Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

GitHub scan does not include private repos for the user specified in --org, even when authenticated #3349

Open
CameronLonsdale opened this issue Sep 30, 2024 · 5 comments
Labels

Comments

@CameronLonsdale
Copy link

Please review the Community Note before submitting

TruffleHog Version

trufflehog 3.82.6

Trace Output

Can be provided if necessary

Expected Behavior

I would have expected trufflehog github --org cameronlonsdale to scan all my public and private repositories / gists IF I provide a GItHub API token with the appropriate scopes. However it seems like only public repositories were scanned.

The API token I'm using has the following scopes gist, read:org, read:user, repo

Actual Behavior

Only public repositories were scanned (and no private repositories)

Steps to Reproduce

Create an appropriately scoped GitHub Token and then scan your own user with trufflehog github --org <my-username> and evaluate the output to see how many repositories were scanned, e.g. Completed enumeration {"source_manager_worker_id": "qtPLB", "num_repos": 32, "num_orgs": 1, "num_members": 0}. Compare this with the number of repositories that belong to your user (ignoring forks)

Environment

  • OS: MacOS
  • Version 14.6
@rgmz
Copy link
Contributor

rgmz commented Sep 30, 2024

trufflehog github --org <my-username>

It should. How are you specifying the token?

@CameronLonsdale
Copy link
Author

Via the GITHUB_TOKEN environment variable. Also tried out the --token CLI parameter but was no different.

@CameronLonsdale
Copy link
Author

From my testing it will scan private gists, but not private repositories

@benjamin-issa
Copy link

benjamin-issa commented Oct 4, 2024

Very new to trufflehog, but also seeing this today on MacOS 14.7 with trufflehog 3.82.6. also tried env var and specifying --token parameter.

@JonZeolla
Copy link
Contributor

Interesting enough, if I run with --org it does properly scan my private repo, and finds my testing creds properly, but when I swap that with --repo (same exact token) I get:

2024-10-09T10:08:42Z error trufflehog error running scan {"error": "engine failed to finish execution: fatal: no repoInfo for URL: https://github.com/<private_org>/<private_repo>.git"}

I'm using the docker image like docker run -e GITHUB_TOKEN ghcr.io/trufflesecurity/trufflehog github --repo=https://github.com/<private_org>/<private_repo>.git --no-verification --issue-comments --pr-comments --fail

This is an M3 mac running 15.0.1. The container is running trufflehog 3.82.7

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Development

No branches or pull requests

4 participants