[1] https://github.com/trufflesecurity/trufflehog#validation-
GitLab must have been thrilled about a bot cloning 5.6 million repos in 24 hours. That doesn't really sound responsible to me.
Think about this… every CI/CD job runs a clone. That's a lot.
Not surprising, Google SDKs suck so much in terms of authentication. It's never something simple like an API key, always a shitty IAM-like opaque function based on an opaque SDK needing to be installed that in the end requires a huge JSON. And most of the time, it is a pain in the ass to provide the token "as-is" in a buffer, but the SDK expects that you give a file path to it. So, I easily guess that a lot of lazy devs will just store the credential JSON file in their project and consider it a job done.
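The failure mode described in this comment (a service-account key file checked into the project because the SDK wants a path) is straightforward to catch before it reaches a remote. The following is an added example, not TruffleHog's or Google's code: a hypothetical pre-commit check that walks a tree and flags files parsing as a Google service-account JSON key; the sample tree and the key in it are constructed.

```python
"""Hypothetical CI check (added example, not TruffleHog's or Google's code):
find Google service-account key files committed in a repository tree.
The file the SDK loads via GOOGLE_APPLICATION_CREDENTIALS is a JSON object
with "type": "service_account" plus private_key / client_email fields."""
import json
import os
import tempfile

REQUIRED_FIELDS = {"type", "project_id", "private_key", "client_email"}

def is_service_account_key(data):
    """True if a parsed JSON value looks like a GCP service-account key."""
    if not isinstance(data, dict) or data.get("type") != "service_account":
        return False
    pem = str(data.get("private_key", "")).lstrip().startswith("-----BEGIN")
    return REQUIRED_FIELDS.issubset(data) and pem

def scan_tree(root):
    """Repo-relative paths of files that parse as service-account keys.
    Non-JSON or unreadable files are skipped; .git is not descended into."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = json.loads(fh.read(200_000))  # real keys are ~2 KB
            except (OSError, ValueError):
                continue
            if is_service_account_key(data):
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)

def demo():
    """Constructed sample tree: one fake key, one benign JSON, one non-JSON."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "config"))
    key = {"type": "service_account", "project_id": "example-proj",  # constructed
           "private_key": "-----BEGIN PRIVATE KEY-----\nFAKE\n-----END PRIVATE KEY-----\n",
           "client_email": "svc@example-proj.iam.gserviceaccount.com"}
    with open(os.path.join(root, "config", "gcp-key.json"), "w") as fh:
        json.dump(key, fh)
    with open(os.path.join(root, "package.json"), "w") as fh:
        json.dump({"name": "app", "type": "module"}, fh)
    with open(os.path.join(root, "README.md"), "w") as fh:
        fh.write("# app\n")
    return scan_tree(root)
```

Wired into a pre-commit hook or a CI step that fails on a non-empty result, this catches the key before it is pushed; it deliberately matches on structure rather than on file name, since the key is usually renamed to something innocuous.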
vatsachak•2mo ago
You could make as much in a month creating those vulnerabilities