
Add the ability to reverify a secret knowing the secret type #4170


Open
CameronLonsdale opened this issue May 23, 2025 · 5 comments

Comments

@CameronLonsdale

CameronLonsdale commented May 23, 2025

Description

Reverifying a secret with trufflehog requires re-scanning the source file, since many of the detectors depend on keywords before the secret itself; if you only have access to the secret, trufflehog may not identify it as verified.

Preferred Solution

Expose a method to call the verify function on a secret type knowing the secret itself. The scope would be all secrets in trufflehog that have a verifier function, not just those listed in Analyze.

Additional Context

It's very similar to the new trufflehog analyze except it's only focused on yes/no verification, not what scopes are present for that secret.

@shahzadhaider1
Contributor

Hi @CameronLonsdale

Thank you for opening this issue. We sincerely appreciate your contribution to the project.
We'll review it and get back to you as soon as possible. If we need any further details, we'll follow up here.

Thanks again for helping improve the project!

@rgmz
Contributor

rgmz commented May 24, 2025

Somewhat related to #2128 and #3634 (comment).

@CameronLonsdale
Author

Very much related to those issues. I've thought through the same solution as #2128 also, and think that the most reliable would be to expose the Verify functions for each secret type via command line argument. For example, trufflehog verify Buildkite.

You would likely have to update the function signature of the verify functions so that they all have the same name (because right now they're often named VerifyBuildkite instead of just Verify), then you can just find the scanner type from the terminal argument and call the corresponding verify function.

@CameronLonsdale
Author

Oh but TIL on #3634 (comment), not all rawV2 values are the secret themselves, that does make it trickier 🤔, and uplift might be needed there first.

@CameronLonsdale
Author

The other caveat here is that not all secrets are a single token, sometimes requiring multiple values and how to structure them (e.g. an ID & secret, or maybe a URL of the host too). That complicates things too: if we update all Verify functions to have the same signature, we need to define some kind of shared struct which you can pack, and then each verifier unpacks and uses whatever values it requires to verify. There may be some other elegant solution.
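The design sketched across the last three comments (a common Verify signature, dispatch on the type name given at the command line, and a shared packed struct that each verifier unpacks) can be shown end to end. The Go below is an added illustration written for this thread, not TruffleHog's own code: `Credential`, `Verifier`, `httpVerifier`, `VerifyByType`, the `exampletoken` / `exampleidsecret` type names and the `api.example.invalid` endpoints are all assumptions, and `NewFakeAPI` is a constructed local stand-in so the example runs offline. It covers both the single-token shape and the ID+secret shape, refuses to run a verifier that was handed half a pair, and treats anything other than a definite accept or reject as an error rather than reporting the secret as unverified.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
)

// Credential is the hypothetical shared struct: the CLI packs what it was given, each verifier unpacks what it needs.
type Credential struct {
	Secret string // the token or password itself
	ID     string // optional paired identifier (key id, client id, username)
	Host   string // optional API base URL, e.g. for a self-hosted instance
}

// Verifier is the hypothetical common signature replacing per-detector names such as VerifyBuildkite.
type Verifier interface {
	Verify(ctx context.Context, c Credential) (bool, error)
}

// httpVerifier is a constructed verifier: one authenticated GET; needID selects the ID+secret shape.
type httpVerifier struct {
	host, path string
	needID     bool
}

func (v httpVerifier) Verify(ctx context.Context, c Credential) (bool, error) {
	if c.Secret == "" || (v.needID && c.ID == "") {
		return false, fmt.Errorf("credential is missing required fields")
	}
	host := v.host
	if c.Host != "" {
		host = c.Host
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, host+v.path, nil)
	if err != nil {
		return false, err
	}
	if v.needID {
		req.SetBasicAuth(c.ID, c.Secret)
	} else {
		req.Header.Set("Authorization", "Bearer "+c.Secret)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	// Only a definite accept or reject is a result; 5xx, rate limits etc. surface as errors, not "unverified".
	switch resp.StatusCode {
	case http.StatusOK:
		return true, nil
	case http.StatusUnauthorized, http.StatusForbidden:
		return false, nil
	default:
		return false, fmt.Errorf("indeterminate: HTTP %d", resp.StatusCode)
	}
}

// registry: constructed stand-ins keyed by type name, not real TruffleHog detectors.
var registry = map[string]Verifier{
	"exampletoken":    httpVerifier{host: "https://api.example.invalid", path: "/v1/whoami"},
	"exampleidsecret": httpVerifier{host: "https://api.example.invalid", path: "/v1/me", needID: true},
}

// VerifyByType is what a `trufflehog verify <type>` subcommand would call.
func VerifyByType(ctx context.Context, typ string, c Credential) (bool, error) {
	v, ok := registry[strings.ToLower(typ)]
	if !ok {
		return false, fmt.Errorf("unknown secret type %q", typ)
	}
	return v.Verify(ctx, c)
}

// NewFakeAPI stands in for the remote service so the example runs offline;
// it accepts exactly one bearer token and one id/secret pair (constructed).
func NewFakeAPI(token, id, secret string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		bid, bsec, has := r.BasicAuth()
		bearerOK := r.URL.Path == "/v1/whoami" && r.Header.Get("Authorization") == "Bearer "+token
		basicOK := r.URL.Path == "/v1/me" && has && bid == id && bsec == secret
		if !bearerOK && !basicOK {
			w.WriteHeader(http.StatusUnauthorized) // otherwise the default 200 is sent
		}
	}))
}

func main() {
	// Usage: SECRET=tok-live go run . exampletoken (secret from the environment, not argv, to keep it out of shell history)
	srv := NewFakeAPI("tok-live", "id-1", "s3cr3t") // offline stand-in
	defer srv.Close()
	c := Credential{Secret: os.Getenv("SECRET"), ID: os.Getenv("SECRET_ID"), Host: srv.URL}
	live, err := VerifyByType(context.Background(), os.Args[len(os.Args)-1], c)
	fmt.Printf("verified=%v err=%v\n", live, err)
}
```

The three-way result (live, rejected, error) is the part worth keeping whatever the final shape: a verifier that collapses a 5xx or a rate limit into "not verified" would make a reverify command report leaked-but-live credentials as safe.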
