Using TruffleHog with Git hooks
Using TruffleHog with Git hooks is a good way to ensure that secrets are neither pushed to nor received into git. Catching secrets before they end up in the history is always the preferable time to do so.
Using pre-commit hooks
An easy way to get started is to use the pre-commit framework.
Install it via pip:
pip install pre-commit
Then you will need a .pre-commit-config.yaml file in your repository.
You can place the trufflehog-launcher in your PATH to run it directly, or use Docker.
Pre-commit config for TruffleHog in Docker
repos:
  - repo: local
    hooks:
      - id: trufflehog
        name: TruffleHog
        description: Detect secrets in your data.
        # Git runs hooks without a terminal on stdin, so do not request a TTY (-t);
        # "docker run -it" would fail with "the input device is not a TTY".
        entry: bash -c 'docker run -v "$(pwd):/workdir" -i --rm us-docker.pkg.dev/thog-artifacts/public/scanner:latest git main HEAD /workdir'
        language: system
        stages: ["commit", "push"]
Pre-commit config for TruffleHog in your PATH
repos:
  - repo: local
    hooks:
      - id: trufflehog
        name: TruffleHog
        description: Detect secrets in your data.
        entry: bash -c 'trufflehog-launcher git main HEAD'
        language: system
        stages: ["commit", "push"]
Once your config is in place, you just need to install the hook and you should be good to go!
$ pre-commit install --allow-missing-config
pre-commit installed at .git/hooks/pre-commit
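To confirm that a commit-stage hook really stops a leaked credential before it reaches history, here is an added example (not part of the TruffleHog docs or the pre-commit project) that builds a throwaway repository, installs a small grep-based hook as an offline stand-in for the TruffleHog scanner, and checks that a commit carrying a constructed DEMO_KEY_ canary is rejected while a clean commit passes. It assumes git is installed; the hook, the token format and the file name are all constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the TruffleHog docs: a grep-based hook stands in for the
# TruffleHog scanner so this runs offline. The DEMO_KEY_ token format is constructed
# for this demo and matches no real provider.
set -u

# Create a throwaway repo on branch main with the stand-in hook installed; print its path.
make_demo_repo() {
  local dir
  dir=$(mktemp -d) || return 1
  git -C "$dir" init -q && git -C "$dir" symbolic-ref HEAD refs/heads/main
  git -C "$dir" config user.name demo
  git -C "$dir" config user.email demo@example.invalid
  git -C "$dir" config commit.gpgsign false
  git -C "$dir" config core.hooksPath "$dir/.git/hooks"   # override any global hooksPath
  mkdir -p "$dir/.git/hooks" && cat > "$dir/.git/hooks/pre-commit" <<'HOOK'
#!/bin/sh
# Scan only the lines this commit ADDS (skip the '+++ b/file' header) so that a
# commit which removes an already leaked secret is not itself blocked.
if git diff --cached -U0 | grep -E '^\+' | grep -Ev '^\+\+\+ ' | grep -Eq 'DEMO_KEY_[A-Z0-9]{16}'; then
  echo "pre-commit: secret detected in staged changes, commit blocked" >&2
  exit 1
fi
exit 0
HOOK
  chmod +x "$dir/.git/hooks/pre-commit"
  git -C "$dir" commit -q --allow-empty --no-verify -m init   # establish HEAD for the hook's diff
  printf '%s\n' "$dir"
}
# Stage one file with the given content and try to commit it; return git's exit status.
try_commit() {
  local dir=$1 content=$2
  printf '%s\n' "$content" > "$dir/config.env"
  git -C "$dir" add config.env
  git -C "$dir" commit -q -m "add config" >/dev/null 2>&1
}
# 0 when the hook blocks a commit containing the canary token (the desired behaviour).
hook_blocks_secret_commit() {
  local dir; dir=$(make_demo_repo) || return 1
  if try_commit "$dir" 'API_KEY=DEMO_KEY_ABCDEFGHIJKLMNOP'; then rm -rf "$dir"; return 1; fi
  rm -rf "$dir"
}
# 0 when a commit without secrets (the key is read from the environment) goes through.
hook_allows_clean_commit() {
  local dir; dir=$(make_demo_repo) || return 1
  try_commit "$dir" 'API_KEY=${API_KEY:?set in the environment}'; local rc=$?
  rm -rf "$dir"; return $rc
}
```

Note that pre-commit install only installs the commit-stage hook by default; to also run the push stage listed in the config above, install with pre-commit install --hook-type pre-push.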