trufflehog
trufflehog copied to clipboard
[request] Add detector for credentials in .pypirc file
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
Hello Team :)
Currently the truffleHog is not having any detector for credentials and API token hardcoded inside the .pypirc file. It allows authenticated access to pypi.org
Problem to be Addressed
Credentials and API token hardcoded inside the .pypirc file not detected by trufflehog.
Description of the Preferred Solution
Add a detector to detect Credentials and API token in the .pypirc file.
References
https://packaging.python.org/en/latest/specifications/pypirc/
-- Regards, @bugbaba
This is partially related to https://github.com/trufflesecurity/trufflehog/issues/716
The password format for a pypirc file would be caught by that generic scanner:
[distutils]
index-servers =
pypi
testpypi
[pypi]
username = ...
password = ...
But it would be great to also verify these credentials!