CompTIA PenTest+ (PT0-003) — Question 24
During a penetration test of a web application, the tester gains full access to the application's source code. The application repository includes thousands of code files. Given that the assessment timeline is very short, which of the following approaches would allow the tester to identify hard-coded credentials most effectively?
Answer options
- A. Run TruffleHog against a local clone of the application.
- B. Scan the live web application using Nikto.
- C. Perform a manual code review of the Git repository.
- D. Use SCA software to scan the application source code.
Correct answer: A
Explanation
Running TruffleHog against a local clone is the most effective option because the tool is built for exactly this task: it walks the repository's files and its Git history, applying regex detectors for known credential formats (cloud access keys, private key blocks, API tokens) and entropy heuristics for random-looking strings, so it also surfaces secrets that were committed and later removed. The history pass is why a local clone is needed rather than a scan of the deployed site. Nikto is a web server scanner: it probes the running application for known vulnerable files, outdated server software and misconfigurations, and tests the deployed server, not the source code. A manual review of thousands of files is too slow for a short engagement and easily misses secrets buried in old commits. SCA (software composition analysis) tools inventory third-party dependencies and report known-vulnerable versions; they are not designed to find hard-coded secrets. TruffleHog output still needs triage, since entropy rules also flag hashes and other non-secret random strings.
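To make the answer concrete, the script below is a stripped-down illustration of the two detection techniques TruffleHog combines: regex rules for known credential formats and a Shannon entropy check over random-looking tokens. It is an added example written for this page, not TruffleHog's own code, and it scans an in-memory dictionary that stands in for a cloned repository instead of a real Git checkout. The sample contents are constructed; the AWS values are the placeholder credentials from AWS's own documentation, the commit hash is made up, and the rule names and thresholds are this example's choices (the 3.0 and 4.5 bits-per-character cutoffs follow the ones classic TruffleHog used).

```python
"""Minimal secret scanner: regex rules plus Shannon entropy, in the style of
TruffleHog. Added example for this page; not TruffleHog's code."""
import math
import re
from dataclasses import dataclass

# Constructed stand-in for a cloned repository: path -> file contents.
# The AWS values are the placeholder credentials from AWS's documentation;
# the commit hash is invented and exists only to show an entropy false positive.
SAMPLE_REPO = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        "DB_HOST = 'db.internal'\n"
    ),
    "deploy/pin.txt": "# pinned to commit 3f2a9c8e1b7d4a6f0e5c2b9d8a7f6e4c3b2a1d0f\n",
    "README.md": "Run `make build` and then `make test`.\n",
}

# Pattern rules (names chosen for this example): well-known credential formats
# and "secret = '...'" style assignments of at least 8 characters.
PATTERN_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"
    ),
    "credential-assignment": re.compile(
        r"(?i)(?:password|passwd|secret|token|api[_-]?key)\w*\s*[=:]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Tokens long enough to be worth an entropy check, and the per-character
# thresholds: hex strings above 3.0 bits, base64-like strings above 4.5 bits.
CANDIDATE_TOKEN = re.compile(r"[A-Za-z0-9+/=]{20,}")
HEX_TOKEN = re.compile(r"^[0-9a-fA-F]+$")
HEX_THRESHOLD = 3.0
BASE64_THRESHOLD = 4.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or constant string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    snippet: str


def scan_line(path: str, line_no: int, line: str) -> list:
    """Apply every pattern rule, then the entropy check, to one source line."""
    findings = []
    for name, rx in PATTERN_RULES.items():
        for m in rx.finditer(line):
            findings.append(Finding(path, line_no, name, m.group(0)))
    for m in CANDIDATE_TOKEN.finditer(line):
        tok = m.group(0)
        if HEX_TOKEN.match(tok):
            kind, threshold = "high-entropy-hex", HEX_THRESHOLD
        else:
            kind, threshold = "high-entropy-base64", BASE64_THRESHOLD
        if shannon_entropy(tok) > threshold:
            findings.append(Finding(path, line_no, kind, tok))
    return findings


def scan_repo(repo: dict) -> list:
    """Scan every line of every file in the in-memory repository."""
    findings = []
    for path, contents in repo.items():
        for line_no, line in enumerate(contents.splitlines(), start=1):
            findings.extend(scan_line(path, line_no, line))
    return findings


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.snippet}")
```

Two things the output makes visible that the explanation above only states. The access key ID "AKIAIOSFODNN7EXAMPLE" has too little entropy to trip the base64 threshold and is caught only by the format rule, while the 40-character secret key trips both the assignment rule and the entropy check, which is why a scanner needs both techniques. The commit hash in deploy/pin.txt is reported as high-entropy hex even though it is not a secret, so every scanner hit still needs triage; newer TruffleHog releases reduce this noise by attempting to verify candidate credentials against the issuing service. A real run would also walk Git history rather than just the working tree, which this example omits.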