search

trufflesecurity / trufflehog

Find, verify, and analyze leaked credentials
https://trufflesecurity.com
GNU Affero General Public License v3.0
17.23k stars 1.71k forks source link

Trufflehog not detecting valid secrets as verified result #3262

Open rnillavazagan opened 2 months ago

rnillavazagan commented 2 months ago

TruffleHog Version

3.81.9

trufflehog filesystem scan not detecting a valid Github Server-Server token (GHS) when --only-verified is applied.

Expected Behavior

Scan results should report the GHS secret as verified result.

Actual Behavior

No secrets are reported but instead the secret is shown as unverified result when --only-verified is removed.

Steps to Reproduce

  1. Place a valid Github Server-Server token (GHS) in any of the sample file.
  2. Execute trufflehog filesystem scan against this file.

Additional Context

Same issues persists for GHS tokens present in docker images as well.

kashifkhan0771 commented 1 month ago

I conducted testing and discovered that the GitHub Server-to-Server token (ghs_*) must have the appropriate permissions granted in order to perform specific operations. If the token lacks the required permissions, it results in a 403 Forbidden error. Conversely, if the token is expired or invalid, it returns a 401 Unauthorized error.

In our GitHub verification call using the /user API, it’s important to note that not all ghs_* tokens will necessarily have the permission to access user profile information. This means that requests to the /user endpoint can fail if the token lacks the necessary permissions. During my testing, even after granting user information access to the token, the API still returned a 403 error, which was perplexing.

On the other hand, when I made a request to the /issues API after providing the token with the necessary issues read access, it worked as expected.

Therefore, I guess we need a more refined approach to handle Server-to-Server(ghs_*) tokens.

@zricethezav @abasit-folio3