Add trufflehog for secret detection #152
Comments
Hi @hugo-syn, you can find here https://github.com/edoardottt/cariddi/tree/trufflehog working code for trufflehog secrets detection support.
Hi @edoardottt, that's why I initially added the option to filter some file extensions, but I also enabled the secret verification feature of trufflehog. Normally each secret has a verifier that ignores invalid ones. This is enabled here:
The detector might be broken; try to reproduce the logic with one of the "secrets" in your screenshot. For example, for rechargepayments: https://github.com/trufflesecurity/trufflehog/blob/8c6f852a9cc98c29e7f3d666328ab45acef65658/pkg/detectors/rechargepayments/rechargepayments.go#L49 It shouldn't be reported as a secret 🤔
Tbh the verify option was set to
Hi @edoardottt, it was my fault, I fixed it here:
However, it does not work with your What's the problem with the fact that the tool verifies the secrets by making HTTP requests? By verifying them it will reduce the number of false positives.
Otherwise you could add an option
Hi @hugo-syn! Yes, I have to admit that would be an interesting option...
See #150
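The design point debated above (a regex detector that reports every candidate, versus a detector whose verifier calls the vendor API and drops candidates that are not live credentials, behind a flag so the crawler can stay passive) is illustrated by the following sketch. This is an added example, not code from cariddi or trufflehog: the `examplepay` detector, its `exkey_` token format, the `ScanOptions.Verify` flag and the stub verifier are all constructed for this illustration and stand in for a real detector's HTTP check.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Verifier decides whether a candidate is a live credential. In a real detector
// this would be an HTTP call to the vendor's API; here it is a pluggable function
// so the scan can run offline (constructed for this example).
type Verifier func(secret string) (valid bool, err error)

// Detector pairs a pattern with an optional verifier.
type Detector struct {
	Name    string
	Pattern *regexp.Regexp
	Verify  Verifier
}

// ScanOptions models the flag proposed in the thread: with Verify=false every
// match is reported; with Verify=true the verifier filters out false positives.
type ScanOptions struct {
	Verify bool
}

// Finding is one reported secret; Verified is only ever true after a successful check.
type Finding struct {
	Detector string
	Secret   string
	Verified bool
}

// Scan runs every detector over body. When verification is requested and the
// verifier fails for an unrelated reason (network, rate limit), the candidate is
// kept but left unverified rather than silently dropped.
func Scan(body string, detectors []Detector, opts ScanOptions) []Finding {
	var out []Finding
	for _, d := range detectors {
		for _, m := range d.Pattern.FindAllString(body, -1) {
			f := Finding{Detector: d.Name, Secret: m}
			if opts.Verify && d.Verify != nil {
				ok, err := d.Verify(m)
				if err != nil {
					out = append(out, f) // could not verify: report, but not as verified
					continue
				}
				if !ok {
					continue // verifier rejected it: treat as a false positive
				}
				f.Verified = true
			}
			out = append(out, f)
		}
	}
	return out
}

// SampleDetectors returns one hypothetical detector with a stub verifier.
func SampleDetectors() []Detector {
	stubVerify := func(secret string) (bool, error) {
		switch {
		case strings.HasPrefix(secret, "exkey_ERR"):
			return false, fmt.Errorf("verification endpoint unreachable (simulated)")
		case secret == "exkey_ABCDEFGHIJKLMNOP":
			return true, nil // the only "live" key in this constructed scenario
		default:
			return false, nil
		}
	}
	return []Detector{{
		Name:    "examplepay", // hypothetical service, not a real detector name
		Pattern: regexp.MustCompile(`\bexkey_[A-Za-z0-9]{16}\b`),
		Verify:  stubVerify,
	}}
}

// SampleBody is constructed page content with three candidates: one live key,
// one whose verification errors out, and one dummy placeholder.
const SampleBody = `const client = new ExamplePay({ key: "exkey_ABCDEFGHIJKLMNOP" });
fallback = "exkey_ERR0000000000000";
placeholder = "exkey_0000000000000000";
`

// redact keeps a short prefix so output identifies the finding without echoing the secret.
func redact(s string) string {
	if len(s) <= 8 {
		return strings.Repeat("*", len(s))
	}
	return s[:6] + strings.Repeat("*", len(s)-6)
}

func main() {
	for _, verify := range []bool{false, true} {
		fmt.Printf("verify=%v\n", verify)
		for _, f := range Scan(SampleBody, SampleDetectors(), ScanOptions{Verify: verify}) {
			fmt.Printf("  %s %s verified=%v\n", f.Detector, redact(f.Secret), f.Verified)
		}
	}
}
```

Without verification all three candidates are reported; with it the placeholder is dropped, the live key is marked verified, and the key whose check errored is still reported, unverified, so a transient failure never hides a real finding.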