
S3 Secret Keys not detected

Open vexvec opened this issue 1 year ago • 4 comments

Version

3.82.6

Trace Output

NOT APPLICABLE

Expected Behavior

S3 Secret Keys that are defined in a JSON file as a KV pair S3_SECRET_KEY: verysecret are recognized. The corresponding S3_ACCESS_KEY pairs are recognized.

Actual Behavior

S3 access keys are recognized; S3 secret keys are not.

Steps to Reproduce

  1. Take a test JSON file with both KV pairs
  2. Place the JSON in a S3 Bucket
  3. Scan the bucket (without any special flags)
  4. See that S3_ACCESS_KEY is recognized and S3_SECRET_KEY not

Environment

  • OS: debian
  • Version testing (Rolling)

Additional Context

{
  "env": {
    "S3_ACCESS_KEY": "i-have-an-access-key",
    "S3_SECRET_KEY": "and-a-secret-key"
  }
}

References

  • #0000

vexvec avatar Oct 07 '24 10:10 vexvec

Are you expecting the sample that you provided to be detected? That wouldn't match the pattern required.

dustin-decker avatar Oct 07 '24 15:10 dustin-decker

Yes indeed, I expect it to be detected. The access key is detected in such a file, but the secret key is not. I can't understand the reason behind it.

vexvec avatar Oct 07 '24 15:10 vexvec

Are you trying to detect actual keys? Or placeholders like you provided?

dustin-decker avatar Oct 07 '24 20:10 dustin-decker

Actual keys. To be more specific, the keys are in the given format within a CloudFormation config.

vexvec avatar Oct 07 '24 21:10 vexvec

I think it's not displaying the detected secret key. Use the --json option and it will display the secret key in rawv2.

ankushgoel27 avatar Nov 09 '24 15:11 ankushgoel27

See that S3_ACCESS_KEY is recognized and S3_SECRET_KEY not

This is intentional and doesn't mean the secret wasn't detected. TruffleHog only generates a result when both the access key and secret key are found together. The Raw field is used as an identifier, not as a display of the actual credentials. While it may look like secrets are shown in Raw for single-pattern detectors, it's actually just an identifier derived from the matched data.

As @ankushgoel27 mentioned, you can use the --json flag to view the RawV2 field, which combines both key and secret. However, there's no delimiter between them, because RawV2 serves as an identifier for multi-pattern detectors where multiple matches may share the same ID/Key and have the same Raw value.

kashifkhan0771 avatar Apr 30 '25 12:04 kashifkhan0771
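The behaviour described in the two comments above (a result only when access key and secret co-occur, Raw as an identifier, RawV2 as key and secret concatenated without a delimiter) is modelled in this added example. It is not TruffleHog's own code; the two regexes are simplified assumptions, not the project's real detector patterns, and the sample key and secret are the placeholder values from AWS's documentation.

```python
import re
from dataclasses import dataclass

# Assumption: simplified stand-ins for the detector's real patterns.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")


@dataclass(frozen=True)
class Result:
    detector: str
    raw: str      # identifier only: the access key ID
    raw_v2: str   # identifier for multi-pattern detectors: key ID + secret, no delimiter


def scan_aws(text: str) -> list[Result]:
    """Emit a result only when an access key ID AND a secret key are both present."""
    key_ids = set(ACCESS_KEY_RE.findall(text))
    secrets = set(SECRET_KEY_RE.findall(text))
    return [
        Result("AWS", raw=key_id, raw_v2=key_id + secret)
        for key_id in sorted(key_ids)
        for secret in sorted(secrets)
    ]


def render(result: Result, json_mode: bool) -> dict:
    """Default output surfaces only Raw; --json also carries RawV2."""
    out = {"DetectorName": result.detector, "Raw": result.raw}
    if json_mode:
        out["RawV2"] = result.raw_v2
    return out


# Constructed inputs. The first is the issue's placeholder file; the
# others use the well-known example values from AWS documentation.
PLACEHOLDER_JSON = '{"env": {"S3_ACCESS_KEY": "i-have-an-access-key", "S3_SECRET_KEY": "and-a-secret-key"}}'
EXAMPLE_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
EXAMPLE_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
BOTH_JSON = f'{{"env": {{"S3_ACCESS_KEY": "{EXAMPLE_KEY_ID}", "S3_SECRET_KEY": "{EXAMPLE_SECRET}"}}}}'
ACCESS_ONLY_JSON = f'{{"env": {{"S3_ACCESS_KEY": "{EXAMPLE_KEY_ID}"}}}}'

if __name__ == "__main__":
    for label, doc in [("placeholder", PLACEHOLDER_JSON), ("both", BOTH_JSON), ("access-only", ACCESS_ONLY_JSON)]:
        for r in scan_aws(doc):
            print(label, render(r, json_mode=False), render(r, json_mode=True))
```

Only the "both" document yields a result, and the secret is visible solely in RawV2; the placeholder file matches neither pattern, which is the point made earlier in the thread.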

@vexvec, let me know if this answers your question, so we can close the issue. Thank you!

kashifkhan0771 avatar Apr 30 '25 12:04 kashifkhan0771

Yes, this answers my question. Thanks!

vexvec avatar Apr 30 '25 16:04 vexvec