Setting up TruffleHog for repo security scans
There are a lot of code repository scanners out there, but I recently used TruffleHog to scan our GitHub repos due to its simplicity in setup and execution.
TruffleHog is an open-source security tool that scans code repositories for hardcoded secrets, such as API keys, passwords, and private encryption keys.
This matters because anything committed to a repository stays in its history: a key that was deleted in a later commit is still recoverable by anyone who can clone the repo, so you want to confirm that neither the working tree nor the history contains sensitive information.
Some of the benefits of TruffleHog include:
- Scans project history
- Leverages high-entropy checks and regex patterns
- Includes over 700 credential detectors that actively verify against their respective APIs
- Supports scanning GitHub, GitLab, filesystems, S3, GCS, and Circle CI
- Provides instant verification of private keys against millions of GitHub users and billions of TLS certificates using its cutting-edge Driftwood technology
- Scans binaries and other file formats
- Available as both a GitHub Action and a pre-commit hook, seamlessly integrating into your development workflow
Installation (Compile Source)
- Download and install the prerequisites: Git and Go (both are used by the commands below)
- Compile TruffleHog from source
mkdir c:\git
cd c:\git
git clone https://github.com/trufflesecurity/trufflehog.git
cd trufflehog
go install
The Go installer on Windows automatically adds C:\Users\<user>\go\bin to your PATH, which is where go install places the trufflehog binary, so it is available from any new command prompt.
Installation (Download Binary)
You can alternatively download the binaries from the same TruffleHog GitHub repo and get started right away instead.
For Microsoft Windows, for example, you would download trufflehog_3.88.1_windows_amd64.tar.gz (the current version at the time of writing); inside it is the trufflehog.exe binary, ready to use. Before running it, check the archive against the checksums file published with the release.
Usage (Scan a Local Repo)
There are many approaches to running TruffleHog, and here I simply scan a local repo.
- Clone your GitHub repo locally
cd c:\git
git clone https://github.com/AhmedAboulnaga/SomeProject
- Scan the local repo
trufflehog filesystem SomeProject
Note that the filesystem source reads only the current working tree, so a secret that was committed and later removed would not be reported. To cover commit history as well (the first benefit listed above), use the git source and point it at the clone instead.
Usage (Interactive Mode)
Running the trufflehog binary with no arguments starts an interactive mode; just follow the prompts.
At the end of the wizard, it prints the full command line for the options you selected, so you can reuse it in scripts or CI without going through the wizard again.
Output
Here is sample output for one of my repositories. This output confirms that the scan found no exposed secrets, API keys, passwords, or private encryption keys.
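As an added example (not the post's own code, nor TruffleHog's), here is a small Python wrapper that covers both the local-repo scan above and the output step: it builds the trufflehog command line so that commit history is scanned (the git file:// source rather than filesystem), runs it when the binary is on PATH, and triages the --json output so that only verified findings fail the run. The JSON field names follow the result format shown in the TruffleHog README; the sample results at the bottom are constructed, and the commit hashes, file names and key values in them are made up.

```python
"""Added example: run TruffleHog on a local clone and triage its JSON output.

Not part of the original post or the TruffleHog project. Assumes the
trufflehog v3 CLI (git file://..., filesystem, --json, --no-update) and the
one-JSON-object-per-line result shape shown in the project README.
"""
import json
import shutil
import subprocess
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional, Union


@dataclass(frozen=True)
class Finding:
    detector: str
    verified: bool
    file: str
    commit: str      # empty for filesystem scans, which have no history
    line: int
    redacted: str    # keep the redacted form; never log the raw secret


def build_command(repo: Union[str, Path], include_history: bool = True) -> List[str]:
    """Return the trufflehog argv for scanning a local clone.

    'git file://<path>' walks every commit, which is what catches a key that
    was committed and later deleted. 'filesystem <path>' reads only the
    current working tree and would miss that case.
    """
    base = ["trufflehog", "--json", "--no-update"]
    if include_history:
        return base + ["git", f"file://{Path(repo).resolve()}"]
    return base + ["filesystem", str(Path(repo))]


def parse_findings(output: str) -> List[Finding]:
    """Parse trufflehog --json output (one JSON object per line)."""
    findings = []
    for raw in output.splitlines():
        raw = raw.strip()
        if not raw.startswith("{"):
            continue  # tolerate any non-JSON noise on stdout
        obj = json.loads(raw)
        data = obj.get("SourceMetadata", {}).get("Data", {})
        loc = data.get("Git") or data.get("Filesystem") or {}
        findings.append(Finding(
            detector=obj.get("DetectorName", "unknown"),
            verified=bool(obj.get("Verified", False)),
            file=loc.get("file", ""),
            commit=loc.get("commit", ""),
            line=int(loc.get("line", 0)),
            redacted=obj.get("Redacted", ""),
        ))
    return findings


def verified_findings(findings: List[Finding]) -> List[Finding]:
    """Credentials TruffleHog confirmed live against the provider's API.

    Unverified hits still deserve a look (the detector may have no verifier,
    or the network may be blocked), but verified ones get rotated first.
    """
    return [f for f in findings if f.verified]


def scan_repo(repo: Union[str, Path], include_history: bool = True) -> Optional[List[Finding]]:
    """Run trufflehog if it is on PATH; return None when it is not installed."""
    if shutil.which("trufflehog") is None:
        return None
    proc = subprocess.run(build_command(repo, include_history),
                          capture_output=True, text=True, check=False)
    return parse_findings(proc.stdout)


# Constructed sample output in the shape of real trufflehog --json lines.
# Commit hashes, paths and the key value are made up; AKIAIOSFODNN7EXAMPLE
# is the placeholder access key ID used in the AWS documentation.
SAMPLE_OUTPUT = "\n".join([
    json.dumps({"SourceMetadata": {"Data": {"Git": {
                    "commit": "0123456789abcdef0123456789abcdef01234567",
                    "file": "config/settings.py", "email": "dev <dev@example.com>",
                    "repository": "file:///c:/git/SomeProject",
                    "timestamp": "2025-01-10 09:12:00 +0000 UTC", "line": 17}}},
                "SourceName": "trufflehog - git", "DetectorName": "AWS",
                "DecoderName": "PLAIN", "Verified": True,
                "Redacted": "AKIAIOSFODNN7EXAMPLE"}),
    json.dumps({"SourceMetadata": {"Data": {"Git": {
                    "commit": "89abcdef0123456789abcdef0123456789abcdef",
                    "file": "scripts/deploy.sh", "email": "dev <dev@example.com>",
                    "repository": "file:///c:/git/SomeProject",
                    "timestamp": "2025-01-11 15:40:00 +0000 UTC", "line": 3}}},
                "SourceName": "trufflehog - git", "DetectorName": "Slack",
                "DecoderName": "PLAIN", "Verified": False,
                "Redacted": "xoxb-****"}),
])


if __name__ == "__main__":
    import sys
    results = scan_repo(sys.argv[1]) if len(sys.argv) > 1 else None
    if results is None:
        print("trufflehog not run; triaging the constructed sample output instead")
        results = parse_findings(SAMPLE_OUTPUT)
    for f in verified_findings(results):
        print(f"VERIFIED {f.detector}: {f.file}:{f.line} @ {f.commit[:8]} ({f.redacted})")
    sys.exit(1 if verified_findings(results) else 0)
```

Run it as python scan.py c:\git\SomeProject; without an argument (or without trufflehog on PATH) it triages the constructed sample instead. The non-zero exit on verified findings is what you would wire into CI; the Redacted field is the one to put in logs and tickets, because the Raw field contains the live credential.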