trufflesecurity / trufflehog

Find, verify, and analyze leaked credentials
https://trufflesecurity.com
GNU Affero General Public License v3.0

NotGitBleed trufflehog support #392

Open carolosf opened 2 years ago

carolosf commented 2 years ago

Although trufflehog scans file systems and git repos, as far as I am aware it doesn't currently scan commit metadata for passwords.

Recently this has been published: https://www.notgitbleed.com

A lot of GitHub users of large open source projects accidentally commit their GitHub credentials at an alarming rate, even when tools such as trufflehog are being used.

Since this work has been published we have worked with GitHub to mitigate this on GitHub and they have built a scanning tool: https://github.blog/changelog/2022-04-11-secret-scanning-detects-and-revokes-leaked-passwords/

It would be great to confirm that trufflehog doesn't currently scan git commit metadata and to find out if this is something you can support in future.
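The gap described in this issue is that a scanner which only looks at file contents and diffs never sees the author name, author email, committer name, committer email or subject line of a commit, which is exactly where the NotGitBleed credentials ended up. The following is an added example, not TruffleHog's own code and not its detector set: it parses `git log` output produced with a unit-separator (`%x1f`) format string so that names containing spaces parse unambiguously, then runs two illustrative detectors (a classic GitHub token prefix followed by 36 token characters, and `user:password@` embedded in an http(s) URL) over every metadata field of every commit. The `SampleLog` input is constructed for the example and the token in it is fake.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// CommitMeta holds the commit metadata fields a file-content scanner never sees.
type CommitMeta struct {
	Hash           string
	AuthorName     string
	AuthorEmail    string
	CommitterName  string
	CommitterEmail string
	Subject        string
}

// Finding records a credential-looking string found in one metadata field.
type Finding struct {
	Hash     string
	Field    string
	Detector string
	Match    string
}

// LogFormat is the git log format assumed here: one record per line, fields
// separated by the ASCII unit separator (0x1f). Real use would run:
//   git log --all --format='%H%x1f%an%x1f%ae%x1f%cn%x1f%ce%x1f%s'
// and pass the output to ParseGitLog.
const LogFormat = "%H%x1f%an%x1f%ae%x1f%cn%x1f%ce%x1f%s"

// detector is an illustrative pattern; these are not TruffleHog's detectors.
type detector struct {
	name string
	re   *regexp.Regexp
}

// Kept as a slice (not a map) so findings come out in a deterministic order.
var detectors = []detector{
	// classic GitHub token prefixes (ghp_, gho_, ghu_, ghs_, ghr_) + 36 chars
	{"github-token", regexp.MustCompile(`\bgh[pousr]_[A-Za-z0-9]{36}\b`)},
	// user:password embedded in an http(s) URL, e.g. a mistyped remote
	{"url-basic-auth", regexp.MustCompile(`https?://[^/\s:@]+:[^/\s@]+@[^\s]+`)},
}

// ParseGitLog turns LogFormat output into CommitMeta records.
func ParseGitLog(out string) []CommitMeta {
	var commits []CommitMeta
	for _, line := range strings.Split(out, "\n") {
		if line == "" {
			continue
		}
		f := strings.Split(line, "\x1f")
		if len(f) != 6 {
			continue // malformed record: skip rather than misattribute fields
		}
		commits = append(commits, CommitMeta{
			Hash: f[0], AuthorName: f[1], AuthorEmail: f[2],
			CommitterName: f[3], CommitterEmail: f[4], Subject: f[5],
		})
	}
	return commits
}

// ScanMetadata runs every detector over every metadata field of every commit,
// including the name and email fields that NotGitBleed showed to be the
// fields where passwords actually land.
func ScanMetadata(commits []CommitMeta) []Finding {
	var findings []Finding
	for _, c := range commits {
		fields := []struct{ name, value string }{
			{"author-name", c.AuthorName},
			{"author-email", c.AuthorEmail},
			{"committer-name", c.CommitterName},
			{"committer-email", c.CommitterEmail},
			{"subject", c.Subject},
		}
		for _, f := range fields {
			for _, d := range detectors {
				for _, m := range d.re.FindAllString(f.value, -1) {
					findings = append(findings, Finding{c.Hash, f.name, d.name, m})
				}
			}
		}
	}
	return findings
}

// SampleLog is constructed test data in LogFormat. Hashes are shortened
// placeholders and the ghp_ token is fake.
const SampleLog = "aaaa1111\x1fAlice Example\x1falice@example.com\x1fAlice Example\x1falice@example.com\x1fFix typo\n" +
	"bbbb2222\x1fghp_abcdefghijklmnopqrstuvwxyz0123456789\x1fbob@example.com\x1fBob Example\x1fbob@example.com\x1fAdd CI\n" +
	"cccc3333\x1fCarol Example\x1fcarol@example.com\x1fCarol Example\x1fcarol@example.com\x1fSet remote to https://carol:hunter2@github.com/org/repo.git\n"

func main() {
	for _, f := range ScanMetadata(ParseGitLog(SampleLog)) {
		fmt.Printf("%s %s [%s]: %s\n", f.Hash, f.Field, f.Detector, f.Match)
	}
}
```

Two things carry over to a real implementation: walk every ref (`--all`) rather than just the current branch, since a credential in the author field of an orphaned or force-pushed commit is still retrievable from the remote, and treat a hit in a name or email field as higher-confidence than the same pattern in a subject line, because nothing legitimate resembling a token belongs there.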

dustin-decker commented 2 years ago

That's pretty interesting, thank you for sharing. TruffleHog does not currently scan commit metadata.