Open
Description
TruffleHog Version
trufflehog 3.88.23
Trace Output
https://gist.github.com/mukesh-dream11/246820fa9d57c4019776f77a51856f67
Expected Behavior
After git push, trufflehog should detect the secret, fail with an error code and thus prevent the push from happening.
Actual Behavior
Trufflehog does not detect the secret, since the offending commit is in the quarantine area when the pre-receive hook is invoked.
Steps to Reproduce
Run the following script:
#!/bin/bash
# Start from a clean slate: a bare "server" repository and a working clone.
rm -rf test-base.git test-workdir
git init --bare test-base.git
# Install a pre-receive hook that runs trufflehog against the bare repository.
cat > test-base.git/hooks/pre-receive << '_EOF'
#!/bin/bash -e
# git feeds one "<oldrev> <newrev> <refname>" line per updated ref on stdin.
while read oldrev newrev refname; do
    if [[ "$oldrev" =~ ^0{40}$ ]]; then
        # New ref: there is no previous tip, so scan the repository's refs as they are.
        trufflehog --no-update --log-level=5 git file://. --bare --only-verified --fail
    else
        # Existing ref: scan only what was added since the old tip.
        trufflehog --no-update --log-level=5 git file://. --bare --since-commit="$oldrev" --only-verified --fail
    fi
done
_EOF
chmod +x test-base.git/hooks/pre-receive
git clone test-base.git test-workdir
cd test-workdir
# The following step should fail, but does not
echo "https://admin:[email protected]/basic_auth" >> README.md && git add . && git commit -m test && git push
# After the push is successful and the ref is updated, manually running trufflehog again will fail as expected
echo "Running trufflehog manually post ref update"
cd ../test-base.git
trufflehog --no-update --log-level=5 git file://. --bare --only-verified --fail
Environment
- OS: macOS
- Version Sequoia 15.3.2
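The hook in the report asks trufflehog to walk the refs of the bare repository, and at pre-receive time no ref points at the pushed commit yet: receive-pack keeps the incoming objects in a quarantine directory until the hook accepts the update. Git does, however, export GIT_OBJECT_DIRECTORY and GIT_ALTERNATE_OBJECT_DIRECTORIES to the hook, so git plumbing run inside it can read the quarantined objects by hash. The script below is an added example, not code from the issue or from the TruffleHog project. It lists exactly the commits a ref update introduces, exports the blobs each of them adds or modifies to a scratch directory, and runs a filesystem scan over that. It assumes trufflehog is on PATH and uses trufflehog filesystem with the same flags as the reporter's script; the SCANNER variable and the function names are this example's own, not trufflehog options.

```bash
#!/bin/bash
# Added example (not from the TruffleHog project or the issue reporter): a
# pre-receive hook that scans the commits being pushed instead of the refs
# already in the repository. Inside pre-receive the pushed objects sit in a
# quarantine directory and no ref points at them yet, but git exports
# GIT_OBJECT_DIRECTORY / GIT_ALTERNATE_OBJECT_DIRECTORIES to the hook, so the
# git plumbing used here can still read them by hash.
set -euo pipefail

# An all-zero object id means "no old value" (ref created) or "no new value"
# (ref deleted); 0+ covers both SHA-1 and SHA-256 repositories.
ZERO_OID='^0+$'

# Scanner run on a directory of exported blobs. Assumption: trufflehog is on
# PATH; the default uses only flags the issue's own script already uses.
# SCANNER is this example's override hook (set it to a shell function to test
# without trufflehog); it is not a trufflehog option.
SCANNER="${SCANNER:-trufflehog filesystem --no-update --only-verified --fail}"

# Commits this ref update introduces. For a brand-new ref there is no oldrev,
# so take everything not reachable from the refs that already exist.
pushed_commits() {
    local oldrev="$1" newrev="$2"
    if [[ "$oldrev" =~ $ZERO_OID ]]; then
        git rev-list "$newrev" --not --all
    else
        git rev-list "$oldrev..$newrev"
    fi
}

# Write every blob added or modified by each pushed commit to
# <outdir>/<commit>/<path>. Exporting per commit means a secret that was
# added and then removed within the same push is still seen. -z keeps paths
# with unusual characters intact; --diff-filter=AM skips deletions.
export_pushed_blobs() {
    local oldrev="$1" newrev="$2" outdir="$3"
    local commit path _srcmode _dstmode _srcsha dstsha _status
    while read -r commit; do
        git diff-tree --no-commit-id --root -r -m -z --diff-filter=AM "$commit" \
        | while read -r -d '' _srcmode _dstmode _srcsha dstsha _status \
              && read -r -d '' path; do
            mkdir -p "$outdir/$commit/$(dirname "$path")"
            git cat-file blob "$dstsha" > "$outdir/$commit/$path"
        done
    done < <(pushed_commits "$oldrev" "$newrev")
}

# Export the pushed content to a scratch directory, scan it, clean up and
# return the scanner's exit status (non-zero rejects the push).
scan_push() {
    local oldrev="$1" newrev="$2" rc=0 tmp
    tmp=$(mktemp -d)
    export_pushed_blobs "$oldrev" "$newrev" "$tmp"
    if [ -n "$(ls -A "$tmp")" ]; then
        $SCANNER "$tmp" || rc=$?
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Hook entry point: one "<oldrev> <newrev> <refname>" line per ref on stdin.
# Every ref is scanned even after a failure so the pusher sees all findings;
# any failure rejects the whole push.
main() {
    local oldrev newrev refname status=0
    while read -r oldrev newrev refname; do
        if [[ "$newrev" =~ $ZERO_OID ]]; then
            continue   # ref deletion: nothing new to scan
        fi
        scan_push "$oldrev" "$newrev" || status=1
    done
    exit "$status"
}

# Run the hook loop only when installed as hooks/pre-receive; under any other
# name the functions above can be sourced and exercised directly.
if [[ "${0##*/}" == "pre-receive" ]]; then
    main
fi
```

Installed as test-base.git/hooks/pre-receive in the reporter's setup, this hook rejects the push of the README change because the exported blob carries the credential regardless of whether a ref has been updated. It scans file content only: a secret that appears solely in a commit message is not exported, and a push that rewrites a long history exports every touched blob of every commit in the range, so very large pushes take correspondingly longer to scan.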