# Google Cloud Storage (GCS)
**Edition:** Enterprise + Open Source

The Google Cloud Storage integration scans objects in [GCS](https://cloud.google.com/storage) buckets for credentials and other sensitive data.

## Configuration

The GCS integration can be configured in TruffleHog under **Integrations**, or via a local configuration file (below).

### Web configuration

Configure this integration from the **Integrations** page in TruffleHog. You'll need credentials for an identity with read access to the GCP project and buckets you want to scan.

### Local configuration

Local configuration supports three authentication modes:

- **IAM credentials (recommended)**: uses Application Default Credentials (ADC) from the standard GCP credential chain.
- **Service account file**: uses a service account JSON key file on disk.
- **Unauthenticated**: for public buckets that don't require authentication.

The `projectId` field is required for all authenticated modes.

Buckets the credentials can list and access are scanned automatically. To restrict the scan, use `includeBuckets` to specify a list, or `excludeBuckets` to skip specific ones. The same applies to objects via `includeObjects` and `excludeObjects`. If both include and exclude filters are specified for the same scope, the include filter takes precedence; it's recommended to use only one or the other.

#### IAM credentials

Use this when GCP credentials are available via Application Default Credentials (environment variables, `gcloud auth`, or Workload Identity).

```yaml
sources:
  - connection:
      "@type": type.googleapis.com/sources.GCS
      adc: {}
      projectId: my-project
      includeBuckets:
        - bucket1
        - bucket2
      excludeBuckets:
        - bucket3
      includeObjects:
        - object1
        - object2
      excludeObjects:
        - object3
    name: gcs
    scanPeriod: 12h
    type: SOURCE_TYPE_GCS
    verify: true
```

#### Service account file

Use this when authenticating with a service account JSON key stored on the scanner host.

```yaml
sources:
  - connection:
      "@type": type.googleapis.com/sources.GCS
      serviceAccountFile: /path/to/service-account.json
      projectId: my-project
      includeBuckets:
        - bucket1
        - bucket2
      excludeBuckets:
        - bucket3
      includeObjects:
        - object1
        - object2
      excludeObjects:
        - object3
    name: gcs
    scanPeriod: 12h
    type: SOURCE_TYPE_GCS
    verify: true
```

#### Unauthenticated

Use this for public buckets only. Since enumeration requires authentication, `includeBuckets` is required in this mode.

```yaml
sources:
  - connection:
      "@type": type.googleapis.com/sources.GCS
      unauthenticated: {}
      includeBuckets:
        - bucket1
        - bucket2
      includeObjects:
        - object1
        - object2
      excludeObjects:
        - object3
    name: gcs
    scanPeriod: 12h
    type: SOURCE_TYPE_GCS
    verify: true
```

## Example IAM policy

The identity used to access GCS needs the following roles, attached either directly (for IAM credentials) or to the service account being used:

```json
{
  "version": "1",
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": ["user:<user email>"]
    },
    {
      "role": "roles/storage.bucketViewer",
      "members": ["user:<user email>"]
    }
  ]
}
```

The `storage.bucketViewer` role allows listing buckets in the project. The `storage.objectViewer` role allows reading object contents within those buckets.

## Configuration options

| Field | Type | Required | Description |
|---|---|---|---|
| `projectId` | string | Conditional | The GCP project ID. Required for IAM credentials and service account modes. |
| `adc` | object | Conditional | Empty object indicating credentials should be sourced from Application Default Credentials. Required for IAM credentials mode. |
| `serviceAccountFile` | string | Conditional | Path to a service account JSON key file. Required for service account mode. |
| `unauthenticated` | object | Conditional | Empty object indicating no authentication. Required for unauthenticated mode. |
| `includeBuckets` | list | No | Explicit list of buckets to scan. Omit to scan all buckets the credentials can list. Required in unauthenticated mode. |
| `excludeBuckets` | list | No | Buckets to skip during scanning. |
| `includeObjects` | list | No | Objects to include. Supports glob patterns (`*`). |
| `excludeObjects` | list | No | Objects to skip during scanning. Supports glob patterns (`*`). |
| `maxObjectSize` | integer | No | Maximum object size in bytes. Objects larger than this are skipped. |

## Capabilities

| Feature | Supported |
|---|---|
| Scan GCS objects | ✅ |
| Scan archive files | ✅ |
| Scan base64-encoded data | ✅ |
| Scan binaries | ✅ |
| Scan Microsoft Office documents | ✅ |
| Include / exclude filters | ✅ |
| Auto resume | ✅ |
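As an added example (not part of this page or of TruffleHog's own code), a small Python validator that checks a parsed `connection` block against the rules stated in the configuration section: exactly one authentication mode, `projectId` required for the authenticated modes, `includeBuckets` required in unauthenticated mode, and a warning when include and exclude filters are set for the same scope. It operates on the dict you would get from loading the YAML; the two sample blocks are constructed for the demonstration.

```python
from typing import Any

AUTH_MODES = ("adc", "serviceAccountFile", "unauthenticated")


def validate_gcs_connection(conn: dict[str, Any]) -> dict[str, list[str]]:
    """Check one parsed `connection` block against the rules documented above.

    Returns {"errors": [...], "warnings": [...]}; an empty "errors" list means
    the block satisfies the documented requirements.
    """
    errors: list[str] = []
    warnings: list[str] = []

    modes = [m for m in AUTH_MODES if m in conn]
    if len(modes) != 1:
        errors.append(f"exactly one of {AUTH_MODES} must be set, found {modes}")

    if "unauthenticated" in conn:
        # Public-bucket mode cannot enumerate, so the bucket list is mandatory.
        if not conn.get("includeBuckets"):
            errors.append("includeBuckets is required in unauthenticated mode")
    elif modes and not conn.get("projectId"):
        errors.append("projectId is required for adc and serviceAccountFile modes")

    size = conn.get("maxObjectSize")
    if size is not None and (isinstance(size, bool) or not isinstance(size, int) or size <= 0):
        errors.append("maxObjectSize must be a positive integer (bytes)")

    # Include and exclude on the same scope: include takes precedence, so flag it.
    for scope in ("Buckets", "Objects"):
        if conn.get(f"include{scope}") and conn.get(f"exclude{scope}"):
            warnings.append(f"include{scope} and exclude{scope} are both set; "
                            f"include{scope} takes precedence, use only one")
    return {"errors": errors, "warnings": warnings}


# Constructed sample connection blocks (what yaml.safe_load would give you).
ADC_CONN = {
    "@type": "type.googleapis.com/sources.GCS",
    "adc": {},
    "projectId": "my-project",
    "includeBuckets": ["bucket1"],
    "excludeBuckets": ["bucket3"],
}
PUBLIC_CONN = {"@type": "type.googleapis.com/sources.GCS", "unauthenticated": {}}

if __name__ == "__main__":
    for label, conn in (("adc", ADC_CONN), ("public", PUBLIC_CONN)):
        print(label, validate_gcs_connection(conn))
```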

