Skip to main content

TRG 8.03 - TruffleHog

StatusCreatedPost-History
Update27-Jun-2024Switching to TruffleHog due to GitGuardian licence expiration
Active26-Mar-2024Initial release
Draft04-Mar-2024Draft release

Why

TruffleHog is an open source tool designed to identify sensitive information, such as API keys, passwords, and other credentials, that may have been inadvertently committed to your code repository. This tool is expected to be used in parallel to the native GitHub Secret Scanning tool.

Description

Detecting and removing these secrets is crucial for maintaining the security of your application and infrastructure. TruffleHog performs a thorough search by checking the entire repository history, not just the latest commits. This means it can find secrets that were committed in the past and might still pose a security risk.

Configure your GitHub Actions to include:

  • workflow dispatch: Manual workflow execution.
  • schedule: Schedule the workflow to run at least once a week with 0 0 * * 0.
  • push and pull_request: Activate the workflow on both push and pull request events targeting the branch that contains the code for the currently supported version, which may not necessarily be the main branch. This is the branch from which new releases will be made.

Note: extra_args: --filter-entropy=4 --results=verified,unknown

Including extra_args: --filter-entropy=4 --results=verified,unknown in the GitHub Actions workflow ensures that TruffleHog focuses on detecting high-entropy strings, which are more likely to be sensitive information such as passwords or API keys. This setup also instructs TruffleHog to report both verified secrets and potential but unverified secrets, providing a comprehensive security scan that helps identify and address all possible vulnerabilities in the code.

Including run: exit 1 in a step of a GitHub Actions workflow, as demonstrated below, commands the workflow to halt execution. This ensures that should TruffleHog uncover any secrets during its scan, the workflow promptly terminates in failure.

GitHub Actions allows you to define workflows to automatically run TruffleHog scans on your code. You'll see the output that triggered the failure directly in the logs.

Here’s how you can set it up:

name: "TruffleHog"

on:
  push:
    branches: ["main"]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: ["main"]
  schedule:
    - cron: "0 0 * * *" # Once a day
  workflow_dispatch:

permissions:
  actions: read
  contents: read
  security-events: write
  id-token: write
  issues: write

jobs:
  ScanSecrets:
    name: Scan secrets
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Ensure full clone for pull request workflows

      - name: TruffleHog OSS
        id: trufflehog
        uses: trufflesecurity/trufflehog@main
        continue-on-error: true
        with:
          path: ./  # Scan the entire repository
          base: "${{ github.event.repository.default_branch }}"  # Set base branch for comparison (pull requests)
          extra_args: --filter-entropy=4 --results=verified,unknown --debug
      
      - name: Scan Results Status
        if: steps.trufflehog.outcome == 'failure'
        run: exit 1  # Set workflow run to failure if TruffleHog finds secrets