GitLab detector misses tokens from older self hosted instances #4880

@jamesgol

Description

TruffleHog Version

v3.94.3 (47e7b7c)

Trace Output

N/A - no error occurs; the token is silently missed.

Expected Behavior

The GitLab v1 detector should match personal access tokens generated by older self-hosted GitLab instances that use the newer dotted format (e.g. XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.XX.XXXXXXXXX) but do not include the glpat- prefix.

Actual Behavior

Tokens in this format are not detected by any of the three GitLab detectors:

  • v1 only matches 20-22 character tokens — too short for the dotted format
  • v2 requires the glpat- prefix with a 20-22 character body
  • v3 requires the glpat- prefix with the dotted format

This means personal access tokens from self-hosted GitLab instances that adopted the dotted token structure before adding the glpat- prefix are completely undetected.

Steps to Reproduce

  1. Create a file containing a dotted-format GitLab token without a glpat- prefix:
    gitlab_token ="ThisIsNotAValidTokenAtAllNoWayXx.01.a1b2c3d4e"
    
  2. Commit it to a git repository
  3. Scan with TruffleHog:
    trufflehog git file:///path/to/repo --json
  4. No GitLab detector result is produced (the only finding, if any, comes from the URI detector if the token appears in a URL)

Environment

  • OS: macOS (Darwin 25.3.0), also applicable to Linux
  • Version: v3.94.3
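As an added illustration of the gap described in this issue (example code written here, not TruffleHog's own source): the three detector shapes the report lists, approximated as Go regexes, next to a candidate pattern for the unprefixed dotted format, all run over the issue's placeholder token. The "gitlab" keyword context, the character class and the 32.2.9 dotted layout are assumptions taken from the issue text and its sample token.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Illustrative approximations of the three detector shapes described in the issue
// plus a candidate for the missing case. These are not TruffleHog's own patterns;
// the "gitlab" keyword context and the 32.2.9 dotted layout are assumptions.
type detector struct {
	name         string
	re           *regexp.Regexp
	skipPrefixed bool // drop matches that the glpat- detector already reports
}

const (
	keyword = `(?i)gitlab[\s\S]{0,40}?`
	body    = `[a-zA-Z0-9_\-]`
	dotted  = body + `{32}\.[a-zA-Z0-9]{2}\.[a-zA-Z0-9]{9}`
)

var detectors = []detector{
	{"v1", regexp.MustCompile(keyword + `\b(` + body + `{20,22})\b`), false},
	{"v2", regexp.MustCompile(`\b(glpat-` + body + `{20,22})\b`), false},
	{"v3", regexp.MustCompile(`\b(glpat-` + dotted + `)\b`), false},
	{"candidate", regexp.MustCompile(keyword + `\b(` + dotted + `)\b`), true},
}

// Scan returns the tokens each detector finds in data, keyed by detector name.
func Scan(data string) map[string][]string {
	found := map[string][]string{}
	for _, d := range detectors {
		for _, m := range d.re.FindAllStringSubmatchIndex(data, -1) {
			start, end := m[2], m[3] // bounds of capture group 1, the token
			if d.skipPrefixed && strings.HasSuffix(data[:start], "glpat-") {
				continue
			}
			found[d.name] = append(found[d.name], data[start:end])
		}
	}
	return found
}

func main() { // constructed sample lines; the first uses the issue's placeholder token
	for _, l := range []string{`gitlab_token ="ThisIsNotAValidTokenAtAllNoWayXx.01.a1b2c3d4e"`, `GITLAB_TOKEN=glpat-ThisIsNotAValidTokenAtAllNoWayXx.01.a1b2c3d4e`} {
		fmt.Println(l, "=>", Scan(l))
	}
}
```

On the unprefixed line only the candidate fires; on the glpat- line only v3 fires, because the candidate discards matches immediately preceded by the prefix so the same secret is not reported twice.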
