trufflesecurity/trufflehog

user (instead of org) with token is not working

Open

#4517 opened on Oct 26, 2025

View on GitHub
 (3 comments) (1 reaction) (1 assignee)Go (26,285 stars) (2,397 forks)batch import
help wantedneeds-reconciliationpkg/sources

Description

TruffleHog Version

trufflehog 3.90.11

Expected Behavior

Considering this checks an user's repositories:

trufflehog github --org $user

And this checks an organization's repositories:

trufflehog github --org $org --token $GITHUB_TOKEN

This also should check an user's repositories, but now using a token:

trufflehog github --org $user --token $GITHUB_TOKEN

Actual Behavior

When a user is passed to --org and --token is specified, the repositories of the token's owner are being analyzed (instead of the specified user).

Steps to Reproduce

  1. Run the following command using a user instead of an organization:
trufflehog github --org $user --token $GITHUB_TOKEN
  1. Notice that the specified user' repositories will not be checked.

Potential Solution

I have a suggestion that worked here:

  1. Go to the function getReposByOrgOrUser inside pkg/sources/github/repo.go;
  2. Remove the parameter authenticated, and pass false to the function getReposByUser();
  3. Inside pkg/sources/github/github.go, update all the references that call getReposByOrgOrUser, removing the boolean parameter.

I did not create a PR because I feel this solution may have collateral effects that I cannot understand now, having a very superficial context of the code.

Contributor guide

Tech stack
go
Domain
backendclisecurity
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
blocked
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
Go programming basicsGitHub API familiarityTruffleHog project structure
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
60
Research direction
The issue reports that when using ` org` with a user (not an org) and providing a token, the tool incorrectly checks the token owner's repos instead of the specified user. The potential solution suggests modifying `getReposByOrgOrUser` in `pkg/sources/github/repo.go` to remove the `authenticated` parameter and pass `false` to `getReposByUser()`, and updating references in `pkg/sources/github/github.go`. Investigate the function `getReposByOrgOrUser` and its callers to understand the logic of org vs user detection. Review the comments in the issue for any maintainer feedback. Ensure the fix does not break the case where a real org is passed with a token.