Advanced usage
Downloading the binary
$ curl -q https://storage.googleapis.com/thog-releases/trufflehog-scanner/latest/fetch.sh | bash
$ ./trufflehog version
🐷🔑🐷 TruffleHog. Unearth your secrets. 🐷🔑🐷
version: v1.58.3
built for: you
built with: ❤ love ❤
Running as a Systemd daemon
If you’re looking to run the scanner on a Linux system, setting it up to run as a systemd unit is a good way to ensure that it:
- starts automatically on startup
- has logs rotated
- is able to run without any users connected to the server
Most modern Linux distributions include systemd to manage daemons and other configuration.
We’ll provide an example below that is tailored for Ubuntu, but compatible with other systems with some minor alterations.
- Extract the TruffleHog scanner archive to /home/ubuntu
- Copy your config.yaml into /home/ubuntu
- Copy the Systemd Unit file given below into /etc/systemd/system/trufflehog.service
Systemd Unit file:
[Unit]
Description=Run the TruffleHog scanner as a daemon

[Service]
Type=simple
ExecStart=/home/ubuntu/scanner scan --config /home/ubuntu/config.yaml
Restart=on-failure
RestartSec=15s
User=ubuntu
PrivateUsers=yes

[Install]
WantedBy=multi-user.target
Reload Systemd to make it aware of the new service unit file:
systemctl daemon-reload
Configure systemd to run TruffleHog at boot:
systemctl enable trufflehog.service
Start TruffleHog right now:
systemctl start trufflehog.service
View the status of TruffleHog:
systemctl status trufflehog.service
View the TruffleHog logs:
journalctl -u trufflehog
Tail the TruffleHog logs:
journalctl -fu trufflehog
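As an added example (not part of the TruffleHog documentation and not the project's own tooling), the script below automates the systemd steps above for the layout the page uses: scanner binary and config.yaml in /home/ubuntu, service running as user ubuntu. The function names and the THOG_HOME, THOG_USER, UNIT_PATH and SYSTEMCTL variables are assumptions of this example. The After=/Wants= lines and the sandboxing directives listed after PrivateUsers= are additions beyond the page's unit; the scanner's filesystem and privilege needs are not documented here, so check them against a real install (systemd-analyze security trufflehog.service reports what the unit still allows). The config check exists because config.yaml holds the credentials the scanner uses, so it should not be readable by other local users.

```shell
#!/bin/sh
# Added example, not from the TruffleHog docs: install the scanner as a
# systemd unit and refuse to proceed if config.yaml is readable by others.
# Assumes the page's layout (binary + config.yaml in /home/ubuntu, user ubuntu).
set -eu

THOG_HOME="${THOG_HOME:-/home/ubuntu}"
THOG_USER="${THOG_USER:-ubuntu}"
UNIT_PATH="${UNIT_PATH:-/etc/systemd/system/trufflehog.service}"
SYSTEMCTL="${SYSTEMCTL:-systemctl}"   # set to ':' for a dry run without systemd

# True when the group/other permission bits are all cleared (mode 600 or 400).
# Uses ls(1) rather than stat(1) so it works on both GNU and BSD userlands.
config_is_private() {
    ls -ld "$1" | cut -c5-10 | grep -q '^------$'
}

# Emit the unit file. Directives up to PrivateUsers= mirror the page's unit;
# the ones after it are added sandboxing options from systemd.exec(5) and are
# an assumption about what the scanner tolerates (it only needs network
# access and read access to its own directory here).
render_unit() {
    cat <<EOF
[Unit]
Description=Run the TruffleHog scanner as a daemon
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
ExecStart=$THOG_HOME/scanner scan --config $THOG_HOME/config.yaml
Restart=on-failure
RestartSec=15s
User=$THOG_USER
PrivateUsers=yes
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=full
ProtectKernelTunables=yes
ProtectControlGroups=yes

[Install]
WantedBy=multi-user.target
EOF
}

# Validate the config file, write the unit, then reload/enable/start.
install_trufflehog_unit() {
    cfg="$THOG_HOME/config.yaml"
    [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 1; }
    if ! config_is_private "$cfg"; then
        echo "$cfg is readable by group/other; run: chmod 600 $cfg" >&2
        return 1
    fi
    render_unit > "$UNIT_PATH"
    chmod 644 "$UNIT_PATH"
    "$SYSTEMCTL" daemon-reload
    "$SYSTEMCTL" enable --now trufflehog.service
}

# Only act when explicitly asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--install" ]; then
    install_trufflehog_unit
fi
```

Run it as root with the --install argument; a world-readable config.yaml makes it fail closed before anything is written to /etc. Once the service is up, journalctl -u trufflehog shows whether any of the added Protect*/Private* directives blocked something the scanner needs, in which case drop that directive rather than the whole sandbox.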
Deploying to Kubernetes via manifest
The following instructions will help you set up a basic deployment of the TruffleHog scanner in Kubernetes. Kubernetes will ensure that TruffleHog stays running, manage your configuration secrets, and collect the logs.
- Create the namespace:
$ kubectl create namespace trufflehog
namespace/trufflehog created
- Create the configuration secret (the key is taken from the file name, so it is mounted as /secret/config.yaml in the deployment below):
$ kubectl create secret generic config --from-file config.yaml --namespace trufflehog
secret/config created
- Create the deployment:
  - Create a yaml file (the next step uses /tmp/thog.yaml) with these contents:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: trufflehog
  labels:
    app: trufflehog
spec:
  replicas: 1
  selector:
    matchLabels:
      app: trufflehog
  template:
    metadata:
      labels:
        app: trufflehog
    spec:
      volumes:
        - name: config-secret-volume
          secret:
            secretName: config
      containers:
        - name: trufflehog
          image: us-docker.pkg.dev/thog-artifacts/public/scanner:latest
          terminationMessagePolicy: FallbackToLogsOnError
          command: ["/usr/local/bin/scanner", "scan", "--config=/secret/config.yaml", "--port=8080"]
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8080
            initialDelaySeconds: 3
            periodSeconds: 3
          volumeMounts:
            - name: config-secret-volume
              mountPath: /secret/
  - Apply the manifest:
$ kubectl apply -f /tmp/thog.yaml --namespace trufflehog
deployment.apps/trufflehog configured
- Wait for TruffleHog to be running:
$ kubectl get pods --namespace trufflehog --watch
NAME                          READY   STATUS    RESTARTS   AGE
trufflehog-7f76dc4c49-szxwv   1/1     Running   0          0m22s
- Follow the logs:
$ kubectl logs --namespace trufflehog -f -l app=trufflehog
🐷🔑🐷 TruffleHog. Unearth your secrets. 🐷🔑🐷
version: v1.50.22
INFO[0000] starting scanner service client scanner_group=On-prem
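As an added example (not part of the TruffleHog documentation and not the project's own tooling), the script below turns the Kubernetes steps above into an idempotent deploy: re-running it after a config change updates the Secret in place instead of failing with AlreadyExists, and it blocks until the Deployment has rolled out. It assumes the manifest above is saved as /tmp/thog.yaml and config.yaml is in the current directory; the function names and the NAMESPACE, MANIFEST, CONFIG and KUBECTL variables are assumptions of this example. The create --dry-run=client -o yaml | apply -f - pattern and kubectl rollout status are standard kubectl features, not anything specific to TruffleHog.

```shell
#!/bin/sh
# Added example, not from the TruffleHog docs: idempotent deploy of the
# scanner using the page's namespace, Secret name and manifest.
set -eu

NAMESPACE="${NAMESPACE:-trufflehog}"
MANIFEST="${MANIFEST:-/tmp/thog.yaml}"
CONFIG="${CONFIG:-config.yaml}"
KUBECTL="${KUBECTL:-kubectl}"   # override (e.g. with a shell function) for tests

# Create the namespace only if it does not already exist.
ensure_namespace() {
    "$KUBECTL" get namespace "$NAMESPACE" >/dev/null 2>&1 ||
        "$KUBECTL" create namespace "$NAMESPACE"
}

# Create-or-update the config Secret. The key is pinned to "config.yaml" so
# the mount in the manifest (/secret/config.yaml) keeps working whatever the
# local file is called. Rendering client-side and applying avoids the
# AlreadyExists error that a plain "kubectl create secret" gives on re-runs.
upsert_config_secret() {
    "$KUBECTL" create secret generic config \
        --namespace "$NAMESPACE" \
        --from-file="config.yaml=$CONFIG" \
        --dry-run=client -o yaml | "$KUBECTL" apply -f -
}

# Apply the Deployment manifest and wait for the new pod to pass its
# liveness probe; a non-zero exit here surfaces a bad config instead of
# leaving a CrashLoopBackOff pod behind unnoticed.
deploy() {
    ensure_namespace
    upsert_config_secret
    "$KUBECTL" apply -f "$MANIFEST" --namespace "$NAMESPACE"
    "$KUBECTL" rollout status deployment/trufflehog \
        --namespace "$NAMESPACE" --timeout=120s
}

if [ "${1:-}" = "--deploy" ]; then
    deploy
fi
```

Run it with the --deploy argument. One caveat that applies to any Secret mounted as a volume: Kubernetes updates the mounted file when the Secret changes but does not restart the pod, so if the scanner reads config.yaml only at startup, follow a config update with kubectl rollout restart deployment/trufflehog --namespace trufflehog.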