Closed rgmz closed 3 months ago
Running trufflehog on a .pem file to scan for privateKeys, but it returns nothing. --results=filtered_unverified works only with filesystem and not with git.
Command tried:
docker run -v "/test/private_key.pem:/test/private_key.pem" trufflesecurity/trufflehog:latest git file:///test/private_key.pem --results=filtered_unverified
Image version: "trufflehog_version": "3.78.1"
Can someone please help on how to scan for privateKeys on a git commit?
TruffleHog Version
HEAD
Trace Output
N/A
Description
Consider the following file, example.json.
If you were to run the following command, what would you expect the output to be? Perhaps two results: GCP and PrivateKey?
The answer is, surprisingly, nothing!
Running with --results=filtered_unverified yields a surprising result: How can this be? Both GCP and PrivateKey explicitly don't attempt to do any form of "false positive" check.
https://github.com/trufflesecurity/trufflehog/blob/433a57adaf8fedce312630ef593f5142227c5855/pkg/detectors/gcp/gcp.go#L136-L138
https://github.com/trufflesecurity/trufflehog/blob/433a57adaf8fedce312630ef593f5142227c5855/pkg/detectors/privatekey/privatekey.go#L154
Put your guesses in the comments now!
...
The problematic lines are:
https://github.com/trufflesecurity/trufflehog/blob/433a57adaf8fedce312630ef593f5142227c5855/pkg/engine/engine.go#L738
https://github.com/trufflesecurity/trufflehog/blob/433a57adaf8fedce312630ef593f5142227c5855/pkg/engine/engine.go#L848
The struct being passed in is actually DetectorMatch, and not gcp.Scanner as expected. For some reason, the compiler sees that the embedded struct matches detectors.Detector, but does not see that the embedded struct matches detectors.CustomFalsePositiveChecker.
This may not be a type system bug per se, but it's clearly contrary to the intentions of the code and understanding of the developer.
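The behaviour described above is standard Go method-set semantics rather than a compiler bug: when a struct embeds an interface type, only that interface's methods are promoted, so a type assertion on the wrapper to a wider interface fails even though the value stored inside would satisfy it. The following self-contained program is an added illustration, not code from the trufflehog repository; the names Detector, CustomFalsePositiveChecker, gcpScanner and detectorMatch are hypothetical stand-ins for the real types, and it assumes (as the issue text implies) that DetectorMatch embeds the detectors.Detector interface rather than the concrete scanner.

```go
package main

import (
	"fmt"
	"strings"
)

// Detector is a hypothetical stand-in for detectors.Detector: the narrow
// interface every scanner implements.
type Detector interface {
	Keywords() []string
}

// CustomFalsePositiveChecker is a hypothetical stand-in for
// detectors.CustomFalsePositiveChecker: detectors opt in to overriding the
// engine's generic false-positive filter by implementing it.
type CustomFalsePositiveChecker interface {
	Detector
	IsFalsePositive(candidate string) bool
}

// gcpScanner stands in for gcp.Scanner. It implements both interfaces and,
// like the real detector, never flags a match as a false positive.
type gcpScanner struct{}

func (gcpScanner) Keywords() []string          { return []string{"service_account"} }
func (gcpScanner) IsFalsePositive(string) bool { return false }

// detectorMatch stands in for engine.DetectorMatch. It embeds the Detector
// *interface*, so its method set is exactly Detector's: Keywords() is
// promoted, IsFalsePositive() is not, whatever the dynamic value inside.
type detectorMatch struct {
	Detector
	secret string
}

// isFalsePositiveVia mirrors the engine's check: if the value asserts to
// CustomFalsePositiveChecker, trust its verdict; otherwise apply a generic
// filter (constructed here as "contains EXAMPLE"). It reports which path ran.
func isFalsePositiveVia(d Detector, candidate string) (usedCustom bool, fp bool) {
	if c, ok := d.(CustomFalsePositiveChecker); ok {
		return true, c.IsFalsePositive(candidate)
	}
	return false, strings.Contains(candidate, "EXAMPLE")
}

// unwrap returns the concrete detector held by a detectorMatch. Asserting on
// the inner value (not the wrapper) is what lets the custom checker be seen.
func unwrap(d Detector) Detector {
	if m, ok := d.(detectorMatch); ok {
		return m.Detector
	}
	return d
}

func main() {
	// Constructed sample secret; any GCP match would be handled the same way.
	candidate := "-----BEGIN PRIVATE KEY-----EXAMPLE"
	m := detectorMatch{Detector: gcpScanner{}, secret: candidate}

	used, fp := isFalsePositiveVia(m, candidate)
	fmt.Printf("wrapper:  custom checker used=%v, filtered=%v\n", used, fp)

	used, fp = isFalsePositiveVia(unwrap(m), candidate)
	fmt.Printf("unwrapped: custom checker used=%v, filtered=%v\n", used, fp)
}
```

Passing the wrapper drops the result into the generic filter (filtered_unverified), which is exactly the symptom reported; passing the unwrapped scanner reaches the detector's own IsFalsePositive and the result is kept.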