Added how to scan a local git repo (trufflesecurity#3593)
Issue trufflesecurity#1864
because it's not written in README yet.
za authored Dec 2, 2024
1 parent 2a01091 commit c033f22
Showing 1 changed file with 20 additions and 8 deletions.
28 changes: 20 additions & 8 deletions README.md
Expand Up @@ -257,43 +257,55 @@ docker run --rm -v "$HOME/.ssh:/root/.ssh:ro" trufflesecurity/trufflehog:latest
trufflehog filesystem path/to/file1.txt path/to/file2.txt path/to/dir
```

## 9: Scan GCS buckets for verified secrets
## 9: Scan a local git repo

Clone the git repo. For example [test keys]([email protected]:trufflesecurity/test_keys.git) repo.
```bash
$ git clone [email protected]:trufflesecurity/test_keys.git
```

Run trufflehog from the parent directory (outside the git repo).
```bash
$ trufflehog git file://test_keys --only-verified
```

## 10: Scan GCS buckets for verified secrets

```bash
trufflehog gcs --project-id=<project-ID> --cloud-environment --only-verified
```

## 10: Scan a Docker image for verified secrets
## 11: Scan a Docker image for verified secrets

Use the `--image` flag multiple times to scan multiple images.

```bash
trufflehog docker --image trufflesecurity/secrets --only-verified
```

## 11: Scan in CI
## 12: Scan in CI

Set the `--since-commit` flag to your default branch that people merge into (ex: "main"). Set the `--branch` flag to your PR's branch name (ex: "feature-1"). Depending on the CI/CD platform you use, this value can be pulled in dynamically (ex: [CIRCLE_BRANCH in Circle CI](https://circleci.com/docs/variables/) and [TRAVIS_PULL_REQUEST_BRANCH in Travis CI](https://docs.travis-ci.com/user/environment-variables/)). If the repo is cloned and the target branch is already checked out during the CI/CD workflow, then `--branch HEAD` should be sufficient. The `--fail` flag will return an 183 error code if valid credentials are found.

```bash
trufflehog git file://. --since-commit main --branch feature-1 --only-verified --fail
```

## 12: Scan a Postman workspace
## 13: Scan a Postman workspace

Use the `--workspace-id`, `--collection-id`, `--environment` flags multiple times to scan multiple targets.

```bash
trufflehog postman --token=<postman api token> --workspace-id=<workspace id>
```

## 13: Scan a Jenkins server
## 14: Scan a Jenkins server

```bash
trufflehog jenkins --url https://jenkins.example.com --username admin --password admin
```

## 14: Scan an Elasticsearch server
## 15: Scan an Elasticsearch server

### Scan a Local Cluster

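Review bot: The markdown link `[test keys]([email protected]:trufflesecurity/test_keys.git)` in the new section 9 uses an SSH clone address as its link target, which a browser cannot open; point the link at the repository's https page and keep the SSH form only inside the `git clone` command. Two smaller points in the same hunk: the two new code blocks prefix their commands with `$ `, unlike every other example in this file (`trufflehog filesystem ...`, `trufflehog gcs ...`), which breaks copy-paste, so drop the prompt; and `file://test_keys` is a path relative to the current directory, so the "from the parent directory (outside the git repo)" wording could say that explicitly, since the CI section further down in this hunk scans from inside the checkout with `file://.`.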
Expand Down Expand Up @@ -321,7 +333,7 @@ trufflehog elasticsearch \
--api-key 'MlVtVjBZ...ZSYlduYnF1djh3NG5FQQ=='
```

## 15. Scan a GitHub Repository for Cross Fork Object References and Deleted Commits
## 16. Scan a GitHub Repository for Cross Fork Object References and Deleted Commits

The following command will enumerate deleted and hidden commits on a GitHub repository and then scan them for secrets. This is an alpha release feature.

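Review bot: Style point on the renumbered heading: `## 16. Scan a GitHub Repository for Cross Fork Object References and Deleted Commits` separates the number with a period, while the headings renumbered in the previous hunk (`## 10: Scan GCS buckets for verified secrets`, `## 15: Scan an Elasticsearch server`) use a colon; since this line is being rewritten anyway, normalising the separator would make the section list consistent.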
Expand All @@ -335,7 +347,7 @@ In addition to the normal TruffleHog output, the `--object-discovery` flag creat

For more information on Cross Fork Object References, please [read our blog post](https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github).

## 16. Scan Hugging Face
## 17. Scan Hugging Face

### Scan a Hugging Face Model, Dataset or Space

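Review bot: This hunk, like the two above it, changes only a heading number, and GitHub derives heading anchors from the full heading text, so the anchors for sections 9 through 17 all change with this commit (this one moves from `#16-scan-hugging-face` to `#17-scan-hugging-face`); check that any table of contents, docs page or issue template that links to these headings by anchor is updated to the new numbers.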