[Question] New version can't find the secret for git？

[rufherg]

Scene

I use the k8s-goat to learn k8s security. And then it recomand the tool which named 'trufflehog'.
https://madhuakula.com/kubernetes-goat/docs/scenarios/scenario-1/sensitive-keys-in-codebases-in-kubernetes-containers/welcome/#-method-2
It's built in the pod. I can use the built-in trufflehog to find some secrets as the paper say.

But when i download the latest version about trufflehog to compare with built-in trufflehog. I find that i can't find any secret. I don't know what causes this result。Can u help me to search for the truth？Thank u~

The latest version command

./trufflehog git file:///app

# result
🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷

2023-08-02T09:51:43Z    info-0  trufflehog      finished scanning       {"chunks": 6, "bytes": 3075, "verified_secrets": 0, "unverified_secrets": 0}

[zricethezav]

@rufherg that guide is referencing an old version of TruffleHog(v2). The secret it is likely scanning is not live and/or may be a multi-part credential. Trufflehog does not flag secrets based on entropy alone anymore as that caused a lot of false positives.

[rufherg]

@zricethezav Thanks for your answer！

[madhuakula]

Thanks @zricethezav and also updated the new trufflehog in the container