Trufflehog

What is Trufflehog?

Trufflehog is a security linter designed for developers to scan their code repositories for secrets accidentally committed to version control. Trufflehog can detect credentials like API keys, tokens, and private keys. It combines entropy checks and regex patterns to find secrets deeply embedded in your codebase. Trufflehog is adept at scanning a wide array of file types. It excels in analyzing text-based files, including:

  • Source Code Files: .js, .py, .java, etc.

  • Configuration Files: .yaml, .json, .xml, etc.

  • Dotfiles: Files like .env which often contain sensitive environment variables.

Installing Trufflehog

With Trunk Check, you can automatically install and configure Trufflehog along with any relevant linters in a few straightforward steps. Here's how:

First, if you haven't already installed Trunk CLI, you can do so with the command below:

1curl https://get.trunk.io -fsSL | bash

Next, you can initialize Trunk from the root of your git repository:

1trunk init

This command will scan your repository and create a .trunk/trunk.yaml file that enables all linters, formatters, and security analyzers, recommended by Trunk Check. This includes Trufflehog if applicable to your project.

To see all available linters Trunk Check installed, simply run:

1trunk check list

If you find Trufflehog is not automatically enabled, you can do so by running:

1trunk check enable trufflehog

Alternatively, to disable Trufflehog run the command below. To disable other tooling applied by Trunk Check, simply replace trufflehog with the respective tool you're looking to disable.

1trunk check disable trufflehog

For more details on Trunk Check setup, see here.

Configuring Trufflehog

Most linters provide some mechanism to tweak their configuration, e.g. .eslintrc or Cargo.toml. Trunk is aware of all the ways individual tools are configured and supports them. This means linters you've already configured will continue to work exactly the same, just now supercharged by Trunk Check.

Like many linters with Trunk, Trufflehog works out of the box so there's no need to set up a custom configuration. For more advanced configurations like custom verifiers, we recommend checking out Trufflehog's docs.

If you're interested in other tooling outside of Trufflehog, check out our open-source repository to see how we define and support 90+ linters.

Running Trufflehog

To check your code with Trufflehog, run the command below. This command executes Trufflehog, along with any other linters Trunk Check has enabled on files you've modified. Since Trunk is git-aware, it knows what you've changed, and by adding batched execution and caching, you end up with a much faster and smoother way to run Trufflehog and other tools.

1trunk check

If you prefer to check files you've modified with Trufflehog only, run the following:

1trunk check --filter=trufflehog

Although we'd recommend against it depending on the size of your repository, you can check all files with Trufflehog by running the command below.

1trunk check --all --filter=trufflehog

In most scenarios, you'll want to execute against modified files. Since Trunk is git-aware, it knows what you've changed, and by adding batched execution and caching, you end up with a much faster and smoother way to run Trufflehog and other tools.

Updating Trunk Check & Trufflehog

To upgrade the Trunk CLI along with all plugins and linters in your trunk.yaml simply run:

1trunk upgrade

We highly recommend running on the latest validated versions of tools as updates will frequently include important security fixes and additional valuable checks. Trunk only auto-suggests linter upgrades to versions that we have tested and support, so you may see a slight lag time when a new linter version is released.

Upgrade will also recommend new tools that have become applicable since the last time your repository was scanned. This can be a result of using new technologies in your repository or Trunk itself adding support for more tools. If you don't like a particular recommendation, you can always run trunk check disable <linter> to teach trunk not to recommend it.

Comparing Trufflehog and Gitleaks

Trufflehog and Gitleaks are great tools for secret detection within codebases. However, they serve similar purposes and there's little need to have both enabled in your code repository. At the time of writing, we prioritize Trufflehog install over Gitleaks as it's frequently maintained and is more extensible

Gitleaks uses a dictionary of known regex patterns for secret detection. As a result, Gitleaks only focuses on secrets in code. If you're on Trufflehog's professional version, it scans for secrets across multiple surfaces like Linear, Slack, Jira, and more. Trufflehog also goes beyond simply identifying and assuming secrets. It will also verify potential secrets against known endpoints to see if it's truly a security risk.

You can also run Trufflehog with trufflehog-git to scan not just files but git commits as well. This mode of running will catch a leak even if you commit and revert a secret.

With all of this said, Gitleaks is still a great tool for secret detection. The above are just a few reasons why we prefer Trufflehog over Gitleaks.

Recommended Linters to Pair with Trufflehog

Pairing Trufflehog with linters enhances both code security and quality. Some recommended security linters to integrate alongside Trufflehog are:

  • osv-scanner: Scans vulnerabilities listed in the Open Source Vulnerabilities (OSV) database.

  • Trivy: A vulnerability scanner for container images, file systems, and configuration files.

  • Nancy: Checks against the Sonatype OSS Index, ensuring your Go projects remain secure against known vulnerabilities.