Merge pull request #3 from travisdonnell/AddTruffleHog
Add truffle hog
travisdonnell authored Oct 8, 2019
2 parents 82082ee + a0708c7 commit 3cf5799
Showing 2 changed files with 82 additions and 3 deletions.
6 changes: 3 additions & 3 deletions README.md
Expand Up @@ -17,6 +17,7 @@ Once events are received indicating that new code has been pushed, this script e

- [`detect-secrets`](https://github.com/Yelp/detect-secrets)
- [`git-secrets`](https://github.com/awslabs/git-secrets)
- [`trufflehog`](https://github.com/dxa4481/truffleHog)

A more general listing of tools which can be used to detect secrets in Git repositories can be found in [TOOLS.md](TOOLS.md)

Expand Down Expand Up @@ -71,6 +72,7 @@ Detectors are configured via the `detectors` configuration value. Right now, the

- `detect-secrets`
- `git-secrets`
- `trufflehog`

> Note: It's expected that the detector you use is installed and available on your `$PATH`. If you are running this via the Docker image, all the required tools are pre-installed.
Expand Down Expand Up @@ -110,6 +112,4 @@ Running Via Docker

```
docker run -ti --rm -e GITHUB_WATCHER_TOKEN=your_access_token duolabs/secret-bridge poll
```

testpassword="test"
```
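--- /dev/null
+++ b/detectors/trufflehog.py
@@ -0,0 +1,79 @@
+import subprocess
+import tempfile
+import json
+import logging
+
+from models.finding import Finding
+from detectors.detector import Detector
+
+class TruffleHog(Detector):
+def __init__(self, path=None):
+"""Initialize the `trufflehog` wrapper with an optional
+path to the `trufflehog` binary
+"""
+if path is not None:
+self._binary_path = path
+else:
+self._binary_path = "trufflehog"
+self.logger = logging.getLogger("TruffleHog")
+
+@property
+def name(self):
+return "truffleHog"
+
+def run(self, repo_dir, file_obj, commit_link=None):
+"""Run `trufflehog` on a repository.
+Arguments:
+repo_dir -- str: the temp directory where this commit is checked out
+file_obj -- a GitHub "file" object from a commit
+see: https://developer.github.com/v3/repos/commits/#get-a-single-commit
+"""
+self.logger.info("instantiating trufflehog")
+#dummy_repo_url value needed by trufflehog as filler field, since no remote repo is being used
+sp = subprocess.run([self._binary_path, "--repo_path", ".", "dummy_repo_url"], cwd=repo_dir, capture_output=True)
+
+if sp.returncode not in [0, 1]:
+self.logger.error(sp.stderr.encode())
+raise Exception("Unknown error while running truffleHog.")
+
+return self._output_to_findings(sp.stdout, commit_link)
+
+def _output_to_findings(self, output, commit_link):
+if isinstance(output, bytes):
+output = output.decode()
+
+Reason = ''
+Hash = ''
+Filepath = ''
+Branch = ''
+Commit = ''
+
+findings = []
+
+for line in output.splitlines():
+# trufflehog output is split across lines with
+# *nix specific characters. cleaning cleaning
+# and multi-line parsing needed to get clean fields
+# across all result sets that are introduced as a
+# single blob
+
+parts = line.split(':')
+if "Reason" in parts[0]:
+Reason = parts[1].replace('\x1b[92m','').replace('\x1b[0m','')
+if "Hash" in parts[0]:
+Hash = parts[1].replace('\x1b[92m','').replace('\x1b[0m','')
+if "Filepath" in parts[0]:
+Filepath = parts[1].replace('\x1b[92m','').replace('\x1b[0m','')
+if "Branch" in parts[0]:
+Branch = parts[1].replace('\x1b[92m','').replace('\x1b[0m','')
+if "Commit" in parts[0]:
+Commit = parts[1].replace('\x1b[92m','').replace('\x1b[0m','')
+if Commit is not '':
+findings.append(Finding(Filepath, Reason, "unknown",None,commit_link+"/commit/"+Hash.strip()))
+Reason = ''
+Hash = ''
+Filepath = ''
+Branch = ''
+Commit = ''
+return findings
+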
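Review bot: The error path in `run`, `self.logger.error(sp.stderr.encode())`, cannot execute: with `capture_output=True` and no `text=True`, `sp.stderr` is already `bytes`, so `.encode()` raises `AttributeError` and neither the log line nor the intended `Exception("Unknown error while running truffleHog.")` is ever reached — a failed scan surfaces as an unrelated traceback; use `self.logger.error(sp.stderr.decode(errors="replace"))`. In `_output_to_findings`, `if Commit is not '':` tests object identity against a literal (a SyntaxWarning on current CPython, and only correct by accident of string interning); `if Commit:` is the intended check. The `Finding` construction `commit_link+"/commit/"+Hash.strip()` raises `TypeError` whenever `run` is called with its default `commit_link=None`, so either make the argument required or build the link only when it is set. The field matching (`"Hash" in parts[0]`, `"Commit" in parts[0]`, etc.) is a substring test applied to every output line, including any diff excerpt trufflehog prints after the header fields, so a scanned file whose content happens to start a line with one of those words followed by a colon would overwrite or prematurely flush a record; the unused `import json` suggests the cleaner route, trufflehog's `--json` output mode, which yields one structured record per line and removes the need for the ANSI-code stripping.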