Using TruffleHog with Git hooks

Running TruffleHog from Git hooks is a good way to make sure you don't commit or push secrets to git. Catching a secret before it lands in history is always the preferable time to do so: once it is in a commit it stays in the history even after you delete it from the working tree, and the credential has to be rotated.

Using pre-commit hooks

An easy way to get started is to use the pre-commit framework.

Install it via pip:

pip install pre-commit

Then, you will need a .pre-commit-config.yaml file in your repository.

You can either put the launcher on your PATH and call it directly, or run the scanner in Docker. Both variants are shown below.

Pre-commit config for TruffleHog in Docker

Git hooks run without a terminal attached, so the container is started without -t (docker's -it would fail with "the input device is not a TTY" when the hook runs). The current directory is mounted into the container as /workdir so the scanner can read the repository.

repos:
- repo: local
  hooks:
    - id: trufflehog
      name: TruffleHog
      description: Detect secrets in your data.
      entry: bash -c 'docker run -v "$(pwd):/workdir" --rm us-docker.pkg.dev/thog-artifacts/public/scanner:latest git main HEAD /workdir'
      language: system
      stages: ["commit", "push"]

Pre-commit config for TruffleHog in your PATH

repos:
- repo: local
  hooks:
    - id: trufflehog
      name: TruffleHog
      description: Detect secrets in your data.
      entry: bash -c 'trufflehog-launcher git main HEAD'
      language: system
      stages: ["commit", "push"]

Once your config is in place, install the hooks and you should be good to go. Note that pre-commit install on its own only installs the pre-commit hook; for the push stage to run as well, also install the pre-push hook (pre-commit install --hook-type pre-commit --hook-type pre-push). Newer pre-commit releases call these stages pre-commit and pre-push; the older names commit and push still work but print a deprecation warning.

$ pre-commit install --allow-missing-config
pre-commit installed at .git/hooks/pre-commit
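The pre-commit framework is a convenience layer over the same mechanism git offers natively: a script in .git/hooks/ whose non-zero exit status aborts the commit or push. The following is an added example, not TruffleHog's or pre-commit's own code, that installs such a hook directly. The scanner command is whatever you pass in (the page's own invocation is trufflehog-launcher git main HEAD); install_scan_hook and hook_status are names chosen for this example, and the repository path is assumed.

```bash
#!/usr/bin/env bash
# Added example; not TruffleHog's or pre-commit's own code.
# Installs a plain git hook (no pre-commit framework) that runs a scanner
# command and aborts the commit or push when the scanner exits non-zero.
# The scanner command is supplied by the caller; the page's own invocation
# is `trufflehog-launcher git main HEAD`.

# install_scan_hook REPO HOOK_NAME SCANNER_CMD
# Writes REPO/.git/hooks/HOOK_NAME. SCANNER_CMD is expanded unquoted inside
# the generated hook so that a command with arguments (e.g.
# "trufflehog-launcher git main HEAD") is split into words; a scanner path
# containing spaces would need its own quoting.
install_scan_hook() {
  local repo="$1" hook_name="$2" scanner="$3"
  local hook_dir="$repo/.git/hooks"
  mkdir -p "$hook_dir"
  cat > "$hook_dir/$hook_name" <<EOF
#!/usr/bin/env sh
# Generated by install_scan_hook. git runs this from the repository root and
# without a TTY, so the scanner must not require one (no "docker run -t").
if ! $scanner; then
  echo "$hook_name: secret scanner reported findings or failed; aborting" >&2
  exit 1
fi
exit 0
EOF
  chmod +x "$hook_dir/$hook_name"
}

# hook_status REPO HOOK_NAME
# Runs the installed hook and prints its exit code, so the blocking behaviour
# can be checked without going through git itself.
hook_status() {
  local rc=0
  "$1/.git/hooks/$2" >/dev/null 2>&1 || rc=$?
  echo "$rc"
}

# Usage against a real repository (paths are assumptions for this example):
#   install_scan_hook /path/to/repo pre-commit 'trufflehog-launcher git main HEAD'
#   install_scan_hook /path/to/repo pre-push   'trufflehog-launcher git main HEAD'
```

Any scanner that exits non-zero on findings can be dropped in; the hook does not depend on its output format, only on its exit status. Keep in mind that client-side hooks are advisory: a developer can skip them with git commit --no-verify or git push --no-verify, and a fresh clone has no hooks until someone installs them, so they complement rather than replace scanning on the server or in CI.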