trufflehog
Multi-part secrets are not reliably detected
TruffleHog Version
Latest
Trace Output
N/A
Expected Behavior
Detectors like DockerHub, which require both a username and a password, should pick up multi-part secrets.
Example: when processing commits, TruffleHog should pick up johndoe:dckr_pat_rotated and johndoe:dckr_pat_newandactive.
DOCKERHUB_USER = 'johndoe'
- DOCKERHUB_PASSWORD = 'dckr_pat_rotated'
+ DOCKERHUB_PASSWORD = 'dckr_pat_newandactive'
Actual Behavior
For Git sources, TruffleHog only scans added lines, so the commit shown above is processed without any of its surrounding context:
DOCKERHUB_PASSWORD = 'dckr_pat_newandactive'
This is due to how the GitParse logic is written: https://github.com/trufflesecurity/trufflehog/blob/857a37160074198a128f176f6534fd318d3c9494/pkg/gitparse/gitparse.go#L391-L396
Changing that line fixes the issue, or at least partially mitigates it; however, further care is needed to make sure that secrets are only reported for the commit in which they were introduced.
- currentDiff.Content.Write([]byte("\n"))
+ currentDiff.Content.Write(line[1:])
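Review bot: the replaced line wrote a bare "\n" for whatever non-'+' lines reach this branch, so line[1:] now copies those lines (context lines, and any others that fall through here) into currentDiff.Content with only the diff marker stripped. Two things to confirm: that line still carries its trailing newline, otherwise consecutive context lines run together into one line; and that content copied from context lines is marked as such, because otherwise, as the text above notes, a secret sitting on a context line would be reported on every later commit whose hunk happens to include it, not only on the commit that introduced it.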
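The behaviour described in this issue, as an added Go example that is not part of TruffleHog's code: a minimal stand-in for the gitparse step that keeps only '+' lines (or, with a flag, context lines as well), fed to a hypothetical two-part detector. The hunk and the DOCKERHUB_USER/password regexes are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed hunk body for the issue's commit (' ' context, '-' removed, '+' added).
const sampleHunk = " DOCKERHUB_USER = 'johndoe'\n" +
	"-DOCKERHUB_PASSWORD = 'dckr_pat_rotated'\n" +
	"+DOCKERHUB_PASSWORD = 'dckr_pat_newandactive'\n"

// diffContent models the gitparse behaviour the issue describes: only '+'
// lines reach the detectors unless withContext keeps ' ' lines too; '-' lines
// always become a bare newline. SplitAfter keeps the trailing "\n" on each line.
func diffContent(hunk string, withContext bool) string {
	var b strings.Builder
	for _, line := range strings.SplitAfter(hunk, "\n") {
		switch {
		case line == "":
		case line[0] == '+', line[0] == ' ' && withContext:
			b.WriteString(line[1:])
		default:
			b.WriteString("\n")
		}
	}
	return b.String()
}

// Hypothetical two-part detector standing in for DockerHub's: a username and
// a dckr_pat_ token must both be present in the same chunk to report a pair.
var userRe = regexp.MustCompile(`DOCKERHUB_USER\s*=\s*'([^']+)'`)
var tokenRe = regexp.MustCompile(`dckr_pat_[A-Za-z0-9_-]+`)

// detectDockerHub returns every "user:token" pairing found in chunk.
func detectDockerHub(chunk string) []string {
	var found []string
	for _, u := range userRe.FindAllStringSubmatch(chunk, -1) {
		for _, tok := range tokenRe.FindAllString(chunk, -1) {
			found = append(found, u[1]+":"+tok)
		}
	}
	return found
}

func main() {
	fmt.Println("added lines only:", detectDockerHub(diffContent(sampleHunk, false)))
	fmt.Println("with context:", detectDockerHub(diffContent(sampleHunk, true)))
}
```

With added lines only the detector sees no username and reports nothing; with context it reports johndoe:dckr_pat_newandactive, and the dropped '-' line is why the rotated token is not re-reported on this commit.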
Steps to Reproduce
N/A
Environment
N/A
Additional Context
N/A
References
N/A