trufflesecurity / trufflehog

Find, verify, and analyze leaked credentials
https://trufflesecurity.com
GNU Affero General Public License v3.0

Local git repo: how to tell if Trufflehog actually scanned it? #3251

Open TheTechromancer opened 2 weeks ago

TheTechromancer commented 2 weeks ago

When running trufflehog on a local repo, I get the same output whether or not the path exists:

Output for nonexistent path:

$ trufflehog --debug git file:///tmp/nonexistent.git
2024/08/27 14:44:59 [updater parent] run
2024/08/27 14:45:00 [updater parent] checking for updates...
2024/08/27 14:45:00 [updater parent] failed to get latest version: already up to date
2024/08/27 14:45:00 [updater parent] starting /home/bls/.local/bin/trufflehog
2024/08/27 14:45:01 [updater child#1] run
2024/08/27 14:45:01 [updater child#1] start program
2024-08-27T14:45:01-04:00   info-2  trufflehog  trufflehog 3.81.9
🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷

2024-08-27T14:45:01-04:00   info-2  trufflehog  starting scanner workers    {"count": 12}
2024-08-27T14:45:01-04:00   info-2  trufflehog  starting detector workers   {"count": 48}
2024-08-27T14:45:01-04:00   info-2  trufflehog  starting verificationOverlap workers    {"count": 12}
2024-08-27T14:45:01-04:00   info-2  trufflehog  starting notifier workers   {"count": 3}
2024-08-27T14:45:01-04:00   info-1  trufflehog  cloned repo {"path": "/tmp/nonexistent.git"}
2024-08-27T14:45:01-04:00   info-0  trufflehog  running source  {"source_manager_worker_id": "bdRKl", "with_units": true}
2024-08-27T14:45:01-04:00   info-2  trufflehog  enumerating source  {"source_manager_worker_id": "bdRKl"}
2024-08-27T14:45:01-04:00   info-0  trufflehog  finished scanning   {"chunks": 0, "bytes": 0, "verified_secrets": 0, "unverified_secrets": 0, "scan_duration": "3.075326ms", "trufflehog_version": "3.81.9"}
2024/08/27 14:45:01 [updater parent] prog exited with 0

Output for real path:

$ trufflehog --debug git file:///tmp/existent.git
2024/08/27 14:47:58 [updater parent] run
2024/08/27 14:47:59 [updater parent] checking for updates...
2024/08/27 14:47:59 [updater parent] failed to get latest version: already up to date
2024/08/27 14:47:59 [updater parent] starting /home/bls/.local/bin/trufflehog
2024/08/27 14:48:00 [updater child#1] run
2024/08/27 14:48:00 [updater child#1] start program
2024-08-27T14:48:00-04:00   info-2  trufflehog  trufflehog 3.81.9
🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷

2024-08-27T14:48:00-04:00   info-2  trufflehog  starting scanner workers    {"count": 12}
2024-08-27T14:48:00-04:00   info-2  trufflehog  starting detector workers   {"count": 48}
2024-08-27T14:48:00-04:00   info-2  trufflehog  starting verificationOverlap workers    {"count": 12}
2024-08-27T14:48:00-04:00   info-2  trufflehog  starting notifier workers   {"count": 3}
2024-08-27T14:48:00-04:00   info-1  trufflehog  cloned repo {"path": "/tmp/existent.git"}
2024-08-27T14:48:00-04:00   info-0  trufflehog  running source  {"source_manager_worker_id": "6Uric", "with_units": true}
2024-08-27T14:48:00-04:00   info-2  trufflehog  enumerating source  {"source_manager_worker_id": "6Uric"}
2024-08-27T14:48:00-04:00   info-0  trufflehog  finished scanning   {"chunks": 0, "bytes": 0, "verified_secrets": 0, "unverified_secrets": 0, "scan_duration": "3.065292ms", "trufflehog_version": "3.81.9"}
2024/08/27 14:48:00 [updater parent] prog exited with 0

How can I make sure trufflehog is actually scanning the repo?

Thanks

rgmz commented 2 weeks ago

Related to #3005.
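
For the question in the opening post, a wrapper-side check (an added example, not code from this issue or from the TruffleHog project): it counts a run as a real scan only if the target directory exists and the `finished scanning` line reports non-zero `chunks` and `bytes`. The function names and verdict strings are assumptions made for this illustration, as is reading zero `chunks`/`bytes` as "nothing was scanned"; the sample log lines are copied from the nonexistent-path run above.

```python
import json
import os
import re
from urllib.parse import urlparse

# Two lines copied from the nonexistent-path run shown in the issue.
SAMPLE_LOG = (
    '2024-08-27T14:45:01-04:00\tinfo-1\ttrufflehog\tcloned repo\t'
    '{"path": "/tmp/nonexistent.git"}\n'
    '2024-08-27T14:45:01-04:00\tinfo-0\ttrufflehog\tfinished scanning\t'
    '{"chunks": 0, "bytes": 0, "verified_secrets": 0, "unverified_secrets": 0, '
    '"scan_duration": "3.075326ms", "trufflehog_version": "3.81.9"}\n'
)

# The summary line ends with a JSON object after the message text.
FINISHED = re.compile(r"\bfinished scanning\s+(\{.*\})\s*$")

def scan_summary(log_text):
    """Return the JSON fields of the last 'finished scanning' line, or None."""
    summary = None
    for line in log_text.splitlines():
        match = FINISHED.search(line)
        if match:
            try:
                summary = json.loads(match.group(1))
            except json.JSONDecodeError:
                continue  # truncated or interleaved line: ignore it
    return summary

def local_path(target):
    """Map a file:// URI (or a plain path) to a filesystem path."""
    parsed = urlparse(target)
    return parsed.path if parsed.scheme == "file" else target

def verdict(target, log_text):
    """Classify a run; the exit code alone is 0 in both runs in the issue."""
    if not os.path.isdir(local_path(target)):
        return "path-missing"
    summary = scan_summary(log_text)
    if summary is None:
        return "no-summary"
    if summary.get("chunks", 0) == 0 or summary.get("bytes", 0) == 0:
        return "nothing-scanned"
    return "scanned"

if __name__ == "__main__":
    print(verdict("file:///tmp/nonexistent.git", SAMPLE_LOG))
```

Checking the path before looking at the summary matters here because both runs in the issue end with the same zero-count summary line.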