trufflesecurity / trufflehog

Find and verify secrets
https://trufflesecurity.com
GNU Affero General Public License v3.0

Why is the ACR name reported as a secret? #3014

Open zioalex opened 1 week ago

zioalex commented 1 week ago


TruffleHog Version

trufflehog 3.68.4

Trace Output

Gist has been cleaned of real data

https://gist.github.com/zioalex/75b0ffe71528704d9a54acc6e416dbf5

Expected Behavior

Actual Behavior

The ACR name shouldn't be reported as a secret.

The ACR name is reported as a secret while the actual ACR password is not.

Steps to Reproduce

  1. Run with trufflehog --trace --no-verification --no-update filesystem file.txt
  2. Analyze the output

zricethezav commented 1 week ago

@zioalex valid point. You can see how the output data is set: https://github.com/trufflesecurity/trufflehog/blob/9ad24f69992b53102be73c796cfc401323849b04/pkg/detectors/azurecontainerregistry/azurecontainerregistry.go#L52-L57. RawV2 contains both the endpoint and password which is the entry that should be logged.

@ahrav @rosecodym curious to hear your thoughts on this but what about just checking if len(rawv2) > len(raw) and using the greater of the two as the output here. Dumb and simple solution that would probably work for most cases? https://github.com/trufflesecurity/trufflehog/blob/9ad24f69992b53102be73c796cfc401323849b04/pkg/output/plain.go#L37.
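The two output rules under discussion side by side, as an added example that is not trufflehog's own code: a simplified Result type with Raw and RawV2 (names and the "endpoint:password" layout of RawV2 are assumptions), the current behaviour that reports only Raw, and the proposed rule that reports the longer of the two, with a redaction helper so a finding can be matched to a credential without echoing the full secret into logs.

```go
package main

import "fmt"

// Result is a simplified stand-in for a detector finding as described in
// the thread: Raw holds the primary value, RawV2 optionally holds more
// context (for ACR, endpoint plus password). Not the project's own type.
type Result struct {
	Raw   []byte
	RawV2 []byte
}

// reportedValueCurrent reproduces the behaviour the issue reports: only
// Raw reaches the output, so for ACR the registry name is printed and the
// password never appears.
func reportedValueCurrent(r Result) []byte {
	return r.Raw
}

// reportedValueProposed applies the rule suggested in the thread: emit
// whichever of Raw and RawV2 is longer. Detectors that set no RawV2
// naturally fall back to Raw.
func reportedValueProposed(r Result) []byte {
	if len(r.RawV2) > len(r.Raw) {
		return r.RawV2
	}
	return r.Raw
}

// redact keeps the first and last `keep` bytes so an operator can match the
// finding to a credential without the whole secret landing in a log file.
func redact(b []byte, keep int) string {
	if len(b) <= 2*keep {
		return string(b)
	}
	return string(b[:keep]) + "..." + string(b[len(b)-keep:])
}

func main() {
	// Constructed sample resembling an ACR finding; not real credentials.
	endpoint := "exampleregistry.azurecr.io"
	password := "PLACEHOLDER_ACR_PASSWORD_0123456789"
	r := Result{
		Raw:   []byte(endpoint),
		RawV2: []byte(endpoint + ":" + password), // layout assumed
	}
	fmt.Printf("current : %s\n", redact(reportedValueCurrent(r), 4))
	fmt.Printf("proposed: %s\n", redact(reportedValueProposed(r), 4))
}
```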

rosecodym commented 1 day ago

That's one of those changes that's so simple and obvious that I'd like to ask around a bit to see why we're not already doing it.