Skip to main content

TRG 8.03 - TruffleHog

StatusCreatedPost-History
Update27-Jun-2024Switching to TruffleHog due to GitGuardian licence expiration
Active26-Mar-2024Initial release
Draft04-Mar-2024Draft release

Why

TruffleHog is an open source tool designed to identify sensitive information, such as API keys, passwords, and other credentials, that may have been inadvertently committed to your code repository. This tool is expected to be used in parallel to the native GitHub Secret Scanning tool.

Description

Detecting and removing these secrets is crucial for maintaining the security of your application and infrastructure. TruffleHog performs a thorough search by checking the entire repository history, not just the latest commits. This means it can find secrets that were committed in the past and might still pose a security risk.

Configure your GitHub Actions to include:

  • workflow dispatch: Manual workflow execution.
  • schedule: Schedule the workflow to run at least once a week with 0 0 * * 0.
  • push and pull_request: Activate the workflow on both push and pull request events targeting the branch that contains the code for the currently supported version, which may not necessarily be the main branch. This is the branch from which new releases will be made.

Note: extra_args: --filter-entropy=4 --results=verified,unknown --only-verified

Including extra_args: --filter-entropy=4 --results=verified,unknown --only-verified in the GitHub Actions workflow ensures that TruffleHog focuses on detecting high-entropy strings, which are more likely to be sensitive information such as passwords or API keys. This setup also instructs TruffleHog to report both verified secrets and potential but unverified secrets, providing a comprehensive security scan that helps identify and address all possible vulnerabilities in the code. The --only-verified flag reduces the appearance of false positives, because only the verified secrets will appear.

Including run: exit 1 in a step of a GitHub Actions workflow, as demonstrated below, commands the workflow to halt execution. This ensures that should TruffleHog uncover any secrets during its scan, the workflow promptly terminates in failure.

GitHub Actions allows you to define workflows to automatically run TruffleHog scans on your code. You'll see the output that triggered the failure directly in the logs.

To comply with this TRG, simply create a file under the path: .github/workflows/trufflehog.yaml with the following content:

###############################################################
# Copyright (c) 2024 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License, Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0.
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# SPDX-License-Identifier: Apache-2.0
###############################################################

name: "TruffleHog"

on:
  push:
    branches: ["main"]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: ["main"]
  schedule:
    - cron: "0 0 * * *" # Once a day
  workflow_dispatch:

permissions:
  actions: read
  contents: read
  security-events: write
  id-token: write
  issues: write

jobs:
  ScanSecrets:
    name: Scan secrets
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Ensure full clone for pull request workflows

      - name: TruffleHog OSS
        id: trufflehog
        uses: trufflesecurity/trufflehog@7e78ca385fb82c19568c7a4b341c97d57d9aa5e1
        continue-on-error: true
        with:
          path: ./  # Scan the entire repository
          base: "${{ github.event.repository.default_branch }}"  # Set base branch for comparison (pull requests)
          extra_args: --filter-entropy=4 --results=verified,unknown --debug --only-verified

      - name: Scan Results Status
        if: steps.trufflehog.outcome == 'failure'
        run: exit 1  # Set workflow run to failure if TruffleHog finds secrets