
Trufflehog does not consider commits in quarantine when run as a pre-receive hook #4035

Open
@mukesh-dream11

Description


TruffleHog Version

trufflehog 3.88.23

Trace Output

https://gist.github.com/mukesh-dream11/246820fa9d57c4019776f77a51856f67

Expected Behavior

After git push, trufflehog should detect the secret, fail with an error code and thus prevent the push from happening.

Actual Behavior

Trufflehog does not detect the secret, since the offending commit is in the quarantine area when the pre-receive hook is invoked.

Steps to Reproduce

Run the following script:

#!/bin/bash

rm -rf test-base.git test-workdir

git init --bare test-base.git
cat > test-base.git/hooks/pre-receive << '_EOF'
#!/bin/bash -e
# receive-pack feeds one "<oldrev> <newrev> <refname>" line per ref being updated
while read oldrev newrev refname; do
  if [[ "$oldrev" =~ ^0{40}$ ]]; then
    # new ref: scan the whole repository
    trufflehog --no-update --log-level=5 git file://. --bare --only-verified --fail
  else
    # existing ref: scan only commits after the previous tip
    trufflehog --no-update --log-level=5 git file://. --bare --since-commit="$oldrev" --only-verified --fail
  fi
done
_EOF
chmod +x test-base.git/hooks/pre-receive

git clone test-base.git test-workdir
cd test-workdir

# The following step should fail, but does not
# (the credential is the public basic-auth demo endpoint, which trufflehog verifies)
echo "https://admin:admin@the-internet.herokuapp.com/basic_auth" >> README.md && git add . && git commit -m test && git push -u origin HEAD

# After the push is successful and the ref is updated, manually running trufflehog again will fail as expected
echo "Running trufflehog manually post ref update"
cd ../test-base.git
trufflehog --no-update --log-level=5 git file://. --bare --only-verified --fail

Environment

  • OS: macOS
  • Version Sequoia 15.3.2

References

  1. https://git-scm.com/docs/git-receive-pack#_quarantine_environment
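To show the mechanism behind the report, here is an added shell demo (not from the issue or the TruffleHog project) that drives the same pre-receive flow with plain git and records, from inside the hook, what a ref-walking scan can see versus what the quarantine environment actually exposes; it assumes git is on PATH and that mktemp can create a writable scratch directory.

```shell
#!/bin/bash
# Added demonstration (not from the issue report): reproduces the quarantine
# behaviour behind the bug with plain git, no TruffleHog needed.
# Assumes git is on PATH and mktemp can create a writable scratch directory.
set -eu

# Prints one line "<ref-view> <object-view> <count>" produced inside pre-receive.
quarantine_demo() (
  work=$(mktemp -d)
  cd "$work"
  git init -q --bare base.git

  # The hook records three views of the incoming commit:
  #  1. reachable/unreachable: found by walking existing refs, which is all a
  #     scanner that clones the repo can see before the ref is updated
  #  2. present/missing: readable at all; quarantined objects are exposed to the
  #     hook via GIT_OBJECT_DIRECTORY / GIT_ALTERNATE_OBJECT_DIRECTORIES
  #  3. number of commits enumerable when starting from newrev itself
  cat > base.git/hooks/pre-receive <<'EOF'
#!/bin/sh
while read oldrev newrev refname; do
  if git rev-list --all | grep -q "$newrev"; then r=reachable; else r=unreachable; fi
  if git cat-file -e "$newrev"; then p=present; else p=missing; fi
  n=$(git rev-list --count "$newrev")
  echo "$r $p $n" > hook-result   # a pre-receive hook runs with cwd = bare repo
done
exit 0
EOF
  chmod +x base.git/hooks/pre-receive

  git clone -q base.git work 2>/dev/null
  cd work
  echo "constructed sample content, no real secret" > README.md
  git add README.md
  git -c user.name=demo -c user.email=demo@example.invalid commit -q -m sample
  git push -q origin HEAD 2>/dev/null

  cat ../base.git/hook-result
  cd / && rm -rf "$work"
)

quarantine_demo
```

The output `unreachable present 1` is the whole bug in one line: the pushed commit is readable and enumerable from the `newrev` the hook receives on stdin, but no ref points at it yet, so a scan that clones the repository and walks its refs never visits it.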
