trufflesecurity / trufflehog

Find, verify, and analyze leaked credentials
https://trufflesecurity.com
GNU Affero General Public License v3.0

Codacy detector should be more specific and should not use /version endpoint for token verification #724

Closed dinvlad closed 1 year ago

dinvlad commented 2 years ago

Community Note

Description

Currently, Codacy detector detects lines like

2022-08-19 19:22:38.155Z  info [ReportRules] Generated coverage report: /tmp/codacy-coverage-15620814908828598437.json (145.15 kB)  - (ReportRules.scala:265)

as verified secrets (15620814908828598437 in this case).

Btw, this is from off-the-shelf codacy/codacy-coverage-reporter-action.

Problem to be Addressed

Codacy detector should be more sensitive and should not be using https://app.codacy.com/api/v3/version as token verification endpoint, as this endpoint is unauthenticated and always returns 200.

Description of the Preferred Solution

Perhaps we should add /tmp/codacy-coverage to the list of known FPs for this detector? This seems like it will be a common occurrence, coming from the official codacy/codacy-coverage-reporter-action.

Additionally, FPs marked in this pattern consist of 20 digit-only characters, which seems like an outlier because typical Codacy tokens have various alphanumeric characters, not just digits. Perhaps there's improvement to be made there in the regex.

Also, we should use an authenticated endpoint for verification (I'm not sure which one, however).

Additional Context

References
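To make the two points of this report concrete, here is a small Go example (added here, not code from the trufflehog project): a deliberately loose keyword-anchored pattern picks up the 20-digit file-name suffix from the log line quoted above, a candidate filter drops all-digit matches and lines carrying the known `/tmp/codacy-coverage` marker, and a verifier is run against two in-process fake servers: one that behaves like an unauthenticated `/version` route (always 200) and one that checks the token (401 otherwise). The regex, the `X-Example-Api-Token` header name and the second sample line are assumptions constructed for the example, not Codacy's real token format or API.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// Candidate is one token pulled out of scanned text, with the line it came from.
type Candidate struct {
	Token string
	Line  string
}

// broadPat is a deliberately loose pattern assumed for this example (not trufflehog's
// Codacy regex): "codacy" followed within 80 characters by a 20-40 char alphanumeric run.
var broadPat = regexp.MustCompile(`(?i)codacy[^\n]{0,80}?\b([0-9a-zA-Z]{20,40})\b`)

// allDigits flags the outlier the issue describes: a 20-digit run is a file-name
// suffix or timestamp far more often than an API token.
var allDigits = regexp.MustCompile(`^[0-9]+$`)

// knownFalsePositiveMarkers: substrings whose presence on a line marks the match as a
// known false positive; the path is the one from the issue report.
var knownFalsePositiveMarkers = []string{"/tmp/codacy-coverage"}

// FindCandidates returns every raw match of broadPat, scanning line by line.
func FindCandidates(data string) []Candidate {
	var out []Candidate
	for _, line := range strings.Split(data, "\n") {
		for _, m := range broadPat.FindAllStringSubmatch(line, -1) {
			out = append(out, Candidate{Token: m[1], Line: line})
		}
	}
	return out
}

// FilterCandidates drops all-digit tokens and matches on lines with a known FP marker.
func FilterCandidates(cands []Candidate) []Candidate {
	var out []Candidate
	for _, c := range cands {
		if allDigits.MatchString(c.Token) || hasFalsePositiveMarker(c.Line) {
			continue
		}
		out = append(out, c)
	}
	return out
}

func hasFalsePositiveMarker(line string) bool {
	for _, m := range knownFalsePositiveMarkers {
		if strings.Contains(line, m) {
			return true
		}
	}
	return false
}

// tokenHeader is an assumed header name for this example, not Codacy's documented one.
const tokenHeader = "X-Example-Api-Token"

// VersionLikeHandler models an unauthenticated route such as /version: it answers 200
// regardless of the token, so a verifier pointed at it "verifies" everything.
func VersionLikeHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
		fmt.Fprint(w, `{"version":"example"}`)
	})
}

// AuthenticatedHandler models a route that actually checks the token (401 otherwise).
func AuthenticatedHandler(validToken string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get(tokenHeader) != validToken {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusOK)
	})
}

// Verify sends the token to endpoint and treats a 200 response as "verified".
func Verify(ctx context.Context, client *http.Client, endpoint, token string) (bool, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint, nil)
	if err != nil {
		return false, err
	}
	req.Header.Set(tokenHeader, token)
	resp, err := client.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	return resp.StatusCode == http.StatusOK, nil
}

// VerifyAgainst runs Verify against an in-process test server for handler.
func VerifyAgainst(handler http.Handler, token string) (bool, error) {
	srv := httptest.NewServer(handler)
	defer srv.Close()
	return Verify(context.Background(), srv.Client(), srv.URL, token)
}

// sampleInput is constructed: the log line from the issue plus a made-up token line.
const sampleInput = `2022-08-19 19:22:38.155Z  info [ReportRules] Generated coverage report: /tmp/codacy-coverage-15620814908828598437.json (145.15 kB)  - (ReportRules.scala:265)
CODACY_PROJECT_TOKEN=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6`

func main() {
	raw := FindCandidates(sampleInput)
	kept := FilterCandidates(raw)
	fmt.Printf("raw matches: %d, after filtering: %d\n", len(raw), len(kept))
	for _, tok := range []string{"definitely-not-a-token", "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"} {
		v1, _ := VerifyAgainst(VersionLikeHandler(), tok)
		v2, _ := VerifyAgainst(AuthenticatedHandler("a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"), tok)
		fmt.Printf("%-34s version-like: %v  authenticated: %v\n", tok, v1, v2)
	}
}
```

Running it shows the two findings side by side: the loose pattern yields two raw matches but only the alphanumeric one survives filtering, and the version-like server reports every token (even `definitely-not-a-token`) as verified while the authenticated server only accepts the right one. The filter is cheap and runs before any network call, which is where a detector should shed noise like coverage-report file names.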

dustin-decker commented 2 years ago

Thank you, this should be fixed in #758 and should be released soon.

dinvlad commented 2 years ago

Thanks! Would it be possible to make this detector more specific also?

dxa4481 commented 1 year ago

Hey Dinvlad, feel free to open up another issue for making the detector more specific; closing this one for the verification being resolved.