Add extra data if the private github key doesnt have access

[jonathongardner]

Description

I commonly come across leaked github keys. The issue is TH shows them as verified (and shows the user who they belong to) but the key has been flagged so it doesnt provide access to any repositories. It would be helpful if there was a way to flag these types of findings.

Preferred Solution

Add an extra field KeyNeedsApproval to ExtraData.

Additional Context

You can see if a key needs approval:

$ ssh -F /dev/null -o IdentitiesOnly=yes -i testkey_ec.priv git@github.com "git-upload-pack 'trufflesecurity/trufflehog.git'"
ERROR: We're doing an SSH key audit.
Reason: unverified automatically (private key found in a public repository)
Please visit https://github.com/settings/keys/110617020 to approve this key so we know it's safe.

[shahzadhaider1]

Hi @jonathongardner,

Thank you for taking the time to open this issue, we really appreciate your contribution to the project!

Just to clarify - have you had a chance to try out the Analyzer in TruffleHog?

Detectors are focused on finding and verifying secrets, but Analyzers go a step further: they take a secret and enumerate the resources or permissions it grants. That sounds very similar to what you’re describing here with GitHub keys that may be valid but limited until approved. In detectors, we generally only try to check if the secret is valid or not.

[jonathongardner]

Hey I have heard about it but have not gotten a chance to check it out. It might cover it, if so that would be great!

How would i run the analyzer? I currently do:

trufflehog filesystem -j /foo

not sure how to run the analyzer on my secret than tried:

trufflehog analyze --help

but that wasnt helpful for how to use it

[shahzadhaider1]

trufflehog filesystem is used to scan the local filesystem.

To run the analyzer, simply run the following command:

trufflehog analyze

This launches an interactive terminal UI that lists all available analyzers. You can navigate with the arrow keys and hit Enter to pick the one you’d like to run. The next screen will prompt you for the required inputs. Once those are filled in and confirmed, the analyzer kicks off and evaluates the secret’s effective permissions, access levels, and resources.