This fixes #2683. It scans the commit author, committer (which is typically GitHub <noreply@github.com> for GitHub, but can be different), and message.
It also scans Git notes.
Hi Team,
Description
I had read a blog where the author mentioned that users might have secrets set in their git commit configurations. So I started logging the commit metadata for public repositories and found two instances of credentials being configured in the commit email address. It looks like this occurs mainly due to mistakes made while copy-pasting the commands during git configuration.
One of the findings I found in the wild:
![image](https://private-user-images.githubusercontent.com/29960776/320282843-9ce7b957-fd42-49fb-b84f-1ccae767c95a.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MjA5NDAyNDAsIm5iZiI6MTcyMDkzOTk0MCwicGF0aCI6Ii8yOTk2MDc3Ni8zMjAyODI4NDMtOWNlN2I5NTctZmQ0Mi00OWZiLWI4NGYtMWNjYWU3NjdjOTVhLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDA3MTQlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwNzE0VDA2NTIyMFomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPTFiMmQwYzhjOTQ2ZTQxMWUyY2YyYTI0YzVlYzMwNmY0ZDQwYTYxN2ZkMzc1MDZkNDBlMjYzYmExMzhkMjU4ZGUmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JmFjdG9yX2lkPTAma2V5X2lkPTAmcmVwb19pZD0wIn0.VC_EHccfVhlu3idjd7d0kUWQ6MMNAL2x2xiwPjLJid0)
To replicate this, I have set a Hugging Face API key in the email field, which does not get detected by trufflehog: https://github.com/bugbaba/testwa54321/commit/6819bdd07fba20de2a1249bc8bf5341530b53d4a.patch
Preferred Solution
While parsing the git commits, save the commit metadata to a file which is later scanned for secrets.
--
Regards,
@bugbaba
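The approach the issue and the PR describe, as an added example that is not trufflehog's own code: pull the author, committer, message and notes out of `git log` output with a field-separated `--format` (the `%H`, `%an`, `%ae`, `%cn`, `%ce`, `%B`, `%N` and `%x1f` placeholders are standard git), then run secret detectors over each metadata field rather than only over file contents. The two regexes, the `ParseLog`/`ScanCommits` names and the sample records are constructed for this illustration; the Hugging Face pattern assumes the public `hf_` token prefix and is not trufflehog's detector.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

const (
	recordSep = "\x1e" // one record per commit
	fieldSep  = "\x1f" // separates the fields inside a record
	// LogFormat is the --format string that yields the records ParseLog expects:
	//   git log --format="$LogFormat"
	LogFormat = "%H%x1f%an <%ae>%x1f%cn <%ce>%x1f%B%x1f%N%x1e"
)

// Commit is the slice of commit metadata that is worth scanning for secrets.
type Commit struct {
	Hash, Author, Committer, Message, Notes string
}

// Finding records a credential-like string located in one metadata field.
type Finding struct {
	Commit, Field, Detector, Match string
}

// detectors are illustrative patterns for this example (assumed formats,
// not trufflehog's detector set); a slice keeps the scan order deterministic.
var detectors = []struct {
	name string
	re   *regexp.Regexp
}{
	{"huggingface", regexp.MustCompile(`hf_[A-Za-z0-9]{34}`)},
	{"aws-access-key", regexp.MustCompile(`AKIA[0-9A-Z]{16}`)},
}

// ParseLog splits git log output produced with LogFormat into Commit values.
// Records with an unexpected field count are skipped rather than guessed at.
func ParseLog(raw string) []Commit {
	var commits []Commit
	for _, rec := range strings.Split(raw, recordSep) {
		rec = strings.Trim(rec, "\n") // git emits a newline after each record
		if rec == "" {
			continue
		}
		f := strings.Split(rec, fieldSep)
		if len(f) != 5 {
			continue
		}
		commits = append(commits, Commit{Hash: f[0], Author: f[1], Committer: f[2], Message: f[3], Notes: f[4]})
	}
	return commits
}

// ScanCommits runs every detector over the author, committer, message and
// notes of each commit; an email address is scanned like any other text.
func ScanCommits(commits []Commit) []Finding {
	var out []Finding
	for _, c := range commits {
		fields := []struct{ name, text string }{
			{"author", c.Author}, {"committer", c.Committer},
			{"message", c.Message}, {"note", c.Notes},
		}
		for _, f := range fields {
			for _, d := range detectors {
				for _, m := range d.re.FindAllString(f.text, -1) {
					out = append(out, Finding{Commit: c.Hash, Field: f.name, Detector: d.name, Match: m})
				}
			}
		}
	}
	return out
}

// sampleLog is constructed data in the LogFormat layout (placeholder hashes
// and fake tokens), standing in for real `git log` output. The second commit
// has a token where the author email should be, as in the issue report.
var sampleLog = strings.Repeat("0", 39) + "1" + fieldSep +
	"Example Dev <dev@example.com>" + fieldSep +
	"GitHub <noreply@github.com>" + fieldSep +
	"Add README\n" + fieldSep + "" + recordSep + "\n" +
	strings.Repeat("0", 39) + "2" + fieldSep +
	"Example Dev <hf_EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAM12>" + fieldSep +
	"Example Dev <dev@example.com>" + fieldSep +
	"Update deploy script\n" + fieldSep +
	"reviewer note: key was AKIAEXAMPLE000000000\n" + recordSep + "\n"

func main() {
	for _, f := range ScanCommits(ParseLog(sampleLog)) {
		fmt.Printf("%s %-9s %-14s %s\n", f.Commit[:8], f.Field, f.Detector, f.Match)
	}
}
```

Against a real repository the same scan is `git log --format="$LogFormat" --all | ...` fed into `ParseLog`; the first sample commit (normal author plus the GitHub noreply committer) produces nothing, while the second yields one finding from the author field and one from the note.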