Using TruffleHog with Git hooks
Using TruffleHog with Git hooks is a good way to ensure that secrets are never pushed to, or accepted by, a Git repository. Catching a secret before it lands in history is always preferable: once a secret has been committed and pushed it must be treated as compromised and rotated, even if the commit is later rewritten away.
Using pre-commit hooks
An easy way to get started is to use the pre-commit framework.
Install it via pip:
pip install pre-commit
Then, you will need a .pre-commit-config.yaml file in the root of your repository. You can either place the launcher in your PATH and call it directly, or run the scanner in Docker; both variants are shown below.
Pre-commit config for TruffleHog in Docker
repos:
  - repo: local
    hooks:
      - id: trufflehog
        name: TruffleHog
        description: Detect secrets in your data.
        # No -it: hooks run without a terminal attached, and 'docker run -t'
        # then fails with "the input device is not a TTY".
        # The scan covers the commits between main and HEAD; change 'main'
        # if your default branch has a different name.
        entry: bash -c 'docker run -v "$(pwd):/workdir" --rm us-docker.pkg.dev/thog-artifacts/public/scanner:latest git main HEAD /workdir'
        language: system
        stages: ["commit", "push"]
Pre-commit config for TruffleHog in your PATH
repos:
  - repo: local
    hooks:
      - id: trufflehog
        name: TruffleHog
        description: Detect secrets in your data.
        # Scans the commits between main and HEAD; change 'main' if your
        # default branch has a different name.
        entry: bash -c 'trufflehog-launcher git main HEAD'
        language: system
        stages: ["commit", "push"]
Once your config is in place, install the hook:
$ pre-commit install --allow-missing-config
pre-commit installed at .git/hooks/pre-commit
Two things to check before you rely on this. First, pre-commit install only installs the pre-commit hook by default; because the config above also lists the push stage, install the pre-push hook as well with pre-commit install --hook-type pre-push, otherwise the scan never runs on push. (pre-commit 3.2 and later name these stages pre-commit and pre-push; the legacy names commit and push still work but are deprecated.) Second, --allow-missing-config makes the hook exit successfully without scanning when .pre-commit-config.yaml is absent, so a deleted or unreadable config silently disables the check instead of blocking the commit. Drop that flag if you would rather fail closed.
Using pre-receive hooks
Pre-receive hooks are custom scripts executed by Git on the server-side every time new commits are pushed to a repository. They inspect incoming changes before they are accepted into the repository, allowing for enforcement of standards and rules without requiring users to install pre-commit hooks.
NOTE: Not all Git distributions are created equal; providers often require users to either self-host their Git instance or purchase an Enterprise plan. Generally, hooks are run as executable scripts, but specific implementation details of pre-receive hooks depend on the provider. Please consult your provider’s relevant documentation for setting up pre-receive hooks.
To run as a pre-receive hook, the scanner is wrapped in a small bash script that uses the git scanner. The --bare option is required: on the server the repository is a bare repository with no working tree, so the scanner must read objects directly rather than from a checkout, and file://. refers to the repository directory that Git changes into before running the hook. The trufflehog binary must be executable and on the $PATH of the user the Git server runs as. The example below should work for most providers; consult your provider's documentation for the expected file name. Some providers accept arbitrary script names, e.g. trufflehog_hook.sh, while providers such as GitLab require that the file name reflect the hook type, i.e. Git's own hook name pre-receive.
NOTE: trufflehog in the script below refers to the open-source scanner.
Pre-receive config for TruffleHog
#!/bin/bash
# --no-update: do not check for a newer release on every push
# --bare: the server-side repository has no working tree
# file://.: Git runs the hook from inside the repository directory
# --only-verified: only report credentials that verified against their service
# --fail: exit non-zero (183) when results are found, which makes Git reject the push
trufflehog --no-update git --bare file://. --only-verified --fail
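The one-liner above scans the whole bare repository on every push. As an added example, not the page's or the project's own script, the hook below scans only what a push actually introduces. Git writes one `<old-sha> <new-sha> <refname>` line per updated ref to a pre-receive hook's stdin; the script turns each line into a scanner invocation, skips ref deletions, and rejects the push if the open-source trufflehog binary (assumed on PATH, as the page requires) reports a verified secret. It uses the git subcommand's --branch and --since-commit flags to narrow the scan to the pushed range; the TRUFFLEHOG_BIN override and the helper names are this example's own assumptions.

```shell
#!/bin/bash
# Added example: pre-receive hook that scans each pushed ref range with the
# open-source trufflehog scanner (assumed to be on PATH).

SCANNER="${TRUFFLEHOG_BIN:-trufflehog}"   # assumed override for testing

# is_null_sha SHA: true for the all-zero object id Git uses to mean
# "no commit" (40 zeros for SHA-1 repositories, 64 for SHA-256).
is_null_sha() {
    case "$1" in
        ''|*[!0]*) return 1 ;;
        *)         return 0 ;;
    esac
}

# plan_scan OLD NEW REF
# Prints the git-scanner arguments for one ref update, one per line, or
# nothing when the update needs no scan.
plan_scan() {
    local old="$1" new="$2" ref="$3"
    if is_null_sha "$new"; then
        return 0   # branch or tag deletion: no new objects to inspect
    fi
    if is_null_sha "$old"; then
        # Brand-new ref: there is no base commit, so scan all history
        # reachable from NEW (can be slow on large repositories).
        printf '%s\n' git --bare file://. --branch "$new"
    else
        # Fast-forward or force-push: scan the commits after OLD up to NEW.
        printf '%s\n' git --bare file://. --branch "$new" --since-commit "$old"
    fi
}

# Reads the ref updates Git supplies on stdin and scans each one.
# Returns 0 to accept the push and 1 to reject it.
main() {
    local old new ref status rc=0 args
    while read -r old new ref; do
        mapfile -t args < <(plan_scan "$old" "$new" "$ref")
        if [ "${#args[@]}" -eq 0 ]; then
            continue
        fi
        # Scanner output reaches the pusher as "remote:" lines.
        "$SCANNER" --no-update --only-verified --fail "${args[@]}"
        status=$?
        case "$status" in
            0)   ;;
            183) echo "trufflehog: verified secret(s) in $ref, push rejected" >&2
                 rc=1 ;;
            *)   # Binary missing, git error, etc.: fail closed rather than
                 # let an unscanned push through.
                 echo "trufflehog: scanner exited $status on $ref, push rejected" >&2
                 rc=1 ;;
        esac
    done
    return "$rc"
}

# Git executes this file as the hook with the ref updates piped to stdin.
# When the file is sourced, or run from a terminal, only the functions are
# defined, which keeps plan_scan easy to exercise in isolation.
if [ "${BASH_SOURCE[0]}" = "$0" ] && [ ! -t 0 ]; then
    main
fi
```

Install it as hooks/pre-receive (or whatever name your provider requires) with the executable bit set. To try it without a push, feed it a constructed update line, for example `printf '%s %s %s\n' "$old" "$new" refs/heads/feature | ./pre-receive`; the exit status is what Git uses to accept or reject the push, and every scanner finding plus the rejection message is shown to the pusher.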