Phoenix591 committed Dec 10, 2024
2 parents 5654c2a + f726d02 commit 3dcb316
Showing 1,655 changed files with 126,397 additions and 62,495 deletions.
2 changes: 1 addition & 1 deletion .github/ISSUE_TEMPLATE/bug_report.md
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ Please review the [Community Note](https://github.com/trufflesecurity/trufflehog
<!---
Please provide a link to a GitHub Gist containing the complete debug output. Please do NOT paste the debug output in the issue; just paste a link to the Gist.
To obtain the trace output, run trufflehog with the --trace flag.
To obtain the trace output, run trufflehog with the --log-level=5 flag.
--->

### Expected Behavior
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/detector-tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ jobs:
- uses: actions/setup-go@v5
- uses: actions/checkout@v4
- name: Install gotestsum
uses: jaxxstorm/action-install-gh-release@v1.12.0
uses: jaxxstorm/action-install-gh-release@v1.14.0
with:
repo: gotestyourself/gotestsum
- uses: rwx-research/setup-captain@v1
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/lint.yml
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ jobs:
# working-directory: somedir

# Optional: golangci-lint command line arguments.
args: --enable bodyclose --enable exportloopref --timeout 10m
args: --enable bodyclose --enable copyloopvar --enable misspell --timeout 10m

# Optional: if set to true then the action don't cache or restore ~/go/pkg.
# skip-pkg-cache: true
Expand Down
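Review bot: The linter list on the `args:` line is now duplicated verbatim between this workflow and the Makefile `lint` target (the `golangci-lint run --enable bodyclose --enable copyloopvar --enable misspell ...` line in that hunk), so the two will drift the next time one of them is edited. Moving the enabled linters into a `.golangci.yml` `linters: enable:` list would give the action and the Makefile one source of truth and leave only `args: --timeout 10m` here. `copyloopvar` presumably depends on the Go 1.22 per-iteration loop-variable semantics, so it is worth confirming that the `go` directive in go.mod and the golangci-lint version the action resolves are new enough; neither is visible in this hunk.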
2 changes: 1 addition & 1 deletion .github/workflows/test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ jobs:
secret: ${{ secrets.BUILDPULSE_SECRET_ACCESS_KEY }}
tags: integration
- name: Annotate test results
uses: mikepenz/action-junit-report@v4
uses: mikepenz/action-junit-report@v5
if: success() || failure() # always run even if the previous step fails
with:
report_paths: "tmp/test-results/*.xml"
Expand Down
4 changes: 2 additions & 2 deletions .pre-commit-hooks.yaml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
- id: trufflehog
name: TruffleHog
description: Detect secrets in your data with TruffleHog.
entry: trufflehog git file://. --since-commit HEAD --only-verified --fail
entry: trufflehog git file://. --since-commit HEAD --results=verified --fail
language: golang
pass_filenames: false
pass_filenames: false
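Review bot: The `entry:` line selects `--results=verified` while every other migration in this commit — the README pre-commit example, the CI snippets and the usage examples — uses `--results=verified,unknown`, so the hook's gate is narrower than the documented one. If `unknown` covers findings whose verification could not be completed (the README flag list only names the categories), a transient verifier error would let the hook pass a live secret without any signal; `entry: trufflehog git file://. --since-commit HEAD --results=verified,unknown --fail` would match the rest of the repository, or the narrower choice should be stated in `description:`. Relatedly, the README's new section 9 example still uses `--only-verified`, which the flag list in the same file no longer documents.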
26 changes: 17 additions & 9 deletions CODEOWNERS
Original file line number Diff line number Diff line change
Expand Up @@ -2,16 +2,24 @@
* @trufflesecurity/product-eng

# Scanning
pkg/decoders/ @trufflesecurity/Scanning
pkg/engine/ @trufflesecurity/Scanning
pkg/gitparse/ @trufflesecurity/Scanning
pkg/giturl/ @trufflesecurity/Scanning
pkg/handlers/ @trufflesecurity/Scanning
pkg/iobuf/ @trufflesecurity/Scanning
pkg/sanitizer/ @trufflesecurity/Scanning
pkg/sources/ @trufflesecurity/Scanning
pkg/writers/ @trufflesecurity/Scanning
proto/ @trufflesecurity/Scanning

# Shared
pkg/decoders/ @trufflesecurity/Scanning @trufflesecurity/OSS
pkg/engine/ @trufflesecurity/Scanning @trufflesecurity/OSS
pkg/gitparse/ @trufflesecurity/Scanning @trufflesecurity/OSS
pkg/giturl/ @trufflesecurity/Scanning @trufflesecurity/OSS
pkg/handlers/ @trufflesecurity/Scanning @trufflesecurity/OSS
pkg/iobuf/ @trufflesecurity/Scanning @trufflesecurity/OSS
pkg/sanitizer/ @trufflesecurity/Scanning @trufflesecurity/OSS
pkg/sources/ @trufflesecurity/Scanning @trufflesecurity/OSS
proto/ @trufflesecurity/Scanning @trufflesecurity/OSS

# OSS
pkg/detectors/ @trufflesecurity/OSS
pkg/common/ @trufflesecurity/OSS
pkg/custom_detectors/ @trufflesecurity/OSS
pkg/analzyers/ @trufflesecurity/OSS

# critical detectors
pkg/detectors/aws/ @trufflesecurity/backend
Expand Down
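Review bot: The new `pkg/analzyers/ @trufflesecurity/OSS` rule looks like a misspelling of `pkg/analyzers/`; a CODEOWNERS pattern that matches no path raises no error, so if the directory is actually `pkg/analyzers/` that tree keeps falling through to the catch-all `* @trufflesecurity/product-eng` with no OSS review required. The removed `pkg/writers/ @trufflesecurity/Scanning` line has no counterpart in the `# Shared` or `# OSS` lists in this hunk, so unless it is re-added further down that package also drops back to the catch-all. Because CODEOWNERS drives required-review gating, checking the directory name with `git ls-files pkg/analzyers pkg/analyzers` before merge would settle the first point.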
2 changes: 1 addition & 1 deletion Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ RUN --mount=type=cache,target=/go/pkg/mod \
--mount=type=cache,target=/root/.cache/go-build \
GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -o trufflehog .

FROM alpine:3.20
FROM alpine:3.21
RUN apk add --no-cache bash git openssh-client ca-certificates rpm2cpio binutils cpio \
&& rm -rf /var/cache/apk/* && update-ca-certificates
COPY --from=builder /build/trufflehog /usr/bin/trufflehog
Expand Down
2 changes: 1 addition & 1 deletion Dockerfile.goreleaser
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM alpine:3.20
FROM alpine:3.21

RUN apk add --no-cache bash git openssh-client ca-certificates \
&& rm -rf /var/cache/apk/* && update-ca-certificates
Expand Down
6 changes: 3 additions & 3 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ PROTOS_IMAGE ?= trufflesecurity/protos:1.22
.PHONY: dogfood

dogfood:
CGO_ENABLED=0 go run . git file://. --json --debug
CGO_ENABLED=0 go run . git file://. --json --log-level=2

install:
CGO_ENABLED=0 go install .
Expand All @@ -22,7 +22,7 @@ check:
go vet $(shell go list ./... | grep -v /vendor/)

lint:
golangci-lint run --enable bodyclose --enable exportloopref --out-format=colored-line-number --timeout 10m
golangci-lint run --enable bodyclose --enable copyloopvar --enable misspell --out-format=colored-line-number --timeout 10m

test-failing:
CGO_ENABLED=0 go test -timeout=5m $(shell go list ./... | grep -v /vendor/) | grep FAIL
Expand All @@ -49,7 +49,7 @@ run:
CGO_ENABLED=0 go run . git file://. --json

run-debug:
CGO_ENABLED=0 go run . git file://. --json --debug
CGO_ENABLED=0 go run . git file://. --json --log-level=2

protos:
docker run --rm -u "$(shell id -u)" -v "$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))":/pwd "${PROTOS_IMAGE}" bash -c "cd /pwd; /pwd/scripts/gen_proto.sh"
Expand Down
63 changes: 37 additions & 26 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -185,7 +185,7 @@ This required Cosign binary to be installed prior to running installation script
Command:

```bash
trufflehog git https://github.com/trufflesecurity/test_keys --only-verified
trufflehog git https://github.com/trufflesecurity/test_keys --results=verified,unknown
```

Expected output:
Expand All @@ -209,15 +209,15 @@ Timestamp: 2022-06-16 10:17:40 -0700 PDT
## 2: Scan a GitHub Org for only verified secrets

```bash
trufflehog github --org=trufflesecurity --only-verified
trufflehog github --org=trufflesecurity --results=verified,unknown
```

## 3: Scan a GitHub Repo for only verified keys and get JSON output

Command:

```bash
trufflehog git https://github.com/trufflesecurity/test_keys --only-verified --json
trufflehog git https://github.com/trufflesecurity/test_keys --results=verified,unknown --json
```

Expected output:
Expand All @@ -236,7 +236,7 @@ trufflehog github --repo=https://github.com/trufflesecurity/test_keys --issue-co
## 5: Scan an S3 bucket for verified keys

```bash
trufflehog s3 --bucket=<bucket name> --only-verified
trufflehog s3 --bucket=<bucket name> --results=verified,unknown
```

## 6: Scan S3 buckets using IAM Roles
Expand All @@ -257,43 +257,55 @@ docker run --rm -v "$HOME/.ssh:/root/.ssh:ro" trufflesecurity/trufflehog:latest
trufflehog filesystem path/to/file1.txt path/to/file2.txt path/to/dir
```

## 9: Scan GCS buckets for verified secrets
## 9: Scan a local git repo

Clone the git repo. For example [test keys]([email protected]:trufflesecurity/test_keys.git) repo.
```bash
trufflehog gcs --project-id=<project-ID> --cloud-environment --only-verified
$ git clone [email protected]:trufflesecurity/test_keys.git
```

## 10: Scan a Docker image for verified secrets
Run trufflehog from the parent directory (outside the git repo).
```bash
$ trufflehog git file://test_keys --only-verified
```

## 10: Scan GCS buckets for verified secrets

```bash
trufflehog gcs --project-id=<project-ID> --cloud-environment --results=verified,unknown
```

## 11: Scan a Docker image for verified secrets

Use the `--image` flag multiple times to scan multiple images.

```bash
trufflehog docker --image trufflesecurity/secrets --only-verified
trufflehog docker --image trufflesecurity/secrets --results=verified,unknown
```

## 11: Scan in CI
## 12: Scan in CI

Set the `--since-commit` flag to your default branch that people merge into (ex: "main"). Set the `--branch` flag to your PR's branch name (ex: "feature-1"). Depending on the CI/CD platform you use, this value can be pulled in dynamically (ex: [CIRCLE_BRANCH in Circle CI](https://circleci.com/docs/variables/) and [TRAVIS_PULL_REQUEST_BRANCH in Travis CI](https://docs.travis-ci.com/user/environment-variables/)). If the repo is cloned and the target branch is already checked out during the CI/CD workflow, then `--branch HEAD` should be sufficient. The `--fail` flag will return an 183 error code if valid credentials are found.

```bash
trufflehog git file://. --since-commit main --branch feature-1 --only-verified --fail
trufflehog git file://. --since-commit main --branch feature-1 --results=verified,unknown --fail
```

## 12: Scan a Postman workspace
## 13: Scan a Postman workspace

Use the `--workspace-id`, `--collection-id`, `--environment` flags multiple times to scan multiple targets.

```bash
trufflehog postman --token=<postman api token> --workspace-id=<workspace id>
```

## 13: Scan a Jenkins server
## 14: Scan a Jenkins server

```bash
trufflehog jenkins --url https://jenkins.example.com --username admin --password admin
```

## 14: Scan an Elasticsearch server
## 15: Scan an Elasticsearch server

### Scan a Local Cluster

Expand Down Expand Up @@ -321,7 +333,7 @@ trufflehog elasticsearch \
--api-key 'MlVtVjBZ...ZSYlduYnF1djh3NG5FQQ=='
```

## 15. Scan a GitHub Repository for Cross Fork Object References and Deleted Commits
## 16. Scan a GitHub Repository for Cross Fork Object References and Deleted Commits

The following command will enumerate deleted and hidden commits on a GitHub repository and then scan them for secrets. This is an alpha release feature.

Expand All @@ -335,7 +347,7 @@ In addition to the normal TruffleHog output, the `--object-discovery` flag creat

For more information on Cross Fork Object References, please [read our blog post](https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github).

## 16. Scan Hugging Face
## 17. Scan Hugging Face

### Scan a Hugging Face Model, Dataset or Space

Expand Down Expand Up @@ -410,15 +422,14 @@ Find credentials in git repositories.
Flags:
-h, --help Show context-sensitive help (also try --help-long and --help-man).
--debug Run in debug mode.
--trace Run in trace mode.
--log-level=0 Logging verbosity on a scale of 0 (info) to 5 (trace). Can be disabled with "-1".
--profile Enables profiling and sets a pprof and fgprof server on :18066.
-j, --json Output in JSON format.
--json-legacy Use the pre-v3.0 JSON format. Only works with git, gitlab, and github sources.
--github-actions Output in GitHub Actions format.
--concurrency=20 Number of concurrent workers.
--no-verification Don't verify the results.
--only-verified Only output verified results.
--results=RESULTS Specifies which type(s) of results to output: verified, unknown, unverified, filtered_unverified. Defaults to all types.
--allow-verification-overlap
Allow verification of similar credentials across detectors
--filter-unverified Only output first unverified result per chunk per detector if there are more than one results.
Expand Down Expand Up @@ -515,7 +526,7 @@ jobs:
- name: Secret Scanning
uses: trufflesecurity/trufflehog@main
with:
extra_args: --only-verified
extra_args: --results=verified,unknown
```

In the example config above, we're scanning for live secrets in all PRs and Pushes to `main`. Only code changes in the referenced commits are scanned. If you'd like to scan an entire branch, please see the "Advanced Usage" section below.
Expand All @@ -542,7 +553,7 @@ If you're incorporating TruffleHog into a standalone workflow and aren't running
fetch-depth: ${{env.depth}}
- uses: trufflesecurity/trufflehog@main
with:
extra_args: --only-verified
extra_args: --results=verified,unknown
...
```

Expand All @@ -567,7 +578,7 @@ TruffleHog statically detects [https://canarytokens.org/](https://canarytokens.o
# Scan commits until here (usually dev branch).
head: # optional
# Extra args to be passed to the trufflehog cli.
extra_args: --debug --only-verified
extra_args: --log-level=2 --results=verified,unknown
```
If you'd like to specify specific `base` and `head` refs, you can use the `base` argument (`--since-commit` flag in TruffleHog CLI) and the `head` argument (`--branch` flag in the TruffleHog CLI). We only recommend using these arguments for very specific use cases, where the default behavior does not work.
Expand All @@ -580,7 +591,7 @@ If you'd like to specify specific `base` and `head` refs, you can use the `base`
with:
base: ""
head: ${{ github.ref_name }}
extra_args: --only-verified
extra_args: --results=verified,unknown
```
## TruffleHog GitLab CI
Expand All @@ -601,7 +612,7 @@ security-secrets:
- apk add --no-cache git curl jq
- curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
script:
- trufflehog filesystem "$SCAN_PATH" --only-verified --fail --json | jq
- trufflehog filesystem "$SCAN_PATH" --results=verified,unknown --fail --json | jq
rules:
- if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
```
Expand All @@ -626,9 +637,9 @@ repos:
- id: trufflehog
name: TruffleHog
description: Detect secrets in your data.
entry: bash -c 'trufflehog git file://. --since-commit HEAD --only-verified --fail'
entry: bash -c 'trufflehog git file://. --since-commit HEAD --results=verified,unknown --fail'
# For running trufflehog in docker, use the following entry instead:
# entry: bash -c 'docker run --rm -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --since-commit HEAD --only-verified --fail'
# entry: bash -c 'docker run --rm -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --since-commit HEAD --results=verified,unknown --fail'
language: system
stages: ["commit", "push"]
```
Expand Down Expand Up @@ -667,7 +678,7 @@ detectors:
```

```
$ trufflehog filesystem /tmp --config config.yaml --only-verified
$ trufflehog filesystem /tmp --config config.yaml --results=verified,unknown
🐷🔑🐷 TruffleHog. Unearth your secrets. 🐷🔑🐷

Found verified result 🐷🔑
Expand Down
