Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Still finding secrets in GitHub after modifying history #521

Open
luigi-benvenaglia opened this issue Oct 22, 2024 · 0 comments
Open

Still finding secrets in GitHub after modifying history #521

luigi-benvenaglia opened this issue Oct 22, 2024 · 0 comments

Comments

@luigi-benvenaglia
Copy link

I ran trufflehog against my GitHub Org. I discovered some secrets.

I then followed the steps below to cleanup my history

  1. Installed bfg repo cleaner and trufflehog

  2. Performed git clone --bare [email protected]:MyOrg/MyRepo.git

  3. Created a file named sensitive.txt with one line, containing a password that had been leaked into GitHub.

  4. Executed bfg --replace-text sensitive.txt

  5. Run git reflog expire --expire=now --all && git gc --prune=now --aggressive from within the bare repo's folder

  6. Run git push --force --all

Now comes the interesting part.

The secret is still available in GitHub when I visit

https://github.com/MyOrg/MyRepo/blob/<commit-sha-where-the-sensitive-data-was-added>/folder1/folder2/filename.php#L13

This is more or less expected since github states that:

those commits may still be accessible elsewhere:

  • In any clones or forks of your repository

  • Directly via their SHA-1 hashes in cached views on GitHub

  • Through any pull requests that reference them

So running

trufflehog github --only-verified [email protected]:MyOrg/MyRepo.git

still finds that commit and the secret.

What I don't understand is why

trufflehog git --only-verified [email protected]:MyOrg/MyRepo.git

i.e. the git scanner still finds the secret, while at the same time trying to checkout the specific commit results in an error

git checkout <commit-sha-where-the-sensitive-data-was-added>
error: pathspec '<commit-sha-where-the-sensitive-data-was-added>' did not match any file(s) known to git
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant