl.java",
        "email": "....",
        "repository": "...",
        "timestamp": "2023-09-12 13:45:22 +0000",
        "line": 156
      }
    }
  },
  "SourceID": 1,
  "SourceType": 16,
  "SourceName": "trufflehog - git",
  "DetectorType": 32,
  "DetectorName": "PagerDutyApiKey",
  "DecoderName": "BASE64",
  "Verified": false,
  "Raw": "existingSubscription",
  "RawV2": "",
  "Redacted": "",
  "ExtraData": null,
  "StructuredData": null
}
```

shoddyknight avatar Sep 13 '23 14:09 shoddyknight

You're going to experience a lot of unverified false positives, but the verification feature should sort them all out for you. Are you able to enable that flag?

dxa4481 avatar Sep 13 '23 14:09 dxa4481

Here's a related short blog: https://trufflesecurity.com/blog/its-impossible-to-find-every-vulnerability-so-we-dont-try-to/

dxa4481 avatar Sep 13 '23 14:09 dxa4481

I'll share this with my SecDev colleagues and we can discuss, thanks

I still think the bug is quite unpleasant

shoddyknight avatar Sep 13 '23 14:09 shoddyknight

Also, the recent surge is due to the recent change #1749 that added "pd" as a keyword, and since it's so small/common it's getting triggered more.

bugbaba avatar Sep 21 '23 15:09 bugbaba

> You're going to experience a lot of unverified false positives, but the verification feature should sort them all out for you. Are you able to enable that flag?

So you're telling me I must leak information to every service in order to test if there is a valid token?

With 3.59.0 on 1000 repositories I ended up with: [image]

As we don't use PagerDuty (or the exchange rate API), I simply discard those results. Is there a way to deactivate some detectors via config or CLI?

Marx314 avatar Oct 16 '23 20:10 Marx314

> As we don't use pagerduty (or exchange rate api) I simply discard does result. Is there a way to deactivate some detectors via config or cli?

That should be possible with --exclude-detectors

https://github.com/trufflesecurity/trufflehog/blob/98d2922bee11002ae67b9cd4e900a9d685b8596f/main.go#L64

rgmz avatar Oct 27 '23 00:10 rgmz
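The thread lands on two controls: run with --only-verified so that unverified hits like the one above never reach the report (dxa4481's suggestion), or drop whole detectors with --exclude-detectors (rgmz's answer). The following is an added example, not TruffleHog's own code and not from any participant in this issue. It builds the CLI invocation for both approaches and post-filters `--json` output (one JSON object per line, in the shape of the record posted above) before it is turned into a CI report. The `--json` and `--no-verification` flags are assumed to exist in the installed TruffleHog 3.x release; the camelCase heuristic that drops a `Raw` value such as `existingSubscription` is this script's own assumption, not a TruffleHog feature, and the sample output is constructed.

```python
"""Post-filter for TruffleHog v3 --json output (added example, not project code)."""
import json
import re
from typing import Any, Dict, Iterable, List

# Constructed sample of `trufflehog git ... --json` output. The first record
# reproduces the false positive from this issue; the others are invented
# placeholders (not real credentials) to exercise each filter rule.
SAMPLE_OUTPUT = "\n".join(json.dumps(r) for r in [
    {"DetectorName": "PagerDutyApiKey", "DecoderName": "BASE64", "Verified": False,
     "Raw": "existingSubscription",
     "SourceMetadata": {"Data": {"Git": {"file": ".../StopSubscriptionServiceImpl.java", "line": 156}}}},
    {"DetectorName": "PagerDutyApiKey", "DecoderName": "PLAIN", "Verified": True,
     "Raw": "u+EXAMPLEEXAMPLEEXAMPLE",
     "SourceMetadata": {"Data": {"Git": {"file": "config/alerts.yml", "line": 3}}}},
    {"DetectorName": "ExchangeRateAPI", "DecoderName": "PLAIN", "Verified": False,
     "Raw": "0123456789abcdef0123456789abcdef",
     "SourceMetadata": {"Data": {"Git": {"file": "src/rates.py", "line": 12}}}},
    {"DetectorName": "AWS", "DecoderName": "PLAIN", "Verified": False,
     "Raw": "AKIAEXAMPLEEXAMPLE00",
     "SourceMetadata": {"Data": {"Git": {"file": "deploy.sh", "line": 7}}}},
])

# A lowerCamelCase identifier: lowercase word followed by one or more
# capitalised words. Heuristic assumption for this example only.
CAMEL_CASE = re.compile(r"^[a-z]+(?:[A-Z][a-z0-9]+)+$")


def trufflehog_args(target: str, exclude_detectors: Iterable[str] = (),
                    only_verified: bool = False, no_verification: bool = False) -> List[str]:
    """Build the argv for a git scan. --only-verified and --no-verification are
    contradictory (one keeps only authenticated hits, the other never calls out),
    so asking for both is rejected."""
    if only_verified and no_verification:
        raise ValueError("choose either --only-verified or --no-verification")
    args = ["trufflehog", "git", target, "--json"]
    if only_verified:
        args.append("--only-verified")
    if no_verification:
        args.append("--no-verification")
    excluded = [d.lower() for d in exclude_detectors]
    if excluded:
        # Comma-separated, case-insensitive detector names (assumed format).
        args.append("--exclude-detectors=" + ",".join(excluded))
    return args


def parse_results(text: str) -> List[Dict[str, Any]]:
    """Parse JSON-lines output; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def filter_results(results: Iterable[Dict[str, Any]], exclude_detectors: Iterable[str] = (),
                   only_verified: bool = False, drop_identifier_like: bool = True) -> List[Dict[str, Any]]:
    """Apply the report policy: drop excluded detectors, optionally drop anything
    TruffleHog could not verify, and drop Raw values that are plain identifiers."""
    excluded = {d.lower() for d in exclude_detectors}
    kept = []
    for r in results:
        if r.get("DetectorName", "").lower() in excluded:
            continue
        if only_verified and not r.get("Verified", False):
            continue
        if drop_identifier_like and CAMEL_CASE.match(r.get("Raw", "")):
            continue
        kept.append(r)
    return kept


def summarize(results: Iterable[Dict[str, Any]]) -> List[str]:
    """One line per finding for a CI log; the secret itself is not echoed."""
    lines = []
    for r in results:
        git = r.get("SourceMetadata", {}).get("Data", {}).get("Git", {})
        state = "verified" if r.get("Verified") else "unverified"
        lines.append(f"{r.get('DetectorName')} ({state}) at {git.get('file')}:{git.get('line')}")
    return lines


if __name__ == "__main__":
    print(" ".join(trufflehog_args("file://.", ["PagerDutyApiKey", "ExchangeRateAPI"], no_verification=True)))
    for line in summarize(filter_results(parse_results(SAMPLE_OUTPUT), only_verified=True)):
        print(line)
```

Running the script with `--no-verification` plus `--exclude-detectors` is the combination Marx314 was asking for: no outbound authentication attempt, and the two detectors that fire on every repository silenced at the source. The post-filter is the fallback for a pipeline that cannot change the scanner flags, for example when the JSON is produced by a shared CI job.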