Google Drive
The Google Drive scanner is available under "Integrations" in the webapp. To access, click on Integrations > Add integration > Source > Google Drive.
Currently, each integration can only be configured to scan a single Google Drive account. If you want to scan multiple Google Drive accounts, you will need to create a separate integration for each account. However, we plan to enhance this capability in the future, allowing multiple drives across an organization to be scanned from a single integration.
During the initial setup of the Google Drive integration, you will need to sign in with the account to be scanned and grant the web app the https://www.googleapis.com/auth/drive.readonly permission.
This scope allows Truffle to:
- search what files are available via Google Drive to the account.
- download the files to perform scanning for secrets (all files are downloaded and scanned in-memory and no content is stored).
- see the names and emails of individuals associated with those files in order to make attributions in the event secrets are found.
Please note: Our current version will only scan files accessible by the account used to create the integration. This means files owned by the account, and files shared with the account that have the “Viewers and commenters can see the option to download, print, and copy” option set (usually ON by default in the file sharing settings).
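The following is an added example, not TruffleHog's own code, showing what the three points above mean in practice for a read-only Drive integration: it checks that a token carries only the `drive.readonly` scope, walks a `files.list` response, and decides which files a scanner could actually fetch and whom to attribute a finding to. The field names (`size`, `trashed`, `owners`, `capabilities.canDownload`, `copyRequiresWriterPermission`) are Google Drive API v3 fields; the response itself is constructed, the skip rules follow this page (downloadability, the 1GB limit in the Notes section, trashed files still scanned), and the handling of Google-native documents is an assumption noted in the code.

```python
"""Triage a Google Drive API v3 files.list response for a read-only scanner.

Added example (not TruffleHog's implementation).  Assumptions are marked
inline; the sample response is constructed and not from a real account.
"""
import json

DRIVE_READONLY = "https://www.googleapis.com/auth/drive.readonly"
DRIVE_FULL = "https://www.googleapis.com/auth/drive"  # broader scope, should not be requested
MAX_SIZE_BYTES = 1024 ** 3  # page: files over 1GB are not scanned (1GB taken as 2**30 here)

# Constructed files.list response covering the cases the page describes.
SAMPLE_RESPONSE = json.dumps({
    "files": [
        {"id": "f1", "name": "deploy-notes.txt", "mimeType": "text/plain",
         "size": "2048", "trashed": False,
         "owners": [{"displayName": "Alice Example", "emailAddress": "alice@example.com"}],
         "capabilities": {"canDownload": True}},
        # Shared file whose owner disabled download/print/copy for viewers.
        {"id": "f2", "name": "shared-config.yaml", "mimeType": "application/x-yaml",
         "size": "512", "trashed": False, "copyRequiresWriterPermission": True,
         "owners": [{"displayName": "Bob Example", "emailAddress": "bob@example.com"}],
         "capabilities": {"canDownload": False}},
        # Large archive above the scan size limit.
        {"id": "f3", "name": "backup.tar.gz", "mimeType": "application/gzip",
         "size": str(3 * 1024 ** 3), "trashed": False,
         "owners": [{"displayName": "Alice Example", "emailAddress": "alice@example.com"}],
         "capabilities": {"canDownload": True}},
        # Trashed file: still reachable by the account, so still scanned.
        {"id": "f4", "name": "old-keys.env", "mimeType": "text/plain",
         "size": "128", "trashed": True,
         "owners": [{"displayName": "Carol Example", "emailAddress": "carol@example.com"}],
         "capabilities": {"canDownload": True}},
        # Google-native document: no byte size in the listing.
        {"id": "f5", "name": "Planning", "mimeType": "application/vnd.google-apps.document",
         "trashed": False,
         "owners": [{"displayName": "Bob Example", "emailAddress": "bob@example.com"}],
         "capabilities": {"canDownload": True}},
    ]
})


def check_scopes(granted):
    """True only if the token carries exactly the read-only Drive scope.

    A least-privilege check: any extra scope (e.g. full drive access) fails.
    """
    return set(granted) == {DRIVE_READONLY}


def plan_scan(response_json, max_size=MAX_SIZE_BYTES):
    """Decide per file whether a read-only scanner would fetch it, and why.

    Returns {file_id: {"name", "action", "reason", "owners"}}, where owners
    is the (display name, email) attribution list the page mentions.
    """
    plan = {}
    for f in json.loads(response_json).get("files", []):
        caps = f.get("capabilities", {})
        owners = [(o.get("displayName"), o.get("emailAddress")) for o in f.get("owners", [])]
        if f.get("copyRequiresWriterPermission") or not caps.get("canDownload", False):
            # Viewer download is disabled: the page says such files are not scanned.
            action, reason = "skip", "download disabled for viewers"
        elif "size" not in f:
            # Assumption: Google-native Docs/Sheets/Slides carry no size and are
            # retrieved through an export rather than a byte download.
            action, reason = "export", "native Google Workspace document"
        elif int(f["size"]) > max_size:
            action, reason = "skip", "over size limit"
        else:
            action, reason = "download", "trashed file" if f.get("trashed") else "ok"
        plan[f["id"]] = {"name": f["name"], "action": action,
                         "reason": reason, "owners": owners}
    return plan


def attribution_index(plan):
    """Map owner email -> names of files that will actually be fetched."""
    index = {}
    for entry in plan.values():
        if entry["action"] == "skip":
            continue
        for _name, email in entry["owners"]:
            index.setdefault(email, []).append(entry["name"])
    return index


if __name__ == "__main__":
    print("scope ok:", check_scopes([DRIVE_READONLY]))
    for fid, entry in plan_scan(SAMPLE_RESPONSE).items():
        print(fid, entry["action"], "-", entry["reason"], "-", entry["name"])
    print(attribution_index(plan_scan(SAMPLE_RESPONSE)))
```

The point of the scope check is that a token with `drive.readonly` plus anything broader should be treated as a misconfiguration: the integration only needs to list, read and attribute, and nothing in the listing step requires write access.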
If your administrator has not whitelisted Truffle’s app, you will most likely come across a screen with the following message “Google hasn’t verified this app”. You will then need to click through Advanced > Go to TruffleHog.org (unsafe) which will lead to the page for accepting permissions.
Note: If you are an admin, we have added instructions below on how to whitelist the Truffle webapp.
Once you have allowed Truffle access, you will be redirected back to the configuration screen. Please name your integration and set the duration between scans - by default they are set at 12 hour intervals.
To allowlist the Truffle app as a Google Workspace administrator, go to the Google Admin Panel and search for “API Controls”. It should appear under Security > Access and data control > API controls.
Then go to MANAGE THIRD-PARTY APP ACCESS.
If you have added the Truffle integration once while unverified, the app should appear on the list with “Access” set to “Not Configured”.
Check the box next to the Truffle App and click “Change access”.
Note: If it does not appear on the list, check “View list” under “Accessed Apps”. If you have not run the app once while unverified, that may also be required for it to appear.
Under Scope, click “Include organizational units” and add the organizational units for which you would like the app to be allowlisted. Then click SELECT.
Under “Access to Google Data” select “Trusted” and click NEXT.
Once you’ve reviewed the changes, click CHANGE ACCESS.
You should now be all set, and the app should no longer prompt the “Unverified” screen during integration setup.
Local configuration is not supported for Google Drive scanning.
| Feature | Supported |
|---|---|
| Scan archive files | ✅ |
| Scan attachments | ✅ |
| Scan base64 encoded data | ✅ |
| Scan binaries | ✅ |
| Scan Microsoft Office files | ✅ |
| Scan comments | ✅ |
| Scan drafts | ❌ |
| Scan files in trash | ✅ |
| Auto resume | ✅ |
Notes:
- Files over 1GB in size are not scanned
- Only files that the authorizing user has access to are scanned (including shared files)