diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml
index f87d57c42b13..1a19e6e7a155 100644
--- a/.pre-commit-hooks.yaml
+++ b/.pre-commit-hooks.yaml
@@ -1,6 +1,6 @@
 - id: trufflehog
 name: TruffleHog
 description: Detect secrets in your data with TruffleHog.
- entry: trufflehog git file://. --since-commit HEAD --only-verified --fail
+ entry: trufflehog git file://. --since-commit HEAD --results=verified --fail
 language: golang
- pass_filenames: false
\ No newline at end of file
+ pass_filenames: false
diff --git a/README.md b/README.md
index 42cf868ff249..f161f2d79f4c 100644
--- a/README.md
+++ b/README.md
@@ -185,7 +185,7 @@ This required Cosign binary to be installed prior to running installation script
 Command:
 ```bash
-trufflehog git https://github.com/trufflesecurity/test_keys --only-verified
+trufflehog git https://github.com/trufflesecurity/test_keys --results=verified,unknown
 ```
 Expected output:
@@ -209,7 +209,7 @@ Timestamp: 2022-06-16 10:17:40 -0700 PDT
 ## 2: Scan a GitHub Org for only verified secrets
 ```bash
-trufflehog github --org=trufflesecurity --only-verified
+trufflehog github --org=trufflesecurity --results=verified,unknown
 ```
 ## 3: Scan a GitHub Repo for only verified keys and get JSON output
@@ -217,7 +217,7 @@ trufflehog github --org=trufflesecurity --only-verified
 Command:
 ```bash
-trufflehog git https://github.com/trufflesecurity/test_keys --only-verified --json
+trufflehog git https://github.com/trufflesecurity/test_keys --results=verified,unknown --json
 ```
 Expected output:
@@ -236,7 +236,7 @@ trufflehog github --repo=https://github.com/trufflesecurity/test_keys --issue-co
 ## 5: Scan an S3 bucket for verified keys
 ```bash
-trufflehog s3 --bucket= --only-verified
+trufflehog s3 --bucket= --results=verified,unknown
 ```
 ## 6: Scan S3 buckets using IAM Roles
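Review bot: The hook's `entry` now passes `--results=verified`, while the README's copy of the same pre-commit snippet in this commit (the hunk at README line 637) passes `--results=verified,unknown`, so a user who follows the README gets a different gate than the published hook. Either use one value in both places or state the difference in the hook's `description`. If `unknown` denotes results whose verification did not complete, which this page does not define, omitting it here is a reasonable choice for a blocking hook, and a comment would make that intent survive the next edit: `# 'unknown' is deliberately omitted so an unverifiable result does not block a commit`.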
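Review bot: The heading `## 2: Scan a GitHub Org for only verified secrets` still says "only verified" while the command under it now asks for `verified,unknown`, so the heading and the example disagree; the `## 3` heading in the same hunk and the `## 5`, `## 10` and `## 11` headings in the later hunks have the same mismatch. Either keep `--results=verified` in the sections that advertise verified-only output, or reword the headings to match the wider selection, e.g. `## 2: Scan a GitHub Org for verified and unknown-status secrets`. The difference matters because these are the commands people copy into gates, and `unknown` presumably includes results the verifier could not decide.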
@@ -272,7 +272,7 @@ $ trufflehog git file://test_keys --only-verified
 ## 10: Scan GCS buckets for verified secrets
 ```bash
-trufflehog gcs --project-id= --cloud-environment --only-verified
+trufflehog gcs --project-id= --cloud-environment --results=verified,unknown
 ```
 ## 11: Scan a Docker image for verified secrets
@@ -280,7 +280,7 @@ trufflehog gcs --project-id= --cloud-environment --only-verified
 Use the `--image` flag multiple times to scan multiple images.
 ```bash
-trufflehog docker --image trufflesecurity/secrets --only-verified
+trufflehog docker --image trufflesecurity/secrets --results=verified,unknown
 ```
 ## 12: Scan in CI
@@ -288,7 +288,7 @@ trufflehog docker --image trufflesecurity/secrets --only-verified
 Set the `--since-commit` flag to your default branch that people merge into (ex: "main"). Set the `--branch` flag to your PR's branch name (ex: "feature-1"). Depending on the CI/CD platform you use, this value can be pulled in dynamically (ex: [CIRCLE_BRANCH in Circle CI](https://circleci.com/docs/variables/) and [TRAVIS_PULL_REQUEST_BRANCH in Travis CI](https://docs.travis-ci.com/user/environment-variables/)). If the repo is cloned and the target branch is already checked out during the CI/CD workflow, then `--branch HEAD` should be sufficient. The `--fail` flag will return an 183 error code if valid credentials are found.
 ```bash
-trufflehog git file://. --since-commit main --branch feature-1 --only-verified --fail
+trufflehog git file://. --since-commit main --branch feature-1 --results=verified,unknown --fail
 ```
 ## 13: Scan a Postman workspace
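Review bot: The paragraph above the CI command still says `--fail` returns exit code 183 "if valid credentials are found", but the example now also requests `unknown` results; if `--fail` triggers on any emitted result, a pipeline can now be blocked by a finding whose verification did not complete rather than by a confirmed live credential, and the text does not say so. Either add a sentence such as `With --results=verified,unknown, --fail also triggers on results whose verification could not be completed.`, or keep `--results=verified` in this example, which is what the published pre-commit hook in this commit uses. The meaning of `unknown` and the exact trigger condition of `--fail` are not defined on this page, so confirm both against the implementation before wording it.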
@@ -429,7 +429,7 @@ Flags:
 --github-actions Output in GitHub Actions format.
 --concurrency=20 Number of concurrent workers.
 --no-verification Don't verify the results.
- --only-verified Only output verified results.
+ --results=RESULTS Specifies which type(s) of results to output: verified, unknown, unverified, filtered_unverified. Defaults to all types.
 --allow-verification-overlap Allow verification of similar credentials across detectors
 --filter-unverified Only output first unverified result per chunk per detector if there are more than one results.
@@ -526,7 +526,7 @@ jobs:
 - name: Secret Scanning
 uses: trufflesecurity/trufflehog@main
 with:
- extra_args: --only-verified
+ extra_args: --results=verified,unknown
 ```
 In the example config above, we're scanning for live secrets in all PRs and Pushes to `main`. Only code changes in the referenced commits are scanned. If you'd like to scan an entire branch, please see the "Advanced Usage" section below.
@@ -553,7 +553,7 @@ If you're incorporating TruffleHog into a standalone workflow and aren't running
 fetch-depth: ${{env.depth}}
 - uses: trufflesecurity/trufflehog@main
 with:
- extra_args: --only-verified
+ extra_args: --results=verified,unknown
 ...
 ```
@@ -578,7 +578,7 @@ TruffleHog statically detects [https://canarytokens.org/](https://canarytokens.o
 # Scan commits until here (usually dev branch).
 head: # optional
 # Extra args to be passed to the trufflehog cli.
- extra_args: --log-level=2 --only-verified
+ extra_args: --log-level=2 --results=verified,unknown
 ```
 If you'd like to specify specific `base` and `head` refs, you can use the `base` argument (`--since-commit` flag in TruffleHog CLI) and the `head` argument (`--branch` flag in the TruffleHog CLI). We only recommend using these arguments for very specific use cases, where the default behavior does not work.
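Review bot: The new `--results=RESULTS` entry in the Flags block never says the value is a comma-separated list, even though every example in this commit passes `verified,unknown`; a reader of the flag table alone cannot tell whether to repeat the flag or join values with commas. The same hunk drops `--only-verified` from the documented flags while main.go in this commit keeps it as a hidden flag, so existing users get no migration hint. Suggested wording: `--results=RESULTS  Comma-separated list of result types to output: verified, unknown, unverified, filtered_unverified. Defaults to all types. Replaces the deprecated --only-verified.` Since this block mirrors the CLI help text, the cli.Flag description in main.go should carry the same wording so the two do not drift.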
@@ -591,7 +591,7 @@ If you'd like to specify specific `base` and `head` refs, you can use the `base`
 with:
 base: ""
 head: ${{ github.ref_name }}
- extra_args: --only-verified
+ extra_args: --results=verified,unknown
 ```
 ## TruffleHog GitLab CI
@@ -612,7 +612,7 @@ security-secrets:
 - apk add --no-cache git curl jq
 - curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
 script:
- - trufflehog filesystem "$SCAN_PATH" --only-verified --fail --json | jq
+ - trufflehog filesystem "$SCAN_PATH" --results=verified,unknown --fail --json | jq
 rules:
 - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
 ```
@@ -637,9 +637,9 @@ repos:
 - id: trufflehog
 name: TruffleHog
 description: Detect secrets in your data.
- entry: bash -c 'trufflehog git file://. --since-commit HEAD --only-verified --fail'
+ entry: bash -c 'trufflehog git file://. --since-commit HEAD --results=verified,unknown --fail'
 # For running trufflehog in docker, use the following entry instead:
- # entry: bash -c 'docker run --rm -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --since-commit HEAD --only-verified --fail'
+ # entry: bash -c 'docker run --rm -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --since-commit HEAD --results=verified,unknown --fail'
 language: system
 stages: ["commit", "push"]
 ```
@@ -678,7 +678,7 @@ detectors:
 ```
 ```
-$ trufflehog filesystem /tmp --config config.yaml --only-verified
+$ trufflehog filesystem /tmp --config config.yaml --results=verified,unknown
 🐷🔑🐷 TruffleHog. Unearth your secrets. 🐷🔑🐷
 Found verified result 🐷🔑
diff --git a/main.go b/main.go
index 7e8a92153dc8..2fca7aed6733 100644
--- a/main.go
+++ b/main.go
@@ -53,8 +53,8 @@ var (
 gitHubActionsFormat = cli.Flag("github-actions", "Output in GitHub Actions format.").Bool()
 concurrency = cli.Flag("concurrency", "Number of concurrent workers.").Default(strconv.Itoa(runtime.NumCPU())).Int()
 noVerification = cli.Flag("no-verification", "Don't verify the results.").Bool()
- onlyVerified = cli.Flag("only-verified", "Only output verified results.").Bool()
- results = cli.Flag("results", "Specifies which type(s) of results to output: verified, unknown, unverified. Defaults to all types.").Hidden().String()
+ onlyVerified = cli.Flag("only-verified", "Only output verified results.").Hidden().Bool()
+ results = cli.Flag("results", "Specifies which type(s) of results to output: verified, unknown, unverified, filtered_unverified. Defaults to all types.").String()
 allowVerificationOverlap = cli.Flag("allow-verification-overlap", "Allow verification of similar credentials across detectors").Bool()
 filterUnverified = cli.Flag("filter-unverified", "Only output first unverified result per chunk per detector if there are more than one results.").Bool()