From e0add9ba6f8f71b796bae7a580e8da0fe1373c3a Mon Sep 17 00:00:00 2001
From: Jan Olderdissen
Date: Thu, 25 Sep 2025 19:37:51 +0200
Subject: [PATCH] Mask detections of github token is commit messages.

---
 checks/check_trufflehog.py | 11 ++++++++++-
 .../fixtures/trufflehog/merge_message/trufflehog.json | 1 +
 checks/test_checks.py | 5 +++++
 3 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 checks/fixtures/trufflehog/merge_message/trufflehog.json

diff --git a/checks/check_trufflehog.py b/checks/check_trufflehog.py
index 2c2e362..b580543 100644
--- a/checks/check_trufflehog.py
+++ b/checks/check_trufflehog.py
@@ -60,12 +60,21 @@ def check_trufflehog(json_path):
 if len(line) == 0:
 continue
 finding = json.loads(line)
+ detector_name = finding["DetectorName"]
 git_info = finding["SourceMetadata"]["Data"]["Git"]
- fn = git_info["file"]
+ fn = git_info.get("file")
 line_num = git_info["line"]
+
+ # Special handling for github tokens in commit messages:
+ if detector_name == "Github" and fn is None:
+ print(f"Skipping {detector_name} finding because detection is in commit message")
+ continue
 if is_overridden(fn, line_num, cred_overrides):
 print(f"Skipping {fn}:{line_num} because it is in the creds.yml file")
 continue
+ if fn is None:
+ # Clarify that the finding is in a commit message.
+ print(f"")
 print(f"Found secret in {fn}:{line_num}")
 return False
 print("No secrets found")
diff --git a/checks/fixtures/trufflehog/merge_message/trufflehog.json b/checks/fixtures/trufflehog/merge_message/trufflehog.json
new file mode 100644
index 0000000..e2a96ed
--- /dev/null
+++ b/checks/fixtures/trufflehog/merge_message/trufflehog.json
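Review bot: The `if fn is None:` branch added just before the final report prints an empty f-string, `print(f"")`, so the comment's stated intent ("clarify that the finding is in a commit message") is never fulfilled and a non-Github detector hit in a commit message is reported as `Found secret in None:<line>`. The new skip above it is also unconditional on the finding's `Verified` field (present in the fixture this commit adds), so a Github token in a commit message that trufflehog did verify as live is dropped and the check still returns True; gating the skip on `not finding.get("Verified", False)` keeps the false-positive suppression while still failing on a live credential. `is_overridden(fn, line_num, cred_overrides)` is now reached with `fn=None` for other detectors, and whether it tolerates None is not visible in this hunk. `check_trufflehog` starts before and ends after the hunk.
```python
        # … unchanged: finding / git_info / line_num parsing …
        # Suppress only unverified commit-message hits; a token trufflehog could
        # verify as live is still reported even when it sits in a commit message.
        if detector_name == "Github" and fn is None and not finding.get("Verified", False):
            print(f"Skipping unverified {detector_name} finding in commit message of {git_info.get('commit')}")
            continue
        # … unchanged: creds.yml override check …
        if fn is None:
            print(f"Found secret in commit message of {git_info.get('commit')}:{line_num}")
        else:
            print(f"Found secret in {fn}:{line_num}")
        return False
```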
@@ -0,0 +1 @@
+{"SourceMetadata":{"Data":{"Git":{"commit":"306419ec2a79f5ddb4117185f104c80004e342b6","email":"Jan Olderdissen \u003cjo@devrev.ai\u003e","repository":"git@github.com:devrev/jano-experimental.git","timestamp":"2025-09-25 17:20:44 +0000","line":4,"repository_local_path":"."}}},"SourceID":1,"SourceType":16,"SourceName":"trufflehog - git","DetectorType":8,"DetectorName":"Github","DetectorDescription":"GitHub is a platform for version control and collaboration. Personal access tokens (PATs) can be used to access and modify repositories and other resources.","DecoderName":"PLAIN","Verified":false,"VerificationFromCache":false,"Raw":"ghp_c2cc08e5b98f8995bb8042c5adb024e46f42","RawV2":"","Redacted":"","ExtraData":{"rotation_guide":"https://howtorotate.com/docs/tutorials/github/","version":"2"},"StructuredData":null}
diff --git a/checks/test_checks.py b/checks/test_checks.py
index 6a3283b..8da5e4c 100644
--- a/checks/test_checks.py
+++ b/checks/test_checks.py
@@ -63,6 +63,11 @@ def test_two_overrides(self):
 self.assertTrue(checks.check_trufflehog.check_trufflehog(
 "./trufflehog.json"))
 
+ def test_merge_message(self):
+ with change_dir("checks/fixtures/trufflehog/merge_message"):
+ self.assertTrue(checks.check_trufflehog.check_trufflehog(
+ "./trufflehog.json"))
+
 class TestCommitEmails(unittest.TestCase):
 def test_good(self):
 with change_dir("checks/fixtures/emails/good"):
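Review bot: The fixture's `Raw` field carries a full-length `ghp_`-shaped value in a tracked file, so a trufflehog run over this repository itself would presumably report the fixture, and nothing on the page says whether the value is synthetic. If it is a placeholder, an obviously fabricated value of the same shape (or a short README in the fixture directory saying so) keeps a real-looking token out of history; if it was ever a real token, it should be rotated regardless of the `"Verified":false` recorded here.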
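Review bot: `test_merge_message` only asserts that the new skip path returns True, so a regression that made the check ignore every finding would still pass it; a companion negative test in the same `change_dir`/`assert` shape, pointed at a fixture where the same `Github` finding carries a `file` key and using `assertFalse`, would pin that only the commit-message case is suppressed. The method is added inside a `unittest.TestCase` class whose header is outside the hunk. The name says `merge_message`, but nothing in the fixture path or body ties it to a merge commit rather than any commit message; a one-line docstring, `"""A Github detector hit with no file (commit message) is skipped."""`, would make the intent explicit.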