Add trufflehog for secret detection #152

Open
edoardottt opened this issue Apr 22, 2024 · 6 comments · May be fixed by #150
Labels: enhancement (New feature or request), Go

Comments

@edoardottt (Owner)

See #150

edoardottt added the enhancement (New feature or request) and Go labels Apr 22, 2024
edoardottt self-assigned this Apr 22, 2024
edoardottt linked a pull request Apr 22, 2024 that will close this issue
@edoardottt (Owner, Author)

Hi @hugo-syn, you can find working code for trufflehog secrets detection support here: https://github.com/edoardottt/cariddi/tree/trufflehog
The problem with trufflehog is that A LOT of false positives are found. See the image below (scanned my website).
None of those are valid.
[image: Screenshot from 2024-08-06 10-37-02]

@hugo-syn (Contributor) commented Aug 6, 2024

Hi @edoardottt, that's why I initially added the option to filter some file extensions, but I also enabled the secret verification feature of trufflehog. Normally each secret has a verifier that ignores invalid ones. This is enabled here:

The detector might be broken; try to reproduce the logic with one of the "secrets" in your screenshot. For example, for Rechargepayments: https://github.com/trufflesecurity/trufflehog/blob/8c6f852a9cc98c29e7f3d666328ab45acef65658/pkg/detectors/rechargepayments/rechargepayments.go#L49

It shouldn't be reported as a secret 🤔

@edoardottt (Owner, Author)

Tbh the verify option was set to True, but nothing changed. It seems not to be working fine (or maybe it's my fault, idk...).
Obviously there should also be an option for this; it's not obvious that cariddi will send HTTP requests to these services.
Then, I scanned my website (quite small, little content) and trufflehog found many false positives; what about big targets? Will it find thousands of false positives? (and so make thousands of HTTP requests to verify the findings?)
It would be a huge improvement, but I don't know how to proceed, to be honest...

@hugo-syn (Contributor) commented Aug 7, 2024

Hi @edoardottt, it was my fault, I fixed it here:

  • 00d38c6
    There is no trufflehog documentation, so the code is the doc; I missed this.

However, it does not work with your -proxy; I don't know how trufflehog handles the proxy, but it fixes the false positive problem. You can still use export HTTPS_PROXY="http://127.0.0.1:8080" and it will work.

What's the problem with the fact that the tool verifies the secrets by making HTTP requests? By verifying them it will reduce the number of false positives.

@hugo-syn (Contributor) commented Aug 7, 2024

Otherwise you could add an option --enable-trufflehog to enable or disable the usage of trufflehog, and add a warning in the readme stating that it will verify the potential secrets and that this will result in additional requests being made to the different services.
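An added example, not code from cariddi or trufflehog, sketching in Go the option proposed above together with the earlier proxy note: verification is opt-in, it is capped so a large target cannot turn into thousands of outbound verification requests, and the HTTP client picks up HTTPS_PROXY through http.ProxyFromEnvironment. The regex, the VerifyURL endpoint and the bearer-token check are constructed stand-ins for a detector's real pattern and verifier.

```go
package main

import (
	"errors"
	"net/http"
	"regexp"
)

var ErrVerifyBudget = errors.New("verification request budget exhausted")

// tokenRe is a constructed pattern standing in for a real detector's regex.
var tokenRe = regexp.MustCompile(`\bexample_[A-Za-z0-9]{32}\b`)

// client honours HTTPS_PROXY/HTTP_PROXY, the route that worked for trufflehog in the thread.
var client = &http.Client{Transport: &http.Transport{Proxy: http.ProxyFromEnvironment}}

// Scanner keeps verification opt-in (the --enable-trufflehog idea) and caps outbound requests.
type Scanner struct {
	Verify      bool
	MaxRequests int
	VerifyURL   string // constructed endpoint; a real detector knows its own service URL
	sent        int
}

// Scan returns every match; with Verify on, a candidate is kept only if VerifyURL accepts it as a bearer token.
func (s *Scanner) Scan(body []byte) ([]string, error) {
	var out []string
	for _, m := range tokenRe.FindAll(body, -1) {
		if s.Verify {
			if s.sent++; s.sent > s.MaxRequests {
				return out, ErrVerifyBudget
			}
			req, err := http.NewRequest(http.MethodGet, s.VerifyURL, nil)
			if err != nil {
				return out, err
			}
			req.Header.Set("Authorization", "Bearer "+string(m))
			resp, err := client.Do(req)
			if err != nil {
				return out, err
			}
			resp.Body.Close()
			if resp.StatusCode != http.StatusOK {
				continue // regex-only false positive, the kind the screenshot shows
			}
		}
		out = append(out, string(m))
	}
	return out, nil
}
```

With Verify left false, Scan never touches the network, which is the behaviour a warning in the readme would describe as the default.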

@edoardottt (Owner, Author)

Hi @hugo-syn !

Yes, I have to admit that would be an interesting option...
My only concern is whether that would be useful. Integrating trufflehog means adding a huge amount of dependencies.
