When a verification test fails, the log output should include this information so that potentially valid secrets aren't discounted.
For instance, a slow remote server can cause the request to time out:
Get "https://app.scrapingbee.com/api/v1/?api_key=TQ9CCAZSORUPU1NMZXZEM11VY7K3NC6HJPBNYP2V4CZZXUY9SWEULNDHOZ77XGWO9FASA12XWFVWUBZJ&url=https://httpbin.org/anything?json&render_js=false": context deadline exceeded
Which in turn will cause the secret to be reported as "unverified" without information about the failure, or excluded altogether if using --only-verified.
Found unverified result 🐷🔑❓
Detector Type: ScrapingBee
Decoder Type: PLAIN
Raw result: TQ9CCAZSORUPU1NMZXZEM11VY7K3NC6HJPBNYP2V4CZZXUY9SWEULNDHOZ77XGWO9FASA12XWFVWUBZJ
File: pkg/detectors/scrapingbee/scrapingbee_test.go
Line: 147
Preferred Solution
Two potential solutions come to mind.
Add "VerificationError" to outputs such as PlainPrinter.
Found unverified result 🐷🔑❓
Detector Type: ScrapingBee
Decoder Type: PLAIN
Raw result: TQ9CCAZSORUPU1NMZXZEM11VY7K3NC6HJPBNYP2V4CZZXUY9SWEULNDHOZ77XGWO9FASA12XWFVWUBZJ
File: pkg/detectors/scrapingbee/scrapingbee_test.go
Line: 147
VerificationError: Get "https://app.scrapingbee.com/api/v1/?api_key=TQ9CCAZSORUPU1NMZXZEM11VY7K3NC6HJPBNYP2V4CZZXUY9SWEULNDHOZ77XGWO9FASA12XWFVWUBZJ&url=https://httpbin.org/anything?json&render_js=false": context deadline exceeded
Add a third case for results that include VerificationError that perhaps can still show up with --only-verified.
Failed to verify result 🐷🔑❓
Detector Type: ScrapingBee
Decoder Type: PLAIN
Raw result: TQ9CCAZSORUPU1NMZXZEM11VY7K3NC6HJPBNYP2V4CZZXUY9SWEULNDHOZ77XGWO9FASA12XWFVWUBZJ
File: pkg/detectors/scrapingbee/scrapingbee_test.go
Line: 147
VerificationError: Get "https://app.scrapingbee.com/api/v1/?api_key=TQ9CCAZSORUPU1NMZXZEM11VY7K3NC6HJPBNYP2V4CZZXUY9SWEULNDHOZ77XGWO9FASA12XWFVWUBZJ&url=https://httpbin.org/anything?json&render_js=false": context deadline exceeded
Additional Context
This may only be applicable to plain output. I haven't tested it with JSON or anything else.
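The second proposal above, sketched as an added example that is not part of the original issue and is not TruffleHog's code: a three-way status keeps results whose verification could not complete when an only-verified filter is on, and prints the error with them. The `Result` type, `Classify`, `Filter`, `Render`, the status strings and the sample data are all hypothetical.

```go
package main

import "fmt"

// Result is a simplified, hypothetical finding (not TruffleHog's own type).
type Result struct {
	Detector, Raw string
	Verified      bool
	VerifyErr     error // set when the verification request could not complete
}

// Classify separates "rejected by the service" from "could not be checked".
func Classify(r Result) string {
	if r.Verified {
		return "verified"
	}
	if r.VerifyErr != nil {
		return "failed-to-verify"
	}
	return "unverified"
}

// Filter models an only-verified switch that still keeps indeterminate results.
func Filter(rs []Result, onlyVerified bool) []Result {
	var kept []Result
	for _, r := range rs {
		if !onlyVerified || Classify(r) != "unverified" {
			kept = append(kept, r)
		}
	}
	return kept
}

// Render emits plain-style output and appends the error when one exists.
func Render(r Result) string {
	s := fmt.Sprintf("Result status: %s\nDetector Type: %s\nRaw result: %s\n", Classify(r), r.Detector, r.Raw)
	if r.VerifyErr != nil {
		s += fmt.Sprintf("VerificationError: %v\n", r.VerifyErr)
	}
	return s
}

func main() {
	// Constructed sample data: the detector name, keys and URL are placeholders.
	timeout := fmt.Errorf("Get %q: context deadline exceeded", "https://api.example.invalid/check")
	rs := []Result{{"ExampleAPI", "KEY_A", true, nil}, {"ExampleAPI", "KEY_B", false, nil}, {"ExampleAPI", "KEY_C", false, timeout}}
	for _, r := range Filter(rs, true) {
		fmt.Print(Render(r))
	}
}
```

Because the error text from an HTTP client can contain the full request URL, including a key passed as a query parameter, output produced this way needs the same handling as the raw result itself.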