
What is TruffleHog?

TruffleHog is a powerful tool designed to scan repositories for secrets and credentials. It searches through git repositories for secrets, digging deep into commit history and branches. TruffleHog will detect secrets like API keys, passwords, and tokens across many providers, including AWS, GitHub, Google, Slack, and more. It's an essential tool for preventing secret leakage in your codebase.

Key Features

  • Deep Git Scanning: Scans git repositories, including commit history and all branches, to find secrets that may have been committed in the past.
  • Multiple Secret Types: Detects a wide range of secret types, including API keys, passwords, tokens, and more.
  • High Signal Detection: Uses a combination of regex patterns and entropy checks to minimize false positives.
  • Multiple Source Support: Can scan GitHub, GitLab, filesystems, S3 buckets, and more.
  • CI/CD Integration: Easily integrates with CI/CD pipelines for automated secret scanning.
  • Verification: Verifies detected secrets against their respective APIs to confirm they are valid.

Integration with DevOps Pipeline

TruffleHog can be integrated into your DevOps pipeline to automatically scan your codebase for secrets. Here's how you can integrate TruffleHog into your pipeline:

1. GitHub Actions Integration

Add TruffleHog scanning to your GitHub Actions workflow to scan your repository for secrets.

name: TruffleHog Scan

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  trufflehog-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
        
      - name: TruffleHog OSS
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          base: ${{ github.event.repository.default_branch }}
          head: HEAD
          extra_args: --debug --only-verified

2. GitLab CI Integration

Add TruffleHog scanning to your GitLab CI pipeline to scan your repository for secrets.

stages:
  - build
  - test
  - scan
  - deploy

trufflehog-scan:
  stage: scan
  image: trufflesecurity/trufflehog:latest
  script:
    # --fail makes TruffleHog exit non-zero (183) when a verified secret is found, so the job blocks the pipeline
    - trufflehog git file:///builds/$CI_PROJECT_PATH --since-commit $CI_COMMIT_BEFORE_SHA --branch $CI_COMMIT_REF_NAME --only-verified --fail
  only:
    - merge_requests
    - main

3. Jenkins Integration

Add TruffleHog scanning to your Jenkins pipeline to scan your repository for secrets.

pipeline {
    agent any
    
    stages {
        stage('Build') {
            steps {
                echo 'Building application...'
            }
        }
        
        stage('Test') {
            steps {
                echo 'Running tests...'
            }
        }
        
        stage('TruffleHog Scan') {
            steps {
                sh '''
                    # --fail makes TruffleHog exit non-zero (183) on findings, which fails this stage
                    docker run --rm -v "$PWD:/pwd" trufflesecurity/trufflehog:latest git file:///pwd --only-verified --fail
                '''
            }
        }
        
        stage('Deploy') {
            steps {
                echo 'Deploying application...'
            }
        }
    }
}

4. Pre-commit Hook

You can also use TruffleHog as a pre-commit hook to prevent secrets from being committed in the first place:

#!/bin/sh
# .git/hooks/pre-commit

# Scan the staged changes (everything since HEAD). --fail makes TruffleHog exit
# with code 183 when a verified secret is found; without it the exit status
# check below would never trigger.
docker run --rm -v "$(pwd):/pwd" trufflesecurity/trufflehog:latest git file:///pwd --only-verified --since-commit HEAD --fail

# If TruffleHog finds secrets, abort the commit
if [ $? -ne 0 ]; then
  echo "TruffleHog found secrets in your changes. Please remove them before committing."
  exit 1
fi

exit 0
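The four integrations above all rely on TruffleHog's exit status to block a pipeline. When you also want a readable summary in the build log without echoing the secret itself, TruffleHog's `--json` output can be post-processed. The following is an added example, not code from this page or from the TruffleHog project: a small Python gate that reads `trufflehog ... --json` output on stdin, masks each finding, counts findings per detector and fails the build on verified results (or on any result with `--strict`). The embedded sample lines are constructed to mirror the shape of TruffleHog's JSON output (the `DetectorName`, `Verified`, `Raw` and `SourceMetadata.Data.Git` fields); the token values are placeholders, and the invocation `trufflehog git file://. --json | python3 triage.py` and the script name `triage.py` are assumptions.

```python
"""CI gate for TruffleHog --json output (added example; assumed invocation:
trufflehog git file://. --json | python3 triage.py [--strict])."""
import json
import sys
from collections import Counter

# Constructed sample lines shaped like TruffleHog v3 --json output.
# The token values are placeholders, not real credentials.
SAMPLE_OUTPUT = """\
{"SourceMetadata":{"Data":{"Git":{"commit":"0123abcd4567","file":"config/prod.env","email":"dev@example.com","repository":"file:///pwd","timestamp":"2024-01-02 03:04:05 +0000","line":7}}},"DetectorName":"AWS","Verified":true,"Raw":"AKIAEXAMPLEEXAMPLE01","Redacted":"AKIAEXAMPLEEXAMPLE01"}
{"SourceMetadata":{"Data":{"Git":{"commit":"89abcdef0123","file":"src/client.py","email":"dev@example.com","repository":"file:///pwd","timestamp":"2024-01-02 03:04:05 +0000","line":42}}},"DetectorName":"Slack","Verified":false,"Raw":"xoxb-placeholder-token","Redacted":"xoxb-..."}
2024-01-02T03:04:06Z info trufflehog finished scanning
"""

EXIT_CLEAN = 0
EXIT_SECRETS_FOUND = 1


def mask(secret, keep=4):
    """Keep a short prefix for triage and hide the rest so the build log never carries the full value."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep)


def parse_findings(text):
    """Turn TruffleHog JSON lines into compact finding records; lines that are not JSON objects are skipped."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        git = obj.get("SourceMetadata", {}).get("Data", {}).get("Git", {})
        findings.append({
            "detector": obj.get("DetectorName", "unknown"),
            "verified": bool(obj.get("Verified", False)),
            "file": git.get("file", "?"),
            "line": git.get("line"),
            "commit": str(git.get("commit", "?"))[:8],
            "hint": mask(obj.get("Raw", "")),  # never keep the raw value around
        })
    return findings


def summarize(findings):
    """Count findings per detector, split into verified and unverified."""
    verified = Counter(f["detector"] for f in findings if f["verified"])
    unverified = Counter(f["detector"] for f in findings if not f["verified"])
    return {"verified": dict(verified), "unverified": dict(unverified)}


def format_report(findings):
    """One line per finding (masked), then totals; safe to print in a CI log."""
    lines = []
    for f in findings:
        status = "VERIFIED" if f["verified"] else "unverified"
        lines.append(f"[{status}] {f['detector']} {f['file']}:{f['line']} (commit {f['commit']}) {f['hint']}")
    s = summarize(findings)
    lines.append(f"verified: {sum(s['verified'].values())}, unverified: {sum(s['unverified'].values())}")
    return "\n".join(lines)


def gate(findings, fail_on_unverified=False):
    """Exit status for the pipeline: verified secrets always block; unverified ones only when asked."""
    for f in findings:
        if f["verified"] or fail_on_unverified:
            return EXIT_SECRETS_FOUND
    return EXIT_CLEAN


def main():
    # Read TruffleHog output from the pipe; fall back to the sample when run interactively.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    findings = parse_findings(text)
    print(format_report(findings))
    sys.exit(gate(findings, fail_on_unverified="--strict" in sys.argv[1:]))


if __name__ == "__main__":
    main()
```

Run without a pipe and the script reports on the constructed sample: the AWS finding is verified and blocks (exit 1), the Slack finding is unverified and only blocks under `--strict`. Masking the `Raw` value before anything is printed matters because CI logs are often readable by more people than the repository is.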

Best Practices

  • Scan your repositories regularly to catch any secrets that might have been accidentally committed.
  • Implement pre-commit hooks to prevent secrets from being committed in the first place.
  • Integrate TruffleHog into your CI/CD pipeline to automatically scan code changes for secrets.
  • When a secret is found, consider it compromised and rotate it immediately.
  • Use a secrets management solution like HashiCorp Vault or AWS Secrets Manager to store and manage secrets securely.
  • Educate your team about the risks of hardcoding secrets and provide alternatives.
  • Consider using environment variables or configuration files that are not checked into version control for storing sensitive information.

Conclusion

TruffleHog is a powerful tool for finding secrets in your codebase, helping you prevent security breaches caused by leaked credentials. By integrating TruffleHog into your DevOps pipeline, you can ensure that your code remains free of sensitive information.
