# Google Cloud Storage (GCS)
**Open source feature:** This feature is available in both TruffleHog open source and TruffleHog Enterprise!

Source integration to GCS, the managed cloud storage service.

## Configuration

Buckets that the given credentials can list and access will be scanned.

### Web configuration

You can configure this integration via the web UI through the Integrations tab, or you can use a local configuration file as outlined below.

### Local configuration

`projectId` is required. If you omit providing buckets, then all buckets that the credential can list and access will be scanned.

When using the include/exclude filters for buckets or objects, the include filters take precedence if both are specified. It is recommended to only use one of the two filters for each.

#### GCS with IAM credentials (recommended)

Configuration:

```yaml
sources:
- connection:
    '@type': type.googleapis.com/sources.GCS
    adc: {}
    excludeBuckets:
    - bucket3
    excludeObjects:
    - object3
    includeBuckets:
    - bucket1
    - bucket2
    includeObjects:
    - object1
    - object2
    projectId: my-project
  name: gcs
  scanPeriod: 12h
  type: SOURCE_TYPE_GCS
  verify: true
```

Example IAM policy:

```json
{
  "version": "1",
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": [
        "user:<user-email>"
      ]
    },
    {
      "role": "roles/viewer",
      "members": [
        "user:<user-email>"
      ]
    }
  ]
}
```

#### GCS with service account file (JSON)

Configuration:

```yaml
sources:
- connection:
    '@type': type.googleapis.com/sources.GCS
    excludeBuckets:
    - bucket3
    excludeObjects:
    - object3
    includeBuckets:
    - bucket1
    - bucket2
    includeObjects:
    - object1
    - object2
    projectId: my-project
    serviceAccountFile: /path/to/service-account.json
  name: gcs
  scanPeriod: 12h
  type: SOURCE_TYPE_GCS
  verify: true
```

Example IAM policy:

```json
{
  "version": "1",
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": [
        "user:<user-email>"
      ]
    },
    {
      "role": "roles/viewer",
      "members": [
        "user:<user-email>"
      ]
    }
  ]
}
```

#### GCS without authentication

Can only be used for public buckets. Since these scans are unauthenticated, you must specify which buckets are to be scanned.

Unauthenticated:

```yaml
sources:
- connection:
    '@type': type.googleapis.com/sources.GCS
    excludeObjects:
    - object3
    includeBuckets:
    - bucket1
    - bucket2
    includeObjects:
    - object1
    - object2
    unauthenticated: {}
  name: gcs
  scanPeriod: 12h
  type: SOURCE_TYPE_GCS
  verify: true
```

## Options

| Key | Description | Required |
| --- | --- | --- |
| `projectId` | GCP project ID | Yes |
| `includeBuckets` | Buckets to be included. Omit to enumerate instead | No |
| `excludeBuckets` | Buckets to be excluded | No |
| `includeObjects` | Objects to be included; supports globbing | No |
| `excludeObjects` | Objects to be excluded; supports globbing | No |
| `maxObjectSize` | The maximum size of the object | No |

## Capabilities

| Feature | Supported |
| --- | --- |
| Scan archive files | ✅ |
| Scan base64 encoded data | ✅ |
| Scan binaries | ✅ |
| Scan Microsoft Office documents | ✅ |
| Exclude filter | ✅ |
| Include filter | ✅ |
| Auto resume | ✅ |
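To preview which objects a connection block would put in scope before deploying it, the filter rules from the local configuration notes can be modelled as below. This is an added example, not TruffleHog's own code: the function names, the sample listing, the use of `fnmatch` as a stand-in for the scanner's glob matching, exact-name matching for buckets, and the reading of "include takes precedence" as "the exclude list is ignored" are all assumptions.

```python
from fnmatch import fnmatchcase

def select(names, include, exclude, glob=False):
    """Apply one include/exclude pair to a list of names."""
    match = fnmatchcase if glob else (lambda name, pattern: name == pattern)
    if include:  # assumption: a non-empty include list wins and exclude is ignored
        return [n for n in names if any(match(n, p) for p in include)]
    if exclude:
        return [n for n in names if not any(match(n, p) for p in exclude)]
    return list(names)

def scan_scope(conn, listing):
    """Return (warnings, [(bucket, object), ...]) for one parsed `connection` mapping.

    `listing` maps each bucket the credential can list to its object names.
    """
    if "unauthenticated" in conn and not conn.get("includeBuckets"):
        raise ValueError("unauthenticated scans must name includeBuckets")
    warnings = [
        f"exclude{kind} is ignored because include{kind} is set"
        for kind in ("Buckets", "Objects")
        if conn.get("include" + kind) and conn.get("exclude" + kind)
    ]
    # Assumption: buckets match by exact name; the page documents globbing for objects only.
    buckets = select(sorted(listing), conn.get("includeBuckets"), conn.get("excludeBuckets"))
    scope = []
    for bucket in buckets:
        objects = select(sorted(listing[bucket]), conn.get("includeObjects"),
                         conn.get("excludeObjects"), glob=True)
        scope += [(bucket, obj) for obj in objects]
    return warnings, scope

# Constructed sample data: a bucket listing and two connection blocks.
LISTING = {
    "bucket1": ["logs/app.log", "backup.tar.gz"],
    "bucket2": ["logs/db.log"],
    "bucket3": ["logs/old.log"],
}
BOTH = {"adc": {}, "projectId": "my-project",
        "includeBuckets": ["bucket1", "bucket2"], "excludeBuckets": ["bucket3"],
        "includeObjects": ["logs/*"], "excludeObjects": ["logs/db.log"]}
EXCLUDE_ONLY = {"adc": {}, "projectId": "my-project",
                "excludeBuckets": ["bucket3"], "excludeObjects": ["*.tar.gz"]}

if __name__ == "__main__":
    for label, conn in (("both filters", BOTH), ("exclude only", EXCLUDE_ONLY)):
        print(label, *scan_scope(conn, LISTING), sep="\n  ")
```

With both filters set, `logs/db.log` stays in scope even though it is listed under `excludeObjects`, which is the surprise the one-filter recommendation avoids.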