Precommit Hooks

Using TruffleHog with Git Hooks

Using TruffleHog with Git hooks is a good way to ensure that you neither push secrets to Git nor receive them. Catching secrets before they end up in history is always the preferable time to do so.

Using pre-commit hooks

An easy way to get started is to use the pre-commit framework.

Install it via pip:

pip install pre-commit

Then, you will need a .pre-commit-config.yaml file in your repository.

You can place the launcher in your path to use directly, or use Docker.

You will need to provide the credentials to TruffleHog using one of the methods specified in the Secrets Management section of the documentation. The recommended Secret Manager URI is shown below.

Pre-commit config for TruffleHog in Docker

repos:
- repo: local
  hooks:
    - id: trufflehog
      name: TruffleHog
      description: Detect secrets in your data.
      entry: bash -c 'docker run -v "$(pwd):/workdir" -it --rm us-docker.pkg.dev/thog-artifacts/public/scanner:latest git --config="gsm://your-gcp-project/your-gcp-secret" master HEAD /workdir'
      language: system
      stages: ["commit", "push"]

Pre-commit config for TruffleHog in your PATH

repos:
- repo: local
  hooks:
    - id: trufflehog
      name: TruffleHog
      description: Detect secrets in your data.
      entry: bash -c 'trufflehog-launcher git --config="gsm://your-gcp-project/your-gcp-secret" master HEAD'
      language: system
      stages: ["commit", "push"]

Once your config is in place, you just need to install the hook and you should be good to go!

$ pre-commit install --allow-missing-config
pre-commit installed at .git/hooks/pre-commit
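As an added example (not from the TruffleHog docs), the script below exercises the hook flow the configurations above rely on: it creates a throwaway repository, installs a pre-commit hook that fails when staged changes match a secret pattern, and checks that a clean commit passes while a commit carrying the pattern is rejected. It assumes git and a POSIX sh are available; the hook is a stand-in scanner, not TruffleHog or the pre-commit framework, and the FAKE_SECRET_ marker is a constructed placeholder.

```shell
#!/bin/sh
# Added example: end-to-end check of a secret-blocking pre-commit hook in a
# temporary repo, using a stand-in scanner instead of TruffleHog.
set -eu

# Returns 0 when the hook accepts a clean commit and rejects a commit whose
# staged changes contain the constructed FAKE_SECRET_ marker; 1 otherwise.
hook_blocks_secret() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  git -C "$repo" config user.email "hook-test@example.invalid"
  git -C "$repo" config user.name "hook test"

  # Stand-in scanner: git runs hooks from the worktree root, so the hook
  # inspects the staged diff and exits non-zero on a match, as TruffleHog
  # would in the real configuration.
  cat > "$repo/.git/hooks/pre-commit" <<'EOF'
#!/bin/sh
if git diff --cached -U0 | grep -q 'FAKE_SECRET_'; then
  echo "stand-in scanner: secret pattern found in staged changes" >&2
  exit 1
fi
exit 0
EOF
  chmod +x "$repo/.git/hooks/pre-commit"

  # A clean commit must be accepted.
  echo "greeting = hello" > "$repo/config.ini"
  git -C "$repo" add config.ini
  git -C "$repo" commit -q -m "clean change" || return 1

  # A commit that stages the constructed secret must be rejected.
  echo "token = FAKE_SECRET_0123456789" >> "$repo/config.ini"
  git -C "$repo" add config.ini
  if git -C "$repo" commit -q -m "leak" 2>/dev/null; then
    return 1   # the hook let the secret through
  fi

  # The rejected change must not have reached history.
  if git -C "$repo" log --oneline | grep -q leak; then
    return 1
  fi
  rm -rf "$repo"
  return 0
}

hook_blocks_secret && echo "hook blocked the secret as expected"
```

Note that `pre-commit install` only installs the pre-commit hook by default; to run the push stage listed in the configurations above, also run `pre-commit install --hook-type pre-push`.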