Not finding passwords and tokens

[mohanss08]

I'm using trufflehog_3.33.0_linux_amd64.tar.gz to detect the passwords and tokens.

Actually i have hard-coded tokens & passwords and committed them into my github repository. But when i tried to scan it is not finding tokens and passwords.

$ ./trufflehog git git@github-company.com:org-demo/test.git --only-verified
2023-05-02T09:57:50+05:30       info-0  trufflehog      loaded decoders {"count": 3}
2023-05-02T09:57:50+05:30       info-0  trufflehog      loaded detectors        {"total": 737, "verification_enabled": 737, "verification_disabled": 0}
2023-05-02T09:57:50+05:30       info-0  trufflehog      possible duplicate detector configured  {"detector": "Square"}
🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷

In my repository files i have passwords & tokens like below format.

USERNAME="user"
PASSWORD="password"

HTTP_USER="user1"
HTTP_TOKEN="DRFuteQw$#riYhte69AwerDdf-$"

Can I know what is the issue with my command? Why it is not finding custom password & token?

Any help would be appreciated

[Atrejoe]

Similar here when running a filesystem scan:

Secrets in app1.props

password=MySAP@ssw0rd!
secret: MySAP@ssw0rd!

Secret in appsettings.json

{
    "ConnectionStrings": {
        "DefaultConnection": "Server=myserver;Database=mydatabase;User=sa;Password=MySAP@ssw0rd!;"
    },
}

Command: ..\trufflehog.exe filesystem . --trace

Output::

2023-05-10T15:36:48+02:00       info-2  trufflehog      trufflehog 3.34.0
2023-05-10T15:36:48+02:00       info-2  trufflehog      engine started  {"workers": 16}
2023-05-10T15:36:48+02:00       info-0  trufflehog      loaded decoders {"count": 3}
2023-05-10T15:36:48+02:00       info-0  trufflehog      loaded detectors        {"total": 738, "verification_enabled": 738, "verification_disabled": 0}
🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷

2023-05-10T15:36:48+02:00       info-3  trufflehog      scanning file   {"source_type": "SOURCE_TYPE_FILESYSTEM", "source_name": "filesystem", "path": "app1.props"}
2023-05-10T15:36:48+02:00       info-3  trufflehog      scanning file   {"source_type": "SOURCE_TYPE_FILESYSTEM", "source_name": "filesystem", "path": "appsettings.json"}
Found unverified result 🐷🔑❓
Detector Type: SQLServer
Decoder Type: PLAIN
Raw result: MySAP@ssw0rd!
File: appsettings.json
Line: 2

2023-05-10T15:36:52+02:00       info-2  trufflehog      finished scanning       {"chunks": 2, "bytes": 181}

Both files are apparently scanned. With 3.31.2 it did not find ány results, with 3.34.0 only the SQL connection string password is found.

I would expect the secrets in app1.props to be found too.

[zricethezav]

@mohanss08

Can I know what is the issue with my command? Why it is not finding custom password & token?

USERNAME="user"
PASSWORD="password"

HTTP_USER="user1"
HTTP_TOKEN="DRFuteQw$#riYhte69AwerDdf-$"

These are generic credentials. Trufflehog does not support scanning generic credentials by default.

@Atrejoe

I would expect the secrets in app1.props to be found too.

password=MySAP@ssw0rd! in a .props file does not give enough information to determine what detector that secret is for which is why it is not detected.

[sadams-evi]

what is the status of this ticket I am experiencing the same issue

[zricethezav]

@sadams-evi see, the response I gave above: https://github.com/trufflesecurity/trufflehog/issues/1317#issuecomment-1584903339

Trufflehog is scanning as expected. If you would like to detect something like password=MySAP@ssw0rd! in a .props file , I suggest you write a custom regex detector: https://github.com/trufflesecurity/trufflehog#regex-detector-example

Closing the issue as this is the intended behavior.

[sadams-evi]

@zricethezav just for clarification regex detectors are in YAML, can I feed in a JSON list ?

[zricethezav]

@sadams-evi YAML only at this time

[sadams-evi]

Can you explain to me what "verify" is in the example provided

# config.yaml
detectors:
- name: hog detector
  keywords:
  - hog
  regex:----> (IS THIS WHERE THE REGEX GOES ?)
    adjective: hogs are (\S+)
  verify: ---> (what is needed to input here ?) 
  - endpoint: http://localhost:8000/
    # unsafe must be set if the endpoint is HTTP
    unsafe: true
    headers:
    - 'Authorization: super secret authorization header'

@zricethezav

[sadams-evi]

@zricethezav if you could let me know if this is correct formatting

I am trying to detect regex pattern for "API key": "([a-zA-Z0-9]{32})"

# config.yaml
detectors:
- name: hog detector
  keywords:
  - API key
  regex:-
    adjective: "([a-zA-Z0-9]{32})"
    unsafe: true
    headers:
    - 'Authorization: super secret authorization header'

[zricethezav]

I encourage you to try it out first. Use regex101 to see if your regex are working as intended.

But you could use something like this if all you care about is the regex and keyword:

# config.yaml
detectors:
- name: custom api detector
  keywords:
  - api
  regex:
    adjective: "[a-zA-Z0-9]{32}"

verify is an optional check to see if your secret is valid and/or live.

[sadams-evi]

@zricethezav thanks makes sense, I have multiple regex I need to add, can you provide an example of how I would add multiple searches to this file?

# config.yaml
detectors:
- name: custom api detector
  keywords:
  - api
  regex:
    adjective: "[a-zA-Z0-9]{32}"
detectors:
- name: Slack Webhook
  keywords:
  - slack
  regex:
    adjective: "\\bhttps:\\/\\/hooks\\.slack\\.com\\/services\\/T[a-zA-Z0-9_]{8}\\/[a-zA-Z0-9_]{10}\\/[a-zA-Z0-9_]{24}\\b"

want to make sure this is configured correctly

[zricethezav]

looks good to me

[sadams-evi]

also one last question @zricethezav
If I am only interested in scanning the last commit, is the correct code line :

trufflehog --fail  --config ./trufflehog/trufflehog-rules.yaml  --only-verified git file:///$PWD --regex --since-commit HEAD

[sadams-evi]

This did the trick

trufflehog --fail --no-update --github-actions  --config ./trufflehog-rules.yaml  --only-verified git  --since-commit HEAD --regex  file:///$PWD 

I had to add the --no-update flag to get this to work, if the flag is not aded you get an error msg about trufflehog being unable to move binaries

[sadams-evi]

I do have an additional comment, YAML file produces an error msg: Map keys must be unique.