trufflesecurity / trufflehog Goto Github PK

View Code? Open in Web Editor NEW

13.9K 167.0 1.5K 36.03 MB

Find and verify secrets

Home Page: https://trufflesecurity.com

License: GNU Affero General Public License v3.0

Dockerfile 0.01% Makefile 0.04% Go 99.66% Shell 0.29% Gnuplot 0.01%

secret trufflehog credentials security devsecops dynamic-analysis security-tools secrets verification hacktoberfest

trufflehog's Introduction

TruffleHog

Find leaked credentials.

🔎 Now Scanning

...and more

📢 Join Our Community

Have questions? Feedback? Jump in slack or discord and hang out with us

Join our Slack Community

Join the Secret Scanning Discord

📺 Demo

docker run --rm -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=trufflesecurity

💾 Installation

Several options available for you:

MacOS users

brew install trufflehog

Docker:

_{Ensure Docker engine is running before executing the following commands:}

Unix

docker run --rm -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys

Windows Command Prompt

docker run --rm -it -v "%cd:/=\%:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys

Windows PowerShell

docker run --rm -it -v "${PWD}:/pwd" trufflesecurity/trufflehog github --repo https://github.com/trufflesecurity/test_keys

M1 and M2 Mac

docker run --platform linux/arm64 --rm -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys

Binary releases

Download and unpack from https://github.com/trufflesecurity/trufflehog/releases

Compile from source

git clone https://github.com/trufflesecurity/trufflehog.git
cd trufflehog; go install

Using installation script

curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin

Using installation script, verify checksum signature (requires cosign to be installed)

curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -v -b /usr/local/bin

Using installation script to install a specific version

curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin <ReleaseTag like v3.56.0>

🔐 Verifying the artifacts

Checksums are applied to all artifacts, and the resulting checksum file is signed using cosign.

You need the following tool to verify signature:

Cosign

Verification steps are as follow:

Download the artifact files you want, and the following files from the releases page.
- trufflehog_{version}_checksums.txt
- trufflehog_{version}_checksums.txt.pem
- trufflehog_{version}_checksums.txt.sig

Verify the signature:

cosign verify-blob <path to trufflehog_{version}_checksums.txt> \
--certificate <path to trufflehog_{version}_checksums.txt.pem> \
--signature <path to trufflehog_{version}_checksums.txt.sig> \
--certificate-identity-regexp 'https://github\.com/trufflesecurity/trufflehog/\.github/workflows/.+' \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com"

Once the signature is confirmed as valid, you can proceed to validate that the SHA256 sums align with the downloaded artifact:
```
sha256sum --ignore-missing -c trufflehog_{version}_checksums.txt
```

Replace {version} with the downloaded files version

Alternatively, if you are using installation script, pass -v option to perform signature verification. This required Cosign binary to be installed prior to running installation script.

🚀 Quick Start

1: Scan a repo for only verified secrets

Command:

trufflehog git https://github.com/trufflesecurity/test_keys --only-verified

Expected output:

🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷

Found verified result 🐷🔑
Detector Type: AWS
Decoder Type: PLAIN
Raw result: AKIAYVP4CIPPERUVIFXG
Line: 4
Commit: fbc14303ffbf8fb1c2c1914e8dda7d0121633aca
File: keys
Email: counter <[email protected]>
Repository: https://github.com/trufflesecurity/test_keys
Timestamp: 2022-06-16 10:17:40 -0700 PDT
...

2: Scan a GitHub Org for only verified secrets

trufflehog github --org=trufflesecurity --only-verified

3: Scan a GitHub Repo for only verified keys and get JSON output

Command:

trufflehog git https://github.com/trufflesecurity/test_keys --only-verified --json

Expected output:

{"SourceMetadata":{"Data":{"Git":{"commit":"fbc14303ffbf8fb1c2c1914e8dda7d0121633aca","file":"keys","email":"counter \[email protected]\u003e","repository":"https://github.com/trufflesecurity/test_keys","timestamp":"2022-06-16 10:17:40 -0700 PDT","line":4}}},"SourceID":0,"SourceType":16,"SourceName":"trufflehog - git","DetectorType":2,"DetectorName":"AWS","DecoderName":"PLAIN","Verified":true,"Raw":"AKIAYVP4CIPPERUVIFXG","Redacted":"AKIAYVP4CIPPERUVIFXG","ExtraData":{"account":"595918472158","arn":"arn:aws:iam::595918472158:user/canarytokens.com@@mirux23ppyky6hx3l6vclmhnj","user_id":"AIDAYVP4CIPPJ5M54LRCY"},"StructuredData":null}
...

4: Scan a GitHub Repo + its Issues and Pull Requests

trufflehog github --repo=https://github.com/trufflesecurity/test_keys --issue-comments --pr-comments

5: Scan an S3 bucket for verified keys

trufflehog s3 --bucket=<bucket name> --only-verified

6: Scan S3 buckets using IAM Roles

trufflehog s3 --role-arn=<iam role arn>

7: Scan a Github Repo using SSH authentication in docker

docker run --rm -v "$HOME/.ssh:/root/.ssh:ro" trufflesecurity/trufflehog:latest git ssh://github.com/trufflesecurity/test_keys

8: Scan individual files or directories

trufflehog filesystem path/to/file1.txt path/to/file2.txt path/to/dir

9: Scan GCS buckets for verified secrets

trufflehog gcs --project-id=<project-ID> --cloud-environment --only-verified

10: Scan a Docker image for verified secrets

Use the --image flag multiple times to scan multiple images.

trufflehog docker --image trufflesecurity/secrets --only-verified

11: Scan in CI

Set the --since-commit flag to your default branch that people merge into (ex: "main"). Set the --branch flag to your PR's branch name (ex: "feature-1"). Depending on the CI/CD platform you use, this value can be pulled in dynamically (ex: CIRCLE_BRANCH in Circle CI and TRAVIS_PULL_REQUEST_BRANCH in Travis CI). If the repo is cloned and the target branch is already checked out during the CI/CD workflow, then --branch HEAD should be sufficient. The --fail flag will return an 183 error code if valid credentials are found.

trufflehog git file://. --since-commit main --branch feature-1 --only-verified --fail

12: Scan a Postman workspace

Use the --workspace, --collection, --environment flags multiple times to scan multiple targets.

trufflehog postman --token=<postman api token> --workspace=<workspace id>

❓ FAQ

All I see is 🐷🔑🐷 TruffleHog. Unearth your secrets. 🐷🔑🐷 and the program exits, what gives?
- That means no secrets were detected
Why is the scan taking a long time when I scan a GitHub org
- Unauthenticated GitHub scans have rate limits. To improve your rate limits, include the --token flag with a personal access token
It says a private key was verified, what does that mean?
- Check out our Driftwood blog post to learn how to do this, in short we've confirmed the key can be used live for SSH or SSL Blog post
Is there an easy way to ignore specific secrets?
- If the scanned source supports line numbers, then you can add a trufflehog:ignore comment on the line containing the secret to ignore that secrets.

📰 What's new in v3?

TruffleHog v3 is a complete rewrite in Go with many new powerful features.

We've added over 700 credential detectors that support active verification against their respective APIs.
We've also added native support for scanning GitHub, GitLab, Docker, filesystems, S3, GCS, Circle CI and Travis CI.
Instantly verify private keys against millions of github users and billions of TLS certificates using our Driftwood technology.
Scan binaries, documents, and other file formats
Available as a GitHub Action and a pre-commit hook

What is credential verification?

For every potential credential that is detected, we've painstakingly implemented programmatic verification against the API that we think it belongs to. Verification eliminates false positives. For example, the AWS credential detector performs a GetCallerIdentity API call against the AWS API to verify if an AWS credential is active.

📝 Usage

TruffleHog has a sub-command for each source of data that you may want to scan:

git
github
gitlab
docker
S3
filesystem (files and directories)
syslog
circleci
travisci
GCS (Google Cloud Storage)

Each subcommand can have options that you can see with the --help flag provided to the sub command:

$ trufflehog git --help
usage: TruffleHog git [<flags>] <uri>

Find credentials in git repositories.

Flags:
  -h, --help                Show context-sensitive help (also try --help-long and --help-man).
      --debug               Run in debug mode.
      --trace               Run in trace mode.
      --profile             Enables profiling and sets a pprof and fgprof server on :18066.
  -j, --json                Output in JSON format.
      --json-legacy         Use the pre-v3.0 JSON format. Only works with git, gitlab, and github sources.
      --github-actions      Output in GitHub Actions format.
      --concurrency=20           Number of concurrent workers.
      --no-verification     Don't verify the results.
      --only-verified       Only output verified results.
      --allow-verification-overlap
                                 Allow verification of similar credentials across detectors
      --filter-unverified   Only output first unverified result per chunk per detector if there are more than one results.
      --filter-entropy=FILTER-ENTROPY
                                 Filter unverified results with Shannon entropy. Start with 3.0.
      --config=CONFIG            Path to configuration file.
      --print-avg-detector-time
                                 Print the average time spent on each detector.
      --no-update           Don't check for updates.
      --fail                Exit with code 183 if results are found.
      --verifier=VERIFIER ...    Set custom verification endpoints.
      --custom-verifiers-only   Only use custom verification endpoints.
      --archive-max-size=ARCHIVE-MAX-SIZE
                                 Maximum size of archive to scan. (Byte units eg. 512B, 2KB, 4MB)
      --archive-max-depth=ARCHIVE-MAX-DEPTH
                                 Maximum depth of archive to scan.
      --archive-timeout=ARCHIVE-TIMEOUT
                                 Maximum time to spend extracting an archive.
      --include-detectors="all"  Comma separated list of detector types to include. Protobuf name or IDs may be used, as well as ranges.
      --exclude-detectors=EXCLUDE-DETECTORS
                                 Comma separated list of detector types to exclude. Protobuf name or IDs may be used, as well as ranges. IDs defined here take precedence over the include list.
      --version             Show application version.
  -i, --include-paths=INCLUDE-PATHS
                                 Path to file with newline separated regexes for files to include in scan.
  -x, --exclude-paths=EXCLUDE-PATHS
                                 Path to file with newline separated regexes for files to exclude in scan.
      --exclude-globs=EXCLUDE-GLOBS
                                 Comma separated list of globs to exclude in scan. This option filters at the `git log` level, resulting in faster scans.
      --since-commit=SINCE-COMMIT
                                 Commit to start scan from.
      --branch=BRANCH            Branch to scan.
      --max-depth=MAX-DEPTH      Maximum depth of commits to scan.
      --bare                Scan bare repository (e.g. useful while using in pre-receive hooks)

Args:
  <uri>  Git repository URL. https://, file://, or ssh:// schema expected.

For example, to scan a git repository, start with

trufflehog git https://github.com/trufflesecurity/trufflehog.git

S3

The S3 source supports assuming IAM roles for scanning in addition to IAM users. This makes it easier for users to scan multiple AWS accounts without needing to rely on hardcoded credentials for each account.

The IAM identity that TruffleHog uses initially will need to have AssumeRole privileges as a principal in the trust policy of each IAM role to assume.

To scan a specific bucket using locally set credentials or instance metadata if on an EC2 instance:

trufflehog s3 --bucket=<bucket-name>

To scan a specific bucket using an assumed role:

trufflehog s3 --bucket=<bucket-name> --role-arn=<iam-role-arn>

Multiple roles can be passed as separate arguments. The following command will attempt to scan every bucket each role has permissions to list in the S3 API:

trufflehog s3 --role-arn=<iam-role-arn-1> --role-arn=<iam-role-arn-2>

Exit Codes:

0: No errors and no results were found.
1: An error was encountered. Sources may not have completed scans.
183: No errors were encountered, but results were found. Will only be returned if --fail flag is used.

TruffleHog Github Action

General Usage

on:
  push:
    branches:
      - main
  pull_request:

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout code
      uses: actions/checkout@v4
      with:
        fetch-depth: 0
    - name: Secret Scanning
      uses: trufflesecurity/trufflehog@main
      with:
        extra_args: --only-verified

In the example config above, we're scanning for live secrets in all PRs and Pushes to main. Only code changes in the referenced commits are scanned. If you'd like to scan an entire branch, please see the "Advanced Usage" section below.

Shallow Cloning

If you're incorporating TruffleHog into a standalone workflow and aren't running any other CI/CD tooling alongside TruffleHog, then we recommend using Shallow Cloning to speed up your workflow. Here's an example for how to do it:

...
      - shell: bash
        run: |
          if [ "${{ github.event_name }}" == "push" ]; then
            echo "depth=$(($(jq length <<< '${{ toJson(github.event.commits) }}') + 2))" >> $GITHUB_ENV
            echo "branch=${{ github.ref_name }}" >> $GITHUB_ENV
          fi
          if [ "${{ github.event_name }}" == "pull_request" ]; then
            echo "depth=$((${{ github.event.pull_request.commits }}+2))" >> $GITHUB_ENV
            echo "branch=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV
          fi
      - uses: actions/checkout@v3
        with:
          ref: ${{env.branch}}
          fetch-depth: ${{env.depth}}
      - uses: trufflesecurity/trufflehog@main
        with:
          extra_args: --only-verified
...

Depending on the event type (push or PR), we calculate the number of commits present. Then we add 2, so that we can reference a base commit before our code changes. We pass that integer value to the fetch-depth flag in the checkout action in addition to the relevant branch. Now our checkout process should be much shorter.

Canary detection

TruffleHog statically detects https://canarytokens.org/ and lets you know when they're present without setting them off. You can learn more here: https://trufflesecurity.com/canaries

Advanced Usage

- name: TruffleHog
  uses: trufflesecurity/trufflehog@main
  with:
    # Repository path
    path:
    # Start scanning from here (usually main branch).
    base:
    # Scan commits until here (usually dev branch).
    head: # optional
    # Extra args to be passed to the trufflehog cli.
    extra_args: --debug --only-verified

If you'd like to specify specific base and head refs, you can use the base argument (--since-commit flag in TruffleHog CLI) and the head argument (--branch flag in the TruffleHog CLI). We only recommend using these arguments for very specific use cases, where the default behavior does not work.

Advanced Usage: Scan entire branch

- name: scan-push
        uses: trufflesecurity/trufflehog@main
        with:
          base: ""
          head: ${{ github.ref_name }}
          extra_args: --only-verified

TruffleHog GitLab CI

Example Usage

stages:
  - security
  
security-secrets:
  stage: security
  allow_failure: false
  image: alpine:latest
  variables:
    SCAN_PATH: "." # Set the relative path in the repo to scan
  before_script:
    - apk add --no-cache git curl jq
    - curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
  script:
    - trufflehog filesystem "$SCAN_PATH" --only-verified --fail --json | jq
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'

In the example pipeline above, we're scanning for live secrets in all repository directories and files. This job runs only when the pipeline source is a merge request event, meaning it's triggered when a new merge request is created.

Pre-commit Hook

TruffleHog can be used in a pre-commit hook to prevent credentials from leaking before they ever leave your computer.

Key Usage Note:

For optimal hook efficacy, execute git add followed by git commit separately. This ensures TruffleHog analyzes all intended changes.
Avoid using git commit -am, as it might bypass pre-commit hook execution for unstaged modifications.

An example .pre-commit-config.yaml is provided (see pre-commit.com for installation).

repos:
  - repo: local
    hooks:
      - id: trufflehog
        name: TruffleHog
        description: Detect secrets in your data.
        entry: bash -c 'trufflehog git file://. --since-commit HEAD --only-verified --fail'
        # For running trufflehog in docker, use the following entry instead:
        # entry: bash -c 'docker run --rm -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --since-commit HEAD --only-verified --fail'
        language: system
        stages: ["commit", "push"]

Regex Detector (alpha)

TruffleHog supports detection and verification of custom regular expressions. For detection, at least one regular expression and keyword is required. A keyword is a fixed literal string identifier that appears in or around the regex to be detected. To allow maximum flexibility for verification, a webhook is used containing the regular expression matches.

TruffleHog will send a JSON POST request containing the regex matches to a configured webhook endpoint. If the endpoint responds with a 200 OK response status code, the secret is considered verified.

NB: This feature is alpha and subject to change.

Regex Detector Example

# config.yaml
detectors:
  - name: HogTokenDetector
    keywords:
      - hog
    regex:
      hogID: '\b(HOG[0-9A-Z]{17})\b'
      hogToken: '[^A-Za-z0-9+\/]{0,1}([A-Za-z0-9+\/]{40})[^A-Za-z0-9+\/]{0,1}'
    verify:
      - endpoint: http://localhost:8000/
        # unsafe must be set if the endpoint is HTTP
        unsafe: true
        headers:
          - "Authorization: super secret authorization header"

$ trufflehog filesystem /tmp --config config.yaml --only-verified
🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷

Found verified result 🐷🔑
Detector Type: CustomRegex
Decoder Type: PLAIN
Raw result: HOGAAIUNNWHAHJJWUQYR
File: /tmp/hog-facts.txt

Data structure sent to the custom verification server:

{
    "HogTokenDetector": {
        "HogID": ["HOGAAIUNNWHAHJJWUQYR"],
        "HogSecret": ["sD9vzqdSsAOxntjAJ/qZ9sw+8PvEYg0r7D1Hhh0C"],
    }
}

Verification Server Example (Python)

Unless you run a verification server, secrets found by the custom regex detector will be unverified. Here is an example Python implementation of a verification server for the above config.yaml file.

import json
from http.server import BaseHTTPRequestHandler, HTTPServer

AUTH_HEADER = 'super secret authorization header'


class Verifier(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(405)
        self.end_headers()

    def do_POST(self):
        try:
            if self.headers['Authorization'] != AUTH_HEADER:
                self.send_response(401)
                self.end_headers()
                return

            # read the body
            length = int(self.headers['Content-Length'])
            request = json.loads(self.rfile.read(length))
            self.log_message("%s", request)

            # check the match, you'll need to implement validateToken, which takes an array of ID's and Secrets
            if not validateTokens(request['HogTokenDetector']['hogID'], request['HogTokenDetector']['hogSecret']): 
                self.send_response(200)
                self.end_headers()
            else:
                # any other response besides 200
                self.send_response(406)
                self.end_headers()
        except Exception:
            self.send_response(400)
            self.end_headers()


with HTTPServer(('', 8000), Verifier) as server:
    try:
        server.serve_forever()
    except KeyboardInterrupt:
        pass

❤️ Contributors

This project exists thanks to all the people who contribute. [Contribute].

💻 Contributing

Contributions are very welcome! Please see our contribution guidelines first.

We no longer accept contributions to TruffleHog v2, but that code is available in the v2 branch.

Adding new secret detectors

We have published some documentation and tooling to get started on adding new secret detectors. Let's improve detection together!

Use as a library

Currently, trufflehog is in heavy development and no guarantees can be made on the stability of the public APIs at this time.

License Change

Since v3.0, TruffleHog is released under a AGPL 3 license, included in LICENSE. TruffleHog v3.0 uses none of the previous codebase, but care was taken to preserve backwards compatibility on the command line interface. The work previous to this release is still available licensed under GPL 2.0 in the history of this repository and the previous package releases and tags. A completed CLA is required for us to accept contributions going forward.

💸 Enterprise product

Are you interested in continuously monitoring your Git, Jira, Slack, Confluence, etc.. for credentials? We have an enterprise product that can help. Reach out here to learn more https://trufflesecurity.com/contact/

We take the revenue from the enterprise product to fund more awesome open source projects that the whole community can benefit from.

trufflehog's People

Contributors

Stargazers

Watchers

Forkers

icco res0nat0r christarazi atimorin toast707 mpw ryanohoro airbr idkwim johnjohnsp1 ryanbaxendale jbarcia llpj stuart4 songofhack paran0ids0ul goreilly bandrel rossmairm shpedoikal jaguasch sulfo techscientist tmcmil lucabongiorni coldsmoke627 vishnudxb phwd initiate6 antony-s n074v41l4bl34u olivierh59500 avineshwar nasnaq weasel0x00 shekkbuilder s2e-museum miholeus brianvansteen yeyingtomorrow newdominic fireswood marcusk1 elchappo kaicastledine pynon todun adenzil zemmali master3395 cephurs optionalg will-nolan tobey123 dekryptor marxwang wmollenkopf mrsinguyen adhikar bill666500 icysun jeremydenoun sombochea omkarkirpan flyaogogo wrinkl3 newaynewlife secof thoughtfuldev v0re phpplay ernandedante daedalus raver1975 msjmeyer awesome-python awesome-security kurtzilla wmswu jackbro ca1e 3xp10it xiju2003 vysecurity backupmanager cheaphunter ellipsys fchiao bluebear171 matkuscz hraharahra kurtdegreeff ryantzj hakusama1024 temikus aliweiya ptoonen rlgnszzz asksandipd theleestarr

trufflehog's Issues

Enterprise Github API Address

Hey,

Thanks for all of the great work that you are doing.

I am currently trying to use TruffleHog for our business, but we have a private github server that does not point to the base api.github.com.

Two questions:

Does the SearchOrg Script actually implemented? I am seeing it, but not sure if that is the base script that all trufflehog calls go through, or if it is a WIP.
Since we have a different api domain to hit, what is the best way for us to point to the correct domain? I am thinking the SearchOrg Script, but I want to make sure.

Thanks,

~Zach

Feature Request: Ability to specify a list of files (with wildcard match) to ignore

Many of our projects have a few files that always contain high entropy strings like SHA1 hashes or Base64 encoded values. It would be nice to provide a list of files to be be ignored, sort of like a .gitignore file.

Run truffleHog on directories recusively and not just in git repos

I would assume it's easy to setup a dummy git repo and scan it, but would be nice to use the tool to scan any file or directory even outside git.

One example is to scan database dumps of project trackers (jira)

Feature request: Only show the repo name, file name, line number and matched key

Only show the repo name, file name, the line number of matched key and matched key, instead of showing everything in the committed file. This will increase the visibility.
If we send the output to a file, it is impossible to figure out the matched secret key.

Feature Request: String borders for sensetive data in output

Hello. Now, if i run truffleHog in cli, i see commits content and sensetive data highlighted by color. But if content is big, i move it into outfile ( > out.log). In file i can`t see colors and it hard to find sensetive strings.
Please, add a parameter for left and right borders of sensetive strings. It help to grep it from big output content.

problem with Regex switch

Anyone else have an error message with using the regex switch?

UnboundLocalError: local variable 'regexes' referenced before assignment. I just called
trufflehog --regex my_code_dir/

UnicodeEncodeError: 'charmap' codec can't encode characters ... character maps to <undefined>

I saw for the previous issue #7 that you implemented a fix. When I tried ran truffleHog on the same repo, I got a very similar error. Unfortunately, my repo belongs to my employer so I cannot share it with you. Just figured it was worth posting in case anyone else has a similar problem.

Traceback (most recent call last):
  File "C:\Python\Python27\Scripts\trufflehog-script.py", line 9, in <module>
    load_entry_point('truffleHog==1.0.2', 'console_scripts', 'trufflehog')()
  File "c:\python\python27\lib\site-packages\truffleHog\truffleHog.py", line 20, in main
    output = find_strings(args.git_url, args.output_json)
  File "c:\python\python27\lib\site-packages\truffleHog\truffleHog.py", line 136, in find_strings
    print(printableDiff)
  File "c:\python\python27\lib\encodings\cp437.py", line 12, in encode
    return codecs.charmap_encode(input,errors,encoding_map)
UnicodeEncodeError: 'charmap' codec can't encode character u'\u2018' in position 1670: character maps to <undefined>

ImportError: No module named git

Full error:

Traceback (most recent call last):
File "truffleHog.py", line 3, in
from git import Repo
ImportError: No module named git

Steps to reproduce:

virtualenv venv
. venv/bin/activate
pip install -r requirements.txt
python2 truffleHog.py [email protected]:example/fox.git

Feature Request: Run locally only

Howdy!

I was wondering how you would consider adding the possibility to run this to an already-cloned repo.

The feature would include making some change to the code, adding a condition to the following line: https://github.com/dxa4481/truffleHog/blob/7d8009ff0b278229a119ea6cb69025dfeed9ab49/truffleHog.py#L67 to clone the repo or not, and not remove the repo afterwards (of course).

Also this could add a new argument local_path for example to specify which folder to use.

If no path/argument is specified, it could be great to just scan the current folder for strings.

I'd be happy to make the change and PR it, just wanted to know if that could be of some interest before starting anything.

Any feedback?

Feature Request

Hi, is there any plans to add an exclusion flag to ignore certain strings? (i.e. ignore password=password)

Feature Request

Would it be possible to add a feature to scan private repos with API keys?

Not working

while using with git url , the code it self reflected only

here is the screenshot : http://prntscr.com/fhp39p

Feature Request: only show trigger lines

It would be nice to have an option to only display trigger strings instead of the entire commit

WindowsError: [Error 5] Access is denied

Traceback (most recent call last): File "trufflehog.py", line 106, in <module> find_strings(args.git_url) File "trufflehog.py", line 98, in find_strings shutil.rmtree(project_path) File "C:\Python27\lib\shutil.py", line 247, in rmtree rmtree(fullname, ignore_errors, onerror) File "C:\Python27\lib\shutil.py", line 247, in rmtree rmtree(fullname, ignore_errors, onerror) File "C:\Python27\lib\shutil.py", line 247, in rmtree rmtree(fullname, ignore_errors, onerror) File "C:\Python27\lib\shutil.py", line 252, in rmtree onerror(os.remove, fullname, sys.exc_info()) File "C:\Python27\lib\shutil.py", line 250, in rmtree os.remove(fullname) WindowsError: [Error 5] Access is denied: 'temp\\[uuid]\\.git\\objects\\pack\\pack-[uuid].idx'

When scanning some repos. (This one crashes half way through, This one crashes at startup)

Custom regex are not working

Added custom regexes in truffleHog/truffleHog/regexChecks.py location and the file looks like below:

import re

regexes = {
"AWS API Key": re.compile('AKIA[0-9A-Z]{16}'),
"AWS Secret Key": re.compile('(?=.*[A-Z])(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])'),
}

Tried scanning with --regex and without --regex, but still it is not showing the secret keys in code.

Am I missing something?

Regex matching functionality is still broken in the new patch

The new patch actually is not finding any secrets. Can you try running truffleHog on this repo - https://github.com/secretuser1/secretrepo.git. It is not finding the Slack tokens along with the AWS secrets here - https://github.com/secretuser1/secretrepo/blob/master/secretfile.txt#L2

Am I missing something?

Also, if I wanted to have my own regex file, am I supposed to just overwrite it and start trufflehog or am I supposed to run some setup script? I am very confused.

The command I ran after git cloning the repo was - python truffleHog/truffleHog.py --regex --entropy=False https://github.com/secretuser1/secretrepo.git. And, there was no output.

@milo-minderbinder @dxa4481 @carnal0wnage

Feature Request: exit code if secrets found

Hi !

In order to batch truffleHog, it would be great to have different exit code when truffleHog find suspicious string and when it does not.

I would suggest to return 0 when the code is clean, and 1 otherwise.

ImportError: cannot import name 'find_strings'

$ truffleHog
Traceback (most recent call last):
  File "/usr/local/Cellar/python3/3.6.1/Frameworks/Python.framework/Versions/3.6/bin/truffleHog", line 7, in <module>
    from truffleHog.truffleHog import main
  File "/usr/local/lib/python3.6/site-packages/truffleHog/__init__.py", line 1, in <module>
    from truffleHog import find_strings
ImportError: cannot import name 'find_strings'
$ uname -a
Darwin helium.local 16.4.0 Darwin Kernel Version 16.4.0: Thu Dec 22 22:53:21 PST 2016; root:xnu-3789.41.3~3/RELEASE_X86_64 x86_64
$ python3 --version
Python 3.6.1

The regex functionality is not working as expected

I git cloned the truffleHog repository. Changed my regexChecks.py file to look like below:

import re

regexes = {
    "Slack Token XOXP": re.compile('xoxp.*'),
    "Slack Token XOXB": re.compile('xoxb.*'),
    "Slack Token XOXO": re.compile('xoxo.*'),
    "Slack Token XOXA": re.compile('xoxa.*'),
    "AWS API Key": re.compile('AKIA.*'),
    "Private key": re.compile('-----BEGIN PRIVATE KEY-----.*')
}

I then installed the libraries required to run the tool by typing pip install -r requirements.txt. My requirements.txt file looked like below:

GitPython==2.1.5
gitdb2==2.0.2
smmap2==2.0.2

Finally, I ran the tool by typing - python truffleHog.py --regex --entropy=False https://github.com/secretuser1/secretrepo.git

It printed out the Private Key, Slack Token XOXP and Slack Token XOXB. It should have also printed out the AWS key here - https://github.com/secretuser1/secretrepo/blob/master/secretfile.txt#L2 but it did not, even though the regex is present.

Any idea why?

Files added in the first commit of a git repository don't appear to be searched

To run trufflehog on a set of files that aren't in a git repository, I decided to just add them to a new repository to make things work. In the process I noticed that files added in the very first commit don't seem to be searched / reported on by trufflehog.

Reproduction steps

Here I create a new git repo in an empty directory, copy my SSH public key in to it, add and commit the file. Despite the high-entropy nature of my public key, trufflehog's output is blank:

tom@bash:~/tmp/truffletest▶ mkdir one 
tom@bash:~/tmp/truffletest▶ cd one
tom@bash:~/tmp/truffletest/one▶ git init
Initialized empty Git repository in /home/tom/tmp/truffletest/one/.git/
tom@bash:~/tmp/truffletest/one (master)▶ cp ~/.ssh/id_rsa.pub ./
tom@bash:~/tmp/truffletest/one (master)▶ git add id_rsa.pub 
tom@bash:~/tmp/truffletest/one (master)▶ git ci -m "Adds public key"
[master (root-commit) b6ea149] Adds public key
 1 file changed, 1 insertion(+)
 create mode 100644 id_rsa.pub
tom@bash:~/tmp/truffletest/one (master)▶ trufflehog .

In contrast, if I first add and commit an empty file to a fresh repository, and add my public key in a second commit, trufflehog finds and reports on it with no issue:

tom@bash:~/tmp/truffletest▶ mkdir two 
tom@bash:~/tmp/truffletest▶ cd two
tom@bash:~/tmp/truffletest/two▶ git init
Initialized empty Git repository in /home/tom/tmp/truffletest/two/.git/
tom@bash:~/tmp/truffletest/two (master)▶ touch empty
tom@bash:~/tmp/truffletest/two (master)▶ git add empty
tom@bash:~/tmp/truffletest/two (master)▶ git ci -m "Adds empty"
[master (root-commit) 9aa062a] Adds empty
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 empty
tom@bash:~/tmp/truffletest/two (master)▶ cp ~/.ssh/id_rsa.pub ./
tom@bash:~/tmp/truffletest/two (master)▶ git add id_rsa.pub 
tom@bash:~/tmp/truffletest/two (master)▶ git ci -m "Adds public key"
[master 700191d] Adds public key
 1 file changed, 1 insertion(+)
 create mode 100644 id_rsa.pub
tom@bash:~/tmp/truffletest/two (master)▶ trufflehog .
~~~~~~~~~~~~~~~~~~~~~
Reason: High Entropy
Date: 2018-02-08 14:00:52
Hash: 9aa062ab0c22e0d2788f2b0a1d03b635d71cfabc
Filepath: id_rsa.pub
Branch: master
Commit: Adds public key

@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQ...[omitted to keep the screen width down :)]

~~~~~~~~~~~~~~~~~~~~~

Installation problem.

I'm trying to install truffleHog in my RHEL 7.4 installation.
But everytime I try to install I get the problem below, python and pip version at the end.
Any idea wht's causing this?

-bash-4.2$ pip install truffleHog
Collecting truffleHog
Collecting GitPython==2.1.1 (from truffleHog)
Using cached GitPython-2.1.1-py2.py3-none-any.whl
Collecting gitdb2>=2.0.0 (from GitPython==2.1.1->truffleHog)
Using cached gitdb2-2.0.2-py2.py3-none-any.whl
Collecting smmap2>=2.0.0 (from gitdb2>=2.0.0->GitPython==2.1.1->truffleHog)
Using cached smmap2-2.0.3-py2.py3-none-any.whl
Installing collected packages: smmap2, gitdb2, GitPython, truffleHog
Exception:
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/pip/basecommand.py", line 215, in main
status = self.run(options, args)
File "/usr/lib/python2.7/site-packages/pip/commands/install.py", line 342, in run
prefix=options.prefix_path,
File "/usr/lib/python2.7/site-packages/pip/req/req_set.py", line 784, in install
**kwargs
File "/usr/lib/python2.7/site-packages/pip/req/req_install.py", line 851, in install
self.move_wheel_files(self.source_dir, root=root, prefix=prefix)
File "/usr/lib/python2.7/site-packages/pip/req/req_install.py", line 1064, in move_wheel_files
isolated=self.isolated,
File "/usr/lib/python2.7/site-packages/pip/wheel.py", line 345, in move_wheel_files
clobber(source, lib_dir, True)
File "/usr/lib/python2.7/site-packages/pip/wheel.py", line 316, in clobber
ensure_dir(destdir)
File "/usr/lib/python2.7/site-packages/pip/utils/init.py", line 83, in ensure_dir
os.makedirs(path)
File "/usr/lib64/python2.7/os.py", line 157, in makedirs
mkdir(name, mode)
OSError: [Errno 13] Permission denied: '/usr/lib/python2.7/site-packages/smmap'

-bash-4.2$ python --version
Python 2.7.5
-bash-4.2$ pip --version
pip 9.0.1 from /usr/lib/python2.7/site-packages (python 2.7)
-bash-4.2$

readme shows file:/// but doesnt seem to respect that option

readme shows file:/// but TH doesnt seem to respect that option

Can't decode 0xa9, which is the copyright symbol

This is actually more of a problem with Python's UTF8 code, I think. But if you run the trufflehog script against this repo, you'll get the following error:

Traceback (most recent call last):
  File "/home/lehmer/Sandbox/trufflehog.py", line 130, in <module>
    project_path = find_strings(args.git_url)
  File "/home/lehmer/Sandbox/trufflehog.py", line 95, in find_strings
    printableDiff = blob.diff.decode()
  File "/usr/lib/python2.7/encodings/utf_8.py", line 16, in decode
    return codecs.utf_8_decode(input, errors, True)
UnicodeDecodeError: 'utf8' codec can't decode byte 0xa9 in position 96: invalid start byte

This is because an older version of the license file had a copyright symbol (0xa9, which is the rendered value of the HTML entity ©, for example). I figured it out by putting a print(blob.diff) right before line 95.

dangerously high memory usage potential

It might be worth adding a warning to the README regarding the potential for this script to consume an extremely large amount of system memory. I ran this on an admittedly large, bloated repo (50k+ commits and a 1.2 gb .git directory), and it nearly took down my 2015 MBP. According to top, it was using some 60+ gb of memory, though I'm not sure how that's possible unless my laptop created a bunch of swap space automatically. Whatever the actual number was, it was at least several gb and caused me to have to force quit iterm. My fault for trying to run this on a repo that size, but a warning might help others from making the same mistake.

Allow for checking local branches as well as remotes

Tool currently only checks remote branches. Would be great to check local branches as well before something gets pushed off that shouldn't be.

Output not unicode encoded.

File "truffleHog/truffleHog.py", line 136, in find_strings
print(printableDiff)
UnicodeEncodeError: 'ascii' codec can't encode character u'\xa9' in position 123: ordinal not in range(128)

Python 3 support

Please!

Different results

I've noticed calling the python program direct seems to yield different results than if I import the app into my own code and run using the following:

truffleHog.find_strings(item["html_url"], do_regex=True, do_entropy=True)

As an example: https://github.com/huntsman-li/go-cache throws back some entropy stuff, the python script didn't, am I missing something?

I just get the following with no other output:

Project Name: viewimages 
Created at: 2018-02-16T08:48:57Z                   
Updated at: 2018-02-23T04:17:28Z                   
searching https://github.com/weienlee/viewimages   

Project Name: gestalt    
Created at: 2018-02-16T22:17:51Z                   
Updated at: 2018-02-23T18:24:01Z                   
searching https://github.com/pinterest/gestalt     

Project Name: aslur      
Created at: 2018-02-16T06:29:50Z                   
Updated at: 2018-02-23T02:57:56Z                   
searching https://github.com/blackzert/aslur

Thanks

Prints UnicodeEncodeError in some repos

For some repos, trufflehog prints this message:

Traceback (most recent call last):
  File "/home/mlenz/src/truffleHog/venv-trufflehog/bin/trufflehog", line 9, in <module>
    load_entry_point('truffleHog==1.0.2', 'console_scripts', 'trufflehog')()
  File "build/bdist.linux-x86_64/egg/truffleHog/truffleHog.py", line 20, in main
  File "build/bdist.linux-x86_64/egg/truffleHog/truffleHog.py", line 135, in find_strings
UnicodeEncodeError: 'ascii' codec can't encode character u'\xf6' in position 72: ordinal not in range(128)

I can't make the repos available publicly, sorry. This is with python 2.7.9.

JSON output format

The current JSON output format has no commas between each identified password/secret object and the objects are not organized into an array of objects. This is not parsed well by native json parsing libraries such as Python's json library. Would it be reasonable to format the JSON output as an array of comma separated password/secret instance objects?

UnicodeEncodeError: 'charmap' codec can't encode characters ... character maps to <undefined>

Testing using a private Github repo (soon to be public) caused an error. It identified a few SHA1 hash strings in two different commits, then throws the following error:

Date: 2016-12-16 13:10:27
Branch: master
Commit: Nameserver overhaul (#17)

* go changes to support nameservers_from
... omitted ...

Traceback (most recent call last):
  File "truffleHog.py", line 108, in <module>
    find_strings(args.git_url)
  File "truffleHog.py", line 97, in find_strings
    print(printableDiff)
  File "c:\tools\python2\lib\encodings\cp437.py", line 12, in encode
    return codecs.charmap_encode(input,errors,encoding_map)
UnicodeEncodeError: 'charmap' codec can't encode characters in position 1292428-1292443: character maps to <undefined>

Environment is Python 2.7 running on Windows 10 x64 bit. There are 50 changed files in the commit and it doesn't say which file caused the error, but my guess is it doesn't like one of the static.go files that has base64+GZip encoded JS/CSS files. See attached git patch for commit details.

0001-Nameserver-overhaul-17.zip

special characters issue

it seems there is some problem reading files with special characters in them, such as emoji codes like \U0001f60a and the truffleHog crashes

Traceback (most recent call last):                                                                                      
  File "c:\programs\python3\lib\runpy.py", line 184, in _run_module_as_main                                             
    "__main__", mod_spec)                                                                                               
  File "c:\programs\python3\lib\runpy.py", line 85, in _run_code                                                        
    exec(code, run_globals)                                                                                             
  File "C:\programs\python3\Scripts\trufflehog.exe\__main__.py", line 9, in <module>                                    
  File "c:\programs\python3\lib\site-packages\truffleHog\truffleHog.py", line 20, in main                               
    output = find_strings(args.git_url, args.output_json)                                                               
  File "c:\programs\python3\lib\site-packages\truffleHog\truffleHog.py", line 156, in find_strings                      
    print_results(printJson, commit_time, branch_name, prev_commit, printableDiff)                                      
  File "c:\programs\python3\lib\site-packages\truffleHog\truffleHog.py", line 89, in print_results                      
    print(printableDiff)                                                                                                
  File "c:\programs\python3\lib\encodings\cp437.py", line 19, in encode                                                 
    return codecs.charmap_encode(input,self.errors,encoding_map)[0]                                                     
UnicodeEncodeError: 'charmap' codec can't encode character '\U0001f60a' in position 4615: character maps to <undefined>

Feature Request: Include the commit hash in the header section

Right now the header lists the Date, Branch, and Commit message, but this can be ambiguous and difficult to look up in the history. PR #16 adds the file name in the commit where the string was found, but it would be nice to also include the commit hash for faster lookup.

Readme mentions legacy trufflehog/regexChecks.py

readme looks incorrect and doesn't refer to external repo containing regex json

Imports do not follow PEP8

PEP8 Imports

Imports should usually be on separate lines, e.g.:

Yes: import os
import sys

No: import sys, os

This can cause conflicts with merging if two PR's add imports at the same time.

Feature: write a wrapper so this can be used as a Git pre-commit filter

Avoid checking in secrets to begin with ... This would obviously also require some way of overriding this behavior.

ImportError: No module named git

Running on OpenSUSE Leap 42.2.

pip install -r requirements.txt

Requirement already satisfied: GitPython==2.1.1 in /usr/lib/python3.4/site-packages (from -r requirements.txt (line 1))
Requirement already satisfied: gitdb2>=2.0.0 in /usr/lib/python3.4/site-packages (from GitPython==2.1.1->-r requirements.txt (line 1))
Requirement already satisfied: smmap2>=2.0.0 in /usr/lib/python3.4/site-packages (from gitdb2>=2.0.0->GitPython==2.1.1->-r requirements.txt (line 1))

python truffleHog.py https://github.com/dxa4481/truffleHog.git

Traceback (most recent call last):
File "truffleHog.py", line 2, in
from git import Repo
ImportError: No module named git

Feature Request: Ignore string filter

I'd like a set of configurable strings to be ignored when tests are executed. I've found that the following strings cut down on false positives for things like hex and base64 chars definitions.

abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
123456789

Can truffleHog use personal access tokens?

I've been attempting to use personal auth tokens but truffleHog it's failing out. Is this feature available, if so how should I call the truffleHog script?

Depth limits are needed to prevent long jobs

When leveraging trufflehog for repo scans, it would be helpful to introduce the concept of depth limits, to ensure that when a scan is performed, it only goes to a certain number of commits back. On a test repository that I have, there is a huge number of commits dating back to 2014, and the job is running well more than 24 hours to go deep across all of them.

password protected repos

currently there is no way to pass password over to the git repostory, meaning a password protected repository will crash with this message

fatal: could not read Password for '[somerepo]': Invalid argument

Windows auth?

With an instance of gitlabs running with Windows AD authentication, how can you authenticate with the tool? I am getting prompted for ID/password, but giving either username or domain\username is failing.

Just a question (not actually an issue)

This repo sounds interesting but I'm not sure I fully understand it. What are some example use cases for this?

Feature Request: Suppress output when run as an included module

The app works great when run from command line. However, it would be nice if the findings output could be suppressed when included as a module in other python projects that only need access to portions of the built in functionality or the ability to customize the output format. One possible solution is to:

Remove the calling of print_results() from diff_worker()
Add a command line argument for enabling/disabling output (on by default)
Add logic to main() for running print_results() when required.

Let me know if you would like me to incorporate the change into a PR.

Hardcoded thresholds of 20 in get_strings_of_set()

threshold keyword variable is declared and used on the last if statement Line 39, but not in the first else statement Line 35

def get_strings_of_set(word, char_set, threshold=20):
    count = 0
    letters = ""
    strings = []
    for char in word:
        if char in char_set:
            letters += char
            count += 1
        else:
            if count > 20:
                strings.append(letters)
            letters = ""
            count = 0
    if count > threshold:
        strings.append(letters)

Normalize the name

There are some issues with the capital H in the PyPI package name. Can't it be just trufflehog?

Doesn't prompt for authentication for private GitHub repo

I have a private repo I tried this against and I never was prompted to provide a username/password. Though, I do have SSH setup as well I don't think it checks for that.

C:\Users\MyName\Desktop\GitHub\truffleHog> python truffleHog.py https://github.com/mcmahonjohn/private-repo
Traceback (most recent call last):
  File "truffleHog.py", line 130, in <module>
    project_path = find_strings(args.git_url)
  File "truffleHog.py", line 67, in find_strings
    Repo.clone_from(git_url, project_path)
  File "C:\Python\Python27\lib\site-packages\git\repo\base.py", line 925, in clone_from
    return cls._clone(git, url, to_path, GitCmdObjectDB, progress, **kwargs)
  File "C:\Python\Python27\lib\site-packages\git\repo\base.py", line 880, in _clone
    finalize_process(proc, stderr=stderr)
  File "C:\Python\Python27\lib\site-packages\git\util.py", line 341, in finalize_process
    proc.wait(**kwargs)
  File "C:\Python\Python27\lib\site-packages\git\cmd.py", line 291, in wait
    raise GitCommandError(self.args, status, errstr)
git.exc.GitCommandError: Cmd('git') failed due to: exit code(128)
  cmdline: git clone -v https://github.com/mcmahonjohn/private c:\users\MyName\appdata\local\temp\tmpmtcgg4
  stderr: 'Cloning into 'c:\users\MyName\appdata\local\temp\tmpmtcgg4'...
bash: /dev/tty: No such device or address
error: failed to execute prompt script (exit code 1)
fatal: could not read Username for 'https://github.com': Invalid argument
'

highlighted diff errors with overlapping and regex findings, regexes with groups broken

truffleHog does not handle overlapping findings for high entropy strings correctly, and will insert duplicate and/or overlapping bash control characters for highlighting if different high entropy strings overlap or are adjacent in the same diff.

Likewise, regex findings are also not correctly highlighted if a single regex pattern matches multiple times in a single diff - only the last match (and none of the surrounding diff content) is output. More significantly, due to the use of re.findall(), regex patterns with multiple groups will cause truffleHog to fail with an exception, since findall() returns a tuple with each matched group, instead of the expected string, and will therefore cause the call to string.replace() function to fail with an exception.

To test, run the following:

trufflehog --regex https://gist.github.com/9d12aa61c93927d14d2a4fa3747d620f.git

Note that the output contains overlapping highlights:

 Some high entropy strings:
-�[93m�[93mvJalrXUtnFEMI/K7MDENG/bPxRfiCYKMDNHKROOI�[0m�[0m, �[93m�[93mvJalrXUtnFEMI/K7MDENG/bPxRfiCYKMDNHKROOI�[0m�[0m
+�[93m�[93mvJalrXUtnFEMI/K7MDENG/bPxRfiCYKMDNHKROOI�[0m�[0m
 �[93mwJalrXUtnFEMI/K7MDENG/bPxRfiCYKMDNHKROOI�[0m
 "NEW_SECRET": '�[93mGUfiHfs3pCXtHEtZzRwnLaYTAidVBxR32dffuwKkYeTDzvEAuxDuLUBm3WF�[0m'

and that only one match is output for regex findings which should have multiple matches:

~~~~~~~~~~~~~~~~~~~~~
�[92mReason: AWS API Key�[0m
�[92mDate: 2017-12-18 14:04:56�[0m
�[92mHash: 60c38fc53e84527cdf4b9e7b721da49c8c1f4249�[0m
�[92mFilepath: secrets-examples.txt�[0m
�[92mBranch: master�[0m
�[92mCommit: �[0m
�[93mAKIAI2SFODNN7OKEMLPE�[0m

To reproduce the issue with broken regex patterns containing multiple groups, edit the regexChecks.py file by changing the line:

"AWS API Key": re.compile('AKIA[0-9A-Z]{16}'),

to:

"AWS API Key": re.compile(r'(AKIA)([0-9A-Z]{16})'),

and re-run the truffleHog command again, and note that an exception is raised at runtime.

Needless checkout

So I haven't even ran this code but was looking at the repo.
It seems there is a needless checkout of the repo here on this line which can be quite expensive.
I don't think there is a need to actually change the files in the working directory just to get the diffs.

I think you can just pass rev= here on this line and the code should behave the same.

You'd also get rid of that ugly except: pass block.

truffleHog: command not found

While using truffleHog --regex --entropy=False https://github.com/dxa4481/truffleHog.git command getting error truffleHog: command not found

Is there any dependency to access the command?