DevSecOps in Practice

A Hands-On Guide to Operationalizing DevSecOps at Scale

Detecting & Preventing Leaked Secrets

Preventing Secrets Leaks Using TruffleHog

The goal of this section is to create a pre-commit hook that runs TruffleHog to scan the repository for secrets before a commit is made. TruffleHog is one of several tools that can scan Git repositories and other storage locations for secrets. It matches candidate credentials using detectors for hundreds of secret types, such as AWS keys, Azure keys, Docker credentials and Atlassian tokens, and, where a detector supports it, verifies a match by checking it against the provider's API. That verification step is what separates a live secret from a false positive.

Before proceeding, we need to install TruffleHog.

curl -sSfL \
  https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | \
  sh -s -- -b /usr/local/bin v3.88.12

Before using TruffleHog as a pre-commit hook, let's see a basic example of how it works:

# Run TruffleHog on the local repository
trufflehog git file://$HOME/RestQR

To filter the results and display only the verified and unknown secrets, use the --results flag:

trufflehog git file://$HOME/RestQR \
  --results=verified,unknown

ℹ️ A verified result is one that TruffleHog confirmed as live with the provider. An unknown result means the verification could not be completed (for example, the provider's API was unreachable), so it may be a false positive but is still worth investigating. Unverified results, where the check against the provider failed, are excluded by this filter: they are the most likely false positives, although a rotated or revoked key looks the same way.

Let's integrate TruffleHog as a pre-commit hook in our repository. First, create a .pre-commit-config.yaml file in the root of your Git repository:

cat <<EOF > $HOME/RestQR/.pre-commit-config.yaml
repos:
  - repo: local
    hooks:
      - id: trufflehog
        name: TruffleHog
        description: Detect secrets in your data.
        entry: bash -c "trufflehog git file://. --results=verified,unknown --fail"
        language: system
        stages: ["pre-commit", "pre-push"]
EOF

This configuration tells pre-commit to run TruffleHog before every commit (and, through the pre-push stage, before every push) and to block the operation if secrets are detected. The --fail flag tells TruffleHog to exit with code 183 when results are found, which is the non-zero status pre-commit needs in order to abort the commit. Note that file://. scans the repository's whole commit history on every run; TruffleHog's own pre-commit example adds --since-commit HEAD so that only the changes since HEAD are scanned, which keeps the hook fast on large repositories.

To activate the pre-commit hook, run:

# Install the git hooks (requires the pre-commit framework: pip install pre-commit).
# A bare `pre-commit install` only sets up the pre-commit hook type; the config
# above also declares a pre-push stage, so install both.
cd $HOME/RestQR && pre-commit install --hook-type pre-commit --hook-type pre-push
# Commit the configuration file
git add .pre-commit-config.yaml
git commit -m "Add TruffleHog pre-commit hook"

This will configure the repository to automatically run TruffleHog before every commit. To verify this, try committing a file containing a test secret:

# Decoy AWS keys generated from canarytokens.org: they pass TruffleHog's AWS
# verification but grant no access, and alert the token owner if anyone uses them.
cd $HOME/RestQR && cat <<EOF > test_secret.txt
[default]
aws_access_key_id = AKIAQYLPMN5HHHFPZAM2
aws_secret_access_key = 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
output = json
region = us-east-2
EOF

git add test_secret.txt
git commit -m "Adding test secret"

You should see the following output:

TruffleHog...............................................................Failed
- hook id: trufflehog
- exit code: 183

🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷

[....]
 Found verified result 🐷🔑
Detector Type: AWS
Decoder Type: PLAIN
Raw result
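
The same check can be wired in without the pre-commit framework, as a plain git hook. The script below is an added example, not code from the course or from the TruffleHog project: a standalone .git/hooks/pre-commit that runs TruffleHog in --json mode, treats exit code 183 as "secrets found", and treats any other non-zero status as a tool failure rather than a clean scan, so the hook never fails open when the binary is missing or a flag is wrong. It assumes trufflehog v3 on PATH, that --json prints one JSON object per finding with DetectorName and Verified fields, and, as in TruffleHog's own pre-commit example, uses --since-commit HEAD to scan only the changes on top of HEAD. The SAMPLE_JSON lines are constructed for self-testing and contain no real credentials.

```shell
#!/bin/sh
# Standalone git pre-commit hook around TruffleHog (added example, not from the
# course or the TruffleHog project). Install with:
#   cp secret-scan-hook.sh .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit
# Assumptions: trufflehog v3 is on PATH, --json emits one JSON object per finding
# with "DetectorName" and "Verified" fields, and --fail exits 183 on findings.

# Translate TruffleHog's exit status into a hook decision. Anything other than
# 0 or 183 is a tool failure (missing binary, bad flag, crash) and must not be
# mistaken for a clean scan: a hook that fails open is no control at all.
interpret_exit() {
  case "$1" in
    0)   echo "clean" ;;
    183) echo "secrets" ;;
    *)   echo "error" ;;
  esac
}

# Read TruffleHog JSON findings on stdin and print "<verified> <other>",
# where <other> counts findings the scanner could not verify.
summarize_results() {
  verified=0
  other=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      *'"Verified":true'*) verified=$((verified + 1)) ;;
      *'"DetectorName"'*)  other=$((other + 1)) ;;
    esac
  done
  echo "$verified $other"
}

# Print the distinct detector names (AWS, Slack, ...) seen in the findings on stdin.
detectors_found() {
  sed -n 's/.*"DetectorName":"\([^"]*\)".*/\1/p' | sort -u
}

# Constructed sample of what `trufflehog --json` prints, used for self-testing;
# the Redacted values are placeholders, not real credentials.
SAMPLE_JSON='{"DetectorName":"AWS","DecoderName":"PLAIN","Verified":true,"Redacted":"AKIA...","SourceMetadata":{"Data":{"Git":{"file":"test_secret.txt"}}}}
{"DetectorName":"Slack","DecoderName":"PLAIN","Verified":false,"Redacted":"xoxb-...","SourceMetadata":{"Data":{"Git":{"file":"config.yml"}}}}'

main() {
  repo="$(git rev-parse --show-toplevel)" || exit 1
  # --since-commit HEAD restricts the scan to the changes on top of HEAD, as
  # TruffleHog's own pre-commit example does, instead of the full history.
  if out="$(trufflehog git "file://$repo" --since-commit HEAD \
             --results=verified,unknown --json --fail)"; then
    status=0
  else
    status=$?
  fi
  case "$(interpret_exit "$status")" in
    clean) exit 0 ;;
    secrets)
      set -- $(printf '%s\n' "$out" | summarize_results)
      echo "commit blocked: $1 verified and $2 unverified/unknown finding(s)" >&2
      echo "detectors: $(printf '%s\n' "$out" | detectors_found | tr '\n' ' ')" >&2
      exit 1
      ;;
    *)
      echo "commit blocked: trufflehog exited with status $status, not a clean scan" >&2
      exit 1
      ;;
  esac
}

# git executes .git/hooks/pre-commit directly, so scan only when running under a
# hook name; running the file under any other name just defines the functions.
case "${0##*/}" in
  pre-commit|pre-push) main "$@" ;;
esac
```

Because the scan status is interpreted explicitly, a developer whose trufflehog binary is missing sees "exited with status 127" and a blocked commit, instead of a commit that silently slipped past the check. The JSON parsing uses only sed and shell pattern matching so the hook has no dependency beyond TruffleHog itself; in a CI job with jq available, the same fields can be pulled with jq -r '.DetectorName'.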
