domwhewell-sage
commented
2 weeks ago Ah it appears truffle hog version 3.78.1 is no longer getting this unverified secret
~/.bbot/tools/trufflehog git file:///tmp/test_keys/
🐷🔑🐷 TruffleHog. Unearth your secrets. 🐷🔑🐷
2024-06-13T20:39:44+01:00 info-0 trufflehog running source {"source_manager_worker_id": "xpxBT", "with_units": true}
2024-06-13T20:39:44+01:00 info-0 trufflehog scanning repo {"source_manager_worker_id": "xpxBT", "unit": "/tmp/test_keys/", "unit_kind": "dir", "repo": "/tmp/test_keys/"}
✅ Found verified result 🐷🔑
Detector Type: URI
Decoder Type: PLAIN
Raw result: https://admin:admin@the-internet.herokuapp.com
Commit: 7e9ad4002a3fcd40298735a71d90e2ce521301f3
Email: BBOT Test <bbot@blacklanternsecurity.com>
File: keys.txt
Line: 2
Timestamp: 2024-06-13 18:20:06 +0000
2024-06-13T20:39:45+01:00 info-0 trufflehog finished scanning {"chunks": 2, "bytes": 236, "verified_secrets": 1, "unverified_secrets": 0, "scan_duration": "1.070352313s", "trufflehog_version": "3.78.1"}Nothing has changed on our side but truffle hog automatically goes off and does a sneaky update unless you have the --no-update flag on
By rolling back the version on my machine and using this flag I was able to get the events to be emitted and the tests to pass
~/.bbot/tools/trufflehog --no-update git file:///tmp/test_keys/
🐷🔑🐷 TruffleHog. Unearth your secrets. 🐷🔑🐷
2024-06-13T20:37:22+01:00 info-0 trufflehog running source {"source_manager_worker_id": "Lfvfr", "with_units": true}
✅ Found verified result 🐷🔑
Detector Type: URI
Decoder Type: PLAIN
Raw result: https://admin:admin@the-internet.herokuapp.com
Commit: 7e9ad4002a3fcd40298735a71d90e2ce521301f3
Email: BBOT Test <bbot@blacklanternsecurity.com>
File: keys.txt
Line: 2
Timestamp: 2024-06-13 18:20:06 +0000
Found unverified result 🐷🔑❓
Verification issue: lookup internal.host.com on 172.29.64.1:53: no such host
Detector Type: URI
Decoder Type: PLAIN
Raw result: https://admin:admin@internal.host.com
Commit: 7e9ad4002a3fcd40298735a71d90e2ce521301f3
Email: BBOT Test <bbot@blacklanternsecurity.com>
File: keys.txt
Line: 5
Timestamp: 2024-06-13 18:20:06 +0000
2024-06-13T20:37:23+01:00 info-0 trufflehog finished scanning {"chunks": 2, "bytes": 236, "verified_secrets": 1, "unverified_secrets": 1, "scan_duration": "1.011314663s", "trufflehog_version": "3.75.1"}So where to go from here...
- Its probably worth us adding the
--no-updateflag to version lock the binary to whats defined in"version": "3.75.1" - create an issue / ask on the truffle-security slack channel as to why unverified secrets are no longer getting picked up (I had a quick scan through their change log but couldn't see anything pertaining to changes to verified secrets)
TheTechromancer
codecov[bot]
@domwhewell-sage when you get a chance would you mind looking at the trufflehog tests? The
TestTrufflehog_NonVerifiedtest is failing for me. I can't figure out why; the version hasn't changed, but it seems to be having trouble with the non-verified ones.