trufflesecurity / trufflehog

Find, verify, and analyze leaked credentials
https://trufflesecurity.com
GNU Affero General Public License v3.0

GitHub scan does not include private repos for the user specified in --org, even when authenticated #3349

Open CameronLonsdale opened 1 month ago

CameronLonsdale commented 1 month ago


TruffleHog Version

trufflehog 3.82.6

Trace Output

Can be provided if necessary

Expected Behavior

I would have expected trufflehog github --org cameronlonsdale to scan all my public and private repositories / gists IF I provide a GitHub API token with the appropriate scopes. However it seems like only public repositories were scanned.

The API token I'm using has the following scopes gist, read:org, read:user, repo

Actual Behavior

Only public repositories were scanned (and no private repositories)

Steps to Reproduce

Create an appropriately scoped GitHub Token and then scan your own user with trufflehog github --org <my-username> and evaluate the output to see how many repositories were scanned, e.g. Completed enumeration {"source_manager_worker_id": "qtPLB", "num_repos": 32, "num_orgs": 1, "num_members": 0}. Compare this with the number of repositories that belong to your user (ignoring forks)

Environment
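The comparison described in the steps above, written out as an added diagnostic (not part of trufflehog and not the reporter's code): it parses the "Completed enumeration" line trufflehog prints, counts the non-fork repositories the token can actually see through the GitHub REST endpoint /user/repos?affiliation=owner, and flags the case where the scanned count matches only the public repositories. The sample log line is the one quoted in the issue; the sample repository list is constructed for the offline check.

```python
"""Compare trufflehog's enumerated repo count with what the token can see."""
import json
import os
import re
import sys
import urllib.request
from typing import Optional

ENUM_RE = re.compile(r"Completed enumeration\s+(\{.*\})")

# Constructed sample: the enumeration line from the issue and a repo list with
# 32 public non-forks, 1 private non-fork and 1 fork (ignored, as in the steps).
SAMPLE_LOG = ('Completed enumeration {"source_manager_worker_id": "qtPLB", '
              '"num_repos": 32, "num_orgs": 1, "num_members": 0}')
SAMPLE_REPOS = ([{"name": f"pub{i}", "private": False, "fork": False} for i in range(32)]
                + [{"name": "secret", "private": True, "fork": False},
                   {"name": "forked", "private": False, "fork": True}])

def parse_enumeration(log_line: str) -> Optional[dict]:
    """Extract the JSON payload from a trufflehog 'Completed enumeration' line."""
    m = ENUM_RE.search(log_line)
    return json.loads(m.group(1)) if m else None

def count_visible_repos(repos: list) -> dict:
    """Count non-fork repos by visibility (forks are skipped, per the issue)."""
    counts = {"public": 0, "private": 0}
    for r in repos:
        if not r.get("fork"):
            counts["private" if r.get("private") else "public"] += 1
    return counts

def fetch_owned_repos(token: str) -> list:
    """List every repo the token's user owns via the REST API (needs network + 'repo' scope)."""
    repos, page = [], 1
    while True:
        url = f"https://api.github.com/user/repos?affiliation=owner&per_page=100&page={page}"
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}",
                                                   "Accept": "application/vnd.github+json"})
        with urllib.request.urlopen(req) as resp:
            batch = json.load(resp)
        if not batch:
            return repos
        repos.extend(batch)
        page += 1

def compare(enum_line: str, repos: list) -> dict:
    """Heuristic: private repos were skipped if scanned count is no more than the public count.
    Forks or gists counted by trufflehog can inflate num_repos, so treat the flag as a hint."""
    scanned = (parse_enumeration(enum_line) or {}).get("num_repos", 0)
    vis = count_visible_repos(repos)
    return {"scanned": scanned, "expected": vis["public"] + vis["private"], **vis,
            "private_skipped": vis["private"] > 0 and scanned <= vis["public"]}

if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")  # same variable trufflehog reads
    repos = fetch_owned_repos(token) if token else SAMPLE_REPOS
    print(json.dumps(compare(sys.argv[1] if len(sys.argv) > 1 else SAMPLE_LOG, repos), indent=2))
```

Run it with GITHUB_TOKEN set and the "Completed enumeration" line from your scan as the first argument; without a token it evaluates the constructed sample.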

rgmz commented 1 month ago

trufflehog github --org <my-username>

It should. How are you specifying the token?

CameronLonsdale commented 1 month ago

Via the GITHUB_TOKEN environment variable. Also tried out the --token CLI parameter but was no different.

CameronLonsdale commented 1 month ago

From my testing it will scan private gists, but not private repositories

benjamin-issa commented 1 month ago

Very new to trufflehog, but also seeing this today on macOS 14.7 with trufflehog 3.82.6. Also tried env var and specifying --token parameter.

JonZeolla commented 1 month ago

Interestingly enough, if I run with --org it does properly scan my private repo, and finds my testing creds properly, but when I swap that with --repo (same exact token) I get:

2024-10-09T10:08:42Z error trufflehog error running scan {"error": "engine failed to finish execution: fatal: no repoInfo for URL: https://github.com//.git"}

I'm using the docker image like docker run -e GITHUB_TOKEN ghcr.io/trufflesecurity/trufflehog github --repo=https://github.com/<private_org>/<private_repo>.git --no-verification --issue-comments --pr-comments --fail

This is an M3 mac running 15.0.1. The container is running trufflehog 3.82.7