TruffleHog
Find leaked credentials.
Join The Slack
Have questions? Suggestions? Jump in slack and hang out with us
https://join.slack.com/t/trufflehog-community/shared_invite/zt-pw2qbi43-Aa86hkiimstfdKH9UCpPzQ
Demo
docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=trufflesecurity
TruffleHog v3 is a complete rewrite in Go with many new powerful features.
- We've added over 700 credential detectors that support active verification against their respective APIs.
- We've also added native support for scanning GitHub, GitLab, filesystems, and S3.
- Instantly verify private keys against millions of GitHub users and billions of TLS certificates using our Driftwood technology.
What is credential verification?
For every potential credential that is detected, we've painstakingly implemented programmatic verification against the API that we think it belongs to. Verification eliminates false positives. For example, the AWS credential detector performs a GetCallerIdentity API call against the AWS API to verify whether an AWS credential is active.
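The detect-then-verify pattern described above, as an added Go example that is not TruffleHog's own detector code. It assumes a minimal CallerIdentityAPI interface standing in for the STS client (in production the AWS SDK would back it), uses two regex heuristics for the access key ID and secret that are assumptions made for the example, and runs against a constructed config snippet; the first key pair is the example pair from AWS's own documentation, the second is made up. The point to take from it is the three-way split: a rejected key is a false positive, a live key is a finding, and a network error is neither and must be surfaced rather than treated as "not live".

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"regexp"
)

// Candidate is one possible AWS credential pulled out of scanned text.
type Candidate struct {
	AccessKeyID string
	SecretKey   string
	Verified    bool
}

// CallerIdentityAPI is the single STS operation the verifier depends on.
// Assumed interface for this example: in production the AWS SDK's STS client
// would satisfy it; the fake below lets the example run offline.
type CallerIdentityAPI interface {
	GetCallerIdentity(ctx context.Context, accessKeyID, secretKey string) (account string, err error)
}

// ErrInvalidCredential models the API rejecting the key pair outright,
// as opposed to a network failure, which proves nothing either way.
var ErrInvalidCredential = errors.New("InvalidClientTokenId")

// Detection heuristics assumed for the example: "AKIA" plus 16 upper-case
// alphanumerics for the key ID, a 40-character base64-like token for the secret.
var (
	keyIDRe  = regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)
	secretRe = regexp.MustCompile(`\b[A-Za-z0-9/+=]{40}\b`)
)

// FindCandidates pairs each access key ID with the first secret-looking token
// in the 200 bytes after it. Everything returned is still an unverified guess:
// a 40-character git SHA or base64 blob passes this stage too.
func FindCandidates(text string) []Candidate {
	var out []Candidate
	for _, loc := range keyIDRe.FindAllStringIndex(text, -1) {
		window := text[loc[1]:]
		if len(window) > 200 {
			window = window[:200]
		}
		if secret := secretRe.FindString(window); secret != "" {
			out = append(out, Candidate{AccessKeyID: text[loc[0]:loc[1]], SecretKey: secret})
		}
	}
	return out
}

// Verify asks the API whether each candidate is live. Rejections go to
// unverified; transient errors also stay unverified but are reported.
func Verify(ctx context.Context, api CallerIdentityAPI, cands []Candidate) (verified, unverified []Candidate, errs []error) {
	for _, c := range cands {
		_, err := api.GetCallerIdentity(ctx, c.AccessKeyID, c.SecretKey)
		switch {
		case err == nil:
			c.Verified = true
			verified = append(verified, c)
		case errors.Is(err, ErrInvalidCredential):
			unverified = append(unverified, c)
		default:
			unverified = append(unverified, c)
			errs = append(errs, fmt.Errorf("%s: %w", c.AccessKeyID, err))
		}
	}
	return verified, unverified, errs
}

// fakeSTS stands in for the real API: only the listed key pairs are "live".
type fakeSTS struct{ live map[string]string }

func (f fakeSTS) GetCallerIdentity(_ context.Context, id, secret string) (string, error) {
	if s, ok := f.live[id]; ok && s == secret {
		return "123456789012", nil
	}
	return "", ErrInvalidCredential
}

// Constructed sample input: AWS's documented example key pair, then a
// made-up rotated key that a scanner would still see in git history.
const sampleConfig = `
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# rotated long ago; still in git history
aws_access_key_id = AKIAEXAMPLEROTATED00
aws_secret_access_key = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
`

func main() {
	api := fakeSTS{live: map[string]string{"AKIAIOSFODNN7EXAMPLE": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}}
	verified, unverified, errs := Verify(context.Background(), api, FindCandidates(sampleConfig))
	fmt.Printf("%d verified, %d unverified, %d errors\n", len(verified), len(unverified), len(errs))
	for _, c := range verified {
		fmt.Println("live credential:", c.AccessKeyID)
	}
}
```

Run with `go run .`; the fake only accepts the first pair, so the rotated key comes back unverified and is never reported as a finding, which is the false-positive reduction the paragraph describes. With --only-verified the real tool makes the same cut at output time.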
Installation
Several options:
1. Go
git clone https://github.com/trufflesecurity/trufflehog.git
cd trufflehog; go install
2. Release binaries
3. Docker
Note: Apple M1 hardware users should run with
docker run --platform linux/arm64
for better performance.
Most users
docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys
Apple M1 users
The linux/arm64 image is better to run on the M1 than the amd64 image. Even better is running the native darwin binary available, but there is no container image for that.
docker run --platform linux/arm64 -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys
4. Pip (help wanted)
It's possible to distribute binaries in pip wheels.
Here is an example of a project that does it.
Help with setting up this packaging would be appreciated!
5. Brew
brew tap trufflesecurity/trufflehog
brew install trufflehog
Usage
TruffleHog has a sub-command for each source of data that you may want to scan:
- git
- github
- gitlab
- S3
- filesystem
- syslog
- file and stdin (coming soon)
Each subcommand can have options that you can see with the -h flag provided to the sub command:
$ trufflehog git --help
usage: TruffleHog git [<flags>] <uri>

Find credentials in git repositories.

Flags:
  --help                     Show context-sensitive help (also try --help-long and --help-man).
  --debug                    Run in debug mode
  --version                  Prints trufflehog version.
  -j, --json                 Output in JSON format.
  --json-legacy              Use the pre-v3.0 JSON format. Only works with git, gitlab, and github sources.
  --concurrency=1            Number of concurrent workers.
  --no-verification          Don't verify the results.
  --only-verified            Only output verified results.
  --print-avg-detector-time  Print the average time spent on each detector.
  --no-update                Don't check for updates.
  -i, --include-paths=INCLUDE-PATHS
                             Path to file with newline separated regexes for files to include in scan.
  -x, --exclude-paths=EXCLUDE-PATHS
                             Path to file with newline separated regexes for files to exclude in scan.
  --since-commit=SINCE-COMMIT
                             Commit to start scan from.
  --branch=BRANCH            Branch to scan.
  --max-depth=MAX-DEPTH      Maximum depth of commits to scan.
  --allow                    No-op flag for backwards compat.
  --entropy                  No-op flag for backwards compat.
  --regex                    No-op flag for backwards compat.

Args:
  <uri>  Git repository URL. https:// or file:// schema expected.
For example, to scan a git repository, start with
$ trufflehog git https://github.com/trufflesecurity/trufflehog.git
Exit Codes:
- 0: No errors and no results were found.
- 1: An error was encountered. Sources may not have completed scans.
- 183: No errors were encountered, but results were found. Will only be returned if the --fail flag is used.
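The -i/--include-paths and -x/--exclude-paths flags above take a file of newline-separated regexes each. As an added Go example, not TruffleHog's own path-matching code, the filter below compiles two such files and applies them to a list of repository paths; the precedence it uses (an include list, when present, must match, and any exclude match wins) is an assumption stated in the comments, so check the project's documentation for the tool's exact behaviour. The rule file and path list are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// PathFilter holds compiled include and exclude rules. Semantics assumed for
// this example: a path is scanned when it matches at least one include rule
// (or no include rules were given) and matches no exclude rule.
type PathFilter struct {
	include []*regexp.Regexp
	exclude []*regexp.Regexp
}

// parseRules compiles one regex per non-blank line. A malformed pattern is
// reported with its line number instead of being skipped: a dropped exclude
// silently widens the scan and a dropped include silently narrows it.
func parseRules(src string) ([]*regexp.Regexp, error) {
	var rules []*regexp.Regexp
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		re, err := regexp.Compile(line)
		if err != nil {
			return nil, fmt.Errorf("rule on line %d: %w", n, err)
		}
		rules = append(rules, re)
	}
	return rules, nil
}

// NewPathFilter builds a filter from the contents of the include and exclude
// files; either may be empty.
func NewPathFilter(includeSrc, excludeSrc string) (*PathFilter, error) {
	inc, err := parseRules(includeSrc)
	if err != nil {
		return nil, fmt.Errorf("include-paths: %w", err)
	}
	exc, err := parseRules(excludeSrc)
	if err != nil {
		return nil, fmt.Errorf("exclude-paths: %w", err)
	}
	return &PathFilter{include: inc, exclude: exc}, nil
}

func anyMatch(rules []*regexp.Regexp, path string) bool {
	for _, re := range rules {
		if re.MatchString(path) {
			return true
		}
	}
	return false
}

// Keep reports whether a repository-relative path would be scanned.
func (f *PathFilter) Keep(path string) bool {
	if len(f.include) > 0 && !anyMatch(f.include, path) {
		return false
	}
	return !anyMatch(f.exclude, path)
}

// Constructed exclude file. Rules are anchored to a path separator so that
// "vendor" does not also drop src/vendorized.go, as a bare "vendor" would.
const sampleExclude = `
(^|/)vendor/
(^|/)node_modules/
\.min\.js$
(^|/)testdata/
`

// Constructed path list, as a filesystem or git scan might enumerate it.
var samplePaths = []string{
	"cmd/main.go",
	"vendor/golang.org/x/net/http.go",
	"web/app.min.js",
	"docs/README.md",
	"internal/testdata/keys.txt",
	"src/vendorized.go",
	".env",
}

func main() {
	f, err := NewPathFilter("", sampleExclude)
	if err != nil {
		panic(err)
	}
	for _, p := range samplePaths {
		fmt.Printf("%-32s keep=%v\n", p, f.Keep(p))
	}
}
```

The anchoring point matters in practice: an exclude rule that is too loose drops files that may hold real secrets, and because the exclusion is silent you would never see them in the output. Keep exclude files short and specific, and prefer --only-verified over broad excludes for cutting noise.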
Scanning an organization
Try scanning an entire GitHub organization with the following:
docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=trufflesecurity
TruffleHog OSS Github Action
- name: TruffleHog OSS
  uses: trufflesecurity/trufflehog@main
  with:
    # Repository path
    path:
    # Start scanning from here (usually main branch).
    base:
    # Scan commits until here (usually dev branch).
    head: # optional
The TruffleHog OSS Github Action can be used to scan a range of commits for leaked credentials. The action will fail if any results are found.
For example, to scan the contents of pull requests you could use the following workflow:
name: Leaked Secrets Scan
on: [pull_request]
jobs:
  TruffleHog:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: TruffleHog OSS
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          base: ${{ github.event.repository.default_branch }}
          head: HEAD
Contributors
This project exists thanks to all the people who contribute. [Contribute].
Contributing
Contributions are very welcome! Please see our contribution guidelines first.
We no longer accept contributions to TruffleHog v2, but that code is available in the v2 branch.
Adding new secret detectors
We have published some documentation and tooling to get started on adding new secret detectors. Let's improve detection together!
License Change
Since v3.0, TruffleHog is released under an AGPL 3 license, included in LICENSE. TruffleHog v3.0 uses none of the previous codebase, but care was taken to preserve backwards compatibility on the command line interface. The work previous to this release is still available licensed under GPL 2.0 in the history of this repository and the previous package releases and tags. A completed CLA is required for us to accept contributions going forward.