# Pre-commit hooks

## Using pre-commit hooks

Pre-commit hooks are a useful way to prevent secrets in code from being pushed from a git repository. Preventing secrets from being leaked in the first place is always the best approach. If you run your own git server, consider the pre-receive hooks option, which can block commits containing secrets from being accepted at all.

This guide covers how to set up TruffleHog as a pre-commit hook using three approaches:

- Git's `hooksPath` feature: a built-in git feature for managing hooks globally
- The pre-commit framework: a language-agnostic framework for managing pre-commit hooks
- Husky: a git hooks manager for JavaScript/Node.js projects

## Prerequisites

All of the methods require TruffleHog to be installed.

```sh
# Using Homebrew (macOS)
brew install trufflehog

# Using the installation script for Linux, macOS, and Windows (and WSL)
curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
```

## Global setup using Git's hooksPath feature

This approach uses git's `core.hooksPath` setting to apply hooks to all repositories without requiring any per-repository setup. Note that `core.hooksPath` replaces the repository's `.git/hooks` directory entirely, so hooks that live there will no longer run unless your global hook calls them.

Create a global hooks directory:

```sh
mkdir -p ~/.git-hooks
```

Create a pre-commit hook file:

```sh
touch ~/.git-hooks/pre-commit
chmod +x ~/.git-hooks/pre-commit
```

Add the following content to `~/.git-hooks/pre-commit`.

Using the local binary:

```sh
#!/bin/sh
trufflehog git file://. --since-commit HEAD --results=verified,unknown --fail
```

Using Docker:

```sh
#!/bin/sh
docker run --rm -i -v "$(pwd):/workdir" trufflesecurity/trufflehog:latest git file:///workdir --since-commit HEAD --results=verified,unknown --fail
```

Configure git to use this hooks directory globally:

```sh
git config --global core.hooksPath ~/.git-hooks
```

All of your repositories will now use this pre-commit hook automatically, without any additional setup.

## Using the pre-commit framework

The [pre-commit framework](https://pre-commit.com) is a powerful, language-agnostic tool for managing git hooks.

### Installation of pre-commit

Install the pre-commit framework:

```sh
# Using pip (Python)
pip install pre-commit

# Using Homebrew (macOS)
brew install pre-commit

# Using conda
conda install -c conda-forge pre-commit
```

### Repository-specific setup

To set up TruffleHog as a pre-commit hook for a specific repository, create a `.pre-commit-config.yaml` file in the root of your repository.

Using the local binary:

```yaml
repos:
  - repo: local
    hooks:
      - id: trufflehog
        name: TruffleHog
        description: Detect secrets in your data.
        entry: bash -c 'trufflehog git file://. --since-commit HEAD --results=verified,unknown --fail'
        language: system
        stages: ["commit", "push"]
```

Using Docker:

```yaml
repos:
  - repo: local
    hooks:
      - id: trufflehog
        name: TruffleHog
        description: Detect secrets in your data.
        entry: bash -c 'docker run --rm -i -v "$(pwd):/workdir" trufflesecurity/trufflehog:latest git file:///workdir --since-commit HEAD --results=verified,unknown --fail'
        language: system
        stages: ["commit", "push"]
```

Install the pre-commit hook:

```sh
pre-commit install
```

## Using Husky

[Husky](https://typicode.github.io/husky/) is a popular tool for managing git hooks in JavaScript/Node.js projects.

### Installation of Husky

Install Husky in your project:

```sh
# npm
npm install husky --save-dev

# yarn
yarn add husky --dev
```

Enable git hooks:

```sh
# npm
npx husky init
```

### Setting up TruffleHog with Husky

Add the following content to `.husky/pre-commit`.

Using the local binary:

```sh
echo "trufflehog git file://. --since-commit HEAD --results=verified,unknown --fail" > .husky/pre-commit
```

Using Docker:

```sh
echo 'docker run --rm -i -v "$(pwd):/workdir" trufflesecurity/trufflehog:latest git file:///workdir --since-commit HEAD --results=verified,unknown --fail' > .husky/pre-commit
```

## Best practices

### Commit process

For the hook to be effective, run `git add` followed by `git commit` as separate steps. This ensures TruffleHog analyzes all intended changes. Avoid using `git commit -am`, as it might bypass pre-commit hook execution for unstaged modifications.

### Skipping hooks

In rare cases, you may need to bypass pre-commit hooks:

```sh
git commit --no-verify -m "your commit message"
```

## Troubleshooting

### Hook not running

If your pre-commit hook isn't running:

- Ensure the hook is executable: `chmod +x .git/hooks/pre-commit`
- Check which hooks directory is in effect: `git config --get core.hooksPath`

### False positives

If you're getting false positives:

- Use the `--results=verified` flag to only report verified secrets.
- Add `trufflehog:ignore` comments on lines with known false positives or risk-accepted findings.

## Conclusion

By integrating TruffleHog into your pre-commit workflow, you can prevent credential leaks before they happen. Choose the setup method that best fits your project's needs and development workflow. For more information on TruffleHog's capabilities, refer to the main documentation.
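The following is an added example and is not part of the TruffleHog documentation or the project's own hook scripts. It combines the hooksPath setup and the troubleshooting advice above into one POSIX `sh` pre-commit hook that prefers the local binary, falls back to the Docker image, and turns the scanner's exit status into a clear verdict for the developer. It assumes TruffleHog's documented behaviour that `--fail` exits with status 183 when results are found and 0 when the scan is clean; any other status is treated as a scanner error and still blocks the commit (fail closed). The function names `pick_runtime`, `available_tools`, `run_scan`, `classify_exit` and `main` are this example's own.

```shell
#!/bin/sh
# Added example (not from the TruffleHog docs): a pre-commit hook wrapping the
# scan command shown in the guide. Install it as ~/.git-hooks/pre-commit with
# core.hooksPath pointing at ~/.git-hooks, exactly as in the global setup above.
# Assumption: TruffleHog's --fail exits 183 when results are found, 0 when clean.

SCAN_ARGS="--since-commit HEAD --results=verified,unknown --fail"

# Choose a runtime from a space-separated list of available tool names. The
# list is a parameter so the decision can be exercised without the tools.
pick_runtime() {
  case " $1 " in
    *" trufflehog "*) echo binary ;;
    *" docker "*)     echo docker ;;
    *)                return 1 ;;
  esac
}

# Report which of the candidate tools are on PATH, for feeding pick_runtime.
available_tools() {
  for t in trufflehog docker; do
    command -v "$t" >/dev/null 2>&1 && printf '%s ' "$t"
  done
}

# Run the scan with the chosen runtime and propagate the scanner's exit status.
run_scan() {
  case "$1" in
    binary) trufflehog git file://. $SCAN_ARGS ;;
    docker) docker run --rm -i -v "$(pwd):/workdir" \
              trufflesecurity/trufflehog:latest git file:///workdir $SCAN_ARGS ;;
    *)      return 2 ;;
  esac
}

# Map an exit status to a verdict: clean, secrets, or error (anything else).
classify_exit() {
  case "$1" in
    0)   echo clean ;;
    183) echo secrets ;;
    *)   echo error ;;
  esac
}

# Hook entry point: allow the commit only when the scan is clean.
main() {
  runtime=$(pick_runtime "$(available_tools)") || {
    echo "pre-commit: neither trufflehog nor docker found; refusing to commit" >&2
    exit 1
  }
  run_scan "$runtime"; status=$?
  case "$(classify_exit "$status")" in
    clean) exit 0 ;;
    secrets)
      echo "pre-commit: TruffleHog found secrets. Remove them, or mark an accepted" >&2
      echo "            finding with a trufflehog:ignore comment on that line." >&2
      exit 1 ;;
    error)
      echo "pre-commit: TruffleHog exited with status $status; blocking commit" >&2
      exit 1 ;;
  esac
}

# Run the hook body only when installed under the git hook name "pre-commit".
case "$0" in */pre-commit|pre-commit) main ;; esac
```

Because the hook fails closed, a missing binary or a broken Docker daemon blocks the commit rather than silently skipping the scan; `git commit --no-verify` remains the explicit escape hatch described under "Skipping hooks".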