Scanning in CI

You can use TruffleHog in CI to prevent secrets from being merged in Git.

GitHub Actions

If you use GitHub Actions, use the TruffleHog Enterprise Action on the marketplace and follow the instructions there.

CircleCI

Adjust the --since-commit value to match your default branch that people merge into.

# See: https://circleci.com/docs/2.0/configuration-reference
version: 2.1

jobs:
  scan-secrets:
    docker:
      - image: trufflesecurity/trufflehog:latest
    steps:
      - checkout
      - run:
          name: "Scan for secrets"
          # change --since-commit to match your default branch
          command: trufflehog git file://. --since-commit main --branch "$CIRCLE_BRANCH" --fail --only-verified

workflows:
  scan-secrets:
    jobs:
      - scan-secrets

General Usage

You can run TruffleHog using the binary directly, or with Docker.

The first expected argument is the base reference, typically the main branch that you merge into, such as main or master. The second argument is the HEAD reference. If your branch is already checked out, you can simply use HEAD, otherwise give a branch, tag, or commit reference.

TruffleHog will return a non-zero exit code if there are findings.

You can see the all of the available flags for the trufflehog-launcher git command below:

$ trufflehog-launcher git --help
usage: TruffleHog git [<flags>] <base> <head> [<workdir>]

Scans a local git repo.

Flags:
      --help                  Show context-sensitive help (also try --help-long and --help-man).
  -v, --debug                 Enable debug mode.
      --trace                 Enable tracing of code line numbers.
      --json                  Enable JSON output.
      --send-error-telemetry  Turns error telemetry off.
      --fail-verified         Only emit failure code for verified findings.
      --quiet                 Only show results.
      --config=CONFIG         Path to configuration file. You can also specify Google Secrets Manager secrets with
                              'gsm://<project_id>/<secret_name>'.

Args:
  <base>       Start scanning from here (usually main branch).
  <head>       Scan commits until here (usually dev branch).
  [<workdir>]  Optional path to the repo to scan.

With Docker

$ docker run -v "$(pwd):/workdir" -it --rm us-docker.pkg.dev/thog-artifacts/public/scanner:latest git --fail-verified main HEAD /workdir

🐷🔑🐷 TruffleHog. Unearth your secrets. 🐷🔑🐷
version:  dev

WARN[0004] found secret                                  commit=unstaged email=unstaged file=aws redacted=AKIAXYZDQCENUFS46CE4 type=AWS verified=true
INFO[0004] scanned 4 commits                            
WARN[0004] found 1 VERIFIED secrets                     
exit status 1

With the TruffleHog binary

$ curl -q "https://storage.googleapis.com/thog-releases/trufflehog-scanner/latest/fetch.sh" | bash

$ ./trufflehog --fail-verified git main HEAD 

🐷🔑🐷 TruffleHog. Unearth your secrets. 🐷🔑🐷
version:  v1.58.3

WARN[0004] found secret                                  commit=unstaged email=unstaged file=aws redacted=AKIAXYZDQCENUFS46CE4 type=AWS verified=true
INFO[0004] scanned 4 commits                            
WARN[0004] found 1 VERIFIED secrets                     
exit status 1

That’s all there is to it!