trufflehog
The tool will not run if the organization has a dash (-) in the name. Example: principal-aaas
sudo docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=principal-aaas
Let me know if anybody is able to scan the principal-aaas organization as I did in the example above or by another command. Thanks!
Hi @principal-aaas, would you be able to post the error you are getting? I tested on a couple of orgs with - in their names and it looks to work as expected. Ex: rust-lang (https://github.com/rust-lang) and ant-design (https://github.com/ant-design)
Thanks a lot.
Thank you for the message @ahrav. Here is the error that I am receiving:
Unable to find image 'trufflesecurity/trufflehog:latest' locally
latest: Pulling from trufflesecurity/trufflehog
9621f1afde84: Pull complete
c04b1df7ea1e: Pull complete
4f4fb700ef54: Pull complete
684cafaf20e7: Pull complete
d71608a2a2a1: Pull complete
Digest: sha256:4469c599fe8f709cb15531591ff5f0d5dd065f3600d9c6ca70c13ac55a0e6a97
Status: Downloaded newer image for trufflesecurity/trufflehog:latest
🐷🔑🐷 TruffleHog. Unearth your secrets. 🐷🔑🐷
ERRO[0000] error fetching repos for org or user: principal-aaas error="could not list repos for org principal-aaas: GET https://api.github.com/orgs/principal-aaas/repos?per_page=100: 404 Not Found []"
Does anybody have an idea as to why the tool could not list repos for org principal-aaas ?
principal-aaas is actually a user, but it should still work. TruffleHog first tries to enumerate the org and should fall back to the user. It works with my username, which also has a dash.
I was able to reproduce this issue with principal-aaas
Why doesn't the tool like principal-aaas?
There was an interesting challenge posed with a generous reward by Gloria Brown to the first person that can resolve this issue. Check out her latest post: https://www.linkedin.com/in/gloria-brown-49961b1a8/
I just observed this when updating our integration tests to use a new user with a dash in the name. I suspect it's an issue with
- using the org enumeration endpoint for users AND
- the user being relatively new OR the user being relatively new with a dash in the name.
I haven't narrowed down the exact conditions but the solution is probably to just use the proper API.
2024-02-16T19:18:36Z error trufflehog error fetching repos for org {"error": "GET https://api.github.com/orgs/principal-aaas/repos?per_page=100: 404 Not Found []"}
2024-02-16T19:18:36Z info-0 trufflehog Completed enumeration {"num_repos": 4, "num_orgs": 1, "num_members": 0}
2024-02-16T19:18:36Z info-0 trufflehog finished scanning {"chunks": 40, "bytes": 151846, "verified_secrets": 0, "unverified_secrets": 0, "scan_duration": "553.488334ms"}
Works fine with the latest version. I tested with a few different users including @principal-aaas. We should probably change how we handle error messages for users, or maybe even expose a --user option for github scans. https://github.com/trufflesecurity/trufflehog/blob/88c1bb3289c5de44ebf4e9f484a6ebc02a2f6178/pkg/sources/github/github.go#L542-L544
Despite the confusing error message, a user scan will complete. Closing the issue for now.
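The enumeration order described in this thread (query the organization endpoint first, fall back to the user endpoint on a 404, and only report failure when both miss) as an added, stand-alone example in Go. This is not TruffleHog's own code and not from any participant in the thread; it runs against a constructed in-process fake of the GitHub REST API (`newFakeGitHub`, with `rust-lang` as an organization and `principal-aaas` as a user owning a made-up `example-repo`), so it needs no network and no token. The function and type names are assumptions made for illustration. The point it shows is the part the closing comments ask for: a 404 from `/orgs/<name>/repos` is expected for a user account and should not surface as an error on its own, while a name that misses both endpoints gets an error that names both attempts.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// repo is the subset of a GitHub repository object that enumeration needs.
type repo struct {
	FullName string `json:"full_name"`
}

// listRepos tries /orgs/<name>/repos first and, only on a 404, retries
// /users/<name>/repos. It returns the repository names and which endpoint
// answered ("org" or "user"). When both endpoints return 404 the error lists
// both attempts instead of a bare "could not list repos for org".
func listRepos(client *http.Client, apiBase, name string) ([]string, string, error) {
	var attempts []string
	for _, kind := range []string{"orgs", "users"} {
		url := fmt.Sprintf("%s/%s/%s/repos?per_page=100", apiBase, kind, name)
		resp, err := client.Get(url)
		if err != nil {
			return nil, "", err
		}
		if resp.StatusCode == http.StatusNotFound {
			resp.Body.Close()
			attempts = append(attempts, fmt.Sprintf("GET %s: 404 Not Found", url))
			continue // expected for a user account; fall through to /users
		}
		if resp.StatusCode != http.StatusOK {
			resp.Body.Close()
			return nil, "", fmt.Errorf("GET %s: unexpected status %d", url, resp.StatusCode)
		}
		var repos []repo
		err = json.NewDecoder(resp.Body).Decode(&repos)
		resp.Body.Close()
		if err != nil {
			return nil, "", fmt.Errorf("decoding %s: %w", url, err)
		}
		names := make([]string, 0, len(repos))
		for _, r := range repos {
			names = append(names, r.FullName)
		}
		return names, strings.TrimSuffix(kind, "s"), nil
	}
	return nil, "", fmt.Errorf("%q is neither an organization nor a user: %s", name, strings.Join(attempts, "; "))
}

// serveRepos answers <prefix><name>/repos from a constructed table and 404s otherwise.
func serveRepos(w http.ResponseWriter, r *http.Request, prefix string, table map[string][]repo) {
	rest := strings.TrimPrefix(r.URL.Path, prefix)
	if !strings.HasSuffix(rest, "/repos") {
		http.NotFound(w, r)
		return
	}
	repos, found := table[strings.TrimSuffix(rest, "/repos")]
	if !found {
		http.NotFound(w, r)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(repos)
}

// newFakeGitHub is a constructed stand-in for api.github.com (an assumption for
// this example): rust-lang is an organization, principal-aaas is a user account,
// and the repository names are made up.
func newFakeGitHub() *httptest.Server {
	orgs := map[string][]repo{
		"rust-lang": {{FullName: "rust-lang/rust"}, {FullName: "rust-lang/cargo"}},
	}
	users := map[string][]repo{
		"principal-aaas": {{FullName: "principal-aaas/example-repo"}},
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/orgs/", func(w http.ResponseWriter, r *http.Request) { serveRepos(w, r, "/orgs/", orgs) })
	mux.HandleFunc("/users/", func(w http.ResponseWriter, r *http.Request) { serveRepos(w, r, "/users/", users) })
	return httptest.NewServer(mux)
}

func main() {
	srv := newFakeGitHub()
	defer srv.Close()
	for _, name := range []string{"rust-lang", "principal-aaas", "no-such-account"} {
		repos, kind, err := listRepos(srv.Client(), srv.URL, name)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s is a %s with %d repos: %v\n", name, kind, len(repos), repos)
	}
}
```

Against the real API the same two requests would carry an Authorization header and walk the Link pagination headers; the fake above models neither, only the status-code logic that decides whether the org 404 is worth logging.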