GitHub
Source integration to GitHub, the developer platform.
The GitHub integration supports the following authentication methods:
- Bearer token
- GitHub app authentication
Personal Access Tokens (classic) should be created with the following scopes: repo, gist, and read:org. (Fine-grained tokens are not supported.)
You may create/register a GitHub App to use with TruffleHog. A single GitHub App can scan repositories in multiple accounts/organizations as long as the app is installed on each of those accounts. To run a locally configured scan using a GitHub App, there are three steps:
- Create/register a new GitHub App
- Install the GitHub app on the account(s)
- Add a source configuration using the new GitHub app to your local configuration file
You will need to configure a separate TruffleHog source integration for each account/organization you wish to scan with your app.
Below are the steps to create/register a new GitHub app.
- Sign in to GitHub
- In the upper-right corner, click your profile photo
- Navigate to your account settings
  - For an app owned by a personal account, click ⚙️ Settings
  - For an app owned by an organization:
    - Click Your organizations
    - To the right of the organization, click ⚙️ Settings
- In the left sidebar, click <> Developer settings
- Click New GitHub App
- Under "GitHub App name", enter a name for your app. For example, TruffleHog-scanner-app
- Under "Homepage URL", enter your instance URL: https://<myorgnamespace>.c1.prod.trufflehog.org
- Make sure that Active is selected under "Webhook"
- Under "Webhook URL", enter the following webhook proxy URL: https://<myorgnamespace>.c1.prod.trufflehog.org/sources/github/webhook
- Under "Permissions":
  - Under "Repository permissions", next to:
    - "Contents", select Read-only access permission
    - "Metadata (mandatory)", select Read-only access permission
    - "Webhooks", select Read-and-write access permissions
  - Under "Organization permissions", next to:
    - "Members", select Read-only access permission
    - "Webhooks", select Read-and-write access permissions
  - Under "Account permissions", next to:
    - "Gists", select Read-and-write access permissions
- Under "Where can this GitHub App be installed?", select:
  - Only on this account if you want to allow this GitHub App to be installed only on the account you are using to create the app
  - Any account if you want to allow this GitHub App to be installed on any user or organization
- Click Create GitHub App
- After the GitHub app is created/registered successfully you need to generate a new private key for your app from Settings > Developer settings > GitHub Apps > About > Private keys > "Generate a private key". Keep in mind you can always come back here in the future and generate a new private key for your app. If you are installing the app on multiple accounts you can use a single key for all of them.
- Navigate to Settings / Developer settings / GitHub Apps and select your app
- Under About, find your AppID
Next, you need to install your app. Below are the steps to install your new GitHub app.
- From Developer settings navigate to GitHub Apps and select your app
- On the left hand panel, under General click on Install App
- Click on Install
- Make sure the All repositories option is selected
- Double check the permissions and click on Install
- If you navigate to Settings > Integrations > Applications, you should see the new app under the Installed GitHub Apps list
- From the Developer settings page, click the app in the list of your GitHub Apps, then under General click Install App
- Click ⚙️ on the right-hand side of the account on which you installed the app and check the URL: https://github.com/settings/installations/<ID>. The number at the end is your app's InstallationID. A new InstallationID is generated for each account the app is installed on.
Once you run your local scan with a configuration YAML file similar to the one shown below, TruffleHog will pick up and scan the configured GitHub source automatically. If you need to run the app for multiple accounts, add a new source for each account using the same AppID, that account's InstallationID, and a different name.
If you wish, you can later delete the GitHub App, create/register a new GitHub App, update the configuration file, and use the new app to run TruffleHog.
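The permission list above is the minimum the app needs; anything beyond it is unnecessary exposure for a read-mostly scanner. The following Python snippet is an added example, not TruffleHog's own code: it compares the permissions GitHub reports for an installation against that documented minimum, and recovers the InstallationID from the settings URL named in the install steps. The permission slug names and the shape of the installation object are assumptions modelled on GitHub's REST API; the sample installation is constructed.

```python
import re

# Permissions the steps above ask for, as GitHub-API style permission slugs
# and levels. Slug names are an assumption for this example; the levels
# (read / read-and-write) are the ones documented on this page.
REQUIRED = {
    "contents": "read",
    "metadata": "read",
    "repository_hooks": "write",    # Repository permissions > Webhooks
    "organization_hooks": "write",  # Organization permissions > Webhooks
    "members": "read",
    "gists": "write",
}
LEVEL = {"read": 1, "write": 2, "admin": 3}

# Constructed sample shaped like a GitHub installation object (shape assumed);
# it was granted an extra "administration" permission this page never asks for.
INSTALLATION = {
    "id": 12345678,
    "account": {"login": "example-org"},
    "permissions": {
        "contents": "read",
        "metadata": "read",
        "repository_hooks": "write",
        "organization_hooks": "write",
        "members": "read",
        "gists": "write",
        "administration": "write",
    },
}


def check_permissions(granted, required=REQUIRED):
    """Return (missing, excess): required permissions absent or below the
    required level, and permissions not required or granted above it."""
    missing = {k: v for k, v in required.items()
               if LEVEL.get(granted.get(k), 0) < LEVEL[v]}
    excess = {k: v for k, v in granted.items()
              if k not in required or LEVEL.get(v, 0) > LEVEL[required[k]]}
    return missing, excess


def installation_id(url):
    """Recover the InstallationID from the settings URL named in the steps
    above; the organization form of that URL is accepted as well."""
    m = re.fullmatch(r"https://github\.com/(?:organizations/[^/]+/)?"
                     r"settings/installations/(\d+)", url.strip())
    if not m:
        raise ValueError(f"not an installation settings URL: {url!r}")
    return int(m.group(1))
```

Run `check_permissions` against each installation's permissions before adding its InstallationID to the configuration; a non-empty `excess` means the app was granted more than this page requires.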
Key | Description | Required |
---|---|---|
endpoint | Endpoint for accessing GitHub. Omitting it will use GitHub cloud. | No |
repositories | List of repositories to be included in the scan. Omitting this will enumerate instead (recommended). | No |
organizations | List of organizations to be included in the scan. Omitting this will enumerate instead (recommended). | No |
scanUsers | Enumerate organization members and scan their public repositories | No |
includeForks | Whether to include forked repositories in the scan | No |
head | The name of the branch to be used as the head | No |
base | The name of the branch to be used as the base | No |
ignoreRepos | List of repositories to be excluded from the scan | No |
includeRepos | List of repositories to be specifically included in the scan | No |
includePullRequestComments | Whether to include pull request comments in the scan | No |
includeIssueComments | Whether to include issue comments in the scan | No |
includeGistComments | Whether to include gist comments in the scan | No |
skipBinaries | Whether to exclude binary files from the scan | No |
skipArchives | Whether to exclude archive files from the scan | No |
includeWikis | Whether to include wikis in the scan | No |
Feature | Supported |
---|---|
Scan archive files | ✅ |
Scan archived repositories | ✅ |
Scan base64 encoded data | ✅ |
Scan binaries | ✅ |
Comments | ✅ |
Gists | ✅ |
Include/Exclude Filter | ✅ |
Forks | ✅ |
History | ✅ |
Pre-commit | ✅ |
Pre-receive | ✅ |
Real time scanning | ❌ |
Auto resume | ✅ |
Version history | ✅ |
Scan in Continuous Integration (CI) | ✅ |
Notes:
- TruffleHog does not scan diffs greater than 1 GB.
- Scanning in GitHub Actions is supported but requires additional setup.
- When creating a personal access token, make sure you create a "classic" token. Fine-grained tokens are not supported.