Scan GitHub and GitLab refs that aren't cloned by default

[rgmz]

Description:

This fixes #1588.

In my experience, this find significantly more secrets with a negligible performance impact.

The only issue is that these secrets are technically not a part of the repository, so refactoring may be necessary to indicate that a result comes from a historical PR/MR branch. It now outputs the source pull/merge request (based on git log --source), in case the commit only exists in the PR history and not the actual repo history, which can happen when PRs are squashed.

✅ Found verified result 🐷🔑
Detector Type: AWS
Decoder Type: PLAIN
Raw result: AKIAXYZDQCEN4B6JSJQI
Resource_type: Access key
Account: 534261010715
Is_canary: true
Message: This is an AWS canary token generated at canarytokens.org, and was not set off; learn more here: https://trufflesecurity.com/canaries
Arn: arn:aws:iam::534261010715:user/canarytokens.com@@88uc3ciwodujg5f18inco2yvu
Pull Request: 2387
Commit: e47780e2e4d2dbaa3d1e63bdfe1cf00eb2c5681b
Email: Ahrav Dutta <[email protected]>
File: pkg/gitparse/gitparse_test.go
Line: 715
Link: https://github.com/trufflesecurity/trufflehog/blob/e47780e2e4d2dbaa3d1e63bdfe1cf00eb2c5681b/pkg/gitparse/gitparse_test.go#L715
Repository: https://github.com/trufflesecurity/trufflehog.git
Timestamp: 2024-02-05 17:37:58 +0000

Checklist:

• Tests passing (make test-community)?
• Lint passing (make lint this requires golangci-lint)?

[CLAassistant]

All committers have signed the CLA.

[rosecodym]

This is awesome! Just to make sure I understand: This PR has two discrete changes, right? (Pulling down all the refs and printing the source ref of found secrets.)

[rosecodym]

This is pretty neat - I'm only requesting changes because of the fact that the PR adds the expanded refs functionality unilaterally, no matter whether it's enabled. (I suspect this is a rebase artifact.)

[rosecodym]

Can I ask why you reordered these fields everywhere, or, alternatively, how the new order was picked? This isn't blocking or anything but it does add review noise so I'm curious about whether there's a reason for it I'm not picking up on.

[rgmz]

It's been a while; IIRC, I ran into issues caused by SourceMetadataFunc being a long list of strings with an arbitrary order. I tried to order the fields semantically (based on git log) so that it was easier to grok at a glance and compare uses of SourceMetadataFunc like-for-like.

commit 8d2c7e6760b9bdc4fe36fee11cb3f28d7e469203 (HEAD -> feat/additional-refspecs)
Author: Richard Gomez <[email protected]>
Date:   Fri Apr 12 08:53:18 2024 -0400

    feat(gitparse): track ref sources

diff --git a/hack/snifftest/main.go b/hack/snifftest/main.go
...

[rosecodym]

Why did you add this?

[rgmz]

It's from this hidden comment thread. GitHub's PR UI is a nightmare.

[rosecodym]

Does "hidden" just mean "not visible via the respective web UI?" My small concern here is that this also happens if we simply fail to parse the relevant ref because we made a mistake somewhere. What do you think of just returning the ref as-is in that case - would it be confusing?

[rgmz]

Does "hidden" just mean "not visible via the respective web UI?"

It means "not visible with default Git behaviour"; sometimes these refs are only discoverable via the web UI or API. The term is inspired by this blog post.

The Git ref namespace (refs/*) can store almost any path, however, Git and Git-adjacent tools only look at refs/heads/* and refs/tags/*. Other refs (if they exist) aren't fetched unless you explicitly request them from a remote.

Two examples of this are:

1. Deleted GitHub/GitLab pull request branches being stored under refs/pull/* and refs/merge-requests/*
2. Deleted commits that are manually fetched

My small concern here is that this also happens if we simply fail to parse the relevant ref because we made a mistake somewhere. What do you think of just returning the ref as-is in that case - would it be confusing?

I think it's worth signaling that these refs are special and don't technically exist in the repository. Returning the ref as-is is already a source of confusion (#3493).