Scanning in CI
5 min
trufflehog can scan git based ci tools to prevent secrets from being merged trufflehog oss runs as a standalone cli binary or docker image, so it can be added as a scan step in any ci platform in a typical setup, the scan runs on each push or pull request to detect secrets before they are merged this includes jenkins github actions gitlab azure pipelines bitbucket pipelines circleci drone ci travis ci github actions trufflehog can be run as a github action please follow the instructions in the open source project readme https //github com/trufflesecurity/trufflehog?tab=readme ov file#octocat trufflehog github action circleci adjust the since commit value to match your default branch that people merge into \# see https //circleci com/docs/2 0/configuration reference version 2 1 jobs scan secrets docker \ image trufflesecurity/trufflehog\ latest steps \ checkout \ run name "scan for secrets" \# change since commit to match your default branch command trufflehog git file // since commit main branch "$circle branch" fail only verified workflows scan secrets jobs \ scan secrets general usage you can run trufflehog using the binary directly, or with docker the first expected argument is the base reference, typically the main branch that you merge into, such as main or master the second argument is the head reference if your branch is already checked out, you can simply use head , otherwise give a branch, tag, or commit reference trufflehog will return a non zero exit code if there are findings you can see the all of the available flags for the trufflehog launcher git command below launching directly $ trufflehog launcher git help usage trufflehog git \[\<flags>] \<base> \<head> \[\<workdir>] scans a local git repo flags \ help show context sensitive help (also try help long and help man) v, debug enable debug mode \ trace enable tracing of code line numbers \ json enable json output \ send error telemetry turns error telemetry off \ fail verified only emit failure code for verified findings \ quiet only show results \ config=config path to configuration file you can also specify google secrets manager secrets with 'gsm //\<project id>/\<secret name>' args \<base> start scanning from here (usually main branch) \<head> scan commits until here (usually dev branch) \[\<workdir>] optional path to the repo to scan launching with docker $ docker run v "$(pwd) /workdir" it rm us docker pkg dev/thog artifacts/public/scanner\ latest git fail verified main head /workdir š·šš· trufflehog unearth your secrets š·šš· version dev warn\[0004] found secret commit=unstaged email=unstaged file=aws redacted=akiaxyzdqcenufs46ce4 type=aws verified=true info\[0004] scanned 4 commits warn\[0004] found 1 verified secrets exit status 1 that's all there is to it!
