[TruffleHog] Check Secrets and Credentials

2023-08-31

Let's see how to use TruffleHog to check whether the code contains Secrets and Credentials.

Outline

When you develop locally, you use Secrets or Credentials for servers, GitHub, AWS, etc. If you commit these Secrets or Credentials by mistake, they stay in the repository history and anyone who can read the repository can use them.

In this blog post, I will introduce how to use TruffleHog in GitHub Actions or GitLab CI to check whether Secrets or Credentials are included in the commit.

TruffleHog

TruffleHog is a tool that checks whether Secrets / Credentials are included in the code, using more than 700 Secret / Credential detectors. Many detectors can also verify a found credential against the service that issued it, so that you can tell live keys from dead ones.

Install TruffleHog

You can install TruffleHog in various ways as follows.

# 1. MacOS users
brew install trufflesecurity/trufflehog/trufflehog

# 2. Docker
docker run --rm -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys

# 3. Docker for M1 and M2 Mac
docker run --platform linux/arm64 --rm -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys

# 4. Binary releases
Download and unpack from https://github.com/trufflesecurity/trufflehog/releases

# 5. Compile from source
git clone https://github.com/trufflesecurity/trufflehog.git
cd trufflehog; go install

Run TruffleHog

You can run TruffleHog in various ways as follows.

# 1. Scan a repo for only verified secrets
trufflehog git https://github.com/trufflesecurity/test_keys --only-verified

# 2. Scan a GitHub Org for only verified secrets
trufflehog github --org=trufflesecurity --only-verified

# 3. Scan a GitHub Repo for only verified keys and get JSON output
trufflehog git https://github.com/trufflesecurity/test_keys --only-verified --json

# 4. Scan an S3 bucket for verified keys
trufflehog s3 --bucket=<bucket name> --only-verified

# 5. Scan a Github Repo using SSH authentication in docker
docker run --rm -v "$HOME/.ssh:/root/.ssh:ro" trufflesecurity/trufflehog:latest git ssh://github.com/trufflesecurity/test_keys

# 6. Scan individual files or directories
trufflehog filesystem path/to/file1.txt path/to/file2.txt path/to/dir

# 7. Scan GCS buckets for verified secrets.
trufflehog gcs --project-id=<project-ID> --cloud-environment --only-verified
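The --json option (item 3 above) writes one JSON object per finding, which is convenient for post-processing in CI. The script below is an added example, not part of the original post and not TruffleHog's own code: it summarises verified findings and exits non-zero when any exist, mirroring what --fail does. It assumes TruffleHog v3's JSON field names (SourceMetadata, DetectorName, Verified) and their order; the three findings it works on are constructed sample lines with fake key values.

```shell
#!/bin/sh
# Added example (not from the original post or from TruffleHog itself):
# a POSIX-shell post-processor for TruffleHog's --json output.
# Assumption: TruffleHog v3 field names and field order as in the sample.
set -e

# Constructed sample of three findings (values are fake), written to a temp file.
SAMPLE_FILE=$(mktemp)
printf '%s\n' \
  '{"SourceMetadata":{"Data":{"Git":{"commit":"0000000000000000000000000000000000000001","file":"config/settings.py","email":"dev@example.com","repository":"https://example.invalid/app.git","timestamp":"2023-08-31 10:00:00 +0000","line":12}}},"SourceID":1,"SourceType":16,"SourceName":"trufflehog - git","DetectorType":2,"DetectorName":"AWS","DecoderName":"PLAIN","Verified":true,"Raw":"AKIAFAKEFAKEFAKEFAKE","Redacted":"AKIAFAKEFAKEFAKEFA","ExtraData":null,"StructuredData":null}' \
  '{"SourceMetadata":{"Data":{"Git":{"commit":"0000000000000000000000000000000000000002","file":"deploy/notify.sh","email":"dev@example.com","repository":"https://example.invalid/app.git","timestamp":"2023-08-31 11:00:00 +0000","line":3}}},"SourceID":1,"SourceType":16,"SourceName":"trufflehog - git","DetectorType":8,"DetectorName":"SlackWebhook","DecoderName":"PLAIN","Verified":true,"Raw":"https://hooks.slack.com/services/FAKE/FAKE/FAKE","Redacted":"https://hooks.slack.com/services/FAKE/FAKE/F","ExtraData":null,"StructuredData":null}' \
  '{"SourceMetadata":{"Data":{"Git":{"commit":"0000000000000000000000000000000000000003","file":"README.md","email":"dev@example.com","repository":"https://example.invalid/app.git","timestamp":"2023-08-31 12:00:00 +0000","line":40}}},"SourceID":1,"SourceType":16,"SourceName":"trufflehog - git","DetectorType":17,"DetectorName":"Generic","DecoderName":"PLAIN","Verified":false,"Raw":"password=changeme","Redacted":"password=cha","ExtraData":null,"StructuredData":null}' \
  > "$SAMPLE_FILE"

# Number of findings TruffleHog could verify against the issuing service.
# grep -c prints 0 but exits 1 when nothing matches, hence the "|| true".
verified_count() {
  grep -c '"Verified":true' "$1" || true
}

# One line per verified finding: "<detector> <file>:<line>".
# The sed pattern relies on the field order file, line, DetectorName, Verified.
verified_summary() {
  sed -n 's/.*"file":"\([^"]*\)".*"line":\([0-9]*\).*"DetectorName":"\([^"]*\)".*"Verified":true.*/\3 \1:\2/p' "$1"
}

# Distinct detectors with verified hits: a rotation to-do list, one per service.
verified_detectors() {
  verified_summary "$1" | cut -d ' ' -f 1 | sort -u
}

# CI gate: exit 1 when any verified finding exists (the behaviour of --fail),
# printing the summary to stderr so the job log shows what must be rotated.
secret_gate() {
  n=$(verified_count "$1")
  if [ "$n" -gt 0 ]; then
    echo "FAIL: $n verified secret(s) found" >&2
    verified_summary "$1" >&2
    return 1
  fi
  echo "OK: no verified secrets"
  return 0
}

# Stand-alone run on the constructed sample: two findings are verified, so the
# gate fails; the "||" keeps the script itself from exiting under set -e.
secret_gate "$SAMPLE_FILE" || echo "gate returned non-zero, as expected for the sample"
```

In a pipeline you would feed the gate with `trufflehog git file://. --only-verified --json > findings.jsonl` and run `secret_gate findings.jsonl`; the unverified Generic finding in the sample is reported by TruffleHog but is deliberately ignored here, which is the same trade-off --only-verified makes.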

GitHub Actions

You can run TruffleHog in GitHub Actions to check whether Secrets or Credentials are included in the commit. Create a .github/workflows/scan_secrets.yml file with the following content.


name: Scan secrets
on:
  pull_request:
    branches:
      - main
jobs:
  ScanSecrets:
    name: Scan secrets
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Scan secrets
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          base: ${{ github.event.repository.default_branch }}
          extra_args: --only-verified

When you create a GitHub Actions workflow like this, TruffleHog runs every time a Pull Request targeting main is opened or updated, and the job fails if a verified Secret or Credential is found in the commits.

GitLab CI

You can run TruffleHog in GitLab CI to check whether Secrets or Credentials are included in the commit. Add the following job to your .gitlab-ci.yml file.

...
scan_secrets:
  stage: scan
  tags:
    - docker
  image: golang:latest
  script:
    - git clone https://github.com/trufflesecurity/trufflehog.git
    - cd trufflehog; go install
    - cd ..
    - trufflehog git file://. --only-verified --fail --no-update --since-commit=main
  only:
    refs:
      - merge_requests
...

When you create a GitLab CI job like this, TruffleHog runs every time you create a Merge Request (GitLab's equivalent of a Pull Request); --since-commit=main limits the scan to the commits added on top of main, and --fail makes the job fail when a verified Secret or Credential is found.

Completed

Done! We've seen how to use TruffleHog to check whether Secrets or Credentials are included in the commit. We also looked at how to run TruffleHog in GitHub Actions or GitLab CI.

If you manage your code in GitHub or GitLab, try configuring TruffleHog in GitHub Actions or GitLab CI to check whether Secrets or Credentials are included in the commit.

Was my blog helpful? Please leave a comment at the bottom. It will be a great help to me!
