Scanning in CI

Using TruffleHog in CI

You can use TruffleHog in CI to prevent secrets from being merged in Git.

Create a scanning group that is used only for CI, so that the CI credentials cannot reach sources attached to other scanning groups. You will need to provide those credentials to TruffleHog using one of the methods described in the Secrets Management part of the documentation. The Docker example below uses the --env-file flag to pass in the credential information, and the binary example uses the recommended Secret Manager URI to provide credentials via GCP Secrets Manager.

GitHub Actions

If you use GitHub Actions, use the TruffleHog Enterprise Action on the marketplace and follow the instructions there.

CircleCI

Adjust the --since-commit value to match the default branch that people merge into.

# See: https://circleci.com/docs/2.0/configuration-reference
version: 2.1

jobs:
  scan-secrets:
    docker:
      - image: trufflesecurity/trufflehog:latest
    steps:
      - checkout
      - run:
          name: "Scan for secrets"
          # change --since-commit to match your default branch
          command: trufflehog git file://. --since-commit main --branch "$CIRCLE_BRANCH" --fail --only-verified

workflows:
  scan-secrets:
    jobs:
      - scan-secrets
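A portable shell wrapper around the same trufflehog git step, added here as an example (it is not TruffleHog's own code): it resolves the base branch from a hypothetical CI_BASE_BRANCH variable, fetches that branch first because shallow CI checkouts often lack it, and turns the scanner's exit status (non-zero on findings, as described under General Usage) into a pipeline verdict. Assumed: the remote is named origin, and --since-commit accepts a remote-tracking ref such as origin/main.

```shell
#!/usr/bin/env sh
# Hypothetical CI wrapper around the `trufflehog git` step shown in the
# CircleCI config above; it is not part of TruffleHog.
set -eu

# Choose the base ref (the branch people merge into). CI_BASE_BRANCH is a
# hypothetical variable: set it from your CI's pull-request target variable.
# Shallow CI checkouts often lack a local branch for the base, so the
# remote-tracking ref is used (assumption: the remote is named "origin").
resolve_base_ref() {
  base="${CI_BASE_BRANCH:-main}"
  printf 'origin/%s\n' "${base#origin/}"
}

# Build the argument list for `trufflehog git`, using only the flags from the
# CircleCI example: --since-commit, --branch, --fail, --only-verified.
build_scan_args() {
  base_ref="$1"; head_ref="$2"; workdir="${3:-.}"
  printf 'git file://%s --since-commit %s --branch %s --fail --only-verified\n' \
    "$workdir" "$base_ref" "$head_ref"
}

# Turn the scanner's exit status into a CI verdict: TruffleHog exits non-zero
# when there are findings, so anything but 0 blocks the merge.
scan_verdict() {
  case "$1" in
    0) echo "clean: no verified secrets in scanned range" ;;
    *) echo "BLOCK: verified secret(s) found (trufflehog exit $1)" ;;
  esac
}

# Fetch the base branch (a shallow clone usually does not have it), run the
# scan, and propagate the exit status so the pipeline step fails on findings.
run_scan() {
  base_ref="$(resolve_base_ref)"
  head_ref="${CIRCLE_BRANCH:-HEAD}"   # assumption: HEAD is fine outside CircleCI
  git fetch --no-tags origin "${base_ref#origin/}" >/dev/null 2>&1 || true
  set +e
  trufflehog $(build_scan_args "$base_ref" "$head_ref" .)   # splitting intended
  status=$?
  set -e
  scan_verdict "$status"
  return "$status"
}

# Run only when invoked as the CI step, not when sourced for testing.
if [ "${TRUFFLEHOG_CI_RUN:-0}" = "1" ]; then
  run_scan
fi
```

Set TRUFFLEHOG_CI_RUN=1 in the CI step so the scan actually runs; the functions can be sourced without it for local checks.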

General Usage

You can run TruffleHog using the binary directly, or with Docker.

The first expected argument is the base reference, typically the main branch that you merge into, such as main or master. The second argument is the HEAD reference: if your branch is already checked out, you can simply use HEAD; otherwise, give a branch, tag, or commit reference.

TruffleHog will return a non-zero exit code if there are findings.

You can see all of the available flags for the trufflehog-launcher git command below:

$ trufflehog-launcher git --help
usage: TruffleHog git [<flags>] <base> <head> [<workdir>]

Scans a local git repo.

Flags:
      --help                  Show context-sensitive help (also try --help-long and --help-man).
  -v, --debug                 Enable debug mode.
      --trace                 Enable tracing of code line numbers.
      --json                  Enable JSON output.
      --send-error-telemetry  Turns error telemetry off.
      --fail-verified         Only emit failure code for verified findings.
      --quiet                 Only show results.
      --config=CONFIG         Path to configuration file. You can also specify Google Secrets Manager secrets with
                              'gsm://<project_id>/<secret_name>'.

Args:
  <base>       Start scanning from here (usually main branch).
  <head>       Scan commits until here (usually dev branch).
  [<workdir>]  Optional path to the repo to scan.

With Docker

$ docker run --env-file /path/to/trufflehog.env -v "$(pwd):/workdir" -it --rm us-docker.pkg.dev/thog-artifacts/public/scanner:latest git master HEAD /workdir

🐷🔑🐷 TruffleHog. Unearth your secrets. 🐷🔑🐷
version:  dev

WARN[0004] found secret                                  commit=unstaged email=unstaged file=aws redacted=AKIAXYZDQCENUFS46CE4 type=AWS verified=true
INFO[0004] scanned 4 commits                            
WARN[0004] found 1 VERIFIED secrets                     
exit status 1

With the TruffleHog binary

$ ./trufflehog-launcher git --config="gsm://your-gcp-project/your-gcp-secret" master HEAD 

🐷🔑🐷 TruffleHog. Unearth your secrets. 🐷🔑🐷
version:  dev

WARN[0004] found secret                                  commit=unstaged email=unstaged file=aws redacted=AKIAXYZDQCENUFS46CE4 type=AWS verified=true
INFO[0004] scanned 4 commits                            
WARN[0004] found 1 VERIFIED secrets                     
exit status 1

That’s all there is to it!