Original publication: View on Sweetcode (Archived)
By: Wendy Segura
git-secrets is a tool released by AWS Labs that scans commits and commit messages for secrets. truffleHog is a tool that scans a repository's entire commit history for secrets using regex and entropy checks.
Two ways to install git-secrets:
1) Git Clone:
git clone https://github.com/awslabs/git-secrets
cd git-secrets
make install
2) Homebrew:
brew install git-secrets
Then enable git-secrets in a repository and register the AWS patterns:
cd /path/to/my/repo
git secrets --install
git secrets --register-aws
# Scan all files in the repo
git secrets --scan
# Scan history
git secrets --scan-history
# Recursive directory scan
git secrets --scan -r /path/to/directory
# Multiple files
git secrets --scan /path/to/file /path/to/other/file
Install truffleHog with pip:
pip install truffleHog
Run against a repository:
# Regex rules only, entropy checks disabled
truffleHog --regex --entropy=False /path/to/repo
# Regex rules plus the default entropy checks
truffleHog --regex /path/to/repo
Helpful arguments:
usage: trufflehog [-h] [--json] [--regex] [--rules RULES] [--entropy DO_ENTROPY] [--since_commit SINCE_COMMIT] [--max_depth MAX_DEPTH]
-h, --help Show help message
--json Output JSON
--regex Enable regex scanning
--rules RULES Ignore the default regexes and load rules from a JSON file
--entropy DO_ENTROPY Enable entropy checks
--since_commit SINCE_COMMIT Scan from a specific commit hash
--max_depth MAX_DEPTH Max commit depth to search
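To make the two detection approaches concrete, here is an added example (written for this article, not truffleHog's or git-secrets' own code) of a minimal regex-plus-entropy scan over a constructed diff hunk. The thresholds, the AWS key ID regex and the sample values are assumptions for the demo; the key ID is the placeholder from the AWS documentation, and the other two tokens are made-up strings.

```python
import math
import re

# Constructed thresholds and character classes for a truffleHog-style scan:
# a run of >= MIN_LEN base64 or hex characters is tested for Shannon entropy.
BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
HEX_CHARS = "1234567890abcdefABCDEF"
BASE64_THRESHOLD, HEX_THRESHOLD, MIN_LEN = 4.5, 3.0, 20
# Structured-key regex written for this example (a --register-aws style rule):
# an AWS access key ID is AKIA/ASIA followed by 16 uppercase letters or digits.
AWS_KEY_ID = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Constructed diff hunk: the key ID is the AWS docs placeholder, the rest is made up.
SAMPLE_DIFF = """+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "Zq7Lp3Kx9Rm2Vt5Wn8Jb1Hc4Fd6Ga0YsUeTiOkPr"
+WEBHOOK_SECRET = "3f9a1c7e0b2d8564f1a9c3e7b0d2f4a6c8e1b3d5"
+handler = configureDefaultLoggingHandlerForService()
"""

def shannon_entropy(data: str, charset: str) -> float:
    """Bits per symbol of `data`, counting only symbols from `charset`."""
    entropy = 0.0
    for ch in set(data):
        if ch in charset:
            p = data.count(ch) / len(data)
            entropy -= p * math.log2(p)
    return entropy

def _runs(word: str, charset: str):
    """Yield maximal runs of `charset` characters at least MIN_LEN long."""
    run = ""
    for ch in word + " ":  # the trailing space flushes the final run
        if ch in charset:
            run += ch
            continue
        if len(run) >= MIN_LEN:
            yield run
        run = ""

def scan_text(text: str):
    """Return (detector, token) pairs: regex hits first, then entropy hits."""
    findings = [("regex:aws-access-key-id", m.group(0))
                for m in AWS_KEY_ID.finditer(text)]
    for word in text.split():
        for run in _runs(word, BASE64_CHARS):
            if shannon_entropy(run, BASE64_CHARS) > BASE64_THRESHOLD:
                findings.append(("entropy:base64", run))
        for run in _runs(word, HEX_CHARS):
            if shannon_entropy(run, HEX_CHARS) > HEX_THRESHOLD:
                findings.append(("entropy:hex", run))
    return findings
```

Running scan_text(SAMPLE_DIFF) flags the key ID only by regex (its entropy is too low), the two random-looking tokens only by entropy, and the long but ordinary identifier not at all, which is why the two checks complement each other.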
Never commit keys or tokens to public repositories. Use git-secrets and truffleHog to check that your repositories contain no committed secrets. For further learning, consider using Vault by HashiCorp or Blackbox for secret management.