trufflesecurity / trufflehog

Find, verify, and analyze leaked credentials
https://trufflesecurity.com
GNU Affero General Public License v3.0

GitHub source does not pass apiEndpoint for basicAuth or unauthenticated #1453

Closed rgmz closed 1 year ago

rgmz commented 1 year ago

TruffleHog Version

3.43.0

Trace Output

TruffleHog passes the githubScanEndpoint for GitHub_Token and GitHub_GithubApp auth, but not GitHub_BasicAuth or GitHub_Unauthenticated. This is not really an inconvenience but is nevertheless a bug.

https://github.com/trufflesecurity/trufflehog/blob/a99d89d71110b1111bb7f7724067fa8a43a2319e/pkg/sources/github/github.go#L353-L366

Expected Behavior

TruffleHog calls the endpoint specified with --endpoint and not api.github.com.

./trufflehog github --endpoint="https://github.example.com/api/v3" --org="example" --only-verified  
2023-07-05T18:10:10-04:00       info-0  trufflehog      loaded decoders {"count": 3}
2023-07-05T18:10:10-04:00       info-0  trufflehog      loaded detectors        {"total": 747, "verification_enabled": 747, "verification_disabled": 0}
🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷

2023-07-05T18:10:20-04:00       info-0  trufflehog      Completed enumeration   {"source_type": "SOURCE_TYPE_GITHUB", "source_name": "github", "num_repos": 1234, "num_orgs": 1, "num_members": 0}
Found verified result 🐷🔑
...

Actual Behavior

TruffleHog ignores --endpoint and calls api.github.com:

trufflehog github --endpoint="https://github.example.com/api/v3" --org="example" --only-verified
2023-07-05T18:17:59-04:00   info-0  trufflehog  loaded decoders {"count": 3}
2023-07-05T18:17:59-04:00   info-0  trufflehog  loaded detectors    {"total": 747, "verification_enabled": 747, "verification_disabled": 0}
🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷

2023-07-05T18:17:59-04:00   error   trufflehog  error fetching repos for org or user    {"source_type": "SOURCE_TYPE_GITHUB", "source_name": "github", "error": "GET https://api.github.com/orgs/example/repos?per_page=100: 404 Not Found []"}
2023-07-05T18:17:59-04:00   info-0  trufflehog  Completed enumeration   {"source_type": "SOURCE_TYPE_GITHUB", "source_name": "github", "num_repos": 1, "num_orgs": 1, "num_members": 0}

Steps to Reproduce

N/A

References

N/A
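The report above boils down to an ordering problem: the endpoint option is applied inside some authentication branches and forgotten in others, so a basic-auth or unauthenticated run against a GitHub Enterprise Server instance silently talks to api.github.com and gets a 404 for an org that only exists on the private host. The following Go program is an added illustration, not trufflehog's code: `legacyBase` reproduces the reported behaviour in miniature, and `NewClient`/`NewRequest` show the pattern that avoids it by resolving the base URL once, before any auth-specific logic runs. The type and function names (`AuthKind`, `Auth`, `Client`, `apiBase`) are hypothetical, and the hostname `github.example.com` is the placeholder from the report.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// AuthKind mirrors the authentication modes a GitHub scanner can be run with.
// Hypothetical names for this example; they are not trufflehog's own types.
type AuthKind int

const (
	AuthUnauthenticated AuthKind = iota
	AuthBasic
	AuthToken
)

// Auth carries whichever credential the chosen mode needs.
type Auth struct {
	Kind     AuthKind
	Username string // basic auth
	Password string // basic auth
	Token    string // personal access token
}

// DefaultAPIBase is where requests go when no --endpoint is configured.
const DefaultAPIBase = "https://api.github.com/"

// legacyBase reproduces the reported behaviour: the endpoint option is only
// honoured for token auth, so basic-auth and unauthenticated runs silently
// fall back to api.github.com.
func legacyBase(endpoint string, kind AuthKind) string {
	if kind == AuthToken && endpoint != "" {
		return endpoint
	}
	return DefaultAPIBase
}

// apiBase resolves the endpoint option independently of the auth mode. An
// empty option means api.github.com; anything else must be an absolute URL
// and gets a trailing slash so that relative paths resolve below the prefix
// (without it ".../api/v3" + "orgs/x" would resolve to ".../api/orgs/x").
func apiBase(endpoint string) (*url.URL, error) {
	endpoint = strings.TrimSpace(endpoint)
	if endpoint == "" {
		endpoint = DefaultAPIBase
	}
	u, err := url.Parse(endpoint)
	if err != nil {
		return nil, err
	}
	if u.Scheme == "" || u.Host == "" {
		return nil, fmt.Errorf("endpoint %q must be an absolute URL", endpoint)
	}
	if !strings.HasSuffix(u.Path, "/") {
		u.Path += "/"
	}
	return u, nil
}

// Client builds API requests against the configured base for every auth mode.
type Client struct {
	Base *url.URL
	auth Auth
}

// NewClient fixes the base URL first and only then records the auth mode, so
// no mode can bypass the endpoint option.
func NewClient(endpoint string, auth Auth) (*Client, error) {
	base, err := apiBase(endpoint)
	if err != nil {
		return nil, err
	}
	return &Client{Base: base, auth: auth}, nil
}

// NewRequest resolves an API path such as "orgs/example/repos?per_page=100"
// against the base and attaches credentials according to the auth mode.
func (c *Client) NewRequest(apiPath string) (*http.Request, error) {
	ref, err := url.Parse(strings.TrimPrefix(apiPath, "/"))
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequest(http.MethodGet, c.Base.ResolveReference(ref).String(), nil)
	if err != nil {
		return nil, err
	}
	switch c.auth.Kind {
	case AuthBasic:
		req.SetBasicAuth(c.auth.Username, c.auth.Password)
	case AuthToken:
		req.Header.Set("Authorization", "Bearer "+c.auth.Token)
	case AuthUnauthenticated:
		// No credentials, but the host still comes from the endpoint option.
	}
	return req, nil
}

func main() {
	const ghes = "https://github.example.com/api/v3" // placeholder host from the report
	fmt.Println("legacy, basic auth:", legacyBase(ghes, AuthBasic))
	c, err := NewClient(ghes, Auth{Kind: AuthBasic, Username: "user", Password: "pass"})
	if err != nil {
		panic(err)
	}
	req, _ := c.NewRequest("orgs/example/repos?per_page=100")
	fmt.Println("fixed, basic auth: ", req.URL)
}
```

The useful check when reviewing a fix of this kind is not "does token auth reach the endpoint" but "does every auth mode reach it": iterate over all modes with the same endpoint and assert on the resulting request host, which is what the test below does.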

zricethezav commented 1 year ago

@rgmz

TruffleHog passes the githubScanEndpoint for GitHub_Token and GitHub_GithubApp auth, but not GitHub_BasicAuth or GitHub_Unauthenticated. This is not really an inconvenience but is nevertheless a bug.

Is this a bug for GitHub_Unauthenticated? If a user wants to scan GitHub unauthenticated, wouldn't we want to always hit api.github.com?

Updated Basic Auth makes sense to me though.

rgmz commented 1 year ago

Is this a bug for GitHub_Unauthenticated? If a user wants to scan GitHub unauthenticated, wouldn't we want to always hit api.github.com?

The use case is for self-hosted instances of GitHub Enterprise Server. Arguably you should have credentials for private instances; regardless, TruffleHog ignoring the endpoint option and returning a 404 if you accidentally forget to pass in auth is a confusing experience.

bill-rich commented 1 year ago

1454 was merged, so this should be fixed.