Unveiling Code Repository Secrets: Harnessing TruffleHog for Enhanced Security
What is TruffleHog?
TruffleHog is a secret-scanning tool. It matters because it finds sensitive information, such as passwords and encryption keys, that has been mistakenly committed to code repositories (collections of code that are stored and managed together), where it becomes a security vulnerability.
Secrets scattered across your SDLC — from Git repos to ticket systems — pose serious risks. A single leak can trigger security breaches, legal trouble, and reputation damage.
Millions of secrets, including API keys, passwords, and tokens, are frequently leaking from sources like source code, NPM packages, containers and more, underscoring the need for robust secret leak detection.
How does TruffleHog work?
-> Identify
Scan the version history of all platforms for hidden secrets. TruffleHog scans beyond code repositories to identify secrets hidden in comments, Docker images, and more.
-> Prevent
Use pre-commit and pre-receive hooks so that developers can prevent leaked keys in the first place. Automatically run security scans before commits, and prevent accidental inclusion of sensitive data.
-> Revoke
TruffleHog constantly tracks the status of different key types to verify their remediation. You can set up alert reminders on your preferred platform with links to guides on how to rotate and secure keys effectively.
You can read more at: trufflesecurity/trufflehog: Find and verify secrets (github.com)
1. In this blog, we will explore how to scan a GitHub repository, whether it is public or private, using TruffleHog. We won't stop at installing TruffleHog; we'll use it both via the CLI and via Docker. Simply spin up an EC2 instance or any server with a minimal configuration, and run a package update once it is up.
2. After connecting, install the latest version of TruffleHog on the system with the following command:
curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin v3.75.1
3. After installation, verify that TruffleHog is installed with the following command:
trufflehog --version
4. Next, TruffleHog accepts many options and parameters. To explore them, run the following command and refer to its help output:
trufflehog --help
5. But as I mentioned, we are scanning GitHub repositories in this demo. I’ll be using some public and some private repositories. Remember, if you want to use a private repository, you’ll need to create a secret token to access it for scanning. So, first, we’ll explore scanning a public repository, and then we’ll demonstrate how to scan a repository using Docker.
6. You can use your own public or private repository in your account where you may have stored keys or sensitive information. You can follow the command below to scan the repository:
trufflehog git <repo-url>
7. Note the following result messages:
- Found unverified result 🐷🔑❓: TruffleHog detected a pattern that might be a secret, but it is uncertain whether the secret is valid.
- ✅ Found verified result 🐷🔑: TruffleHog identified a pattern and confirmed with high confidence that it is a real secret.
- If you see only the banner 🐷🔑🐷 TruffleHog. Unearth your secrets. 🐷🔑🐷 and no result lines, no secrets were detected.
8. You can see below two images: one with a white text message that indicates a found unverified result, and the other with a green text message that indicates a found verified result. These messages will guide you on the actions you need to take depending on their importance.
The summary line printed at the end of a scan looks like this:
2024-05-09T06:22:42Z info-0 trufflehog finished scanning {"chunks": 160, "bytes": 381952, "verified_secrets": 1, "unverified_secrets": 7, "scan_duration": "718.560165ms", "trufflehog_version": "3.75.1"}
- Timestamp (2024-05-09T06:22:42Z): the date and time the scan finished (May 9, 2024, 6:22:42 UTC).
- Information level (info-0): this is an informational message from TruffleHog.
- Source (trufflehog): the message comes from the TruffleHog tool.
- Scan completion (finished scanning): TruffleHog has completed analyzing the source (likely your Git repository or a directory).
- Scan details (within curly braces):
  - "chunks": 160: the number of chunks, or parts, TruffleHog divided the source into for efficient scanning.
  - "bytes": 381952: the total size of the scanned data in bytes (approximately 382 KB).
  - "verified_secrets": 1: the most crucial result; TruffleHog found one secret with high confidence (a verified secret) during the scan.
  - "unverified_secrets": 7: TruffleHog identified seven potential secrets with lower confidence (unverified secrets).
  - "scan_duration": "718.560165ms": the total time taken for the scan, approximately 718 milliseconds (less than a second).
  - "trufflehog_version": "3.75.1": the TruffleHog version used for the scan.
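The "Prevent" step above recommends pre-commit hooks, and the summary line just described is what a hook has to read to decide whether a commit may proceed. The following is an added example (my own wrapper, not TruffleHog's code or the post's): it builds the TruffleHog command for scanning the pending change, parses the finished-scanning line and the per-result JSON lines, and blocks the commit when a verified secret is reported or TruffleHog itself fails. The flag names (git source, --since-commit, --results=verified, --json, --fail) and exit code 183 are TruffleHog's; the sample summary values are taken from the post, while the finding lines and the "AWS" detector name are constructed for illustration, and where the summary line is printed (stderr or stdout) is an assumption, so both streams are searched.

```python
# Added example (not TruffleHog's own code): a pre-commit wrapper around the
# TruffleHog CLI. Sample output below is constructed; summary values come from
# the post, the finding lines are made up.
import json
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Exit status TruffleHog uses with --fail when at least one result was found.
TRUFFLEHOG_FOUND_EXIT = 183


def build_precommit_command(repo_path: str = ".", since_commit: str = "HEAD") -> List[str]:
    """argv for a hook run: scan only what changed since `since_commit`,
    report verified results only, emit JSON, exit non-zero on a find."""
    return [
        "trufflehog", "git", f"file://{repo_path}",
        f"--since-commit={since_commit}",
        "--results=verified", "--json", "--fail",
    ]


@dataclass
class ScanSummary:
    chunks: int
    scanned_bytes: int
    verified_secrets: int
    unverified_secrets: int
    scan_duration: str
    trufflehog_version: str


# "<timestamp> <level> trufflehog finished scanning {...}", any whitespace between fields
_SUMMARY_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>\S+)\s+trufflehog\s+finished scanning\s+(?P<json>\{.*\})\s*$"
)


def parse_summary_line(line: str) -> Optional[ScanSummary]:
    """Return the scan summary if `line` is the finished-scanning message, else None."""
    m = _SUMMARY_RE.match(line.strip())
    if not m:
        return None
    d = json.loads(m.group("json"))
    return ScanSummary(
        chunks=int(d["chunks"]),
        scanned_bytes=int(d["bytes"]),
        verified_secrets=int(d["verified_secrets"]),
        unverified_secrets=int(d["unverified_secrets"]),
        scan_duration=str(d["scan_duration"]),
        trufflehog_version=str(d["trufflehog_version"]),
    )


def parse_findings(stdout: str) -> List[Tuple[str, bool]]:
    """(DetectorName, Verified) for each JSON result line; other lines are skipped."""
    findings = []
    for line in stdout.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if "DetectorName" in obj:
            findings.append((obj["DetectorName"], bool(obj.get("Verified", False))))
    return findings


def should_block_commit(returncode: int, summary: Optional[ScanSummary]) -> bool:
    """Fail closed: block on a find (exit 183), on any other non-zero exit, or when
    the summary counts a verified secret even though the exit code was 0."""
    if returncode != 0:
        return True
    return summary is not None and summary.verified_secrets > 0


def run_hook(repo_path: str = ".") -> int:
    """Run TruffleHog as a pre-commit hook; 0 allows the commit, 1 blocks it."""
    try:
        proc = subprocess.run(build_precommit_command(repo_path), capture_output=True, text=True)
    except FileNotFoundError:
        print("trufflehog not found in PATH; blocking commit (fail closed)", file=sys.stderr)
        return 1
    if proc.returncode not in (0, TRUFFLEHOG_FOUND_EXIT):
        print(f"trufflehog exited {proc.returncode}; blocking commit (fail closed)", file=sys.stderr)
    summary = None
    for line in proc.stderr.splitlines() + proc.stdout.splitlines():
        summary = parse_summary_line(line) or summary
    for name, verified in parse_findings(proc.stdout):
        print(f"{'VERIFIED' if verified else 'unverified'} secret: {name}", file=sys.stderr)
    return 1 if should_block_commit(proc.returncode, summary) else 0


# Constructed sample output: summary values from the post, finding lines made up.
SAMPLE_STDERR = (
    "2024-05-09T06:22:42Z\tinfo-0\ttrufflehog\tfinished scanning\t"
    '{"chunks": 160, "bytes": 381952, "verified_secrets": 1, "unverified_secrets": 7, '
    '"scan_duration": "718.560165ms", "trufflehog_version": "3.75.1"}\n'
)
SAMPLE_STDOUT = (
    '{"DetectorName": "AWS", "Verified": true, "Redacted": "AKIA****************"}\n'
    '{"DetectorName": "Generic", "Verified": false, "Redacted": "pass****"}\n'
)

if __name__ == "__main__":
    sys.exit(run_hook(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Install it as .git/hooks/pre-commit (or call it from an existing hook) and a commit is refused whenever TruffleHog reports a verified secret. The hook deliberately blocks on any failure of the scanner as well, so a missing binary or a broken invocation cannot silently let a commit through.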
9. Now, let’s try using Docker. The only difference between what we did with the CLI and what we’re doing now is that we’re utilizing Docker. There are multiple options you can explore, but for now, let’s focus on Docker. First, install Docker on your machine using the command below:
sudo apt-get install docker.io -y
10. Now, let’s run Docker. If you’re using it for the first time, it will pull the Docker image for you. After that, you can run it multiple times for multiple repositories. Use the command below, and I’ll describe it for you:
docker run --platform linux/amd64 -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest git <replace-with-your-git-repo-url>
- docker run: instructs Docker to run a container from the specified image.
- --platform linux/amd64: tells Docker to use the image built for the Linux AMD64 architecture (the most common one for Ubuntu and other Linux distributions).
- -it: two flags combined. -i runs the container in interactive mode, allowing you to provide input and see the output; -t allocates a pseudo-TTY (terminal) for the container, which is useful for TruffleHog's text-based output.
- -v "$PWD:/pwd": mounts your current working directory ($PWD) on the host machine at the /pwd directory inside the container. This allows TruffleHog to access a Git repository checked out there.
- trufflesecurity/trufflehog:latest: the Docker image to use. Here it is the official TruffleHog image from trufflesecurity on Docker Hub with the :latest tag, which pulls the most recent version.
- git <git-repo>: TruffleHog's git subcommand, the same one used with the CLI above. Replace <git-repo> with the actual URL or path of the Git repository you want to scan; a repository that lives in the mounted directory is reachable inside the container as file:///pwd/<repo-dir>.
Conclusion:
TruffleHog is a powerful tool for identifying security vulnerabilities in code repositories by detecting sensitive information like passwords and encryption keys. Whether using it through the command line interface (CLI) or Docker, TruffleHog provides valuable insights into potential risks within both public and private repositories. By following the outlined steps and interpreting the results, users can take necessary actions to secure their code and prevent potential breaches.