Description
TruffleHog Version
3.90.3
Trace Output
2025-08-04T18:02:42+03:00 info-2 trufflehog trufflehog 3.90.3
🐷🔑🐷 TruffleHog. Unearth your secrets. 🐷🔑🐷
2025-08-04T18:02:42+03:00 info-4 trufflehog default engine options set
2025-08-04T18:02:42+03:00 info-4 trufflehog engine initialized
2025-08-04T18:02:42+03:00 info-4 trufflehog setting up aho-corasick core
2025-08-04T18:02:42+03:00 info-4 trufflehog set up aho-corasick core
2025-08-04T18:02:42+03:00 info-2 trufflehog starting scanner workers {"count": 12}
2025-08-04T18:02:42+03:00 info-2 trufflehog starting detector workers {"count": 96}
2025-08-04T18:02:42+03:00 info-2 trufflehog starting verificationOverlap workers {"count": 12}
2025-08-04T18:02:42+03:00 info-2 trufflehog starting notifier workers {"count": 12}
2025-08-04T18:02:42+03:00 info-0 trufflehog running source {"source_manager_worker_id": "RiiZJ", "with_units": true}
2025-08-04T18:02:42+03:00 info-2 trufflehog enumerating source {"source_manager_worker_id": "RiiZJ"}
2025-08-04T18:02:42+03:00 info-3 trufflehog chunking unit {"source_manager_worker_id": "RiiZJ", "unit_kind": "unit", "unit": "demo.php"}
2025-08-04T18:02:42+03:00 info-3 trufflehog scanning file {"source_manager_worker_id": "RiiZJ", "unit_kind": "unit", "unit": "demo.php", "path": "demo.php"}
2025-08-04T18:02:42+03:00 info-5 trufflehog dataErrChan closed, all chunks processed {"source_manager_worker_id": "RiiZJ", "unit_kind": "unit", "unit": "demo.php", "path": "demo.php", "mime": "text/x-php", "timeout": 60}
2025-08-04T18:02:42+03:00 info-4 trufflehog finished scanning chunks {"scanner_worker_id": "CyJ48"}
2025-08-04T18:02:42+03:00 info-4 trufflehog finished scanning chunks {"scanner_worker_id": "FcMh8"}
2025-08-04T18:02:42+03:00 info-4 trufflehog finished scanning chunks {"scanner_worker_id": "iYblC"}
2025-08-04T18:02:42+03:00 info-4 trufflehog finished scanning chunks {"scanner_worker_id": "sH3PW"}
2025-08-04T18:02:42+03:00 info-4 trufflehog finished scanning chunks {"scanner_worker_id": "78JxB"}
2025-08-04T18:02:42+03:00 info-4 trufflehog finished scanning chunks {"scanner_worker_id": "2KWRN"}
2025-08-04T18:02:42+03:00 info-4 trufflehog finished scanning chunks {"scanner_worker_id": "9vmsO"}
2025-08-04T18:02:42+03:00 info-4 trufflehog finished scanning chunks {"scanner_worker_id": "RfXeW"}
2025-08-04T18:02:42+03:00 info-4 trufflehog finished scanning chunks {"scanner_worker_id": "F3VcD"}
2025-08-04T18:02:42+03:00 info-4 trufflehog finished scanning chunks {"scanner_worker_id": "rYaPS"}
2025-08-04T18:02:42+03:00 info-4 trufflehog finished scanning chunks {"scanner_worker_id": "KVwoD"}
2025-08-04T18:02:42+03:00 info-4 trufflehog finished scanning chunks {"scanner_worker_id": "nyaUL"}
2025-08-04T18:02:42+03:00 info-5 trufflehog Starting to detect chunk {"detector_worker_id": "s8QAX", "detector": {"type":"Github","version":1}, "decoder_type": "PLAIN", "chunk_source_name": "trufflehog - filesystem", "chunk_source_id": 1, "chunk_source_metadata": "filesystem:{file:\"demo.php\"}"}
2025-08-04T18:02:43+03:00 info-4 trufflehog link is empty, skipping update {"detector_worker_id": "s8QAX", "detector": {"type":"Github","version":1}, "decoder_type": "PLAIN", "chunk_source_name": "trufflehog - filesystem", "chunk_source_id": 1, "chunk_source_metadata": "filesystem:{file:\"demo.php\"}", "timeout": 10}
2025-08-04T18:02:43+03:00 info-5 trufflehog Finished detecting chunk {"detector_worker_id": "s8QAX", "detector": {"type":"Github","version":1}, "decoder_type": "PLAIN", "chunk_source_name": "trufflehog - filesystem", "chunk_source_id": 1, "chunk_source_metadata": "filesystem:{file:\"demo.php\"}"}
Found unverified result 🐷🔑❓
Detector Type: Github
Decoder Type: PLAIN
Raw result: 9d14621e59f22c2b6d030d92d37ffe5ae1e60452
Rotation_guide: https://howtorotate.com/docs/tutorials/github/
Version: 1
File: demo.php
Line: 3
2025-08-04T18:02:43+03:00 info-0 trufflehog finished scanning {"chunks": 1, "bytes": 130, "verified_secrets": 0, "unverified_secrets": 1, "scan_duration": "312.687667ms", "trufflehog_version": "3.90.3", "verification_caching": {"Hits":0,"Misses":1,"HitsWasted":0,"AttemptsSaved":0,"VerificationTimeSpentMS":308}}
Expected Behavior
TruffleHog shouldn't flag https://api.github.com/repos/symfony/monolog-bridge/zipball/9d14621e59f22c2b6d030d92d37ffe5ae1e60452 as a GitHub token. It's a valid URL for a GitHub repository's zipball, not a sensitive credential.
Actual Behavior
TruffleHog version 3.90.3 incorrectly detected the GitHub repository URL provided as a GitHub token, causing a false positive.
Steps to Reproduce
- Create a file named demo.php (or any text file) with the following content:
  <?php $package = 'https://api.github.com/repos/symfony/monolog-bridge/zipball/9d14621e59f22c2b6d030d92d37ffe5ae1e60452'; // ...
- Run TruffleHog against this file:
trufflehog filesystem demo.php
- Observe the false positive detection of a GitHub token.
Environment
- OS: macOS
- Version: 15.5
Additional Context
This commonly affects composer.lock, which is generated by Composer, the PHP package manager. These files often contain GitHub zipball URLs as package references.
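The raw result in the trace above is exactly the 40-hex-character commit SHA from the zipball URL, which is also the shape of a classic GitHub token, so a shape-only match cannot tell the two apart. The following is an added example, not code from this issue or from TruffleHog's own detector: a small context-aware pre-filter in Go that finds 40-hex candidates and marks those that sit directly after a commit-reference context (GitHub zipball/tarball/commit/archive path segments, or composer.lock's "reference" field). The sample input is constructed for the example (a composer.lock-style fragment carrying the URL from the report, plus a placeholder 40-hex value that is not a real token), and the list of context markers is an assumption to extend for your own corpus.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample input (not from the issue): a composer.lock-style fragment
// carrying the zipball URL from the report, plus a bare 40-hex value on the last
// line standing in for a credential. The token value is a placeholder, not a
// working secret.
const sample = `{
  "name": "symfony/monolog-bridge",
  "source": {
    "type": "git",
    "url": "https://github.com/symfony/monolog-bridge.git",
    "reference": "9d14621e59f22c2b6d030d92d37ffe5ae1e60452"
  },
  "dist": {
    "type": "zip",
    "url": "https://api.github.com/repos/symfony/monolog-bridge/zipball/9d14621e59f22c2b6d030d92d37ffe5ae1e60452",
    "reference": "9d14621e59f22c2b6d030d92d37ffe5ae1e60452"
  }
}
GITHUB_TOKEN=0123456789abcdef0123456789abcdef01234567
`

// hex40 is the shape of a classic 40-hex-character GitHub token, which is also
// the shape of a full git commit SHA.
var hex40 = regexp.MustCompile(`\b[0-9a-f]{40}\b`)

// commitContext lists prefixes after which a 40-hex value is a commit reference
// rather than a credential: GitHub archive/commit URL path segments and
// composer.lock's "reference" field. This list is an assumption for the example.
var commitContext = regexp.MustCompile(`(?:/zipball/|/tarball/|/commit/|/commits/|/archive/|"reference":\s*")$`)

type Candidate struct {
	Value       string
	Line        int
	IsCommitRef bool
}

// Triage finds every 40-hex candidate in text and marks those that appear
// immediately after a commit-reference context.
func Triage(text string) []Candidate {
	var out []Candidate
	for _, loc := range hex40.FindAllStringIndex(text, -1) {
		start, end := loc[0], loc[1]
		// The context markers are short, so a small window before the match is enough.
		winStart := start - 32
		if winStart < 0 {
			winStart = 0
		}
		prefix := text[winStart:start]
		out = append(out, Candidate{
			Value:       text[start:end],
			Line:        strings.Count(text[:start], "\n") + 1,
			IsCommitRef: commitContext.MatchString(prefix),
		})
	}
	return out
}

// Suspicious keeps only candidates not explained by a commit-reference context,
// i.e. the ones still worth sending to verification.
func Suspicious(cs []Candidate) []Candidate {
	var out []Candidate
	for _, c := range cs {
		if !c.IsCommitRef {
			out = append(out, c)
		}
	}
	return out
}

func main() {
	cs := Triage(sample)
	for _, c := range cs {
		fmt.Printf("line %2d  commit_ref=%-5v  %s\n", c.Line, c.IsCommitRef, c.Value)
	}
	fmt.Printf("%d candidate(s) left for verification\n", len(Suspicious(cs)))
}
```

On the sample, the three occurrences of the commit SHA (source reference, zipball URL, dist reference) are marked as commit references and only the bare GITHUB_TOKEN value survives to verification. Note that this is a suppression heuristic, not proof that a value is harmless: a real token pasted after "/commit/" would be suppressed too, so keep the filter narrow and prefer it as a triage step before verification rather than as a replacement for it.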