Using TruffleHog with Git hooks

Using TruffleHog with Git hooks is a good way to ensure that you don't push secrets to, or receive secrets into, a Git repository. Catching secrets before they end up in history is always preferable: once a secret has been committed and pushed, it is much harder to remove.

Using pre-commit hooks

An easy way to get started is to use the pre-commit framework.

Install it via pip:

pip install pre-commit

Then, you will need a .pre-commit-config.yaml file in your repository.

You can either place the TruffleHog launcher on your PATH and call it directly, or run the scanner in Docker.

Pre-commit config for TruffleHog in Docker

repos:
- repo: local
  hooks:
    - id: trufflehog
      name: TruffleHog
      description: Detect secrets in your data.
      entry: bash -c 'docker run -v "$(pwd):/workdir" -it --rm us-docker.pkg.dev/thog-artifacts/public/scanner:latest git main HEAD /workdir'
      language: system
      stages: ["commit", "push"]

Pre-commit config for TruffleHog in your PATH

repos:
- repo: local
  hooks:
    - id: trufflehog
      name: TruffleHog
      description: Detect secrets in your data.
      entry: bash -c 'trufflehog-launcher git main HEAD'
      language: system
      stages: ["commit", "push"]

Once your config is in place, you just need to install the hook and you should be good to go!

$ pre-commit install --allow-missing-config
pre-commit installed at .git/hooks/pre-commit

Using pre-receive hooks

Pre-receive hooks are custom scripts executed by Git on the server-side every time new commits are pushed to a repository. They inspect incoming changes before they are accepted into the repository, allowing for enforcement of standards and rules without requiring users to install pre-commit hooks.

NOTE: Not all Git distributions are created equal; providers often require users to either self-host their Git instance or purchase an Enterprise plan. Generally, hooks are run as executable scripts, but specific implementation details of pre-receive hooks depend on the provider. Please consult your provider’s relevant documentation for setting up pre-receive hooks.

To run as a pre-receive hook, the scanner is invoked from a bash script using the git source. The --bare option is needed because a full (non-bare) working copy is not available in the context of a pre-receive hook.

The trufflehog binary will need to be set as executable and in the $PATH variable for the Git instance. The below example should work for most providers. Consult your provider documentation for appropriate file naming; some providers will accept arbitrary script names, e.g. trufflehog_hook.sh, while providers like GitLab require that the script name reflect the hook type, e.g. pre_receive.

NOTE: trufflehog in the script below refers to the open-source scanner.

Pre-receive config for TruffleHog

#!/bin/bash

# Scan the bare repository for verified secrets. With --fail the scanner exits
# non-zero when it finds something, and git rejects the push on a non-zero exit.
# Adjust the path if the binary is installed somewhere other than /trufflehog.
/trufflehog --no-update git --bare file://. --only-verified --fail
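The one-line script above runs the scanner unconditionally. A pre-receive hook also receives, on stdin, one line per updated ref in the form "<old-sha> <new-sha> <ref>", and a push that only deletes branches or tags brings in no new commits to scan. The script below is an added example, not TruffleHog's own hook script: it wraps the page's scanner command, skips the scan for deletion-only pushes, logs which refs are being checked, and propagates the scanner's exit status so git rejects the push when a verified secret is found. It assumes the open-source trufflehog binary is on the server's PATH (overridable through the hypothetical TRUFFLEHOG_BIN variable) and relies on git setting GIT_DIR when it invokes a hook.

```shell
#!/bin/bash
# Added example of a pre-receive hook around the TruffleHog scan command.
# Not part of the TruffleHog project; TRUFFLEHOG_BIN is an assumed variable.

ZERO_SHA="0000000000000000000000000000000000000000"
TRUFFLEHOG_BIN="${TRUFFLEHOG_BIN:-trufflehog}"   # assumed to be on the server's PATH

# Runs the scanner exactly as in the page's hook: bare repo, verified secrets
# only, non-zero exit when findings exist.
run_scanner() {
    "$TRUFFLEHOG_BIN" --no-update git --bare file://. --only-verified --fail
}

# Reads the "<old-sha> <new-sha> <ref>" lines git feeds to a pre-receive hook
# on stdin and prints one ref per line for each update that adds commits.
# Deletions (new sha is all zeros) carry nothing new and are skipped.
refs_to_scan() {
    while read -r old new ref; do
        [ -n "$ref" ] || continue
        if [ "$new" = "$ZERO_SHA" ]; then
            continue
        fi
        printf '%s\n' "$ref"
    done
}

# Hook entry point: returns 0 to accept the push, non-zero to reject it.
pre_receive_main() {
    refs=$(refs_to_scan)
    if [ -z "$refs" ]; then
        echo "pre-receive: deletions only, skipping secret scan" >&2
        return 0
    fi
    echo "pre-receive: scanning push to: $(printf '%s' "$refs" | tr '\n' ' ')" >&2
    run_scanner
    status=$?
    if [ "$status" -eq 0 ]; then
        echo "pre-receive: no verified secrets found, push accepted" >&2
        return 0
    fi
    echo "pre-receive: push rejected, verified secret(s) found (scanner exit $status)" >&2
    return "$status"
}

# git sets GIT_DIR when it invokes a hook; only dispatch in that case so the
# functions above can also be sourced and exercised without a scanner present.
if [ -n "${GIT_DIR:-}" ]; then
    pre_receive_main
    exit $?
fi
```

Install it under the hook name your provider expects (for example pre-receive in the bare repository's hooks directory) and make it executable. Because the hook only consults the ref list to decide whether to scan, the scan itself still covers the whole bare repository, which keeps the behaviour of the original one-liner.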