False positive with new text-based bun.lock #3770

Open
notramo opened this issue Dec 12, 2024 · 2 comments
notramo commented Dec 12, 2024

A text-based lockfile (bun.lock) was recently added to Bun (to replace the previously used binary bun.lockb file). It can be created with bun install --save-text-lockfile. (Currently only the nightly builds have this feature.)

The plain-text file contains many checksums, and trufflehog mistakenly detects some checksums as access tokens.

This is a line from bun.lock that triggers a false positive:

    "@oxlint/linux-x64-gnu": ["@oxlint/linux-x64-gnu@0.15.0", "", { "os": "linux", "cpu": "x64" }, "sha512-e/KSj4fg5EFdK/bJLJjGRzaw2KZdYgr2mTt3k9HF9YIGl0UnBoX5h+q0hJ9scDTNNailT8qytvOjuiUhyJpAPA=="],

It says q0hJ9scDTNNailT8qytvOjuiUhyJpAPA (part of the checksum) is a Box access token.
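An added triage helper, not code from the issue or from trufflehog: it parses a bun.lock entry line as the JSON fragment it is, decodes every `sha512-…` integrity value, and reports whether a flagged string is a slice of a well-formed 64-byte SHA-512 digest. The function names, the second constructed lockfile line and the assumption that the Box detector matched purely on the 32-character substring quoted above are mine, not the project's.

```python
import base64
import binascii
import json
import re

# Constructed sample input: the bun.lock entry quoted in the issue, as one
# line of the lockfile's "packages" object (trailing comma included).
SAMPLE_LINE = (
    '"@oxlint/linux-x64-gnu": ["@oxlint/linux-x64-gnu@0.15.0", "", '
    '{ "os": "linux", "cpu": "x64" }, '
    '"sha512-e/KSj4fg5EFdK/bJLJjGRzaw2KZdYgr2mTt3k9HF9YIGl0UnBoX5h+q0hJ9scDTNNailT8qytvOjuiUhyJpAPA=="],'
)

# Constructed counter-example: same 32 characters, but as a truncated value
# that is not a complete SHA-512 digest, so it should still be reviewed.
OTHER_LINE = '"example-pkg": ["example-pkg@1.0.0", "", {}, "sha512-q0hJ9scDTNNailT8qytvOjuiUhyJpAPA"],'

# The substring the issue reports as flagged by the Box detector.
FLAGGED = "q0hJ9scDTNNailT8qytvOjuiUhyJpAPA"

# Subresource-Integrity style value: "<algo>-<base64 digest>".
INTEGRITY_RE = re.compile(r"^(sha1|sha256|sha512)-([A-Za-z0-9+/]+={0,2})$")
DIGEST_BYTES = {"sha1": 20, "sha256": 32, "sha512": 64}


def parse_lock_entry(line):
    """Parse one `"name": [...]` line of bun.lock into (package name, fields)."""
    body = line.strip().rstrip(",")
    obj = json.loads("{" + body + "}")
    [(name, fields)] = obj.items()
    return name, fields


def decode_integrity(value):
    """Return (algo, raw digest bytes) if `value` is a well-formed integrity
    string whose base64 payload has the digest length for that algorithm,
    otherwise None (wrong alphabet, bad padding, or truncated digest)."""
    m = INTEGRITY_RE.match(value)
    if not m:
        return None
    algo, b64 = m.groups()
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return None
    return (algo, raw) if len(raw) == DIGEST_BYTES[algo] else None


def integrity_digests(line):
    """All valid (algo, raw digest) pairs found in one lockfile entry."""
    _, fields = parse_lock_entry(line)
    decoded = (decode_integrity(f) for f in fields if isinstance(f, str))
    return [d for d in decoded if d is not None]


def finding_inside_checksum(line, candidate):
    """True when `candidate` lies wholly inside a valid integrity digest on
    this line, i.e. the reported 'secret' is a slice of a checksum."""
    _, fields = parse_lock_entry(line)
    return any(
        isinstance(f, str) and candidate in f and decode_integrity(f) is not None
        for f in fields
    )


def triage(lines, candidate):
    """Map package name -> verdict for every line containing `candidate`."""
    report = {}
    for line in lines:
        if candidate in line:
            name, _ = parse_lock_entry(line)
            report[name] = (
                "checksum-slice" if finding_inside_checksum(line, candidate) else "review"
            )
    return report


if __name__ == "__main__":
    for algo, raw in integrity_digests(SAMPLE_LINE):
        print(algo, len(raw), "bytes", raw.hex()[:16] + "...")
    print(triage([SAMPLE_LINE, OTHER_LINE], FLAGGED))
```

The length check matters: a 32-character base64 run decodes cleanly to 24 bytes, so matching on the `sha512-` prefix alone would wave through values that are not actually digests; only a payload that decodes to exactly 64 bytes is treated as a checksum slice.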

@notramo notramo added the bug label Dec 12, 2024
@shahzadhaider1 (Contributor)

Hey @notramo,

Thank you for taking the time to open this issue, we really appreciate your contribution to the project!
We’ll take a look and get back to you as soon as we can. If we need any clarification, we’ll follow up here.

Thanks again for helping make this project better!

@shahzadhaider1 shahzadhaider1 self-assigned this May 27, 2025
@shahzadhaider1 (Contributor)

This is somewhat related to this issue.

For now, you can try ignoring this file as explained here, the --exclude-paths flag can be used to skip specific files or directories during scanning.

How to do that:

Create a file exclude.txt, add all the paths that need to be excluded (one per line), and then add the following to your command:

--exclude-paths exclude.txt

This approach offers greater flexibility compared to permanently excluding a file or updating the detector, as there may be scenarios where scanning that file is desired. We’d appreciate your thoughts on this.
