# Scan data for secrets: GitHub
## Configuration options

Source integration to GitHub, the developer platform.

### Web configuration

You can configure this integration via the web UI through the Integrations tab, or you can use a local configuration file as outlined below.

### Local configuration

The GitHub integration supports the following authentication methods:

- Bearer token
- GitHub App authentication

Personal access tokens (classic) should be created with the following scopes: `repo`, `gist`, and `read:org` (fine-grained tokens are not supported).

#### Access token

```yaml
sources:
  - connection:
      '@type': type.googleapis.com/sources.GitHub
      endpoint: https://github.ourbusiness.com
      token: xxxxxxxxxxxxxxxxxxxxxxxxxx
      ignoreRepos:
        - trufflesecurity/trufflehog
      includeForks: false
      includeGistComments: true
      includeIssueComments: true
      includePullRequestComments: true
      scanUsers: false
      skipBinaries: true
    name: github
    scanPeriod: 12h
    type: SOURCE_TYPE_GITHUB
    verify: true
```

### GitHub App authentication configuration

You may create/register a GitHub App to utilize TruffleHog. It is possible to use a single GitHub App to scan repos in multiple accounts/organizations, as long as the App is installed on all of those accounts.

To run a locally configured scan using a GitHub App, there are three steps:

1. Create/register a new GitHub App.
2. Install the GitHub App on the account(s).
3. Add a source configuration using the new GitHub App to your local configuration file.

You will need to configure a separate TruffleHog source integration for each account/organization you wish to scan with your App.

#### Create/register a new GitHub App

Below are the steps to [create/register](https://docs.github.com/en/apps/creating-github-apps/writing-code-for-a-github-app/quickstart#step-3-register-a-github-app) a new GitHub App:

1. Sign in to GitHub.
2. In the upper-right corner, click your profile photo.
3. Navigate to your account settings:
   - For an App owned by a personal account, click ⚙️ Settings.
   - For an App owned by an organization, click Your organizations; to the right of the organization, click ⚙️ Settings.
4. In the left sidebar, click <> Developer settings.
5. Click New GitHub App.
6. Under "GitHub App name", enter a name for your app, for example, TruffleHog Scanner App.
7. Under "Homepage URL", enter your instance URL: `https://<myorgnamespace>.c1.prod.trufflehog.org`.
8. Make sure that Active is selected under "Webhook".
9. Under "Webhook URL", enter the following webhook proxy URL: `https://<myorgnamespace>.c1.prod.trufflehog.org/sources/github/webhook`.
10. Under "Permissions":
    - Under "Repository permissions":
      - Next to "Contents", select Read-only access permission.
      - "Metadata (mandatory)": select Read-only access permission.
      - "Webhooks": select Read and write access permissions.
    - Under "Organization permissions":
      - Next to "Members", select Read-only access permission.
      - "Webhooks": select Read and write access permissions.
    - Under "Account permissions":
      - "Gists": select Read and write access permissions.
11. Under "Where can this GitHub App be installed?", select:
    - Only on this account, if you want to allow this GitHub App to be installed only on the account that you are using to create the App.
    - Any account, if you are going to allow this GitHub App to be installed on any user or organization.
12. Click Create GitHub App.

After the GitHub App is created/registered successfully, you need to generate a new private key for your App from Settings > Developer settings > GitHub Apps > About > Private keys > "Generate a private key". Keep in mind you can always come back here in the future and generate a new private key for your App. If you are installing the App on multiple accounts, you can use a single key for all of them.

Navigate to Settings / Developer settings / GitHub Apps and select your App. Under About, find your AppID.

(Screenshot: example AppID)

#### Install your App

Next, you need to install your App. Below are the steps to [install](https://docs.github.com/en/apps/creating-github-apps/writing-code-for-a-github-app/quickstart#step-5-install-your-app) your new GitHub App:

1. From Developer settings, navigate to GitHub Apps and select your App.
2. On the left-hand panel, under General, click on Install App.
3. Click on Install.
4. Make sure the All repositories option is selected.
5. Double-check the permissions and click on Install.

If you navigate to Settings, under Integrations, click on Applications; you should see the new App under the Installed GitHub Apps list.

From the Developer settings page, click on the App from the list of your GitHub Apps. Under General, click on Install App. Click on ⚙️ on the right-hand side of the account for which you installed the App, and check the URL: `https://github.com/settings/installations/<id>`. The number at the end is your App's InstallationID. A new installation ID is generated for each account the App is installed on.

(Screenshot: example InstallationID)

Once you run your local scan with a configuration YAML file similar to the one shown below, TruffleHog will pick up and scan the configured GitHub source automatically! If you need to run the App for multiple accounts, you need to add a new source using the same AppID with each account's InstallationID and a different name.

#### GitHub App authentication

```yaml
sources:
  - connection:
      '@type': type.googleapis.com/sources.GitHub
      repositories:
        - https://github.com/sandbox/test-secrets.git
        - https://github.com/sandbox/test-repo.git
      githubApp:
        privateKey: |
          -----BEGIN RSA PRIVATE KEY-----
          xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
          xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
          -----END RSA PRIVATE KEY-----
        installationId: "54544692"
        appId: "989473"
      ignoreRepos:
        - trufflesecurity/trufflehog
      includeForks: false
      includeGistComments: true
      includeIssueComments: true
      includePullRequestComments: true
      scanUsers: false
      skipBinaries: true
    name: github-test-1
    scanPeriod: 12h
    type: SOURCE_TYPE_GITHUB
    verify: true
```

If you wish, you can later [delete the GitHub App](https://docs.github.com/en/apps/maintaining-github-apps/deleting-a-github-app#deleting-a-github-app), create/register a new GitHub App, update the configuration file, and use the new App to run TruffleHog.

### Keys

| Key | Description | Required |
| --- | --- | --- |
| endpoint | Endpoint for accessing GitHub. Omitting it will use GitHub Cloud. | No |
| repositories | List of repositories to be included in the scan. Omitting this will enumerate instead (recommended). | No |
| organizations | List of organizations to be included in the scan. Omitting this will enumerate instead (recommended). | No |
| scanUsers | Enumerate organization members and scan their public repositories. | No |
| includeForks | Whether to include forked repositories in the scan. If omitted or set to false, all forked repositories will be skipped. | No |
| head | The name of the branch to be used as the head. | No |
| base | The name of the branch to be used as the base. | No |
| ignoreRepos | List of repositories to be excluded from the scan. | No |
| includeRepos | List of repositories to be specifically included in the scan. | No |
| includePullRequestComments | Whether to include pull request comments in the scan. | No |
| includeIssueComments | Whether to include issue comments in the scan. | No |
| includeGistComments | Whether to include gist comments in the scan. | No |
| skipBinaries | Whether to exclude binary files from the scan. | No |
| skipArchives | Whether to exclude archive files from the scan. | No |
| includeWikis | Whether to include wikis in the scan. | No |

## Capabilities

| Feature | Supported |
| --- | --- |
| Scan archive files | ✅ |
| Scan archived repositories | ✅ |
| Scan base64-encoded data | ✅ |
| Scan binaries | ✅ |
| Comments | ✅ |
| Gists | ✅ |
| Include/exclude filter | ✅ |
| Forks | ✅ |
| History | ✅ |
| Pre-commit | ✅ |
| Pre-receive | ✅ |
| Real-time scanning | ❌ |
| Auto-resume | ✅ |
| Version history | ✅ |
| Scan in continuous integration (CI) | ✅ |

## Notes

- TruffleHog does not scan diffs greater than 1 GB.
- Scanning in GitHub Actions is supported but requires additional setup.
- When creating a personal access token, make sure you create a "classic" token. Fine-grained tokens are not supported.
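A small pre-flight check for the local configuration file described above, covering both the access-token and GitHub App forms, is added here as an example; it is not TruffleHog's own code. It assumes the camelCase key names and `SOURCE_TYPE_GITHUB` value shown in the YAML samples, and assumes (from GitHub's token formats, not from this page) that fine-grained tokens start with `github_pat_`.

```python
"""Sanity-check a local TruffleHog GitHub source config (added example, not
TruffleHog's code). Load the YAML with PyYAML's safe_load, then call check_config()."""
import re

GITHUB_TYPE = "type.googleapis.com/sources.GitHub"
# Assumed token formats (not on this page): classic PATs "ghp_", fine-grained "github_pat_".
FINE_GRAINED_PREFIX = "github_pat_"
REPO_RE = re.compile(r"^[\w.-]+/[\w.-]+$")  # ignoreRepos/includeRepos use owner/repo
PERIOD_RE = re.compile(r"^\d+[hms]$")      # scanPeriod such as 12h

def check_source(src: dict) -> list[str]:
    """Return the problems found in one source entry; [] means it looks fine."""
    problems = []
    conn = src.get("connection", {})
    if conn.get("@type") != GITHUB_TYPE:
        problems.append("connection.@type is not sources.GitHub")
    creds = [k for k in ("token", "githubApp") if k in conn]
    if len(creds) != 1:  # exactly one credential per source
        problems.append(f"expected exactly one credential, got {creds}")
    if str(conn.get("token", "")).startswith(FINE_GRAINED_PREFIX):
        problems.append("fine-grained PAT is not supported; use a classic token")
    app = conn.get("githubApp")
    if app is not None:
        for key in ("privateKey", "installationId", "appId"):
            if not isinstance(app.get(key), str):  # ids must be quoted in YAML
                problems.append(f"githubApp.{key} must be a quoted string")
        if "BEGIN RSA PRIVATE KEY" not in str(app.get("privateKey", "")):
            problems.append("githubApp.privateKey is not a PEM RSA private key")
    for field in ("ignoreRepos", "includeRepos"):
        for repo in conn.get(field, []):
            if not REPO_RE.match(str(repo)):
                problems.append(f"{field} entry {repo!r} is not owner/repo")
    if not PERIOD_RE.match(str(src.get("scanPeriod", ""))):
        problems.append("scanPeriod should be a duration such as 12h")
    return problems

def check_config(doc: dict) -> dict[str, list[str]]:
    """Map each source name to its problems."""
    return {s.get("name", "?"): check_source(s) for s in doc.get("sources", [])}

# Constructed sample: the page's GitHub App source plus one faulty token source.
PEM = "-----BEGIN RSA PRIVATE KEY-----\nxxxx\n-----END RSA PRIVATE KEY-----\n"
SAMPLE = {"sources": [
    {"connection": {"@type": GITHUB_TYPE, "ignoreRepos": ["trufflesecurity/trufflehog"],
                    "githubApp": {"privateKey": PEM, "installationId": "54544692", "appId": "989473"}},
     "name": "github-test-1", "scanPeriod": "12h", "type": "SOURCE_TYPE_GITHUB", "verify": True},
    {"connection": {"@type": GITHUB_TYPE, "token": "github_pat_EXAMPLE",
                    "ignoreRepos": ["https://github.com/sandbox/test-repo.git"]},
     "name": "github-bad", "scanPeriod": "12h", "type": "SOURCE_TYPE_GITHUB", "verify": True}]}
```

Running `check_config(SAMPLE)` reports no problems for `github-test-1` and flags the fine-grained token and the URL-style `ignoreRepos` entry in `github-bad`.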