Scanning in CI
You can use TruffleHog in CI to prevent secrets from being merged in Git.
GitHub Actions
If you use GitHub Actions, use the TruffleHog Enterprise Action on the marketplace and follow the instructions there.
CircleCI
Adjust the --since-commit value to match the default branch that people merge into.
# See: https://circleci.com/docs/2.0/configuration-reference
version: 2.1
jobs:
  scan-secrets:
    docker:
      - image: trufflesecurity/trufflehog:latest
    steps:
      - checkout
      - run:
          name: "Scan for secrets"
          # change --since-commit to match your default branch
          command: trufflehog git file://. --since-commit main --branch "$CIRCLE_BRANCH" --fail --only-verified
workflows:
  scan-secrets:
    jobs:
      - scan-secrets
General Usage
You can run TruffleHog using the binary directly, or with Docker.
The first expected argument is the base reference, typically the main branch that you merge into, such as main or master. The second argument is the HEAD reference. If your branch is already checked out, you can simply use HEAD; otherwise give a branch, tag, or commit reference.
TruffleHog will return a non-zero exit code if there are findings.
You can see all of the available flags for the trufflehog-launcher git command below:
$ trufflehog-launcher git --help
usage: TruffleHog git [<flags>] <base> <head> [<workdir>]

Scans a local git repo.

Flags:
      --help                  Show context-sensitive help (also try --help-long and --help-man).
  -v, --debug                 Enable debug mode.
      --trace                 Enable tracing of code line numbers.
      --json                  Enable JSON output.
      --send-error-telemetry  Turns error telemetry off.
      --fail-verified         Only emit failure code for verified findings.
      --quiet                 Only show results.
      --config=CONFIG         Path to configuration file. You can also specify Google Secrets Manager secrets with
                              'gsm://<project_id>/<secret_name>'.

Args:
  <base>       Start scanning from here (usually main branch).
  <head>       Scan commits until here (usually dev branch).
  [<workdir>]  Optional path to the repo to scan.
With Docker
$ docker run -v "$(pwd):/workdir" -it --rm us-docker.pkg.dev/thog-artifacts/public/scanner:latest git --fail-verified main HEAD /workdir
🐷🔑🐷 TruffleHog. Unearth your secrets. 🐷🔑🐷
version: dev
WARN[0004] found secret commit=unstaged email=unstaged file=aws redacted=AKIAXYZDQCENUFS46CE4 type=AWS verified=true
INFO[0004] scanned 4 commits
WARN[0004] found 1 VERIFIED secrets
exit status 1
With the TruffleHog binary
$ curl -q "https://storage.googleapis.com/thog-releases/trufflehog-scanner/latest/fetch.sh" | bash
$ ./trufflehog --fail-verified git main HEAD
🐷🔑🐷 TruffleHog. Unearth your secrets. 🐷🔑🐷
version: v1.58.3
WARN[0004] found secret commit=unstaged email=unstaged file=aws redacted=AKIAXYZDQCENUFS46CE4 type=AWS verified=true
INFO[0004] scanned 4 commits
WARN[0004] found 1 VERIFIED secrets
exit status 1
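The binary invocation above, wrapped the way a CI step would use it, as an added example that is not part of the TruffleHog documentation. It assumes the scanner binary path is given by a TRUFFLEHOG_BIN variable (defaulting to ./trufflehog, where the fetch.sh step places it) and that the base and head refs are passed in by the pipeline.

```shell
#!/bin/sh
# Added example, not TruffleHog's own code: a CI wrapper around
# `trufflehog --fail-verified git <base> <head>` with explicit exit-code
# handling. Assumption: TRUFFLEHOG_BIN names the scanner binary
# (default ./trufflehog).

# Run the scan and return the scanner's own exit status: 0 when no
# verified secret was found, non-zero when one was (which should fail
# the pipeline step).
run_secret_scan() {
  base="${1:-main}"   # branch that people merge into
  head="${2:-HEAD}"   # the checked-out branch under review
  bin="${TRUFFLEHOG_BIN:-./trufflehog}"
  "$bin" --fail-verified git "$base" "$head"
}

# Translate an exit status into a one-word verdict for the job log.
scan_verdict() {
  if [ "$1" -eq 0 ]; then
    echo "clean"
  else
    echo "verified-secret-found"
  fi
}

# CI entry point: capture the status so `set -e` cannot abort the step
# before the verdict is logged, then propagate it so a verified finding
# still fails the build.
ci_secret_gate() {
  status=0
  run_secret_scan "$1" "$2" || status=$?
  echo "secret scan verdict: $(scan_verdict "$status")"
  return "$status"
}
```

In a pipeline, call `ci_secret_gate main HEAD` from the repository root after the checkout step.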
That’s all there is to it!