In today's landscape of modern software development and distributed teams, Git has become an essential tool for source control. However, a common and recurring issue I've encountered is the inadvertent pushing of secrets to remote repositories. This often necessitates the tedious process of rebasing branches to remove those commits and safeguard credentials from being exposed or stored in the source code.
What is TruffleHog?
"TruffleHog™ is a secrets scanning tool that digs deep into your code repositories to find secrets, passwords, and sensitive keys."
TruffleHog is easy to install and use. If you are interested in more features, you can also look at the Enterprise version, but for now, the focus will be on the open-source version to work with git hooks.
Hands on
Initializing a Git Repo (Or use your current repo)
$ mkdir tutorial
$ cd tutorial
$ git init
Adding the code
Here I'm adding a simple Python API that lists cars from a MySQL database:
import os
import mysql.connector
from fastapi import FastAPI

app = FastAPI()


def _get_db_connection():
    # The password is read from the environment, not hard-coded in the source.
    return mysql.connector.connect(
        host="localhost",
        user="root",
        database="CarDatabase",
        password=os.environ.get("MYSQL_ROOT_PASSWORD"))


@app.get("/")
def read_root():
    return {"message": "Hello World!"}


@app.get("/cars")
def read_cars():
    conn = _get_db_connection()
    cursor = conn.cursor()
    cursor.execute("SELECT * FROM Cars")
    cars = cursor.fetchall()
    cursor.close()
    conn.close()
    return cars
The code is working, and I'm ready to commit it to my repository.
Install TruffleHog
- Mac
$ brew install trufflehog
- Linux and Windows: see the TruffleHog project's installation instructions.
Scanning the main.py file
$ trufflehog filesystem ./src/main.py
The result:
2024-07-25T12:06:02+02:00 info-0 trufflehog running source {"source_manager_worker_id": "f1VKj", "with_units": true}
2024-07-25T12:06:02+02:00 info-0 trufflehog finished scanning {"chunks": 1, "bytes": 531, "verified_secrets": 0, "unverified_secrets": 0, "scan_duration": "3.183166ms", "trufflehog_version": "3.80.1"}
No secrets were found.
Configuring a Git Hook for pre-commit
I'm using pre-commit; see the pre-commit project for installation instructions.
The .pre-commit-config.yaml:
repos:
  - repo: local
    hooks:
      - id: trufflehog
        name: TruffleHog
        description: Detect secrets in your data.
        # --since-commit HEAD: scan only what is staged on top of HEAD
        # --no-verification: do not contact the provider to check whether a secret is live
        # --fail: exit non-zero when any secret is found, which blocks the commit
        entry: bash -c 'trufflehog git file://. --since-commit HEAD --no-verification --fail'
        language: system
        stages: ["commit", "push"]
After creating the .pre-commit-config.yaml, let's install the hook:
$ pre-commit install
pre-commit installed at .git/hooks/pre-commit
Now the repo is ready.
Testing the hook
I will add a hard-coded secret to test the hook:
@app.get("/test")
def read_test():
    # Deliberately hard-coded token, only to trigger the hook
    secret = "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"
    return {"message": "Hello World!"}
After adding this piece of code, I need to try to commit:
$ git add .
$ git commit -m "Try to add a hard-coded secret"
TruffleHog...............................................................Failed
- hook id: trufflehog
- exit code: 183
🐷🔑🐷 TruffleHog. Unearth your secrets. 🐷🔑🐷
2024-07-25T15:07:13+02:00 info-0 trufflehog running source {"source_manager_worker_id": "gWFQC", "with_units": true}
2024-07-25T15:07:13+02:00 info-0 trufflehog scanning repo {"source_manager_worker_id": "gWFQC", "unit": ".", "unit_kind": "dir", "repo": "https://github.com/rafaelherik/demo-trufflehog.git", "base": "7e7de59764df7420fc94897219c7dc55bf33a32e"}
Found unverified result 🐷🔑❓
Detector Type: Github
Decoder Type: PLAIN
Raw result: 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
Rotation_guide: https://howtorotate.com/docs/tutorials/github/
Version: 2
Commit: Staged
File: src/main.py
Line: 30
Repository: https://github.com/rafaelherik/demo-trufflehog.git
Timestamp: 0001-01-01 00:00:00 +0000
2024-07-25T15:07:13+02:00 info-0 trufflehog finished scanning {"chunks": 2, "bytes": 212, "verified_secrets": 0, "unverified_secrets": 1, "scan_duration": "20.145917ms", "trufflehog_version": "3.80.1"}
Understanding the result:
Found unverified result
Detector Type: Github
Decoder Type: PLAIN
Raw result: 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
Rotation_guide: https://howtorotate.com/docs/tutorials/github/
Version: 2
Commit: Staged
File: src/main.py
Line: 30
Repository: https://github.com/rafaelherik/demo-trufflehog.git
It says the Detector Type is GitHub, meaning the value matched the shape of a GitHub token, and that the plain-text secret sits on line 30 of src/main.py in the staged changes. The result is "unverified" because the hook runs with --no-verification, so TruffleHog never tried the token against GitHub to see whether it is live; the --fail flag still makes the hook exit non-zero (exit code 183 above) and the commit is blocked.
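To make the File/Line bookkeeping in that result concrete, here is an added example (my own code, not part of the post and not TruffleHog's code) that does a deliberately small version of what the hook does: it walks the unified diff of the staged changes, looks only at added lines, and reports the file and new-file line number of anything shaped like a GitHub token, then exits non-zero so pre-commit blocks the commit. The token shapes are GitHub's published formats (fine-grained PATs are "github_pat_" plus 22 characters, an underscore and 59 characters; classic PATs are "ghp_" plus 36 characters), the diff and the token in the sample input are constructed, and the real tool covers hundreds of detectors and can verify a token live, which this script does not attempt.

```python
import re
import subprocess
import sys
from dataclasses import dataclass

# Minimal stand-in for TruffleHog's GitHub detector (hypothetical, not the real one):
# fine-grained PATs are "github_pat_" + 22 chars + "_" + 59 chars, classic PATs "ghp_" + 36 chars.
PATTERNS = {
    "Github": re.compile(
        r"\b(?:github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}|ghp_[A-Za-z0-9]{36})\b"
    ),
}

# "@@ -old_start,old_count +new_start,new_count @@"; we only need new_start.
HUNK_HEADER = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    detector: str
    file: str
    line: int       # line number in the new (staged) version of the file
    redacted: str   # never echo the full secret into hook output or CI logs


def redact(raw: str) -> str:
    return raw[:10] + "..." + raw[-4:]


def scan_staged_diff(diff_text: str) -> list[Finding]:
    """Walk a unified diff (the text `git diff --cached` prints) and report token
    matches on added lines only, with the file and new-file line number, which is
    what the hook's "File:" and "Line:" fields refer to."""
    findings = []
    current_file = None
    new_line = 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):                 # new-file header: "+++ b/path"
            path = line[4:]
            current_file = path[2:] if path.startswith("b/") else path
            continue
        if line.startswith(("diff ", "index ", "--- ")):
            continue                                # other per-file headers
        m = HUNK_HEADER.match(line)
        if m:
            new_line = int(m.group(1))              # first new-file line of this hunk
            continue
        if line.startswith(("-", "\\")):
            continue                                # removed line / "\ No newline at end of file"
        if line.startswith("+"):                    # added line: the only place a new secret can enter
            content = line[1:]
            for name, pattern in PATTERNS.items():
                for hit in pattern.finditer(content):
                    findings.append(Finding(name, current_file, new_line, redact(hit.group(0))))
        new_line += 1                               # added and context lines both occupy a new-file line
    return findings


def main() -> int:
    """pre-commit entry point: scan what is staged and block the commit on any hit."""
    diff = subprocess.run(["git", "diff", "--cached"], capture_output=True,
                          text=True, check=True).stdout
    findings = scan_staged_diff(diff)
    for f in findings:
        print(f"Found result\n Detector Type: {f.detector}\n Redacted: {f.redacted}"
              f"\n File: {f.file}\n Line: {f.line}")
    return 1 if findings else 0


# Constructed sample input (not a real diff, not a real token): the staged change
# from the post, with a fake fine-grained PAT of the right length landing on line 30.
FAKE_PAT = "github_pat_" + "X" * 22 + "_" + "Y" * 59
SAMPLE_DIFF = f"""\
diff --git a/src/main.py b/src/main.py
index 1111111..2222222 100644
--- a/src/main.py
+++ b/src/main.py
@@ -24,3 +24,8 @@ def read_cars():
     cursor.close()
     conn.close()
     return cars
+
+@app.get("/test")
+def read_test():
+    secret = "{FAKE_PAT}"
+    return {{"message": "Hello World!"}}
"""

# Constructed clean change: the password stays in the environment, nothing to flag.
CLEAN_DIFF = """\
diff --git a/src/main.py b/src/main.py
--- a/src/main.py
+++ b/src/main.py
@@ -5,3 +5,4 @@ def _get_db_connection():
         host="localhost",
         user="root",
+        database="CarDatabase",
         password=os.environ.get("MYSQL_ROOT_PASSWORD"))
"""

if __name__ == "__main__":
    sys.exit(main())
```

Wired into pre-commit as a local hook (entry: python path/to/this_script.py, language: system), it behaves like the TruffleHog hook above on a tiny scale: a non-zero return from main() is what stops the commit. Only the redacted form of a match is printed, since hook output often ends up in terminal scrollback and CI logs.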
Safeguarding sensitive information in code repositories is critical to modern software development. TruffleHog offers a robust solution for detecting and preventing secrets from being inadvertently pushed to remote repositories.
By integrating TruffleHog with git hooks, developers can automate scanning for sensitive information before committing code, thus enhancing the security of their projects.
As demonstrated, setting up TruffleHog is straightforward, and its ability to identify hard-coded secrets can significantly mitigate the risk of credential exposure.
By incorporating such tools into the development workflow, teams can ensure a higher security level and maintain best source control management practices.
Find this code on GitHub.
Thank you for reading this post!
I appreciate your interest and hope you found the information useful. Your support and engagement are greatly valued. If you have any questions or feedback, please feel free to leave a comment. Happy coding!