trufflehog
Trufflehog didn't scan Google OAuth creds stored in plain text in GitHub repository
TruffleHog Version
3.57.0
Trace Output
Nothing to note in output
Expected Behavior
Trufflehog should detect `GOOGLE_OAUTH2_SECRET` in verified secrets.
Actual Behavior
Trufflehog isn't detecting the `GOOGLE_OAUTH2_SECRET` when scanning the git repository or using filesystem flag.
Steps to Reproduce
- Go to Terminal -> `Trufflehog --version`
- If version is proper and latest, run `trufflehog --trace git https://github.com/<org_name>/gitops.git`
- I have validated the above command with `--only-verified` as well as without it.
- Output example as shown below:
  `{"chunks": 280393, "bytes": 76133309, "verified_secrets": 12, "unverified_secrets": 1739, "scan_duration": "1m38.069474625s"}`
- I have filtered the unverified results and still didn't find that `GOOGLE_OAUTH2_SECRET` has been detected by Trufflehog.
Environment
- OS: Mac
- Version: 13.2.1
Additional Context
I have created a GitOps Repo where I have stored `GOOGLE_OAUTH2_SECRET` value in plain text and was validating if Trufflehog was able to determine a secret/credentials present in plain text.
I also met this problem. I downloaded the repository and used the newest trufflehog version (3.60.0) with `trufflehog filesystem ./`, but it can't find the privatekey in the .env file.
@dustin-decker - Could you please shed some insights on this?
It would be helpful if you provide specific examples that can be tested against (redact/placeholders, obviously).
@rgmz - This is specific to my environment. I did create a `values.yaml` file as part of the Airflow GitOps deployment Repo.
In the `values.yaml` configuration, I have configuration that looks like the one shown below:
```yaml
airflow:
  fernetKey: "<value_here>"
  config:
    AIRFLOW__LOGGING__REMOTE_BASE_LOG_FOLDER: "gs://<bucket>"
    AIRFLOW__WEBSERVER__BASE_URL: "<url>"
    AIRFLOW__WEBSERVER__INSTANCE_NAME: <name>
    AIRFLOW__WEBSERVER__NAVBAR_COLOR: "#C05CF2"
  variables:
    - key: environment
      value: dev
    - key: group
      value: test
  extraEnv:
    - name: "GOOGLE_OAUTH2_CLIENT_ID"
      value: "<client_id_value>"
    - name: "GOOGLE_OAUTH2_SECRET"
      value: "<secret_value>"
```
This config file is stored locally and I then ran trufflehog scanning, but it didn't detect the OAUTH credentials.
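An added example, not part of this thread and not TruffleHog code: a standalone check that pairs each `name:` entry in a values file shaped like the one above with the `value:` line that follows it, and reports credential-looking names that carry a literal string. The name patterns, the function name and the sample values are assumptions constructed for illustration.

```python
import re

# Assumption: name fragments that suggest a credential; tune per repository.
SECRET_NAME = re.compile(r"SECRET|PASSWORD|TOKEN|PRIVATE_?KEY|API_?KEY", re.I)
NAME_LINE = re.compile(r"""^\s*(?:-\s+)?name:\s*["']?([^"'\s#]+)""")
VALUE_LINE = re.compile(r"^\s*(?:-\s+)?value:\s*(.*?)\s*$")
# Placeholders and template references are not literal secrets.
NON_LITERAL = re.compile(r"^(?:<[^>]*>|\{\{.*\}\}|\$\{.*\}|\$\(.*\))$")

def find_plaintext_env_secrets(text):
    """Return [(line_no, name)] for secret-named entries with a literal value."""
    findings = []
    pending = None  # name of the list entry currently being read
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("- "):
            pending = None  # a new list item starts; drop the previous name
        name = NAME_LINE.match(line)
        if name:
            pending = name.group(1)
            continue
        value = VALUE_LINE.match(line)  # `valueFrom:` does not match
        if not (value and pending):
            continue
        # Drop a trailing comment and surrounding quotes before judging.
        literal = value.group(1).split(" #")[0].strip().strip("\"'")
        if literal and not NON_LITERAL.match(literal) and SECRET_NAME.search(pending):
            findings.append((line_no, pending))
        pending = None
    return findings

# Constructed sample in the shape of the values.yaml above; the secret is fake.
SAMPLE = """\
airflow:
  variables:
    - key: environment
      value: dev
  extraEnv:
    - name: "GOOGLE_OAUTH2_CLIENT_ID"
      value: "1234-example.apps.googleusercontent.com"
    - name: "GOOGLE_OAUTH2_SECRET"
      value: "constructed-not-a-real-secret"
    - name: "DB_PASSWORD"
      valueFrom: {secretKeyRef: {name: db, key: password}}
    - name: "API_TOKEN"
      value: "<secret_value>"
"""

if __name__ == "__main__":
    print(find_plaintext_env_secrets(SAMPLE))
```

Entries that use `valueFrom`, and values that are placeholders or template references, are skipped so that only inline literals are reported.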
@rgmz - Just checking in if you're able to detect/test against the sample example.
@rgmz - I'm not sure if this issue is addressed or are you able to detect against the sample provided earlier?