DEV Community

Rafael Herik de Carvalho
Rafael Herik de Carvalho

Posted on

Using TruffleHog and pre-commit hook to prevent secret exposure

In today's landscape of modern software development and distributed teams, Git has become an essential tool for source control. However, a common and recurring issue I've encountered is the inadvertent pushing of secrets to remote repositories. This often necessitates the tedious process of rebasing branches to remove those commits and safeguard credentials from being exposed or stored in the source code.

What is TruffleHog??

"TruffleHogβ„’ is a secrets scanning tool that digs deep into your
code repositories to find secrets, passwords, and sensitive keys." Read more

TruffleHog is easy to install and use. If you are interested in more features, you can also look at the Enterprise version, but for now, the focus will be on the open-source version to work with git hooks.

Hands on

Initializing a Git Repo (Or use your current repo)



$ mkdir tutorial
$ cd tutorial
$ git init


Enter fullscreen mode Exit fullscreen mode

Creation of the new git repository

Adding the code

Here I'm adding a new simple python API that to List Cars from a MySQL database:



import os
import mysql.connector
from fastapi import FastAPI

app = FastAPI()

def _get_db_connection():
    return mysql.connector.connect(
        host="localhost",
        user="root",
        database="CarDatabase",
        password=os.environ.get("MYSQL_ROOT_PASSWORD"))


@app.get("/")
def read_root():
    return { "message": "Hello World!"}


@app.get("/cars")
def read_cars():
    conn = _get_db_connection()
    cursor = conn.cursor()
    cursor.execute("SELECT * FROM Cars")
    cars = cursor.fetchall()
    cursor.close()
    conn.close()
    return cars



Enter fullscreen mode Exit fullscreen mode

The code is working, and I'm ready to commit it to my repository.

Install TruffleHog

  • Mac


$ brew install trufflehog


Enter fullscreen mode Exit fullscreen mode
  • Here for Linux and Windows users

Scanning the main.py file



$ trufflehog filesystem ./src/main.py


Enter fullscreen mode Exit fullscreen mode

The result:



2024-07-25T12:06:02+02:00       info-0  trufflehog      running source  {"source_manager_worker_id": "f1VKj", "with_units": true}
2024-07-25T12:06:02+02:00       info-0  trufflehog      finished scanning       {"chunks": 1, "bytes": 531, "verified_secrets": 0, "unverified_secrets": 0, "scan_duration": "3.183166ms", "trufflehog_version": "3.80.1"}


Enter fullscreen mode Exit fullscreen mode

No secrets were found.

Configuring a Git Hook for pre-commit

I'm using pre-commit, follow the link to get installation instructions.

The pre-commit-config.yaml:




repos:
  - repo: local
    hooks:
      - id: trufflehog
        name: TruffleHog
        description: Detect secrets in your data.
        entry: bash -c 'trufflehog git file://. --since-commit HEAD --no-verification --fail'
        language: system
        stages: ["commit", "push"]


Enter fullscreen mode Exit fullscreen mode

After creating the pre-commit-config.yaml, let's install the hook:



$ pre-commit install
pre-commit installed at .git/hooks/pre-commit


Enter fullscreen mode Exit fullscreen mode

Now the repo is ready.

Testing the hook

I will add a hard-coded secret to test the hook:



@app.get("/test")
def read_root():
    secret = "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"
    return { "message": "Hello World!"}


Enter fullscreen mode Exit fullscreen mode

After adding this piece of code, I need to try to commit:



$ git add .
$ git commit -m "Try to add a hard-coded secret"

TruffleHog...............................................................Failed
- hook id: trufflehog
- exit code: 183

πŸ·πŸ”‘πŸ·  TruffleHog. Unearth your secrets. πŸ·πŸ”‘πŸ·

2024-07-25T15:07:13+02:00       info-0  trufflehog      running source  {"source_manager_worker_id": "gWFQC", "with_units": true}
2024-07-25T15:07:13+02:00       info-0  trufflehog      scanning repo   {"source_manager_worker_id": "gWFQC", "unit": ".", "unit_kind": "dir", "repo": "https://github.com/rafaelherik/demo-trufflehog.git", "base": "7e7de59764df7420fc94897219c7dc55bf33a32e"}
Found unverified result πŸ·πŸ”‘β“
Detector Type: Github
Decoder Type: PLAIN
Raw result: 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
Rotation_guide: https://howtorotate.com/docs/tutorials/github/
Version: 2
Commit: Staged
File: src/main.py
Line: 30
Repository: https://github.com/rafaelherik/demo-trufflehog.git
Timestamp: 0001-01-01 00:00:00 +0000

2024-07-25T15:07:13+02:00       info-0  trufflehog      finished scanning       {"chunks": 2, "bytes": 212, "verified_secrets": 0, "unverified_secrets": 1, "scan_duration": "20.145917ms", "trufflehog_version": "3.80.1"}


Enter fullscreen mode Exit fullscreen mode

Understanding the result:



Found unverified result
Detector Type: Github
Decoder Type: PLAIN
Raw result: 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
Rotation_guide: https://howtorotate.com/docs/tutorials/github/
Version: 2
Commit: Staged
File: src/main.py
Line: 30
Repository: https://github.com/rafaelherik/demo-trufflehog.git


Enter fullscreen mode Exit fullscreen mode

It says the Detector Type is GitHub, and it found a plain text secret in line 30 on src/main.py.

Safeguarding sensitive information in code repositories is critical to modern software development. TruffleHog offers a robust solution for detecting and preventing secrets from being inadvertently pushed to remote repositories.

By integrating TruffleHog with git hooks, developers can automate scanning for sensitive information before committing code, thus enhancing the security of their projects.

As demonstrated, setting up TruffleHog is straightforward, and its ability to identify hard-coded secrets can significantly mitigate the risk of credential exposure.

By incorporating such tools into the development workflow, teams can ensure a higher security level and maintain best source control management practices.

Find this code on GitHub.

Thank you for reading this post!

I appreciate your interest and hope you found the information useful. Your support and engagement are greatly valued. If you have any questions or feedback, please feel free to leave a comment. Happy coding!

Top comments (0)