
Trufflehog didn't scan Google OAuth creds stored in plain text in GitHub repository

Open spawar-apex opened this issue 9 months ago • 6 comments


TruffleHog Version

3.57.0

Trace Output

Nothing to note in output

Expected Behavior

Trufflehog should detect GOOGLE_OAUTH2_SECRET in verified secrets.

Actual Behavior

Trufflehog isn't detecting the GOOGLE_OAUTH2_SECRET when scanning the git repository or when using the filesystem flag.

Steps to Reproduce

  1. Go to Terminal -> trufflehog --version
  2. If the version is proper and latest, run trufflehog --trace git https://github.com/<org_name>/gitops.git
  3. I have validated the above command with --only-verified as well as without it.
  4. Output example as shown below: {"chunks": 280393, "bytes": 76133309, "verified_secrets": 12, "unverified_secrets": 1739, "scan_duration": "1m38.069474625s"}
  5. I have filtered the unverified results and still didn't find that the GOOGLE_OAUTH2_SECRET had been detected by Trufflehog.

Environment

  • OS: Mac
  • Version: 13.2.1

Additional Context

I have created a GitOps Repo where I have stored GOOGLE_OAUTH2_SECRET value in plain text and was validating if Trufflehog was able to determine a secret/credentials present in plain text.

References

  • #0000

spawar-apex avatar Oct 02 '23 16:10 spawar-apex

I also met this problem. I downloaded the repository and used the newest trufflehog version (3.60.0). I ran trufflehog filesystem ./ , but it can't find the private key in the .env file.

alexanderhawl avatar Oct 18 '23 07:10 alexanderhawl

@dustin-decker - Could you please shed some insights on this?

spawar-apex avatar Oct 26 '23 15:10 spawar-apex

It would be helpful if you provide specific examples that can be tested against (redact/placeholders, obviously).

rgmz avatar Oct 26 '23 15:10 rgmz

@rgmz - This is specific to my environment. I did create values.yaml file as part of the Airflow GitOps deployment Repo.

In values.yaml, I have a configuration that looks like the one shown below:

```yaml
airflow:
  fernetKey: "<value_here>"
  config:
    AIRFLOW__LOGGING__REMOTE_BASE_LOG_FOLDER: "gs://<bucket>"
    AIRFLOW__WEBSERVER__BASE_URL: "<url>"
    AIRFLOW__WEBSERVER__INSTANCE_NAME: <name>
    AIRFLOW__WEBSERVER__NAVBAR_COLOR: "#C05CF2"
  variables:
  - key: environment
    value: dev
  - key: group
    value: test
  extraEnv:
  - name: "GOOGLE_OAUTH2_CLIENT_ID"
    value: "<client_id_value>"
  - name: "GOOGLE_OAUTH2_SECRET"
    value: "<secret_value>"
```

This config file is stored locally, and I then ran a trufflehog scan, but it didn't detect the OAuth credentials.

spawar-apex avatar Oct 26 '23 16:10 spawar-apex
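As an added example (not TruffleHog's own code and not the issue author's), here is a supplementary name-based check a defender can run over a Helm values file of the shape posted above. Pattern-based secret scanners look for known credential formats; this check instead flags `- name:`/`value:` env items and plain `key: value` lines whose name looks credential-bearing and whose value is an inline literal, while skipping `valueFrom:` references and templated or `<placeholder>` values. The sensitive-name list and the sample file are assumptions constructed for the example.

```python
import re

# Constructed sample in the shape of the values.yaml posted above; the
# values are made-up placeholders, not real credentials.
SAMPLE_VALUES_YAML = """\
airflow:
  fernetKey: "placeholder-fernet-key"
  config:
    AIRFLOW__WEBSERVER__BASE_URL: "https://airflow.example.invalid"
  extraEnv:
  - name: "GOOGLE_OAUTH2_CLIENT_ID"
    value: "placeholder-client-id"
  - name: "GOOGLE_OAUTH2_SECRET"
    value: "placeholder-oauth-secret"
  - name: "DB_PASSWORD"
    valueFrom:
      secretKeyRef:
        name: airflow-db
        key: password
"""

# Assumed heuristic: name fragments that usually carry credentials.
SENSITIVE_NAME = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY|PRIVATE_?KEY|FERNET", re.I)
# Values that are templated or explicit placeholders rather than literal secrets.
TEMPLATED_VALUE = re.compile(r"^(\{\{.*\}\}|\$\{?[A-Za-z_]+\}?|<[^>]*>)$")

def _unquote(s: str) -> str:
    s = s.strip()
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] and s[0] in "\"'" else s

def _is_literal_secret(name: str, value: str) -> bool:
    return bool(value) and bool(SENSITIVE_NAME.search(name)) and not TEMPLATED_VALUE.match(value)

def find_literal_secrets(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, name, value) for credential-named settings whose value is
    an inline literal: `- name:`/`value:` env items and plain `key: value` lines.
    Items sourced via `valueFrom:` (e.g. a Kubernetes Secret) are not flagged."""
    findings, pending = [], None  # pending = env var name awaiting its `value:`
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if m := re.match(r"-\s*name:\s*(.+)$", line):
            pending = _unquote(m.group(1))
        elif m := re.match(r"value:\s*(.+)$", line):
            if pending is not None and _is_literal_secret(pending, _unquote(m.group(1))):
                findings.append((line_no, pending, _unquote(m.group(1))))
            pending = None
        elif line.startswith("valueFrom:"):
            pending = None  # value comes from a referenced Secret, not inline
        elif (m := re.match(r"([A-Za-z_]\w*):\s*(\S.*)$", line)) and _is_literal_secret(m.group(1), _unquote(m.group(2))):
            findings.append((line_no, m.group(1), _unquote(m.group(2))))
    return findings

if __name__ == "__main__":
    for line_no, name, value in find_literal_secrets(SAMPLE_VALUES_YAML):
        print(f"line {line_no}: {name} is set to an inline literal ({value[:4]}...)")
```

On the sample this reports fernetKey and GOOGLE_OAUTH2_SECRET but not the client ID (not a secret) or DB_PASSWORD (sourced from a Secret).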

@rgmz - Just checking in if you're able to detect/test against the sample example.

spawar-apex avatar Nov 15 '23 21:11 spawar-apex

@rgmz - I'm not sure if this issue is addressed, or are you able to detect against the sample provided earlier?

spawar-apex avatar Jan 18 '24 19:01 spawar-apex