
Feature Request: Ignore string filter

Open ryanohoro opened this issue 7 years ago • 14 comments

I'd like a set of configurable strings to be ignored when tests are executed. I've found that the following strings cut down on false positives for things like hex and base64 chars definitions.

abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
123456789

ryanohoro, Jan 04 '17 19:01

Would also like to have this added. I am running into multiple instances of this, especially when dealing with people who sign their commits with PGP.

GElkins, Jan 09 '17 19:01

+1 Thoughts on having a yaml file like this?

ignore_strings:
  - "whateverignorethisstring"
  - "ignorethisonetoo"
ignore_files:
  - "unit_tests_with_false_positives.py"

ashmastaflash, Jan 09 '17 21:01

I have PR #16 in for file ignore; it's a lazy .conf file format that uses fnmatch. But I'd be happy to merge the two features for files and strings. YML might be a better choice for this.

ryanohoro, Jan 09 '17 21:01

I'm reconsidering the file match. Initial thought was to ignore .travis.yml and the like, because encrypted credentials look like real credentials to truffleHog.
That being said, it's not hard to imagine someone plugging in real creds in a .yaml file. Maybe should just stick with individual string whitelisting :-)

ashmastaflash, Jan 09 '17 23:01

Instead of or in addition to the ignore_files, have an ignore_commitids:, so once a commit id is identified as a false positive, it can be added so it does not show up every time.

buzzdeee, Oct 20 '17 07:10

FWIW, I created #66 which adds --include and --exclude options for filtering by Git object path (similar to @ryanohoro's PR, but with added logic for inclusion patterns, and support for regular expressions [as opposed to globs]).

I feel strongly that some path filtering option should be provided, because string white/blacklisting is not going to be a scalable endeavor across a large organization, or very efficient or accurate in many scenarios for that matter. As a concrete example, repos to which devs have uploaded a .classpath file (which they should not do, but realistically it happens a lot) will contain high entropy strings that change from commit to commit, so it would not be possible to create a whitelist or blacklist string filter against issues found in that file.

Another example case in which devs are not in any way to blame is jmeter .jmx files, which should be tracked with the source, but are programmatically generated XML files with lots of high entropy strings that change every time an integration test is modified.

milo-minderbinder, Nov 29 '17 23:11

+1 for this.

Some regex for ignoring strings / paths would be great, as in bigger applications the tests/ directory generates a lot of false positive noise.

apertureless, Aug 07 '18 19:08

+1

What can I do when I have a truffleHog false positive, for example:

-----BEGIN RSA PRIVATE KEY-----

dalvarezquiroga, Nov 13 '18 15:11

One of the files in my repo is training material... about secrets management. It would be great to be able to whitelist these files!

scarolan, Apr 25 '19 14:04

Hey there, we've just released the next major version of TruffleHog!

It doesn't support ignoring strings, but this is a good feature request.

It is a complete rewrite that scans more data sources and now supports detecting and verifying over 600 credentials. Please check it out when you can.

https://trufflesecurity.com/blog/introducing-trufflehog-v3

dustin-decker, Apr 04 '22 17:04

I would love to see a way to commit a suppression of a particular secret into the code next to the secret so that the suppression is auditable just like the original commit of the secret.

Tfsec has a great method of doing this documented here.

jwenz723, Jul 27 '22 20:07

Is there any work in progress on this? As far as I can see, the only way to exclude a positive result is to ignore the entire file?

james-callahan, Aug 26 '22 04:08

I'm using a jq filter to this end. Integrated would be better, but it gets the job done.

timdittler, Aug 29 '22 08:08

> I'm using a jq filter to this end. Integrated would be better, but it gets the job done.

Interesting idea! However, hooking it up in CI will be a pain. Things to do would include:

  • Finding a jq container to use, or adding jq to the existing trufflehog container.
  • When using the JSON output, transforming it back into nice human-readable output after filtering.

james-callahan, Aug 29 '22 12:08

Would also love a way to flag false positives inline (for audit). I'm testing adding this to a pipeline in git and it's flagging jobs-or-pipelines-run- as an unverified result, but simultaneously a fake SSH key is also unverified:

-----BEGIN OPENSSH PRIVATE KEY-----
blahblah
-----END OPENSSH PRIVATE KEY-----

So for testing I can't know if it'll correctly detect real SSH keys as verified, but nor can I remove the --only-verified flag from the scan, because I know it'll flag incorrect vars.

TimKnight-DWP, Feb 01 '23 12:02
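The comments above sketch four different suppression mechanisms without any one of them being merged: ignore strings (ryanohoro, ashmastaflash), path patterns (milo-minderbinder), commit ids (buzzdeee) and an inline, auditable marker next to the finding (jwenz723, TimKnight-DWP), plus the jq post-filter timdittler uses and the human-readable re-rendering james-callahan wants after it. The following is an added example, not trufflehog code and not any commenter's script: a stand-alone Python post-filter that applies all four rules to trufflehog `--json` output and prints the survivors as one-liners. The JSON field names (`DetectorName`, `Verified`, `Raw`, `SourceMetadata.Data.Git.{commit,file,line}`) follow trufflehog v3's Git-source output as I understand it and are an assumption to check against your version; the sample findings, the repository snippet and the `trufflehog:ignore` marker are constructed for the example.

```python
"""Post-filter trufflehog JSON findings against an ignore policy.

Added example standing in for the jq filter discussed in the thread; it is not part
of trufflehog. Field names follow trufflehog v3's JSON output for the Git source as
the author understands it (assumption: adjust to what your version emits).
"""
import json
import re

# Constructed sample of `trufflehog git ... --json` output: one JSON object per line.
SAMPLE_OUTPUT = "\n".join(json.dumps(f) for f in [
    {"DetectorName": "PrivateKey", "Verified": False,
     "Raw": "-----BEGIN OPENSSH PRIVATE KEY-----\nblahblah\n-----END OPENSSH PRIVATE KEY-----",
     "SourceMetadata": {"Data": {"Git": {"commit": "a1b2c3d", "file": "tests/fixtures/fake_key.pem", "line": 1}}}},
    {"DetectorName": "Generic", "Verified": False,
     "Raw": "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/",
     "SourceMetadata": {"Data": {"Git": {"commit": "b2c3d4e", "file": "src/b64.py", "line": 12}}}},
    {"DetectorName": "Generic", "Verified": False,
     "Raw": "hunter2hunter2hunter2hunter2",
     "SourceMetadata": {"Data": {"Git": {"commit": "c3d4e5f", "file": "src/settings.py", "line": 7}}}},
    {"DetectorName": "AWS", "Verified": True,
     "Raw": "AKIAIOSFODNN7EXAMPLE",
     "SourceMetadata": {"Data": {"Git": {"commit": "d4e5f60", "file": "config/prod.yaml", "line": 4}}}},
])

# Ignore policy in the shape proposed in the thread. Kept as a dict so this runs
# without PyYAML; in practice load the same keys from a checked-in YAML file.
IGNORE_CONFIG = {
    "ignore_strings": ["abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ", "123456789"],
    "ignore_paths": [r"^tests/fixtures/", r"\.jmx$", r"(^|/)\.classpath$"],
    "ignore_commits": [],
}
# Hypothetical inline marker (tfsec-style): a finding is dropped only if the
# offending source line itself carries it, so the suppression lives in git history.
INLINE_MARKER = "trufflehog:ignore"

# Constructed stand-in for reading the file at the reported commit (path -> lines).
REPO_FILES = {
    "src/settings.py": [""] * 6 + ['TEST_SECRET = "hunter2hunter2hunter2hunter2"  # trufflehog:ignore fixture only'],
}


def git_meta(finding):
    """Return the Git metadata block (commit, file, line) or an empty dict."""
    return finding.get("SourceMetadata", {}).get("Data", {}).get("Git", {})


def suppression_reason(finding, config, repo_files):
    """Return why a finding is suppressed, or None if it must be reported.

    Verified findings are never suppressed: a live credential sitting in a test
    fixture or training material is still a live credential.
    """
    if finding.get("Verified"):
        return None
    raw = finding.get("Raw", "")
    meta = git_meta(finding)
    path, commit, line = meta.get("file", ""), meta.get("commit", ""), meta.get("line")
    for s in config.get("ignore_strings", []):
        if s in raw:  # substring match, as in ryanohoro's alphabet/digit use case
            return f"ignore_strings: {s!r}"
    for pattern in config.get("ignore_paths", []):
        if re.search(pattern, path):
            return f"ignore_paths: {pattern!r}"
    if commit in config.get("ignore_commits", []):
        return f"ignore_commits: {commit}"
    lines = repo_files.get(path)
    if lines and isinstance(line, int) and 1 <= line <= len(lines) and INLINE_MARKER in lines[line - 1]:
        return f"inline marker at {path}:{line}"
    return None


def filter_findings(json_lines, config=IGNORE_CONFIG, repo_files=REPO_FILES):
    """Split trufflehog JSON-lines output into (reported, suppressed) lists."""
    reported, suppressed = [], []
    for text in json_lines.splitlines():
        if not text.strip():
            continue
        finding = json.loads(text)
        reason = suppression_reason(finding, config, repo_files)
        if reason is None:
            reported.append(finding)
        else:
            suppressed.append((finding, reason))
    return reported, suppressed


def render(finding):
    """Human-readable one-liner, the re-rendering step a bare jq pipeline lacks."""
    meta = git_meta(finding)
    status = "verified" if finding.get("Verified") else "unverified"
    return f"[{status}] {finding.get('DetectorName')} at {meta.get('file')}:{meta.get('line')} (commit {meta.get('commit')})"


if __name__ == "__main__":
    kept, dropped = filter_findings(SAMPLE_OUTPUT)
    for f in kept:
        print(render(f))
    for f, why in dropped:
        print(f"suppressed {render(f)}: {why}")
```

Two caveats a practitioner would want. Substring matching on `ignore_strings` is deliberately permissive and will also hide a real secret that happens to contain an ignored run, so keep that list to alphabet and digit-table style strings and prefer path or inline rules for anything narrower. The inline marker is only as auditable as your review process: it suppresses exactly one reported line, and any commit that adds a marker should be reviewed like the fixture it annotates.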

While this isn't top priority for our team, we're happy to review community PRs if someone wants to take a stab at it.

zricethezav, Aug 25 '23 17:08

After some review, we don't plan on supporting this feature. However, if you want to add to the list of stopwords feel free to add to one of the following:

  • https://github.com/trufflesecurity/trufflehog/blob/main/pkg/detectors/badlist.txt
  • https://github.com/trufflesecurity/trufflehog/blob/main/pkg/detectors/programmingbooks.txt
  • https://github.com/trufflesecurity/trufflehog/blob/main/pkg/detectors/words.txt

zricethezav, Dec 14 '23 20:12