badlist.txt filters out valid secrets when "no-verification" is used #3246

Open
AlfredBerg opened this issue Aug 24, 2024 · 0 comments

TruffleHog Version

trufflehog 3.81.9

Trace Output

Expected Behavior

The Slack webhook should be detected.

Actual Behavior

The detector finds the webhook, but it is then filtered out by FilterKnownFalsePositives. The Slack webhook is filtered out here:

    return true, "matches wordlist: " + m.MatchString()

since it matches https: over in the badlist.
At least https: and http: should probably be removed from that list.

Steps to Reproduce

  1. Create a file named slack with a valid Slack webhook (looks something like https://hooks.slack.com/services/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, this one is not valid though)
  2. Run trufflehog --no-update filesystem slack
  3. The secret is not detected

Environment

  • OS: Debian GNU/Linux 12

Additional Context

References

@AlfredBerg AlfredBerg added the bug label Aug 24, 2024
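
The failure mode reported above, as an added example that is not TruffleHog's code and not part of the original issue: a substring wordlist containing a URL scheme drops every URL-shaped finding, and a small audit can flag such entries before they ship. The function names, the plain substring matching, the sample values and every badlist entry other than `https:` and `http:` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample in the shape of a Slack webhook; not a live secret.
const slackSample = "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"

// URL-shaped detector results a wordlist must never suppress (constructed).
var urlSamples = []string{slackSample, "http://svc:constructed-pw@db.internal.test:8080/"}

// Constructed badlist; only "https:" and "http:" are taken from the issue.
var constructedBadlist = []string{"https:", "http:", "changeme", "placeholder"}

// wordlistFalsePositive is a simplified stand-in (assumption) for a substring
// wordlist filter: a finding is dropped when it contains any badlist entry.
func wordlistFalsePositive(secret string, badlist []string) (bool, string) {
	lower := strings.ToLower(secret)
	for _, w := range badlist {
		if strings.Contains(lower, strings.ToLower(w)) {
			return true, "matches wordlist: " + w
		}
	}
	return false, ""
}

// auditBadlist returns the badlist entries that would suppress at least one
// of the known-good samples, in badlist order.
func auditBadlist(badlist, samples []string) []string {
	var offending []string
	for _, w := range badlist {
		for _, s := range samples {
			if drop, _ := wordlistFalsePositive(s, []string{w}); drop {
				offending = append(offending, w)
				break
			}
		}
	}
	return offending
}

func main() {
	drop, reason := wordlistFalsePositive(slackSample, constructedBadlist)
	fmt.Println(drop, reason)
	fmt.Println("entries to remove:", auditBadlist(constructedBadlist, urlSamples))
}
```

Run as a unit test over the real wordlist and one known-good sample per URL-shaped detector, an audit like this fails the build when an entry would silently hide a whole detector's results.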