
Credentials Masked while giving output in json Format

Open SecTheBit opened this issue 3 years ago • 1 comments

Hi Team, it has been observed that trufflehog is masking the credentials while giving output in JSON format. For example, these MongoDB credentials have been detected, and the leaked credentials are also shown (refer to the screenshot below).

Screenshot from 2022-08-01 17-36-23

But when I used the --json flag, the credentials have been masked in the output (refer to the screenshot below).

Screenshot from 2022-08-01 17-43-18

Yes, the credentials have been shown in raw, in base64 format, but what is the purpose of encoding that in base64? Can't we just show them in the raw format?

SecTheBit, Aug 01 '22 12:08

Also, I ran trufflehog with the following command on my GitHub repo (https://github.com/secthebit/Test_Keys), and in the output some of the API keys shown have been base64 encoded and some of them have not (refer to the screenshot below).

./trufflehog git --only-verified https://github.com/secthebit/Test_Keys.git --json

Screenshot from 2022-08-02 13-20-54

SecTheBit, Aug 02 '22 07:08

This is a bug with the json output format that will be fixed by #825

dustin-decker, Sep 27 '22 16:09