Open zioalex opened 1 week ago
@zioalex valid point. You can see how the output data is set: https://github.com/trufflesecurity/trufflehog/blob/9ad24f69992b53102be73c796cfc401323849b04/pkg/detectors/azurecontainerregistry/azurecontainerregistry.go#L52-L57. RawV2 contains both the endpoint and password, which is the entry that should be logged.
@ahrav @rosecodym Curious to hear your thoughts on this, but what about just checking if len(rawv2) > len(raw) and using the greater of the two as the output here? Dumb and simple solution that would probably work for most cases? https://github.com/trufflesecurity/trufflehog/blob/9ad24f69992b53102be73c796cfc401323849b04/pkg/output/plain.go#L37.
That's one of those changes that's so simple and obvious that I'd like to ask around a bit to see why we're not already doing it.
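The selection rule proposed in the comment above, as an added illustration that is not trufflehog's own code: a minimal Result type with the two fields the thread discusses (the real struct has more), a function modelling the current printer (always Raw) and one applying the proposed "longer of the two" rule, run over a constructed ACR-style result and a detector that never sets RawV2. The endpoint and password values are made up.

```go
package main

import "fmt"

// Result mirrors only the two fields the issue talks about. For the ACR
// detector, Raw holds the registry endpoint and RawV2 holds endpoint+password.
type Result struct {
	DetectorName string
	Raw          []byte
	RawV2        []byte
}

// currentOutput models today's plain printer: it always reports Raw, which is
// why the registry name shows up as the "secret" for ACR findings.
func currentOutput(r Result) []byte { return r.Raw }

// proposedOutput applies the rule suggested in the comment: report RawV2 when
// it is longer than Raw, otherwise fall back to Raw so detectors that never
// populate RawV2 keep their existing output.
func proposedOutput(r Result) []byte {
	if len(r.RawV2) > len(r.Raw) {
		return r.RawV2
	}
	return r.Raw
}

func main() {
	// Constructed sample, not a real registry or credential.
	acr := Result{
		DetectorName: "AzureContainerRegistry",
		Raw:          []byte("example.azurecr.io"),
		RawV2:        []byte("example.azurecr.io" + "FAKE-PASSWORD-0000"),
	}
	fmt.Printf("current:  %s\n", currentOutput(acr))  // only the registry name
	fmt.Printf("proposed: %s\n", proposedOutput(acr)) // endpoint plus password

	// A detector that only sets Raw is unaffected by the new rule.
	other := Result{DetectorName: "Other", Raw: []byte("token-value")}
	fmt.Printf("fallback: %s\n", proposedOutput(other))
}
```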
TruffleHog Version
trufflehog 3.68.4
Trace Output
The gist has been cleaned of real data.
https://gist.github.com/zioalex/75b0ffe71528704d9a54acc6e416dbf5
Expected Behavior
The ACR name shouldn't be reported as a secret.
Actual Behavior
The ACR name is reported as a secret while the actual ACR password is not.