# GitHub Real-time

Edition: Enterprise only

The GitHub Real-time integration scans GitHub push events as they occur, detecting credentials and other sensitive data the moment code is pushed. For non-real-time scanning of repositories, gists, issues, and pull requests, see the GitHub source instead.

## Configuration

The GitHub Real-time integration is configured via a local configuration file. Web configuration in TruffleHog is not available for this source.

GitHub Real-time requires setup in two places:

- A local configuration file (covered in [Local configuration](#local-configuration) below)
- A webhook in GitHub that sends push events to TruffleHog (covered in [Configure GitHub to send push events](#configure-github-to-send-push-events) below)

### Local configuration

GitHub Real-time supports the same authentication methods as the GitHub source: token-based and GitHub App. For details on creating tokens or GitHub Apps, see the GitHub source documentation; the rest of this section covers what is specific to Real-time.

Both modes require a `webhookSecret`: a high-entropy value shared between TruffleHog and GitHub that is used to validate incoming push event deliveries.

#### Access token

Use this with a GitHub personal access token:

```yaml
sources:
  - connection:
      "@type": type.googleapis.com/sources.GitHubRealtime
      token: xxxxxxxxxxxxxxxxxxxxxxxxxx
      webhookSecret: xxxxx
    name: GitHub Real-time
    type: SOURCE_TYPE_GITHUB_REALTIME
    verify: true
```

#### GitHub App

Use this with a GitHub App:

```yaml
sources:
  - connection:
      "@type": type.googleapis.com/sources.GitHubRealtime
      githubApp:
        appId: xxxxx
        installationId: xxxxx
        privateKey: |
          -----BEGIN RSA PRIVATE KEY-----
          xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
          -----END RSA PRIVATE KEY-----
      webhookSecret: xxxxx
    name: GitHub Real-time
    type: SOURCE_TYPE_GITHUB_REALTIME
    verify: true
```

### Configure GitHub to send push events

In addition to configuring TruffleHog to receive push events, you must configure a [GitHub webhook](https://docs.github.com/en/webhooks/using-webhooks/creating-webhooks) to send them. Webhooks can be configured at the [repository](https://docs.github.com/en/webhooks/using-webhooks/creating-webhooks#creating-a-repository-webhook), [organization](https://docs.github.com/en/webhooks/using-webhooks/creating-webhooks#creating-an-organization-webhook), or [GitHub App](https://docs.github.com/en/webhooks/using-webhooks/creating-webhooks#creating-webhooks-for-a-github-app) level. Any webhook type works with either authentication method.

Configure the webhook with the following values:

| Field | Value |
| --- | --- |
| Payload URL | `https://<your-trufflehog-domain>/sources/github/webhook` |
| Content type | `application/json` |
| Which events | Push events only |
| Secret | A high-entropy value you generate. Copy this into `webhookSecret` in your TruffleHog configuration. |

A single GitHub Real-time integration can accept events from multiple webhooks of different types, for example two repository webhooks and one organization webhook. All webhooks feeding the same integration must share the same secret, and the integration's configured credentials must have access to every repository that sends push events to it.

### Multiple integrations

If you run multiple GitHub Real-time integrations, give them the same name so scanning work is distributed across them. Different names cause each integration to scan every event, duplicating work.

## Configuration options

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `webhookSecret` | string | Yes | Secret shared with GitHub, used to validate push event deliveries. Treat as a sensitive value. |

For all other fields, see the GitHub source documentation.

## Capabilities

| Feature | Supported |
| --- | --- |
| Real-time scanning | ✅ |
| Scan archive files | ✅ |
| Scan base64-encoded data | ✅ |
| Scan binaries | ✅ |
| Scan gists | ✅ |
| Scan forks | ✅ |
| Scan history | ✅ |

## Notes

- The integration's interface and behavior may change as it matures.
- Only the first 2,048 commits in each push event are scanned; additional commits are skipped.
- Comments and include/exclude filters are not supported.
- The integration scans every push event delivered by configured webhooks. GitHub does not send push events in certain uncommon circumstances; see the [GitHub webhook documentation](https://docs.github.com/en/webhooks/webhook-events-and-payloads#push) for details.
- If a scanner is stopped and resumed within seven days, it scans every push event that arrived while it was stopped. If the scanner stays stopped for more than seven days, the interim events are ignored.
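To make concrete what the shared `webhookSecret` buys you, here is an added example (not TruffleHog's code, and not how its receiver is implemented) of the checks a push-event receiver performs on each delivery: it recomputes GitHub's documented `X-Hub-Signature-256` header (`sha256=` followed by the hex HMAC-SHA256 of the raw request body keyed with the secret), compares it in constant time, accepts only `push` events, and applies the 2,048-commit cap from the notes. The secret, payload, and commit ids below are constructed sample values.

```python
"""Validate a GitHub push-event webhook delivery with a shared secret.

Added example; not TruffleHog's own implementation. The header names and
signature format follow GitHub's documented webhook behaviour.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# From the page's notes: only the first 2,048 commits per push are scanned.
MAX_COMMITS_PER_PUSH = 2048


def sign_payload(secret: str, body: bytes) -> str:
    """Compute the value GitHub sends in X-Hub-Signature-256 for this body."""
    digest = hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def verify_signature(secret: str, body: bytes, signature_header: Optional[str]) -> bool:
    """Reject unsigned or mis-signed deliveries; compare in constant time so
    response timing does not leak information about the expected value."""
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected, signature_header)


def commits_to_scan(push_event: dict) -> List[dict]:
    """Return the commits that would actually be scanned, applying the cap."""
    commits = push_event.get("commits", [])
    return commits[:MAX_COMMITS_PER_PUSH]


def handle_delivery(secret: str, headers: Dict[str, str], body: bytes) -> Tuple[bool, str, List[dict]]:
    """Return (accepted, reason, commits). Anything that is not a correctly
    signed push event is rejected before the body is parsed."""
    if headers.get("X-GitHub-Event") != "push":
        return False, "not a push event", []
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return False, "bad signature", []
    event = json.loads(body)
    return True, "ok", commits_to_scan(event)


# Constructed sample delivery (not a real GitHub payload or secret).
SECRET = "example-high-entropy-webhook-secret"
SAMPLE_BODY = json.dumps({
    "ref": "refs/heads/main",
    "repository": {"full_name": "example-org/example-repo"},
    "commits": [
        {"id": "a" * 40, "message": "add config"},
        {"id": "b" * 40, "message": "fix typo"},
    ],
}).encode("utf-8")
SAMPLE_HEADERS = {
    "X-GitHub-Event": "push",
    "X-Hub-Signature-256": sign_payload(SECRET, SAMPLE_BODY),
}

if __name__ == "__main__":
    accepted, reason, commits = handle_delivery(SECRET, SAMPLE_HEADERS, SAMPLE_BODY)
    print(accepted, reason, [c["id"][:7] for c in commits])
```

Because the signature is computed over the raw bytes, the receiver must verify before any JSON parsing or re-serialization; a body that differs by a single byte, or a delivery signed with a different secret, is rejected. This is also why every webhook feeding one integration has to share the same secret: there is a single expected key per receiver.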


