TruffleHog
TruffleHog is a is an open-source secret scanning engine that detects and helps resolve exposed secrets across your entire tech stack.
🚀 Usage​
Add the following command to your CI configuration file:
fluentci run --wasm trufflehog github --repo=https://github.com/dustin-decker/secretsandstuff --fail
Commands​
| Name | Description |
|---|---|
| setup | Install TruffleHog |
| git | Find credentials in a git repositories |
| github | Find credentials in Github repositories |
| gitlab | Find credentials in Gitlab repositories |
| filesystem | Find credentials in the filesystem |
| s3 | Find credentials in AWS S3 buckets |
| gcs | Find credentials in Google Cloud Storage buckets |
| syslog | Scan syslog |
| circleci | Scan CircleCI |
| docker | Scan Docker Image |
| travisci | Scan TravisCI |
| postman | Scan Postman |
| jenkins | Scan Jenkins |
| elasticsearch | Scan Elasticsearch |
| huggingface | Scan Huggingface |
Code examples​
Add fluentci-pdk crate to your Cargo.toml:
[dependencies]
fluentci-pdk = "0.2.1"
Use the following code to call a module function:
use fluentci_pdk::dag;
// ...
dag().call(
"https://pkg.fluentci.io/[email protected]?wasm=1",
"github",
vec!["--repo=https://github.com/dustin-decker/secretsandstuff", "--fail"],
);
CI/CD integrations​
The following examples show how to integrate FluentCI with popular CI providers to scan for exposed secrets using TruffleHog:
- Github Actions
- GitLab CI
- Circle CI
- Azure Pipelines
- AWS CodePipeline
ci.yml
name: ci
on:
push:
branches:
- main
jobs:
tasks:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Setup Fluent CI
uses: fluentci-io/setup-fluentci@v5
with:
wasm: true
plugin: trufflehog
args: |
github --repo=https://github.com/dustin-decker/secretsandstuff --fail
.gitlab-ci.yml
.docker:
image: denoland/deno:debian-1.42.4
services:
- docker:${DOCKER_VERSION}-dind
variables:
DOCKER_HOST: tcp://docker:2376
DOCKER_TLS_VERIFY: "1"
DOCKER_TLS_CERTDIR: /certs
DOCKER_CERT_PATH: /certs/client
DOCKER_DRIVER: overlay2
DOCKER_VERSION: 20.10.16
GITLAB_ACCESS_TOKEN: $GITLAB_ACCESS_TOKEN
.fluentci:
extends: .docker
before_script:
- apt-get update
- apt-get install -y curl tar gzip ca-certificates openssl git unzip libncursesw6
- deno install -A -r https://cli.fluentci.io -n fluentci
- fluentci --version
- curl -L https://dl.dagger.io/dagger/install.sh | DAGGER_VERSION=0.12.3 sh
- mv bin/dagger /usr/local/bin
- dagger version
scan:
extends: .fluentci
script:
- fluentci run --wasm trufflehog github --repo=https://github.com/dustin-decker/secretsandstuff --fail
.circleci/config.yml
version: 2.1
jobs:
job:
steps:
- checkout
- run: |
sudo apt-get update && sudo apt-get install -y curl unzip
curl -fsSL https://cli.fluentci.io | bash
fluentci --version
name: Setup FluentCI
- run: fluentci run --wasm trufflehog github --repo=https://github.com/dustin-decker/secretsandstuff --fail
name: generate sbom
machine:
image: ubuntu-2004:2023.07.1
workflows:
fluentci:
jobs:
- job
azure-pipelines.yml
trigger:
- main
pool:
vmImage: ubuntu-latest
steps:
- script: |
curl -fsSL https://cli.fluentci.io | bash
fluentci --version
echo "##vso[task.prependpath]${HOME}/.deno/bin
displayName: Setup FluentCI
- script: |
fluentci run --wasm trufflehog github --repo=https://github.com/dustin-decker/secretsandstuff --fail
displayName: generate sbom
buildspec.yml
version: 0.2
phases:
install:
commands:
- curl -fsSL https://cli.fluentci.io | bash
- fluentci --version
build:
commands:
- fluentci run --wasm trufflehog github --repo=https://github.com/dustin-decker/secretsandstuff --fail
post_build:
commands:
- echo Build completed on `date`