[Docs] Hint on challenge-1 needs an update (trufflehog)
za opened this issue · 10 comments
Hi there,
I think the hint on challenge-1 needs an update:
Scan the files using
trufflehog . | grep password
and the password will be in the output.
➜ wrongsecrets git:(master) trufflehog --version
trufflehog 3.59.0
➜ wrongsecrets git:(master) trufflehog .
trufflehog: error: expected command but got ".", try --help
It seems trufflehog needs to scan it using the generic detector https://github.com/trufflesecurity/trufflehog/blob/main/examples/generic.yml#L15
It seems to be version-dependent indeed:
- version 2: it is
trufflehog .
- version 3: it seems to work with
trufflehog filesystem .
only this seems to be much slower.
Would you like to file a PR to show how both can be used properly?
Hi @commjoen, this command does not seem to be working
➜ wrongsecrets git:(master) trufflehog filesystem . | grep password
🐷🔑🐷 TruffleHog. Unearth your secrets. 🐷🔑🐷
2024-01-22T09:57:25+07:00 info-0 trufflehog finished scanning {"chunks": 16579, "bytes": 206885751, "verified_secrets": 0, "unverified_secrets": 45, "scan_duration": "11.028594104s"}
I have prepared the PR, and it's working with the generic detector https://github.com/OWASP/wrongsecrets/pull/1195/files#diff-7cb51d7f736e82d7762d13369216848fc6eeae335a63aab3867542659f6eb825R24
I am wondering, is there a simpler way in trufflehog to scan by default using the generic detector?
> It seems to be version-dependent indeed:
> - version 2: it is
> trufflehog .
> Would you like to file a PR to show how both can be used properly?
Hi @commjoen, I don't recommend using trufflehog version 2.x, as it was released > 5 years ago https://github.com/trufflesecurity/trufflehog/tags?after=v3.0.0
What do you think?
Some installment paths only give version 2 ;-). So I am fine with showing both.
Haha... ok, because I was wondering how to install the version 2.
In that case, I'll just write as it is for version 2 and update the PR.
pip3 install trufflehog
Collecting trufflehog
Downloading truffleHog-2.2.1-py2.py3-none-any.whl (13 kB)
Collecting GitPython==3.0.6 (from trufflehog)
Downloading GitPython-3.0.6-py3-none-any.whl (451 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 451.8/451.8 kB 8.8 MB/s eta 0:00:00
Collecting truffleHogRegexes==0.0.7 (from trufflehog)
Downloading truffleHogRegexes-0.0.7-py2.py3-none-any.whl (2.5 kB)
Collecting gitdb2>=2.0.0 (from GitPython==3.0.6->trufflehog)
Downloading gitdb2-4.0.2-py3-none-any.whl (1.1 kB)
Collecting gitdb>=4.0.1 (from gitdb2>=2.0.0->GitPython==3.0.6->trufflehog)
Downloading gitdb-4.0.11-py3-none-any.whl.metadata (1.2 kB)
Collecting smmap<6,>=3.0.1 (from gitdb>=4.0.1->gitdb2>=2.0.0->GitPython==3.0.6->trufflehog)
Downloading smmap-5.0.1-py3-none-any.whl.metadata (4.3 kB)
Downloading gitdb-4.0.11-py3-none-any.whl (62 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 62.7/62.7 kB 2.2 MB/s eta 0:00:00
Downloading smmap-5.0.1-py3-none-any.whl (24 kB)
Installing collected packages: truffleHogRegexes, smmap, gitdb, gitdb2, GitPython, trufflehog
Successfully installed GitPython-3.0.6 gitdb-4.0.11 gitdb2-4.0.2 smmap-5.0.1 truffleHogRegexes-0.0.7 trufflehog-2.2.1
[notice] A new release of pip is available: 23.3.1 -> 23.3.2
[notice] To update, run: python3.11 -m pip install --upgrade pip
[22/01 9:31:55] ➜ wrongsecrets git:(only-publish-non-fork)
so pip3 results in trufflehog 2 :(
If we can have both that would be awesome!
Added a suggestion to your PR.
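The version split discussed in this thread, as an added example that is not part of the thread or the WrongSecrets repository: a small shell helper that picks `trufflehog .` for version 2 and `trufflehog filesystem .` for version 3. The function names, the `pip3 show` fallback (assuming a pip-installed version 2 does not report its own version) and the optional `--config` argument (a trufflehog v3 flag for a config file such as the `generic.yml` linked above) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread or the WrongSecrets repository.
# Function names and the optional config argument are assumptions.

# Print the major version found in a version string,
# e.g. "trufflehog 3.59.0" -> 3, "Version: 2.2.1" -> 2, no digits -> nothing.
major_of() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.[0-9].*/\1/p' | head -n 1
}

# Print the scan command for a major version ($1) and target path ($2).
# $3 is an optional v3 config file that defines custom detectors.
scan_cmd() {
    case "$1" in
        2) printf 'trufflehog %s\n' "${2:-.}" ;;
        3) if [ -n "${3:-}" ]; then
               printf 'trufflehog filesystem %s --config %s\n' "${2:-.}" "$3"
           else
               printf 'trufflehog filesystem %s\n' "${2:-.}"
           fi ;;
        *) echo "unknown trufflehog version: '$1'" >&2
           return 1 ;;
    esac
}

# Detect the installed major version: ask the binary first, then pip
# (assumption: a pip-installed v2 may not answer --version itself).
detect_major() {
    m=$(major_of "$(trufflehog --version 2>&1)")
    [ -n "$m" ] || m=$(major_of "$(pip3 show trufflehog 2>/dev/null | grep '^Version:')")
    printf '%s\n' "$m"
}

# Only print a suggestion when trufflehog is installed; nothing is scanned here.
if command -v trufflehog >/dev/null 2>&1; then
    scan_cmd "$(detect_major)" . || true
fi
```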