diff --git a/.github/workflows/secrets.yml b/.github/workflows/secrets.yml index 6f9c90780035..bd564fccd5b5 100644 --- a/.github/workflows/secrets.yml +++ b/.github/workflows/secrets.yml @@ -24,4 +24,4 @@ jobs: uses: ./ id: dogfood with: - extra_args: --only-verified \ No newline at end of file + extra_args: --results=verified,unknown diff --git a/README.md b/README.md index 2228aa3e5583..0322999dc7ae 100644 --- a/README.md +++ b/README.md @@ -117,7 +117,7 @@ This required Cosign binary to be installed prior to running installation script Command: ```bash -trufflehog git https://github.com/trufflesecurity/test_keys --results=verified +trufflehog git https://github.com/trufflesecurity/test_keys --only-verified ``` Expected output: @@ -141,7 +141,7 @@ Timestamp: 2022-06-16 10:17:40 -0700 PDT ## 2: Scan a GitHub Org for only verified secrets ```bash -trufflehog github --org=trufflesecurity --results=verified +trufflehog github --org=trufflesecurity --only-verified ``` ## 3: Scan a GitHub Repo for only verified keys and get JSON output @@ -149,7 +149,7 @@ trufflehog github --org=trufflesecurity --results=verified Command: ```bash -trufflehog git https://github.com/trufflesecurity/test_keys --results=verified --json +trufflehog git https://github.com/trufflesecurity/test_keys --only-verified --json ``` Expected output: @@ -168,7 +168,7 @@ trufflehog github --repo=https://github.com/trufflesecurity/test_keys --issue-co ## 5: Scan an S3 bucket for verified keys ```bash -trufflehog s3 --bucket= --results=verified +trufflehog s3 --bucket= --only-verified ``` ## 6: Scan S3 buckets using IAM Roles @@ -192,7 +192,7 @@ trufflehog filesystem path/to/file1.txt path/to/file2.txt path/to/dir ## 9: Scan GCS buckets for verified secrets. ```bash -trufflehog gcs --project-id= --cloud-environment --results=verified +trufflehog gcs --project-id= --cloud-environment --only-verified ``` ## 10: Scan a Docker image for verified secrets. @@ -200,7 +200,7 @@ trufflehog gcs --project-id= --cloud-environment --results=verified Use the `--image` flag multiple times to scan multiple images. ```bash -trufflehog docker --image trufflesecurity/secrets --results=verified +trufflehog docker --image trufflesecurity/secrets --only-verified ``` ## 11: Scan in CI @@ -208,7 +208,7 @@ trufflehog docker --image trufflesecurity/secrets --results=verified Set the `--since-commit` flag to your default branch that people merge into (ex: "main"). Set the `--branch` flag to your PR's branch name (ex: "feature-1"). Depending on the CI/CD platform you use, this value can be pulled in dynamically (ex: [CIRCLE_BRANCH in Circle CI](https://circleci.com/docs/variables/) and [TRAVIS_PULL_REQUEST_BRANCH in Travis CI](https://docs.travis-ci.com/user/environment-variables/)). If the repo is cloned and the target branch is already checked out during the CI/CD workflow, then `--branch HEAD` should be sufficient. The `--fail` flag will return an 183 error code if valid credentials are found. ```bash -trufflehog git file://. --since-commit main --branch feature-1 --results=verified --fail +trufflehog git file://. --since-commit main --branch feature-1 --only-verified --fail ``` # :question: FAQ @@ -267,9 +267,11 @@ Flags: -j, --json Output in JSON format. --json-legacy Use the pre-v3.0 JSON format. Only works with git, gitlab, and github sources. --github-actions Output in GitHub Actions format. - --concurrency=8 Number of concurrent workers. + --concurrency=20 Number of concurrent workers. --no-verification Don't verify the results. - --results=verified... ... Specifies which type(s) of results to output: verified, unknown, and unverified. This flag can be repeated. + --only-verified Only output verified results. + --allow-verification-overlap + Allow verification of similar credentials across detectors --filter-unverified Only output first unverified result per chunk per detector if there are more than one results. --filter-entropy=FILTER-ENTROPY Filter unverified results with Shannon entropy. Start with 3.0. @@ -279,6 +281,7 @@ Flags: --no-update Don't check for updates. --fail Exit with code 183 if results are found. --verifier=VERIFIER ... Set custom verification endpoints. + --custom-verifiers-only Only use custom verification endpoints. --archive-max-size=ARCHIVE-MAX-SIZE Maximum size of archive to scan. (Byte units eg. 512B, 2KB, 4MB) --archive-max-depth=ARCHIVE-MAX-DEPTH @@ -363,7 +366,7 @@ jobs: - name: Secret Scanning uses: trufflesecurity/trufflehog@main with: - extra_args: --results=verified + extra_args: --only-verified ``` In the example config above, we're scanning for live secrets in all PRs and Pushes to `main`. Only code changes in the referenced commits are scanned. If you'd like to scan an entire branch, please see the "Advanced Usage" section below. @@ -391,7 +394,7 @@ If you're incorporating TruffleHog into a standalone workflow and aren't running fetch-depth: ${{env.depth}} - uses: trufflesecurity/trufflehog@main with: - extra_args: --results=verified + extra_args: --only-verified ... ``` @@ -415,7 +418,7 @@ TruffleHog statically detects [https://canarytokens.org/](https://canarytokens.o # Scan commits until here (usually dev branch). head: # optional # Extra args to be passed to the trufflehog cli. - extra_args: --debug --results=verified + extra_args: --debug --only-verified ``` If you'd like to specify specific `base` and `head` refs, you can use the `base` argument (`--since-commit` flag in TruffleHog CLI) and the `head` argument (`--branch` flag in the TruffleHog CLI). We only recommend using these arguments for very specific use cases, where the default behavior does not work. @@ -427,7 +430,7 @@ If you'd like to specify specific `base` and `head` refs, you can use the `base` with: base: "" head: ${{ github.ref_name }} - extra_args: --results=verified + extra_args: --only-verified ``` ## Pre-commit Hook @@ -448,9 +451,9 @@ repos: - id: trufflehog name: TruffleHog description: Detect secrets in your data. - entry: bash -c 'trufflehog git file://. --since-commit HEAD --results=verified --fail' + entry: bash -c 'trufflehog git file://. --since-commit HEAD --only-verified --fail' # For running trufflehog in docker, use the following entry instead: - # entry: bash -c 'docker run --rm -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --since-commit HEAD --results=verified --fail' + # entry: bash -c 'docker run --rm -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --since-commit HEAD --only-verified --fail' language: system stages: ["commit", "push"] ``` @@ -490,7 +493,7 @@ detectors: ``` -$ trufflehog filesystem /tmp --config config.yaml --results=verified +$ trufflehog filesystem /tmp --config config.yaml --only-verified 🐷🔑🐷 TruffleHog. Unearth your secrets. 🐷🔑🐷 Found verified result 🐷🔑 diff --git a/main.go b/main.go index 2c9cb1b9e9a6..feed874e5d4d 100644 --- a/main.go +++ b/main.go @@ -49,8 +49,8 @@ var ( gitHubActionsFormat = cli.Flag("github-actions", "Output in GitHub Actions format.").Bool() concurrency = cli.Flag("concurrency", "Number of concurrent workers.").Default(strconv.Itoa(runtime.NumCPU())).Int() noVerification = cli.Flag("no-verification", "Don't verify the results.").Bool() - onlyVerified = cli.Flag("only-verified", "Only output verified results.").Hidden().Bool() - results = cli.Flag("results", "Specifies which type(s) of results to output: verified, unknown, unverified. This flag can be repeated. Defaults to all types.").Default("verified,unknown").String() + onlyVerified = cli.Flag("only-verified", "Only output verified results.").Bool() + results = cli.Flag("results", "Specifies which type(s) of results to output: verified, unknown, unverified. This flag can be repeated. Defaults to all types.").Default("verified,unknown").Hidden().String() allowVerificationOverlap = cli.Flag("allow-verification-overlap", "Allow verification of similar credentials across detectors").Bool() filterUnverified = cli.Flag("filter-unverified", "Only output first unverified result per chunk per detector if there are more than one results.").Bool()