In GitHub Actions, TruffleHog flags the SHA pin of a Cloudflare action as an unverified Cloudflare secret #3266

Open
nishils opened this issue Sep 4, 2024 · 1 comment

nishils commented Sep 4, 2024

Please review the Community Note before submitting

TruffleHog Version

latest via the docker registry

Trace Output

Expected Behavior

Do not flag Cloudflare actions that are SHA-pinned as issues.

Actual Behavior

Found unverified result 🐷🔑❓
Detector Type: CloudflareApiToken
Decoder Type: PLAIN
Raw result: f84a562284fc78278ff90525d9526f9c718361
Commit: <redacted>
Email: <redacted>
File: .github/workflows/test.yml
Line: 29
Repository: <redacted>
Timestamp: 2024-09-03 23:11:59 +0000

Steps to Reproduce

            - name: Publish
              uses: cloudflare/wrangler-action@f84a562284fc78278ff9052435d9526f9c718361

Have a Cloudflare action like the above, and the SHA pin will get flagged as an unverified Cloudflare secret.

Environment

GitHub CI/Docker

Additional Context

References

  • #0000

nishils added the bug label Sep 4, 2024

nishils changed the title from "In GitHub Actions, TruffleHog flags the SHA pin of a Cloudflare action as a unverified Cloudflare secret" to "In GitHub Actions, TruffleHog flags the SHA pin of a Cloudflare action as an unverified Cloudflare secret" Sep 4, 2024

rgmz (Contributor) commented Sep 25, 2024

IMO this is related to: #1517 (#3302, #1460, #1456 as well).

Need a comprehensive way to filter known false-positives from detectors.
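
One way to triage this class of false positive outside the scanner, as an added example that is not part of the issue thread or TruffleHog's own code: it suppresses a finding only when the flagged line is a `uses:` step pinned to a full 40-character commit SHA and the raw value lies inside that SHA. The function names, the finding fields and the sample workflow are assumptions constructed for illustration.

```python
import re

# `uses: owner/repo[/path]@<40 hex chars>`: an action pinned to a full commit SHA.
USES_PIN = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[0-9a-f]{40})['\"]?\s*(?:#.*)?$"
)

def pinned_ref_on_line(workflow_text, line_no):
    """Return (action, sha) if 1-based line_no is a SHA-pinned `uses:` step, else None."""
    lines = workflow_text.splitlines()
    if not 1 <= line_no <= len(lines):
        return None
    m = USES_PIN.match(lines[line_no - 1])
    return (m.group("action"), m.group("ref")) if m else None

def is_sha_pin_false_positive(workflow_text, line_no, raw):
    """True only when the flagged value lies inside the pinned commit SHA itself."""
    pin = pinned_ref_on_line(workflow_text, line_no)
    return bool(pin) and bool(raw) and raw in pin[1]

def triage(workflow_text, findings):
    """Split findings into (suppressed, kept); anything not provably a pin is kept."""
    suppressed, kept = [], []
    for f in findings:
        hit = is_sha_pin_false_positive(workflow_text, f["line"], f["raw"])
        (suppressed if hit else kept).append(f)
    return suppressed, kept

# Constructed sample: the step from the issue plus a step that embeds a placeholder token.
WORKFLOW = """\
jobs:
  deploy:
    steps:
      - name: Publish
        uses: cloudflare/wrangler-action@f84a562284fc78278ff9052435d9526f9c718361
      - name: Deploy
        run: curl -H "Authorization: Bearer EXAMPLEtokenEXAMPLEtokenEXAMPLEtoken0000" https://example.invalid
"""
FINDINGS = [  # constructed; field names are this example's own, not TruffleHog's output schema
    {"line": 5, "raw": "f84a562284fc78278ff9052435d9526f9c718361"},
    {"line": 7, "raw": "EXAMPLEtokenEXAMPLEtokenEXAMPLEtoken0000"},
]

if __name__ == "__main__":
    print(triage(WORKFLOW, FINDINGS))
```

Findings on any other line, or on a `uses:` line that references a tag or branch instead of a full SHA, are kept for review.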
