Description
While integrating TruffleHog into our CircleCI pipeline, I noticed that certain hardcoded configuration secrets are not being detected during repository scans.
Below is an example (`.properties` file):

```properties
knox.auth.client.secret=Ntde8=qa.wi6
jwt.secretkey=abcdsecret
test.auth.password=hello@01
```
The following command does not report any findings for the above values:
```shell
trufflehog git file://. --fail
```
I also tested similar hardcoded secrets in other `.properties` files and observed that they are not detected during scans.
I would like clarification on whether this is expected behavior, whether additional configuration is required, or whether support for detecting generic hardcoded configuration secrets is planned.
Preferred Solution
It would be helpful if TruffleHog could optionally detect common hardcoded configuration secrets such as:
- `*.password=`
- `*.secret=`
- `*.client.secret=`
- `*.api.key=`
especially within:
- `.properties`
- `.yaml`
- `.env`
- application configuration files
Ideally this could be:
- configurable
- optional
- rule-based
- with allowlist support to reduce false positives
This would improve detection coverage for CI/CD pipelines where teams want to prevent accidental commits of hardcoded configuration credentials.
Additional Context
Environment:
- CircleCI pipeline
- Docker image: `trufflesecurity/trufflehog:latest`
Current scan command:
```shell
trufflehog git file://. --fail
```
The same behavior is observed both locally and in CircleCI.
The request is mainly to understand:
- whether this behavior is intentional
- whether additional detectors/rules are recommended
- or whether this would be considered a potential enhancement request
References
None currently.
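The following is an added example, not code from the issue author or from the TruffleHog project. It sketches the optional, rule-based detection with allowlist support that the Preferred Solution asks for: a line-based scanner that flags key/value pairs whose key name looks credential-bearing (`*.password`, `*.secret`, `*.client.secret`, `*.api.key`, ...), skips obvious placeholders and environment references (`${DB_PASSWORD}`, `<your-api-key>`, `changeme`) to limit false positives, and accepts caller-supplied allowlist regexes. The sample `.properties`, `.env` and `.yaml` contents are constructed for the example (the `.properties` lines mirror the values quoted in the report); the key-name patterns and placeholder list are this example's own assumptions, not TruffleHog rules. For reference, TruffleHog's own extension point for this is a user-defined regex detector in a YAML config passed with `--config`, which does not include the key-name heuristics or allowlisting shown here.

```python
"""Rule-based scanner for hardcoded configuration credentials (added example).

Assumed, not from TruffleHog: the key-name patterns, the placeholder list and
the allowlist semantics below are illustrative choices for this example.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Key names that commonly hold credentials, matched case-insensitively on the
# final segment of a dotted/underscored/hyphenated key.
SENSITIVE_KEY_RE = re.compile(
    r"(?:^|[._-])(?:password|passwd|pwd|secret|secret[._-]?key|client[._-]?secret"
    r"|api[._-]?key|access[._-]?key|auth[._-]?token|token)$",
    re.I,
)

# Values that are references or placeholders rather than real secrets.
PLACEHOLDER_RE = re.compile(
    r"^(?:\$\{[^}]*\}|\$[A-Za-z_][A-Za-z0-9_]*|<[^>]+>|\*{3,}"
    r"|changeme|change_me|todo|placeholder|example|dummy|redacted|null|none|true|false|xxx+)$",
    re.I,
)

# key=value (.properties, .env, optional "export") or key: value (YAML leaf lines).
LINE_RE = re.compile(r"^\s*(?:export\s+)?(?:-\s+)?([A-Za-z0-9_.\-\[\]]+)\s*[=:]\s*(.*)$")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    key: str
    value: str


def key_is_sensitive(key: str) -> bool:
    return bool(SENSITIVE_KEY_RE.search(key))


def value_is_placeholder(value: str) -> bool:
    return not value or bool(PLACEHOLDER_RE.match(value))


def _clean_value(raw: str, is_properties: bool) -> str:
    v = raw.strip()
    if not is_properties:  # '#' starts an inline comment in YAML/.env, not in .properties
        v = re.split(r"\s+#", v, maxsplit=1)[0].rstrip()
    if len(v) >= 2 and v[0] == v[-1] and v[0] in "\"'":
        v = v[1:-1]
    return v


def scan_text(path: str, text: str, allowlist: Iterable[str] = ()) -> List[Finding]:
    """Return findings for one file; allowlist regexes suppress a line when they
    match either the key or the value (e.g. r"^test\\." for test fixtures)."""
    is_properties = path.lower().endswith(".properties")
    rules = [re.compile(a) for a in allowlist]
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#") or (is_properties and s.startswith("!")):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. .properties "key value" whitespace form is not handled here
        key, value = m.group(1), _clean_value(m.group(2), is_properties)
        if not key_is_sensitive(key) or value_is_placeholder(value):
            continue
        if any(r.search(key) or r.search(value) for r in rules):
            continue
        findings.append(Finding(path, n, key, value))
    return findings


# Constructed sample inputs (not real credentials).
SAMPLE_PROPERTIES = """\
# constructed sample; the first three values mirror the report above
knox.auth.client.secret=Ntde8=qa.wi6
jwt.secretkey=abcdsecret
test.auth.password=hello@01
db.password=${DB_PASSWORD}
"""
SAMPLE_ENV = """\
export DB_PASSWORD=s3cr3t!
DEBUG=true
API_KEY=<your-api-key>
"""
SAMPLE_YAML = """\
spring:
  datasource:
    username: app
    password: "pa55word"   # inline comment
  security:
    client-secret: changeme
"""


def scan_samples(allowlist: Iterable[str] = ()) -> List[Finding]:
    return (scan_text("app.properties", SAMPLE_PROPERTIES, allowlist)
            + scan_text(".env", SAMPLE_ENV, allowlist)
            + scan_text("application.yaml", SAMPLE_YAML, allowlist))


def redact(value: str) -> str:
    return value[:2] + "*" * max(len(value) - 2, 0)


if __name__ == "__main__":
    for f in scan_samples(allowlist=(r"^test\.",)):
        print(f"{f.path}:{f.line_no}: {f.key} = {redact(f.value)}")
```

Run as a script it reports four findings (the `test.auth.password` line is suppressed by the `^test\.` allowlist, and the `${DB_PASSWORD}`, `<your-api-key>` and `changeme` values are skipped as placeholders). Because YAML is matched line by line, nested keys are judged on the leaf name only, which is the trade-off that keeps the scanner file-format agnostic.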