
Enable use of .gitignore for exclusions in filesystem scans #3356

Open

bawgz opened this issue Oct 1, 2024 · 4 comments

@bawgz

bawgz commented Oct 1, 2024

Description

The flag for --exclude-paths expects a file with line-separated regexes to be provided. Most projects will have a .gitignore file with line-separated glob patterns that would likely be the set of files you'd want excluded from a TruffleHog scan. It seems natural to accept a file with glob patterns as an exclusion list.

Preferred Solution

A new flag --exclude-paths-glob that takes in a file with newline-separated glob patterns. These glob patterns can be read in, translated to regex using the glob package and included in the exclude Filter rules alongside any regexes coming from --exclude-paths.

Additional Context

N/A

References

N/A
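The translation sketched under Preferred Solution, as an added example written for this page rather than TruffleHog's own code or the glob package the issue refers to: it converts gitignore-style globs into anchored Go regular expressions, loads them from --exclude-paths-glob style text, and keeps them in one ordered rule list together with a raw --exclude-paths regex. It goes a step beyond the proposal by honouring "!" negation lines with gitignore's last-match-wins rule. The glob subset implemented, the names globToRegex, ParseGlobs, ExcludeFilter and NewDemoFilter, the sample .gitignore text and the demo paths are all assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// rule is one compiled exclusion; negate marks a "!pattern" line (re-include).
type rule struct {
	re     *regexp.Regexp
	negate bool
}

type ExcludeFilter struct{ rules []rule } // rules in file order; last match wins

// globToRegex translates one gitignore-style glob into an anchored regexp over
// '/'-separated paths relative to the scan root. Subset assumed here: "**" spans
// segments, "*" and "?" stay within one segment, a pattern containing a non-trailing
// "/" is anchored to the root (otherwise any depth), a trailing "/" means directory only.
func globToRegex(pattern string) string {
	dirOnly := strings.HasSuffix(pattern, "/")
	anchored := strings.HasPrefix(pattern, "/") || strings.Contains(strings.Trim(pattern, "/"), "/")
	pattern = strings.Trim(pattern, "/")
	re := "^"
	if !anchored {
		re += "(?:.*/)?"
	}
	for i := 0; i < len(pattern); i++ {
		rest := pattern[i:]
		switch {
		case strings.HasPrefix(rest, "**/"):
			i += 2 // "**/" matches zero or more leading directories
			re += "(?:.*/)?"
		case strings.HasPrefix(rest, "**"):
			i++ // "**" spans path segments
			re += ".*"
		case rest[0] == '*':
			re += "[^/]*"
		case rest[0] == '?':
			re += "[^/]"
		default:
			re += regexp.QuoteMeta(rest[:1]) // byte-wise, so UTF-8 passes through intact
		}
	}
	if dirOnly {
		return re + "/.*$" // only the directory's contents
	}
	return re + "(?:/.*)?$" // a matched directory excludes its contents too
}

// ParseGlobs parses newline-separated globs, the proposed --exclude-paths-glob
// file content. Blank lines and "#" comments are skipped, as in .gitignore.
func ParseGlobs(text string) (*ExcludeFilter, error) {
	f := &ExcludeFilter{}
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		negate := strings.HasPrefix(line, "!")
		re, err := regexp.Compile(globToRegex(strings.TrimPrefix(line, "!")))
		if err != nil {
			return nil, fmt.Errorf("glob %q: %w", line, err)
		}
		f.rules = append(f.rules, rule{re: re, negate: negate})
	}
	return f, nil
}

// Excluded reports whether a '/'-separated path relative to the scan root is skipped.
func (f *ExcludeFilter) Excluded(path string) bool {
	excluded := false
	for _, r := range f.rules {
		if r.re.MatchString(strings.TrimPrefix(path, "./")) {
			excluded = !r.negate // later rules override earlier ones
		}
	}
	return excluded
}

// sampleGitignore is constructed for this demo.
const sampleGitignore = "# build output\n/build/\nnode_modules\n*.log\n!keep.log\n.env\n**/secrets/*.pem\n"

// NewDemoFilter parses sampleGitignore and appends one raw, unanchored regex of
// the kind --exclude-paths already takes, so both rule types share one filter.
func NewDemoFilter() (*ExcludeFilter, error) {
	f, err := ParseGlobs(sampleGitignore)
	if err != nil {
		return nil, err
	}
	f.rules = append(f.rules, rule{re: regexp.MustCompile(`(?i)^testdata/`)})
	return f, nil
}

func main() {
	f, _ := NewDemoFilter() // sampleGitignore is a fixed constant, so no error path here
	fmt.Println(f.Excluded("config/.env"), f.Excluded("logs/keep.log"), f.Excluded("secrets/nested/key.pem"))
}
```

Paths are matched with '/' separators relative to the scan root, so a caller on Windows would run filepath.ToSlash on each path first. Note the asymmetry this preserves: translated globs are anchored with ^ and $ so that `.env` does not also exclude `.env.example`, while a regex from --exclude-paths stays unanchored exactly as that flag behaves today.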

@rgmz
Contributor

rgmz commented Oct 1, 2024

> Most projects will have a .gitignore file with line separated glob patterns that would likely be the set of files you'd want excluded from a TruffleHog scan.

Typically the files you don't want to commit are the most likely to contain credentials — but I agree it would be useful.

@bawgz
Author

bawgz commented Oct 1, 2024

> > Most projects will have a .gitignore file with line separated glob patterns that would likely be the set of files you'd want excluded from a TruffleHog scan.
>
> Typically the files you don't want to commit are the most likely to contain credentials — but I agree it would be useful.

Exactly. It's safe to exclude a .env file, for example, which would contain secrets, from the TruffleHog scan because it's in the .gitignore file and thus is not in danger of being committed to a remote repository.

@rgmz
Contributor

rgmz commented Oct 1, 2024

> It's safe to exclude a .env file, for example, which would contain secrets, from the TruffleHog scan because it's in the .gitignore file and thus is not in danger of being committed to a remote repository.

Ah, but what if that wasn't always the case? What if it was only added to the .gitignore after someone accidentally pushed theirs?

This is a frequent mistake and source of leaks in my experience.

@bawgz
Author

bawgz commented Oct 1, 2024

> Ah, but what if that wasn't always the case? What if it was only added to the .gitignore after someone accidentally pushed theirs?
>
> This is a frequent mistake and source of leaks in my experience.

I don't think they should be using a filesystem scan if their concern is finding things that have already been pushed to a remote repository. I see the filesystem scan serving the purpose of preventing future leaks, whereas a git scan can help find and remediate past leaks.
