trufflesecurity / trufflehog

Find and verify secrets
https://trufflesecurity.com
GNU Affero General Public License v3.0

Git source should fail if directory doesn't exist #3005

Open rgmz opened 1 week ago

rgmz commented 1 week ago


TruffleHog Version

HEAD

Description

When using TruffleHog with a file:// URI, the scan will complete with a 0 exit code even if the directory doesn't exist.

$ ls /tmp/fake-dir/
ls: cannot access '/tmp/fake-dir/': No such file or directory
$ ./trufflehog git file:///tmp/fake-dir/
🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷

2024-06-23T18:12:55-04:00       info-0  trufflehog      running source  {"source_manager_worker_id": "XIh5z", "with_units": true}
2024-06-23T18:12:55-04:00       info-0  trufflehog      finished scanning       {"chunks": 0, "bytes": 0, "verified_secrets": 0, "unverified_secrets": 0, "scan_duration": "4.326315ms", "trufflehog_version": "dev"}
$ echo $?
0
rgmz commented 1 week ago

It seems that git.scanDir returns an error (repository does not exist); however, the error seems to vanish into a void.

https://github.com/trufflesecurity/trufflehog/blob/de19a39f2cc6a103a4e207b780716d46e77de732/pkg/sources/git/git.go#L324-L330

https://github.com/trufflesecurity/trufflehog/blob/de19a39f2cc6a103a4e207b780716d46e77de732/pkg/sources/git/git.go#L1272

https://github.com/trufflesecurity/trufflehog/blob/de19a39f2cc6a103a4e207b780716d46e77de732/pkg/sources/source_manager.go#L369-L372

Confusingly, scanDirs and scanRepos — which would log such an error — don't seem to run in any configuration I tested. They only get called from runWithoutUnits.

https://github.com/trufflesecurity/trufflehog/blob/de19a39f2cc6a103a4e207b780716d46e77de732/pkg/sources/source_manager.go#L286
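The failure mode described in this issue, as an added illustration that is not trufflehog's own code: a per-unit scan error that is dropped by the runner yields exit code 0, while a runner that collects unit errors maps the same missing directory to a non-zero exit. The names checkRepoDir, runSwallowing and runPropagating are hypothetical stand-ins for the source's scan path and the source manager.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ErrRepoMissing is the class of error a git source should surface for a bad file:// path.
var ErrRepoMissing = errors.New("repository does not exist")

// checkRepoDir is a hypothetical pre-check for a file:// target: the path must exist,
// be a directory and contain a .git entry. It stands in for git.scanDir's error.
func checkRepoDir(dir string) error {
	info, err := os.Stat(dir)
	if err != nil {
		return fmt.Errorf("%w: %s: %v", ErrRepoMissing, dir, err)
	}
	if !info.IsDir() {
		return fmt.Errorf("%w: %s is not a directory", ErrRepoMissing, dir)
	}
	if _, err := os.Stat(filepath.Join(dir, ".git")); err != nil {
		return fmt.Errorf("%w: %s has no .git entry", ErrRepoMissing, dir)
	}
	return nil
}

// runSwallowing models the reported behaviour: each unit's error is discarded,
// so the process always reports success (exit code 0).
func runSwallowing(scan func(string) error, dirs []string) int {
	for _, d := range dirs {
		_ = scan(d) // the error vanishes here
	}
	return 0
}

// runPropagating collects unit errors and maps any failure to exit code 1.
func runPropagating(scan func(string) error, dirs []string) (int, error) {
	var failed int
	var first error
	for _, d := range dirs {
		if err := scan(d); err != nil {
			failed++
			if first == nil {
				first = err
			}
		}
	}
	if failed > 0 {
		return 1, fmt.Errorf("%d unit(s) failed; first error: %w", failed, first)
	}
	return 0, nil
}

func main() {
	dir := "/tmp/fake-dir" // constructed path; expected not to exist
	fmt.Println("swallowing exit code:", runSwallowing(checkRepoDir, []string{dir}))
	code, err := runPropagating(checkRepoDir, []string{dir})
	fmt.Println("propagating exit code:", code, "error:", err)
}
```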