Gist Scanning Errors
TruffleHog Version
trufflehog 3.71.1
Trace Output
Expected Behavior
Gists should be scanned just like any other repository on GitHub.
Actual Behavior
Depending on the Gist URL structure, one of two different errors is emitted:
URLs with the username (https://gist.github.com/raccoons-bot/627e15a45a596068ce8bfef3fd05ccdb.git)
Failed to fetch repository {"source_manager_worker_id": "Xwjd7", "repo": "https://gist.github.com/raccoons-bot/627e15a45a596068ce8bfef3fd05ccdb.git", "error": "GET https://api.github.com/repos/raccoons-bot/627e15a45a596068ce8bfef3fd05ccdb: 404 Not Found []"}
URLs without the username (https://gist.github.com/274463.git)
Unable to cache repository info {"source_manager_worker_id": "ATqG1", "repo": "https://gist.github.com/274463.git", "error": "missing cached info for gist: https://gist.github.com/274463.git"}
Steps to Reproduce
Run the following commands:
trufflehog github --repo https://gist.github.com/274463.git
trufflehog github --repo https://gist.github.com/raccoons-bot/627e15a45a596068ce8bfef3fd05ccdb.git
Environment
- OS: OSX
- Version 14.2.1
Additional Context
I believe this was introduced in PR #2379.
This is caused by two faulty assumptions:
- that Gist URLs only contain one path segment
- that Gists wouldn't be scanned directly via the `--repo` flag https://github.com/trufflesecurity/trufflehog/blob/55b3c1c0ec497fa0f274168b9868b4a47c734cd2/pkg/sources/github/github.go#L429-L437
An obvious hot-fix would be to check whether the host is "gist.github.com", similar to what the existing code does elsewhere (the code prior to #2379). However, this is a bad long-term solution as it won't work on GitHub Enterprise Server. https://github.com/rgmz/trufflehog/blob/283d83f113ff8762c8c301d1f3de7767c67f02e2/pkg/sources/github/github.go#L1074-L1075
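As an added illustration of the two URL shapes described in the report (this is example code written for this page, not trufflehog's own code and not from the issue author), the Go sketch below parses both the `<owner>/<id>.git` and the bare `<id>.git` gist path forms without hard-coding the `gist.github.com` host, and builds the `/gists/{id}` REST endpoint instead of the `/repos/{owner}/{id}` lookup that produced the 404. The GHES gist host `gist.ghes.example.com` and the API base `https://ghes.example.com/api/v3` used in `main` are made up for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// GistRef is the result of parsing a gist clone URL.
type GistRef struct {
	Host  string // e.g. "gist.github.com", or a GitHub Enterprise Server gist host
	Owner string // empty for the legacy one-segment form https://gist.github.com/274463.git
	ID    string // gist identifier with any trailing ".git" removed
}

// parseGistURL accepts both URL shapes quoted in the report:
//
//	https://gist.github.com/<owner>/<id>.git   (two path segments)
//	https://gist.github.com/<id>.git           (one path segment)
//
// It deliberately does not compare the host against "gist.github.com":
// whether a URL is a gist is the caller's decision (for instance via a
// dedicated flag), so the same parser works on a GHES gist host.
func parseGistURL(rawURL string) (GistRef, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return GistRef{}, err
	}
	if u.Scheme != "https" && u.Scheme != "http" {
		return GistRef{}, fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	if u.Host == "" {
		return GistRef{}, errors.New("missing host")
	}
	segs := strings.Split(strings.Trim(u.Path, "/"), "/")
	// Only the final segment carries the clone suffix.
	segs[len(segs)-1] = strings.TrimSuffix(segs[len(segs)-1], ".git")

	switch len(segs) {
	case 1:
		if segs[0] == "" {
			return GistRef{}, errors.New("empty gist path")
		}
		return GistRef{Host: u.Host, ID: segs[0]}, nil
	case 2:
		if segs[0] == "" || segs[1] == "" {
			return GistRef{}, fmt.Errorf("malformed gist path %q", u.Path)
		}
		return GistRef{Host: u.Host, Owner: segs[0], ID: segs[1]}, nil
	default:
		return GistRef{}, fmt.Errorf("unexpected gist path %q (want 1 or 2 segments)", u.Path)
	}
}

// gistAPIURL builds the REST endpoint for a gist. Gists are addressed by ID
// alone under /gists/{id}; treating them as repositories (/repos/{owner}/{id})
// is what yields the "404 Not Found" shown in the report.
func gistAPIURL(apiBase string, g GistRef) string {
	return strings.TrimRight(apiBase, "/") + "/gists/" + g.ID
}

func main() {
	// Inputs: the two URLs from the report plus a made-up GHES gist URL.
	cases := []struct{ raw, apiBase string }{
		{"https://gist.github.com/raccoons-bot/627e15a45a596068ce8bfef3fd05ccdb.git", "https://api.github.com"},
		{"https://gist.github.com/274463.git", "https://api.github.com"},
		{"https://gist.ghes.example.com/deadbeef.git", "https://ghes.example.com/api/v3"},
	}
	for _, c := range cases {
		g, err := parseGistURL(c.raw)
		if err != nil {
			fmt.Printf("%s -> error: %v\n", c.raw, err)
			continue
		}
		fmt.Printf("%s -> owner=%q id=%s api=%s\n", c.raw, g.Owner, g.ID, gistAPIURL(c.apiBase, g))
	}
}
```

The parser keeps the host only as data; the decision that a URL should be treated as a gist belongs to the caller, which is why an explicit gist flag (rather than a host-name check) maps onto this shape cleanly.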
Would it be reasonable to add a CLI flag just for gists?
I think they are different enough that it would make sense. There's a lot of awkward code around mingling repositories and gists.