
[Request] Scan the Commit Metadata (email, name and commit message) for secrets #2683

Closed
bugbaba opened this issue Apr 7, 2024 · 0 comments · Fixed by #2713

Comments


bugbaba commented Apr 7, 2024

Hi Team,

Description

Had read a blog where the author mentioned that users might have secrets set in their git commit configurations. So I started logging the commit metadata for public repositories and found two instances of credentials being configured in the commit email address. It looks like this occurs mainly due to mistakes made while copy-pasting the commands during git configuration.

One of the findings that I found in the wild
(screenshot)

To replicate the same, I have set the Hugging Face API key in the email field, which doesn't get detected by trufflehog: https://github.com/bugbaba/testwa54321/commit/6819bdd07fba20de2a1249bc8bf5341530b53d4a.patch

(screenshot)

Preferred Solution

While parsing the git commits, save the commit metadata to a file which is later scanned for secrets.

--
Regards,
@bugbaba

@rgmz rgmz mentioned this issue Apr 18, 2024
rosecodym pushed a commit that referenced this issue Apr 25, 2024
This fixes #2683. It scans the commit author, committer (which is typically GitHub <noreply@github.com> for GitHub, but can be different), and message.

It also scans Git notes.
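Added example, not trufflehog's own code and not from the reporter or the fix above: a stand-alone Go scanner that does what the request and the fix description both describe. It asks `git log` for the author name/email, committer name/email, raw message and notes of every commit as NUL-separated fields (one 0x1e byte closes each record), then runs a few regexes over each field and reports which field the hit came from. The detector patterns are illustrative approximations, not trufflehog's detectors (the `hf_` pattern in particular is loose), and the embedded sample log output, hashes and secrets are constructed for this example; `AKIAIOSFODNN7EXAMPLE` is the documented AWS example key.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"regexp"
	"strings"
)

// logFormat: hash, author name, author email, committer name, committer email,
// raw message (%B) and notes (%N), NUL-separated, with 0x1e after each commit.
const logFormat = "%H%x00%an%x00%ae%x00%cn%x00%ce%x00%B%x00%N%x1e"

// CommitMeta holds the metadata fields that the file contents scan never sees.
type CommitMeta struct {
	Hash, AuthorName, AuthorEmail, CommitterName, CommitterEmail, Message, Notes string
}

// Finding records which commit and which metadata field contained a match.
type Finding struct {
	Hash, Field, Detector, Secret string
}

// Illustrative detector patterns (assumption: loose approximations, not trufflehog's).
var detectors = []struct {
	name string
	re   *regexp.Regexp
}{
	{"HuggingFace", regexp.MustCompile(`\bhf_[A-Za-z0-9]{30,}\b`)},
	{"AWSAccessKey", regexp.MustCompile(`\b(AKIA|ASIA)[A-Z0-9]{16}\b`)},
	{"GitHubPAT", regexp.MustCompile(`\bghp_[A-Za-z0-9]{36}\b`)},
}

// Constructed sample of `git log --format=<logFormat>` output: commit 1 has a
// Hugging Face token in the author email (the case from the issue), commit 2 has
// an AWS key in a git note.
const sampleLog = "0000000000000000000000000000000000000001\x00Test User\x00" +
	"hf_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789\x00GitHub\x00noreply@github.com\x00" +
	"Add README\n\x00\x1e\n" +
	"0000000000000000000000000000000000000002\x00Dev\x00dev@example.com\x00" +
	"Dev\x00dev@example.com\x00Rotate creds\n\x00old key: AKIAIOSFODNN7EXAMPLE\n\x1e\n"

// ParseLog splits raw git log output into per-commit metadata records.
func ParseLog(raw string) []CommitMeta {
	var out []CommitMeta
	for _, rec := range strings.Split(raw, "\x1e") {
		rec = strings.TrimLeft(rec, "\n") // git emits a newline after every record
		if strings.TrimSpace(rec) == "" {
			continue
		}
		f := strings.Split(rec, "\x00")
		if len(f) != 7 {
			continue // malformed record: skip rather than misattribute fields
		}
		out = append(out, CommitMeta{f[0], f[1], f[2], f[3], f[4], f[5], f[6]})
	}
	return out
}

// ScanCommit runs every detector over every metadata field of one commit.
func ScanCommit(c CommitMeta) []Finding {
	fields := []struct{ name, val string }{
		{"author.name", c.AuthorName}, {"author.email", c.AuthorEmail},
		{"committer.name", c.CommitterName}, {"committer.email", c.CommitterEmail},
		{"message", c.Message}, {"notes", c.Notes},
	}
	var found []Finding
	for _, f := range fields {
		for _, d := range detectors {
			for _, m := range d.re.FindAllString(f.val, -1) {
				found = append(found, Finding{c.Hash, f.name, d.name, m})
			}
		}
	}
	return found
}

// ScanLog parses raw log output and returns all metadata findings in commit order.
func ScanLog(raw string) []Finding {
	var all []Finding
	for _, c := range ParseLog(raw) {
		all = append(all, ScanCommit(c)...)
	}
	return all
}

func main() {
	raw := sampleLog
	if len(os.Args) > 1 { // usage: go run . /path/to/repo
		out, err := exec.Command("git", "-C", os.Args[1], "log", "--all", "--format="+logFormat).Output()
		if err != nil {
			fmt.Fprintln(os.Stderr, "git log:", err)
			os.Exit(1)
		}
		raw = string(out)
	}
	for _, f := range ScanLog(raw) {
		fmt.Printf("%s %s [%s] %s\n", f.Hash, f.Field, f.Detector, f.Secret)
	}
}
```

Run it with a repository path to scan real history, or with no arguments to scan the embedded sample. NUL and 0x1e separators are used rather than newlines because `%B` and `%N` are multi-line and can themselves contain anything a commit author typed, which is exactly the text being hunted for.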