trufflesecurity / trufflehog

Find, verify, and analyze leaked credentials
https://trufflesecurity.com
GNU Affero General Public License v3.0

GitHub scan does not include private repos for the user specified in --org, even when authenticated #3349

Open CameronLonsdale opened 3 hours ago

CameronLonsdale commented 3 hours ago


TruffleHog Version

trufflehog 3.82.6

Trace Output

Can be provided if necessary

Expected Behavior

I would have expected trufflehog github --org cameronlonsdale to scan all my public and private repositories / gists IF I provide a GitHub API token with the appropriate scopes. However it seems like only public repositories were scanned.

The API token I'm using has the following scopes gist, read:org, read:user, repo

Actual Behavior

Only public repositories were scanned (and no private repositories)

Steps to Reproduce

Create an appropriately scoped GitHub Token and then scan your own user with trufflehog github --org <my-username> and evaluate the output to see how many repositories were scanned, e.g. Completed enumeration {"source_manager_worker_id": "qtPLB", "num_repos": 32, "num_orgs": 1, "num_members": 0}. Compare this with the number of repositories that belong to your user (ignoring forks)

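To turn the comparison in the reproduction steps into a repeatable check, here is an added Python example (not part of the issue or of the trufflehog code base) that pulls num_repos out of the "Completed enumeration" line quoted above and compares it with the owner's non-fork repositories as a GitHub /user/repos?affiliation=owner response lists them. The API response below is a constructed sample, and the assumption that num_repos counts repositories only (not gists) is mine.

```python
import json
import re

# trufflehog prints "Completed enumeration" followed by a JSON object (format
# taken from the log line quoted in the issue); search() tolerates any prefix.
ENUM_RE = re.compile(r"Completed enumeration\s+(\{.*\})")


def scanned_repo_count(log_text: str) -> int:
    """Return num_repos from trufflehog's 'Completed enumeration' log line."""
    for line in log_text.splitlines():
        m = ENUM_RE.search(line)
        if m:
            return int(json.loads(m.group(1))["num_repos"])
    raise ValueError("no 'Completed enumeration' line found in log")


def expected_repos(api_repos: list) -> dict:
    """Split a /user/repos response into non-fork public and private names."""
    out = {"public": [], "private": []}
    for r in api_repos:
        if r.get("fork"):
            continue  # the issue compares against non-fork repositories only
        out["private" if r["private"] else "public"].append(r["full_name"])
    return out


def coverage_gap(log_text: str, api_repos: list) -> dict:
    """Compare what trufflehog enumerated with what the token can see.

    Assumes num_repos counts repositories only, not gists. If the scanned
    count equals the public count exactly, private repos were likely skipped.
    """
    seen = scanned_repo_count(log_text)
    exp = expected_repos(api_repos)
    total = len(exp["public"]) + len(exp["private"])
    return {
        "scanned": seen,
        "expected": total,
        "missing": max(total - seen, 0),
        "looks_public_only": seen == len(exp["public"]),
        "private_repos": exp["private"],
    }


# Constructed sample input (not taken from the issue): the scan reports 2 repos,
# while the token can see 2 public non-fork, 1 fork and 2 private repositories.
SAMPLE_LOG = ('2024-10-01T10:00:00Z info-0 trufflehog Completed enumeration '
              '{"source_manager_worker_id": "abcde", "num_repos": 2, '
              '"num_orgs": 1, "num_members": 0}\n')
SAMPLE_API = [
    {"full_name": "example-user/tool", "private": False, "fork": False},
    {"full_name": "example-user/site", "private": False, "fork": False},
    {"full_name": "example-user/upstream-fork", "private": False, "fork": True},
    {"full_name": "example-user/private-notes", "private": True, "fork": False},
    {"full_name": "example-user/infra-config", "private": True, "fork": False},
]
```

Run coverage_gap(SAMPLE_LOG, SAMPLE_API) after a real scan with the actual log and API output substituted in; a non-zero "missing" with "looks_public_only" set is the symptom this issue describes.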

rgmz commented 2 hours ago

trufflehog github --org <my-username>

It should. How are you specifying the token?

CameronLonsdale commented 1 hour ago

Via the GITHUB_TOKEN environment variable. Also tried out the --token CLI parameter, but it was no different.

CameronLonsdale commented 1 hour ago

From my testing it will scan private gists, but not private repositories