1

I'm using trufflehog_3.33.0_linux_amd64.tar.gz to detect the passwords and tokens.

Actually i have hard-coded tokens & passwords and committed them into my github repository. But when i tried to scan it is not finding tokens and passwords.

$ ./trufflehog git git@github-company.com:org-demo/test.git --only-verified
2023-05-02T09:57:50+05:30       info-0  trufflehog      loaded decoders {"count": 3}
2023-05-02T09:57:50+05:30       info-0  trufflehog      loaded detectors        {"total": 737, "verification_enabled": 737, "verification_disabled": 0}
2023-05-02T09:57:50+05:30       info-0  trufflehog      possible duplicate detector configured  {"detector": "Square"}
  TruffleHog. Unearth your secrets.

Above command couldn't find the password & token. But in my repository files i have passwords & tokens like below in few files.

USERNAME="user"
PASSWORD="password"

HTTP_USER="user1"
HTTP_TOKEN="DRFuteQw$#riYhte69AwerDdf-$"

Can I know what is the issue with my command? Why it is not finding custom hard-coded password & token?

Any help would be appreciated

user4948798
  • 1,924
  • 4
  • 43
  • 89

1 Answers1

1

Trufflehog is not meant to detect standalone passwords like const myPass = abc123. You can read about their approach in It’s impossible to find every vulnerability, so we don’t try to.

Here you can see all the detectors they currently have.

They can detect for example:

  • leaked SSH keys like this one

  • DB URIs like mongodb+srv://my-user:my-password@clustername.mongodb.net/

  • tokens like Netlify abc12345abc12345abc12345abc12345abc12345abc - if you take a look at the code for the Netlify detector, you can see they first check for string "netlify" and only then search for Netlify tokens using a regex. In other words, if you have Netlify token in your codebase, but don't have the string "netlify" around, it won't get caught.

If Trufflehog still does not detect something for you, try to omit --only-verified or even use --no-verification flag. Trufflehog tries to verify the results to limit false positives (check here how they verify if a private key can be compromised).

Ales Trunda
  • 169
  • 1
  • 5