Still finding secrets in GitHub after modifying history #521 #3493

Open
luigi-benvenaglia opened this issue Oct 22, 2024 · 1 comment
I ran trufflehog against my GitHub Org. I discovered some secrets.

I then followed the steps below to clean up my history:

  1. Installed bfg repo cleaner and trufflehog

  2. Performed git clone --bare git@github.com:MyOrg/MyRepo.git

  3. Created a file named sensitive.txt with one line, containing a password that had been leaked into GitHub.

  4. Executed bfg --replace-text sensitive.txt

  5. Ran git reflog expire --expire=now --all && git gc --prune=now --aggressive from within the bare repo's folder

  6. Ran git push --force --all

Now comes the interesting part.

The secret is still available in GitHub when I visit

https://github.com/MyOrg/MyRepo/blob/<commit-sha-where-the-sensitive-data-was-added>/folder1/folder2/filename.php#L13

This is more or less expected since github states that:

those commits may still be accessible elsewhere:

  • In any clones or forks of your repository

  • Directly via their SHA-1 hashes in cached views on GitHub

  • Through any pull requests that reference them

So running

trufflehog github --only-verified git@github.com:MyOrg/MyRepo.git

still finds that commit and the secret.

What I don't understand is why

trufflehog git --only-verified git@github.com:MyOrg/MyRepo.git

i.e. the git scanner still finds the secret, while at the same time trying to checkout the specific commit results in an error

git checkout <commit-sha-where-the-sensitive-data-was-added>
error: pathspec '<commit-sha-where-the-sensitive-data-was-added>' did not match any file(s) known to git
rgmz (Contributor) commented Oct 22, 2024

i.e. the git scanner still finds the secret, while at the same time trying to checkout the specific commit results in an error

git checkout <commit-sha-where-the-sensitive-data-was-added>
error: pathspec '<commit-sha-where-the-sensitive-data-was-added>' did not match any file(s) known to git

Try doing git clone --mirror ... and then running that.
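To make rgmz's suggestion concrete, here is an added shell walk-through (not part of the issue, and not trufflehog's or BFG's code). It builds a throwaway repository in which a leaked commit has been dropped from the branch but is still pointed at by a constructed refs/pull/1/head ref, mimicking the pull-request refs the quoted GitHub note mentions, and then compares a plain clone with a --mirror clone. The plain clone never receives the commit object, which is exactly the situation behind the "pathspec ... did not match" error; the mirror clone does receive it, and git for-each-ref --contains names the ref that keeps it alive. The repository layout, the ref name and the placeholder password are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the issue, trufflehog or BFG): why a rewritten commit
# is absent from a plain clone but present in a --mirror clone.
# Everything is constructed locally in temp directories; no network is used.
set -eu

# git with a fixed identity so commits work in any environment.
gitc() { git -c user.name=demo -c user.email=demo@example.invalid "$@"; }

# Build a bare "remote" whose branch history no longer contains the leaked
# commit, but which still carries a pull-request-style ref pointing at it.
# Prints: "<remote-path> <leaked-sha>".
setup_remote() {
  work="$(mktemp -d)"
  src="$work/src"
  remote="$work/origin.git"
  gitc init -q "$src"
  gitc -C "$src" commit -q --allow-empty -m "initial"
  # Constructed placeholder value, not a real credential.
  printf 'password=PLACEHOLDER_LEAKED_VALUE\n' > "$src/config.php"
  gitc -C "$src" add config.php
  gitc -C "$src" commit -q -m "add config containing a secret"
  leaked="$(git -C "$src" rev-parse HEAD)"
  # Mimic the refs/pull/<n>/head ref a hosting service keeps for a PR.
  git -C "$src" update-ref refs/pull/1/head "$leaked"
  # "History rewrite": the branch drops the leaked commit.
  git -C "$src" reset -q --hard HEAD~1
  # Publish every ref (including refs/pull/*) to the bare remote.
  # --no-local forces the real transport instead of copying the object store.
  git clone -q --no-local --mirror "$src" "$remote"
  echo "$remote $leaked"
}

# Clone the way a developer normally would: branches and tags only.
plain_clone() { dest="$(mktemp -d)/plain"; git clone -q --no-local "$1" "$dest"; echo "$dest"; }

# Clone the way rgmz suggests: every ref the server advertises.
mirror_clone() { dest="$(mktemp -d)/mirror.git"; git clone -q --no-local --mirror "$1" "$dest"; echo "$dest"; }

# Is the commit object physically present in the clone? Prints present|missing.
object_state() {
  if git -C "$1" cat-file -e "$2^{commit}" 2>/dev/null; then echo present; else echo missing; fi
}

# Which refs in the clone still reach the commit (one per line, empty if none).
refs_reaching() { git -C "$1" for-each-ref --contains "$2" --format='%(refname)'; }

# Walk-through: the plain clone cannot even resolve the SHA (the checkout
# error from the issue), the mirror can show the file and names the ref.
demo() {
  r="$(setup_remote)"; remote="${r% *}"; sha="${r#* }"
  plain="$(plain_clone "$remote")"; mirror="$(mirror_clone "$remote")"
  echo "plain clone : $(object_state "$plain" "$sha")"
  echo "mirror clone: $(object_state "$mirror" "$sha")"
  echo "--- git checkout in the plain clone:"
  git -C "$plain" checkout "$sha" 2>&1 >/dev/null || true
  echo "--- refs still reaching the leaked commit in the mirror:"
  refs_reaching "$mirror" "$sha"
  echo "--- leaked content is still readable from the mirror:"
  git -C "$mirror" cat-file -p "$sha:config.php"
}

demo
```

The practical takeaway for remediation is the last two lines of output: a scanner that fetches all refs (or the service's cached views) still sees the secret as long as any ref, including a pull-request ref you cannot delete yourself, reaches the commit, so the credential has to be rotated regardless of how thoroughly the branch history was rewritten.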

2 participants