Gitlab false positive (Raw result: add-a-file-using-the-)

[ivansaurio]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

TruffleHog Version

3.4.1

Actual Behavior

The gitlab detector has a regex that matches against an url in the default readme.md

Regex: https://github.com/trufflesecurity/trufflehog/blob/fe029b1098bed46a3f7cfc517bb8a7c78abc5de9/pkg/detectors/gitlab/gitlab.go#L21

Readme:

- [ ] [Add files using the command line](https://docs.gitlab.com/ee/gitlab-basics/add-file.html#add-a-file-using-the-command-line) or push an existing Git repository with the following command:

Output: Found unverified result 🐷🔑❓ Detector Type: Gitlab Decoder Type: PLAIN Raw result: add-a-file-using-the- Commit: XXXXXXXXXXXXXXXX Email: XXXXXXXX xxxxxx@gmail.com File: README.md Line: 14 Link: https://gitlab.com/xxxxx/xxxxx/README.md Repository: https://gitlab.com/xxxxx/xxxxx/xxx.git Timestamp: 2022-09-26 18:58:05 +0000 UTC

Expected Behavior

This is a common false positive and should be discarded

Steps to Reproduce

docker run --rm -it -v "/tmp:/tmp" -v "$PWD:/pwd" trufflesecurity/trufflehog gitlab --token xxxxxxxxxxxx --repo https://gitlab.com/gitlab-org/docker-build-test.git

[khanhldt]

This gitlab detector found a ton of false positives. Hope this can be prioritized.

[ayedaemon]

I'm getting another false positive from gitlab detector.

Source file (test.lua)

local test_var = {
    "*\\gitlab-runner\\*",
    "*verbosity=diagnostic*"
}

Trufflehog Results:

🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷

2024-07-16T16:17:56+05:30       info-0  trufflehog      running source  {"source_manager_worker_id": "D5fK9", "with_units": true}
Found unverified result 🐷🔑❓
Detector Type: Gitlab
Decoder Type: PLAIN
Raw result: verbosity=diagnostic
Rotation_guide: https://howtorotate.com/docs/tutorials/gitlab/
Version: 1
File: test.lua
Line: 2

2024-07-16T16:17:56+05:30       info-0  trufflehog      finished scanning       {"chunks": 1, "bytes": 76, "verified_secrets": 0, "unverified_secrets": 1, "scan_duration": "426.043625ms", "trufflehog_version": "3.79.0"}

[cromefire]

Yeah it finds just everything with gitlab in it, like:

import com.gitlab.something.something

Mean while the do have a list of actual secrets in use with GitLab.

The most important ones would be:

• gldt- used to authenticate prod machines that need to pull artifacts, very important
• glpat- Personal Access Token, hugely important as it's the primary token used for authenticating users
• gloas- OAuth secret used to authenticate users
• glcbt- (although they expire after the build is finished and I think they are even IP limited to the CI build host, so by the time you detect them, they'll be gone once the toll has verified them).

And of those only the PATs were identified, the deploment token and the oauth token were just completely missed (pipline toke as well, but as said those probably just cause more false positives than anything else, especially when the GITLAB_CI variable is set and the detection is running inside the CI) and some of the more minor ones from the docs may also be missing. All those false positives weem to come from the detector V1, but I've seen no docs on how to turn off that version.

I think this makes the gitlab detector pretty flawed at the moment as it detects every thing that contains the word gitlab, which doesn't help with any actual secret at all as they are all gl<string>-key (many also probably require different detection methods, especially the runner tokens and and feed tokens and some like oauth and pipeline trigger token may not be verifiable at all).

Also the documentation on how to configure the verifier for gitlab self managed (so override the base url of gitlab.com) isn't really clear unless I'm missing some huge chunk of documentation.

[skyf0l]

Same, can we just ignore the add-a-file-using-the- pattern ?

[TryTryAgain]

Same, can we just ignore the add-a-file-using-the- pattern ?

@skyf0l How are you achieving that?

[skyf0l]

@skyf0l How are you achieving that?

if detected_secret != "add-a-file-using-the-" {
    // ignore
}

Given the number of false positives due to this string, it might be interesting to hard-code it. I don't have any other easy solutions to suggest at the moment. We'd have to check with the other false positives, but it seems that this detector flags all 20/22-character strings...