trufflesecurity / trufflehog

Find, verify, and analyze leaked credentials
https://trufflesecurity.com
GNU Affero General Public License v3.0
17.47k stars 1.72k forks

[request] Add detector for credentials in .pypirc file #951

Open bugbaba opened 2 years ago

bugbaba commented 2 years ago

Description

Hello Team :)

Currently truffleHog does not have any detector for credentials and API tokens hardcoded inside the .pypirc file. They allow authenticated access to pypi.org.

Problem to be Addressed

Credentials and API tokens hardcoded inside the .pypirc file are not detected by trufflehog.

Description of the Preferred Solution

Add a detector for credentials and API tokens in the .pypirc file.

References

https://packaging.python.org/en/latest/specifications/pypirc/

-- Regards, @bugbaba

tbenthompson commented 1 year ago

This is partially related to https://github.com/trufflesecurity/trufflehog/issues/716

The password format for a pypirc file would be caught by that generic scanner:

[distutils]
index-servers =
    pypi
    testpypi

[pypi]
username = ...
password = ...

But it would be great to also verify these credentials!
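A minimal .pypirc detector of the kind requested in this issue, added here as an example; it is not trufflehog's code and not from either commenter. It reads the file with Python's configparser (the same module the packaging tools use for .pypirc), reports every section that carries both a username and a password, flags PyPI API tokens (username `__token__` or a `pypi-` prefixed secret), and redacts secrets for reporting; the sample file and token value are constructed, and verification against pypi.org is not attempted.

```python
import configparser
from dataclasses import dataclass

# Constructed sample .pypirc; the token value is a made-up placeholder.
SAMPLE_PYPIRC = """\
[distutils]
index-servers =
    pypi
    testpypi

[pypi]
username = __token__
password = pypi-EXAMPLEPLACEHOLDERTOKENVALUE

[testpypi]
username = alice
password = hunter2
"""

@dataclass
class Finding:
    server: str     # section name, e.g. "pypi"
    username: str
    secret: str
    is_token: bool  # PyPI API token: username __token__ or "pypi-" prefix

def find_pypirc_credentials(text: str) -> list[Finding]:
    """One Finding per section carrying both a username and a password;
    [distutils] only lists server names, so it never yields one."""
    cfg = configparser.ConfigParser(interpolation=None)  # "%" may occur in secrets
    cfg.read_string(text)
    findings = []
    for server in cfg.sections():
        user = cfg.get(server, "username", fallback="")
        secret = cfg.get(server, "password", fallback="")
        if user and secret:
            is_token = user == "__token__" or secret.startswith("pypi-")
            findings.append(Finding(server, user, secret, is_token))
    return findings

def redact(secret: str, keep: int = 6) -> str:
    """Keep a short prefix so a report identifies the secret without re-leaking it."""
    if len(secret) <= keep:
        return "*" * 6
    return secret[:keep] + "*" * (len(secret) - keep)

if __name__ == "__main__":
    for f in find_pypirc_credentials(SAMPLE_PYPIRC):
        kind = "API token" if f.is_token else "password"
        print(f"{f.server}: {kind} for {f.username} -> {redact(f.secret)}")
```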