Comments (9)
I made some changes recently, and the documentation isn't up to date. For custom regexes, try the flag `--rules` and then the path to a JSON object formatted like this: https://github.com/dxa4481/truffleHog/blob/dev/testRules.json
I will update the documentation shortly
from trufflehog.
Right now it looks like you have entropy enabled, which is why it flagged on a high source of entropy (highlighted in orange). Disable entropy with `--entropy false` and enable regex checks with `--regex`.
from trufflehog.
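The comment above explains that the orange output comes from the entropy scanner, not from any regex. The following is an added illustration of that check, written for this thread and not trufflehog's own code: it measures Shannon entropy over a base64 alphabet and a hex alphabet for every long run of characters in a diff fragment, and reports anything above a threshold. The thresholds, the minimum run length and the sample diff are assumptions for the example; the two key values in the sample are AWS's documented placeholder examples.

```python
import math
import re

# Alphabets scanned separately, one for base64-looking strings and one for hex-looking strings.
BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
HEX_CHARS = "1234567890abcdefABCDEF"

# Assumed for this example: thresholds (bits per character) and minimum run length.
BASE64_THRESHOLD = 4.5
HEX_THRESHOLD = 3.0
MIN_LENGTH = 20

# Maximal runs of each alphabet that are at least MIN_LENGTH characters long.
BASE64_RUN = re.compile(rf"[A-Za-z0-9+/=]{{{MIN_LENGTH},}}")
HEX_RUN = re.compile(rf"[0-9a-fA-F]{{{MIN_LENGTH},}}")


def shannon_entropy(data: str, charset: str) -> float:
    """Shannon entropy of `data` in bits per character, counted over `charset`."""
    if not data:
        return 0.0
    entropy = 0.0
    for ch in set(charset):
        p = data.count(ch) / len(data)
        if p > 0:
            entropy -= p * math.log2(p)
    return entropy


def find_high_entropy_strings(text: str) -> list:
    """Return (string, entropy, alphabet) for every long run whose entropy exceeds
    its alphabet's threshold. No regex is consulted, which is why an entropy-only
    scan reports random-looking build ids and hashes as readily as real keys."""
    findings = []
    for word in text.split():
        for run in BASE64_RUN.findall(word):
            e = shannon_entropy(run, BASE64_CHARS)
            if e > BASE64_THRESHOLD:
                findings.append((run, e, "base64"))
        for run in HEX_RUN.findall(word):
            e = shannon_entropy(run, HEX_CHARS)
            if e > HEX_THRESHOLD:
                findings.append((run, e, "hex"))
    return findings


# Constructed diff fragment. The two key values are AWS's documented placeholder
# examples, not live credentials. The access key id has low entropy and is missed,
# the secret key is flagged, and the 40 repeated 'a's are not flagged at all.
SAMPLE_DIFF = """\
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+build_id = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""

if __name__ == "__main__":
    for value, entropy, alphabet in find_high_entropy_strings(SAMPLE_DIFF):
        print(f"{alphabet:6s} entropy={entropy:.3f} {value}")
```

Running it shows the trade-off the thread is circling: the 20-character access key id scores about 3.68 bits per character and falls below the base64 threshold, so an entropy-only scan misses it, while a regex such as `AKIA[0-9A-Z]{16}` would catch it directly.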
I provided --rules= and I am not getting the issue anymore. But the output still does not show the security keys in code. Tested the regex in rubular.com and it works perfectly.
Can you please guide me? I am new to Python.
from trufflehog.
Debugged the issue and found that the code checks only the history, not the current changes in the local repository. That is the reason it is printing entropicDiff, which does not go through the regex check.
But what is the point of printing entropicDiff if it does not match any security regex? The purpose is to get details of the commits where security keys got committed. Right?
Please share your opinion on this, @dxa4481.
from trufflehog.
I'm not sure I follow what the issue is you're describing. Can you paste some output and tell me what the problem is?
I've updated the documentation
from trufflehog.
Though the code contains an AWS access key and secret key, the output gives only this, which comes from the find_entropy method in the truffleHog.py file.
After getting the output from the find_entropy method, the code should check whether it matches the security key regex or not. Otherwise, we will get a lot of false positive outputs like this.
from trufflehog.
This solution worked and now I am not getting any output.
Is there any way to check the current changes in code locally? Or truffleHog only checks the previous commits?
from trufflehog.
You need to commit your code to git for trufflehog to scan it. Trufflehog exclusively scans commits, it won't check your local file system.
from trufflehog.
I created a custom regex for JWT, stored it in JSON format, and executed it with
`sudo trufflehog --regex --entropy=False --max_depth=5 --rules pat.json https://github.com/REDACT.git`
but I have an error showing something like this:
```
Traceback (most recent call last):
  File "/opt/homebrew/lib/python3.9/site-packages/truffleHog/truffleHog.py", line 60, in main
    rules = json.loads(ruleFile.read())
  File "/opt/homebrew/Cellar/python@3.9/3.9.10/Frameworks/Python.framework/Versions/3.9/lib/python3.9/json/__init__.py", line 346, in loads
    return _default_decoder.decode(s)
  File "/opt/homebrew/Cellar/python@3.9/3.9.10/Frameworks/Python.framework/Versions/3.9/lib/python3.9/json/decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/opt/homebrew/Cellar/python@3.9/3.9.10/Frameworks/Python.framework/Versions/3.9/lib/python3.9/json/decoder.py", line 353, in raw_decode
    obj, end = self.scan_once(s, idx)
json.decoder.JSONDecodeError: Invalid \escape: line 2 column 41 (char 42)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/homebrew/bin/trufflehog", line 8, in <module>
    sys.exit(main())
  File "/opt/homebrew/lib/python3.9/site-packages/truffleHog/truffleHog.py", line 64, in main
    raise("Error reading rules file")
TypeError: exceptions must derive from BaseException
```
Can someone help me with this?
from trufflehog.
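The traceback in the comment above has two separate causes: the rules file is rejected by the JSON parser (`Invalid \escape`, because a regex backslash such as `\.` must be written as `\\.` inside a JSON string), and the handler in truffleHog.py then does `raise("Error reading rules file")`, which raises a plain string and so fails with the `TypeError` instead of reporting the real problem. The following is an added example written for this thread, not trufflehog's code: a rules loader in the `{"rule name": "regex"}` shape of the linked testRules.json that reports the JSON error position with a hint about escaping, compiles each rule, and applies the rules to a constructed diff. The rule names, both rules files, the sample diff and the made-up JWT are assumptions for the example; the access key is AWS's documented placeholder.

```python
import json
import re

# Rules files follow the shape of trufflehog v2's testRules.json: a JSON object
# mapping a rule name to a regex string. Both texts below are constructed for this
# example. BROKEN_RULES_TEXT writes "\." the way a regex tester accepts it, which
# JSON rejects as an invalid escape; VALID_RULES_TEXT doubles every backslash.
BROKEN_RULES_TEXT = r'''{
    "JWT": "eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"
}'''

VALID_RULES_TEXT = r'''{
    "JWT": "eyJ[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+",
    "AWS access key": "AKIA[0-9A-Z]{16}"
}'''


def load_rules(text: str) -> dict:
    """Parse a rules file and compile each regex.

    Failures raise ValueError with the position and a hint. Raising a str, as the
    traceback in the thread shows, produces a TypeError that hides the real
    JSONDecodeError the user needed to see."""
    try:
        raw = json.loads(text)
    except json.JSONDecodeError as exc:
        hint = ""
        if "Invalid \\escape" in exc.msg:
            hint = ' (hint: backslashes in regexes must be doubled in JSON, e.g. "\\\\." for "\\.")'
        raise ValueError(
            f"Error reading rules file: {exc.msg} at line {exc.lineno} column {exc.colno}{hint}"
        ) from exc
    if not isinstance(raw, dict):
        raise ValueError("Rules file must be a JSON object mapping rule names to regexes")
    rules = {}
    for name, pattern in raw.items():
        try:
            rules[name] = re.compile(pattern)
        except re.error as exc:
            raise ValueError(f"Rule {name!r} is not a valid regex: {exc}") from exc
    return rules


def rules_load_error(text: str):
    """None if the rules text loads cleanly, otherwise the error message."""
    try:
        load_rules(text)
    except ValueError as exc:
        return str(exc)
    return None


def scan_diff(diff_text: str, rules: dict) -> list:
    """Return (rule name, matched text, line number) for each regex hit on added lines.
    Only '+' lines are checked: a removed line cannot introduce a secret into the commit."""
    hits = []
    for lineno, line in enumerate(diff_text.splitlines(), start=1):
        if not line.startswith("+"):
            continue
        for name, regex in rules.items():
            for match in regex.finditer(line):
                hits.append((name, match.group(0), lineno))
    return hits


# Constructed diff. The JWT is a made-up token whose third segment is just
# base64 text, and the access key is AWS's documented placeholder, so neither
# is a live credential.
SAMPLE_DIFF = """\
-token = os.environ["TOKEN"]
+token = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.c2lnbmF0dXJlLWZvci1leGFtcGxl"
+aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
"""

if __name__ == "__main__":
    print("broken rules file:", rules_load_error(BROKEN_RULES_TEXT))
    for name, value, lineno in scan_diff(SAMPLE_DIFF, load_rules(VALID_RULES_TEXT)):
        print(f"line {lineno}: {name}: {value}")
```

A quick check for a rules file before handing it to the scanner is simply `python -c 'import json,sys; json.load(open(sys.argv[1]))' pat.json`: if that fails with `Invalid \escape`, double the backslashes in the offending regex.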