If you work with Git as often as I do, you will eventually commit a secret you did not intend to. Learn from my experience: spending a day deleting git blobs, redacting secrets, rebasing repositories and breaking your Git history isn't fun for anyone. Rather than spending hours fixing old mistakes, you can use tooling that stops you from committing secrets in the first place.
Enter the TruffleHog
TruffleHog is an open source secret scanning tool developed by Truffle Security. It runs as a command line tool on Linux, Windows and macOS, or in a Docker container. It can scan the local filesystem and git repositories, and, through remote API calls, sources such as GitHub, GitLab, S3, Postman, Elasticsearch, Jenkins, Hugging Face and more.
It also has a neat trick up its sleeve: pre-commit git secret detection.
Pre-Commit Hooks
You will want to set up these tools on whichever machine is your main development device for making changes to git repositories.
By default Git runs hooks from the .git/hooks directory of each individual repository. Setting core.hooksPath points Git at one directory instead, such as ~/.git-hooks on your local system, and this is how we are going to get it to run TruffleHog secret scanning before every commit in every local repository.
Running TruffleHog pre-commit causes the commit to fail if it finds a secret in the changes being committed. That is helpful friction: the secret never reaches a git server, so you do not have to spend time redacting or rotating it after the fact.
Installing TruffleHog
The TruffleHog command line tool can be installed from Homebrew, or by running their installer script (as with any curl-to-shell install, read the script first or download a release binary from the project's GitHub releases instead):
# Homebrew install
brew install trufflehog
# Using the official install script for Windows (Git Bash/WSL), Linux, and macOS
curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
You can confirm that the command line tool is functioning by running these commands:
which trufflehog
trufflehog -h
If TruffleHog has been installed correctly, we can move on to creating the .git-hooks directory and scripts.
Run the following commands on the same computer where you installed TruffleHog:
mkdir -p ~/.git-hooks
touch ~/.git-hooks/pre-commit
chmod +x ~/.git-hooks/pre-commit
vim ~/.git-hooks/pre-commit
With pre-commit open for editing, paste in the following contents, then save and close the file:
#!/bin/sh
# Tell TruffleHog it is running inside a pre-commit hook (it then scans the staged changes rather than the full history).
export TRUFFLEHOG_PRE_COMMIT=1
# --results=verified reports only secrets TruffleHog could verify; --fail makes it exit 183 when any are reported, which is what makes git abort the commit.
trufflehog git file://. --results=verified --fail
Lastly, configure git to run hooks from the .git-hooks directory globally.
git config --global core.hooksPath ~/.git-hooks
This is what enables git to run secrets detection across all local repositories without any further configuration. Note that core.hooksPath replaces, rather than supplements, each repository's own .git/hooks directory, so any per-repository hooks (for example ones installed by a project's tooling) will no longer run unless you call them from the global hook yourself.
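The three-line hook above does the job, but a hook that runs on every commit deserves a little more care: GUI git clients often start hooks with a minimal PATH, a missing scanner should not quietly turn into an unscanned commit, and the person blocked by the hook needs to know what to do next. The script below is an added example of such a hardened hook for ~/.git-hooks/pre-commit; it is not TruffleHog's own sample hook or code from the original post. The SKIP_TRUFFLEHOG variable and the trufflehog_pre_commit function are names invented for this example; the TruffleHog flags used (--since-commit, --results, --fail, --no-update) and exit code 183 are TruffleHog's documented behaviour.

```shell
#!/bin/sh
# Added example: a hardened pre-commit hook around TruffleHog (not the project's own sample).
# SKIP_TRUFFLEHOG and trufflehog_pre_commit are names chosen for this example.

# Tell TruffleHog it is running inside a pre-commit hook.
export TRUFFLEHOG_PRE_COMMIT=1

# GUI git clients frequently launch hooks with a minimal PATH; make sure the
# install locations used earlier on this page are searchable.
PATH="$PATH:/usr/local/bin:/opt/homebrew/bin:$HOME/go/bin"
export PATH

# Returns 0 to let the commit proceed, 1 to block it.
trufflehog_pre_commit() {
    # Explicit, greppable bypass for emergencies; prefer this over git commit --no-verify,
    # which also silences every other hook.
    if [ "${SKIP_TRUFFLEHOG:-0}" = "1" ]; then
        echo "pre-commit: TruffleHog scan skipped (SKIP_TRUFFLEHOG=1)" >&2
        return 0
    fi

    # Fail closed: no scanner means no commit, not an unscanned commit.
    if ! command -v trufflehog >/dev/null 2>&1; then
        echo "pre-commit: trufflehog not found in PATH; install it or set SKIP_TRUFFLEHOG=1" >&2
        return 1
    fi

    # --fail            exit 183 when TruffleHog reports results
    # --results=verified report only secrets it could verify against the owning service
    # --since-commit HEAD do not walk the whole repository history on every commit
    # --no-update       skip the update check so the hook does not stall offline
    rc=0
    trufflehog git file://. --since-commit HEAD --results=verified --fail --no-update || rc=$?

    case "$rc" in
        0)
            return 0
            ;;
        183)
            echo "pre-commit: TruffleHog found verified secret(s); commit blocked." >&2
            echo "pre-commit: remove the credential from the staged changes, rotate it, then commit again." >&2
            return 1
            ;;
        *)
            # Any other status is a scanner error, not a clean scan: still block.
            echo "pre-commit: trufflehog exited with status $rc; commit blocked." >&2
            return 1
            ;;
    esac
}

# Only run the scan when git invokes this file as a hook, so the function above
# can also be sourced and exercised on its own (for example with a stub scanner).
case "${0##*/}" in
    pre-commit|pre-push)
        trufflehog_pre_commit
        exit $?
        ;;
esac
```

If being offline worries you more than the occasional false block, change the filter to --results=verified,unknown: TruffleHog then also reports candidates whose verification attempt errored out (for example because the network was down), so the hook fails closed instead of letting an unverifiable credential through.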
TruffleHog Caveats
By default, TruffleHog will fail a commit only if it finds verified secrets: credentials that one of its detectors recognised and then successfully checked against the service they belong to.
This means you could have a real, valid password sitting in a markdown file, and TruffleHog will not detect it. Even if you know the text is a valid password, TruffleHog does not: it only looks for strings that match one of its detector patterns (an AWS key, a GitHub token, a connection string with embedded credentials, and so on) and then tries to verify that candidate against the corresponding service.
You may be asking, “Then what is the point of installing this dang tool!?”
Because it does catch verified secrets, such as URLs or SSH commands with embedded username:password@host credentials, private RSA keys you did not intend to commit, or complete LDAP bind credentials hardcoded in a config file.
Failing only on verified results is for the best, because TruffleHog is aggressive about flagging anything that remotely looks like a password. For instance, I had file name references such as Ubuntu-Server-Example that it detected as an unverified secret. If the hook failed on unverified secrets, I would need to change my file names before I could commit anything into Git.