Community Note

- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or other comments that do not add relevant new information or questions; they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
This article featured on HackerNews reminded me that both GitHub and GitLab have refs for (merge|pull) requests that — to my knowledge — aren't pulled by default. This is especially juicy for TruffleHog because PRs may contain commits or alternate history with valid secrets that technically no longer exist in the repository.
GitHub
```
$ git clone https://github.com/trufflesecurity/trufflehog.git
$ cd trufflehog
$ git ls-remote
From https://github.com/trufflesecurity/trufflehog.git
69021f59c57b6a49bafcc8d1827e355405330014    HEAD
aa3ba817175e1bcdf852f11ffa327c1d134ecb26    refs/heads/0x1/add-on-prem-verification-flag
ade5d91d5ca94e996377b1909a802dd9dbc51b6b    refs/heads/1560-error-during-git-scan-using-pre-commit
...
c3644ccaf1bb0799ef919a5897b7737ebff428db    refs/pull/1/head
180b9c288bfc2b0f0543f91dfd74740f4f1d410e    refs/pull/100/head
c36defae7818b738389815dd32a64db398e2d833    refs/pull/100/merge
...
3048c6429d80094b42fd44919e3d6768536178ce    refs/tags/2.0.97
6d2dc5e965f9d5c23acea0c0c6377b06a8ae6c7c    refs/tags/v0.1.0-alpha
fda044631b344997a4556f52aadbd7c8275d0802    refs/tags/v3.0.0
```
GitLab
Others
Problem to be Addressed
Find valid secrets that may be hidden in old PR histories.
Description of the Preferred Solution
Off the top of my head, I do not have any ideas on how to tackle this. It seems that you need to manually query for (`git ls-remote`) and check out each ref in a detached state. The history will not show up via `git log` otherwise.

Scanning refs could result in the same commits being scanned twice. I am not sure if this would produce duplicate results, or if we already deduplicate results.
Additional Context
N/A
References
N/A
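As an added illustration of the approach sketched in the preferred solution (this is example code, not TruffleHog's own), the bash script below enumerates a remote's `refs/pull/*` and `refs/merge-requests/*` with `git ls-remote`, fetches them into a local `refs/prs/*` namespace, and lists the commits that are reachable only through those refs, i.e. the history a branch-only scan never walks. The demo repository, the `refs/prs/*` namespace and the token value it commits are all constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not TruffleHog's code): list the PR/MR refs a default clone never
# fetches, pull them into refs/prs/*, and show commits reachable only through them.
# The demo at the bottom builds a throwaway repo with a constructed fake token.
set -euo pipefail
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# Ref names remote $2 of clone $1 advertises under GitHub's refs/pull/* or GitLab's refs/merge-requests/*.
pr_refs() {
  git -C "$1" ls-remote --refs "$2" 'refs/pull/*' 'refs/merge-requests/*' | awk '{print $2}'
}

# Fetch each of those refs into refs/prs/<name> so rev-list/log can walk it.
fetch_pr_refs() {
  local ref
  pr_refs "$1" "$2" | while read -r ref; do
    git -C "$1" fetch -q "$2" "+$ref:refs/prs/${ref#refs/}"
  done
}

# Commits reachable from a fetched PR/MR ref but from no branch or tag of $1:
# the history that `git log` on a default clone never shows.
pr_only_commits() {
  git -C "$1" rev-list --glob='refs/prs/*' --not --branches --tags
}

# Constructed demo: origin has main = A and refs/pull/1/head = B (adds a fake token).
demo() {
  local tmp origin work clone before after hits
  tmp=$(mktemp -d); origin="$tmp/origin.git"; work="$tmp/work"; clone="$tmp/clone"
  git init -q --bare "$origin" && git -C "$origin" symbolic-ref HEAD refs/heads/main
  git init -q "$work" && echo 'README' > "$work/README.md"
  git -C "$work" add . && git -C "$work" commit -q -m 'A: initial'
  git -C "$work" push -q "$origin" HEAD:refs/heads/main
  echo 'API_KEY=FAKE_TOKEN_not_a_real_secret' > "$work/.env"   # constructed value
  git -C "$work" add . && git -C "$work" commit -q -m 'B: only on the PR ref'
  git -C "$work" push -q "$origin" HEAD:refs/pull/1/head        # never merged
  git clone -q "$origin" "$clone"                                # no refs/pull fetched
  before=$(pr_only_commits "$clone" | wc -l)
  fetch_pr_refs "$clone" origin
  after=$(pr_only_commits "$clone" | wc -l)
  hits=$(pr_only_commits "$clone" | xargs -I{} git -C "$clone" show {} | grep -c FAKE_TOKEN)
  rm -rf "$tmp"
  echo "$((before)) $((after)) $((hits))"   # -> "0 1 1"
}

demo
```

Because each PR commit is listed once by `rev-list` regardless of how many PR refs reach it, the same set also gives a natural deduplication boundary for a scanner that already covers branches and tags.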