2022-01-13 20:02:24 +00:00
package main
import (
"fmt"
2022-02-07 18:29:06 +00:00
"net/http"
_ "net/http/pprof"
2022-01-13 20:02:24 +00:00
"os"
"runtime"
"strconv"
2022-03-15 00:27:14 +00:00
"strings"
2022-04-03 18:51:56 +00:00
"syscall"
2022-02-07 18:29:06 +00:00
"time"
2022-04-04 04:13:39 +00:00
"github.com/felixge/fgprof"
2023-02-14 23:00:07 +00:00
"github.com/go-logr/logr"
2022-04-04 04:13:39 +00:00
"github.com/gorilla/mux"
2022-04-03 18:51:56 +00:00
"github.com/jpillora/overseer"
2022-08-10 17:11:13 +00:00
"gopkg.in/alecthomas/kingpin.v2"
2022-02-10 18:54:33 +00:00
"github.com/trufflesecurity/trufflehog/v3/pkg/common"
2022-12-20 16:14:49 +00:00
"github.com/trufflesecurity/trufflehog/v3/pkg/config"
2022-08-29 18:45:37 +00:00
"github.com/trufflesecurity/trufflehog/v3/pkg/context"
2022-02-10 18:54:33 +00:00
"github.com/trufflesecurity/trufflehog/v3/pkg/decoders"
2023-02-27 22:46:45 +00:00
"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
2022-02-10 18:54:33 +00:00
"github.com/trufflesecurity/trufflehog/v3/pkg/engine"
2023-02-07 23:25:14 +00:00
"github.com/trufflesecurity/trufflehog/v3/pkg/handlers"
2022-11-30 19:10:05 +00:00
"github.com/trufflesecurity/trufflehog/v3/pkg/log"
2022-02-10 18:54:33 +00:00
"github.com/trufflesecurity/trufflehog/v3/pkg/output"
2023-02-27 22:46:45 +00:00
"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
2022-08-29 18:45:37 +00:00
"github.com/trufflesecurity/trufflehog/v3/pkg/sources"
2022-02-10 18:54:33 +00:00
"github.com/trufflesecurity/trufflehog/v3/pkg/sources/git"
2022-08-29 18:45:37 +00:00
"github.com/trufflesecurity/trufflehog/v3/pkg/updater"
"github.com/trufflesecurity/trufflehog/v3/pkg/version"
2022-01-13 20:02:24 +00:00
)
2022-04-03 18:51:56 +00:00
var (
2023-03-28 16:07:26 +00:00
cli = kingpin . New ( "TruffleHog" , "TruffleHog is a tool for finding credentials." )
cmd string
debug = cli . Flag ( "debug" , "Run in debug mode." ) . Bool ( )
trace = cli . Flag ( "trace" , "Run in trace mode." ) . Bool ( )
profile = cli . Flag ( "profile" , "Enables profiling and sets a pprof and fgprof server on :18066." ) . Bool ( )
jsonOut = cli . Flag ( "json" , "Output in JSON format." ) . Short ( 'j' ) . Bool ( )
jsonLegacy = cli . Flag ( "json-legacy" , "Use the pre-v3.0 JSON format. Only works with git, gitlab, and github sources." ) . Bool ( )
gitHubActionsFormat = cli . Flag ( "github-actions" , "Output in GitHub Actions format." ) . Bool ( )
concurrency = cli . Flag ( "concurrency" , "Number of concurrent workers." ) . Default ( strconv . Itoa ( runtime . NumCPU ( ) ) ) . Int ( )
noVerification = cli . Flag ( "no-verification" , "Don't verify the results." ) . Bool ( )
onlyVerified = cli . Flag ( "only-verified" , "Only output verified results." ) . Bool ( )
filterUnverified = cli . Flag ( "filter-unverified" , "Only output first unverified result per chunk per detector if there are more than one results." ) . Bool ( )
configFilename = cli . Flag ( "config" , "Path to configuration file." ) . ExistingFile ( )
2022-04-03 18:51:56 +00:00
// rules = cli.Flag("rules", "Path to file with custom rules.").String()
printAvgDetectorTime = cli . Flag ( "print-avg-detector-time" , "Print the average time spent on each detector." ) . Bool ( )
noUpdate = cli . Flag ( "no-update" , "Don't check for updates." ) . Bool ( )
2022-04-21 17:08:51 +00:00
fail = cli . Flag ( "fail" , "Exit with code 183 if results are found." ) . Bool ( )
2023-02-16 21:56:55 +00:00
archiveMaxSize = cli . Flag ( "archive-max-size" , "Maximum size of archive to scan. (Byte units eg. 512B, 2KB, 4MB)" ) . Bytes ( )
2023-02-07 23:25:14 +00:00
archiveMaxDepth = cli . Flag ( "archive-max-depth" , "Maximum depth of archive to scan." ) . Int ( )
archiveTimeout = cli . Flag ( "archive-timeout" , "Maximum time to spend extracting an archive." ) . Duration ( )
2023-02-27 22:46:45 +00:00
includeDetectors = cli . Flag ( "include-detectors" , "Comma separated list of detector types to include. Protobuf name or IDs may be used, as well as ranges." ) . Default ( "all" ) . String ( )
excludeDetectors = cli . Flag ( "exclude-detectors" , "Comma separated list of detector types to exclude. Protobuf name or IDs may be used, as well as ranges. IDs defined here take precedence over the include list." ) . String ( )
2022-04-03 18:51:56 +00:00
gitScan = cli . Command ( "git" , "Find credentials in git repositories." )
2022-08-24 06:26:09 +00:00
gitScanURI = gitScan . Arg ( "uri" , "Git repository URL. https://, file://, or ssh:// schema expected." ) . Required ( ) . String ( )
2022-04-03 18:51:56 +00:00
gitScanIncludePaths = gitScan . Flag ( "include-paths" , "Path to file with newline separated regexes for files to include in scan." ) . Short ( 'i' ) . String ( )
gitScanExcludePaths = gitScan . Flag ( "exclude-paths" , "Path to file with newline separated regexes for files to exclude in scan." ) . Short ( 'x' ) . String ( )
2023-03-28 15:46:03 +00:00
gitScanExcludeGlobs = gitScan . Flag ( "exclude-globs" , "Comma separated list of globs to exclude in scan. This option filters at the `git log` level, resulting in faster scans." ) . String ( )
2022-04-03 18:51:56 +00:00
gitScanSinceCommit = gitScan . Flag ( "since-commit" , "Commit to start scan from." ) . String ( )
gitScanBranch = gitScan . Flag ( "branch" , "Branch to scan." ) . String ( )
gitScanMaxDepth = gitScan . Flag ( "max-depth" , "Maximum depth of commits to scan." ) . Int ( )
_ = gitScan . Flag ( "allow" , "No-op flag for backwards compat." ) . Bool ( )
_ = gitScan . Flag ( "entropy" , "No-op flag for backwards compat." ) . Bool ( )
_ = gitScan . Flag ( "regex" , "No-op flag for backwards compat." ) . Bool ( )
2023-02-14 16:40:53 +00:00
githubScan = cli . Command ( "github" , "Find credentials in GitHub repositories." )
githubScanEndpoint = githubScan . Flag ( "endpoint" , "GitHub endpoint." ) . Default ( "https://api.github.com" ) . String ( )
githubScanRepos = githubScan . Flag ( "repo" , ` GitHub repository to scan. You can repeat this flag. Example: "https://github.com/dustin-decker/secretsandstuff" ` ) . Strings ( )
githubScanOrgs = githubScan . Flag ( "org" , ` GitHub organization to scan. You can repeat this flag. Example: "trufflesecurity" ` ) . Strings ( )
githubScanToken = githubScan . Flag ( "token" , "GitHub token. Can be provided with environment variable GITHUB_TOKEN." ) . Envar ( "GITHUB_TOKEN" ) . String ( )
githubIncludeForks = githubScan . Flag ( "include-forks" , "Include forks in scan." ) . Bool ( )
githubIncludeMembers = githubScan . Flag ( "include-members" , "Include organization member repositories in scan." ) . Bool ( )
githubIncludeRepos = githubScan . Flag ( "include-repos" , ` Repositories to include in an org scan. This can also be a glob pattern. You can repeat this flag. Must use Github repo full name. Example: "trufflesecurity/trufflehog", "trufflesecurity/t*" ` ) . Strings ( )
githubExcludeRepos = githubScan . Flag ( "exclude-repos" , ` Repositories to exclude in an org scan. This can also be a glob pattern. You can repeat this flag. Must use Github repo full name. Example: "trufflesecurity/driftwood", "trufflesecurity/d*" ` ) . Strings ( )
githubScanIncludePaths = githubScan . Flag ( "include-paths" , "Path to file with newline separated regexes for files to include in scan." ) . Short ( 'i' ) . String ( )
githubScanExcludePaths = githubScan . Flag ( "exclude-paths" , "Path to file with newline separated regexes for files to exclude in scan." ) . Short ( 'x' ) . String ( )
2022-04-03 18:51:56 +00:00
gitlabScan = cli . Command ( "gitlab" , "Find credentials in GitLab repositories." )
// TODO: Add more GitLab options
2022-11-15 21:02:37 +00:00
gitlabScanEndpoint = gitlabScan . Flag ( "endpoint" , "GitLab endpoint." ) . Default ( "https://gitlab.com" ) . String ( )
gitlabScanRepos = gitlabScan . Flag ( "repo" , "GitLab repo url. You can repeat this flag. Leave empty to scan all repos accessible with provided credential. Example: https://gitlab.com/org/repo.git" ) . Strings ( )
gitlabScanToken = gitlabScan . Flag ( "token" , "GitLab token. Can be provided with environment variable GITLAB_TOKEN." ) . Envar ( "GITLAB_TOKEN" ) . Required ( ) . String ( )
gitlabScanIncludePaths = gitlabScan . Flag ( "include-paths" , "Path to file with newline separated regexes for files to include in scan." ) . Short ( 'i' ) . String ( )
gitlabScanExcludePaths = gitlabScan . Flag ( "exclude-paths" , "Path to file with newline separated regexes for files to exclude in scan." ) . Short ( 'x' ) . String ( )
2022-04-03 18:51:56 +00:00
2023-02-27 18:15:05 +00:00
filesystemScan = cli . Command ( "filesystem" , "Find credentials in a filesystem." )
filesystemPaths = filesystemScan . Arg ( "path" , "Path to file or directory to scan." ) . Strings ( )
// DEPRECATED: --directory is deprecated in favor of arguments.
filesystemDirectories = filesystemScan . Flag ( "directory" , "Path to directory to scan. You can repeat this flag." ) . Strings ( )
2022-04-03 18:51:56 +00:00
// TODO: Add more filesystem scan options. Currently only supports scanning a list of directories.
// filesystemScanRecursive = filesystemScan.Flag("recursive", "Scan recursively.").Short('r').Bool()
2023-01-26 17:33:45 +00:00
filesystemScanIncludePaths = filesystemScan . Flag ( "include-paths" , "Path to file with newline separated regexes for files to include in scan." ) . Short ( 'i' ) . String ( )
filesystemScanExcludePaths = filesystemScan . Flag ( "exclude-paths" , "Path to file with newline separated regexes for files to exclude in scan." ) . Short ( 'x' ) . String ( )
2022-04-03 18:51:56 +00:00
s3Scan = cli . Command ( "s3" , "Find credentials in S3 buckets." )
2022-08-26 16:37:16 +00:00
s3ScanKey = s3Scan . Flag ( "key" , "S3 key used to authenticate. Can be provided with environment variable AWS_ACCESS_KEY_ID." ) . Envar ( "AWS_ACCESS_KEY_ID" ) . String ( )
s3ScanSecret = s3Scan . Flag ( "secret" , "S3 secret used to authenticate. Can be provided with environment variable AWS_SECRET_ACCESS_KEY." ) . Envar ( "AWS_SECRET_ACCESS_KEY" ) . String ( )
2022-04-03 18:51:56 +00:00
s3ScanCloudEnv = s3Scan . Flag ( "cloud-environment" , "Use IAM credentials in cloud environment." ) . Bool ( )
s3ScanBuckets = s3Scan . Flag ( "bucket" , "Name of S3 bucket to scan. You can repeat this flag." ) . Strings ( )
2022-05-04 22:08:11 +00:00
2023-03-08 01:32:04 +00:00
gcsScan = cli . Command ( "gcs" , "Find credentials in GCS buckets." )
2023-03-17 00:53:42 +00:00
gcsProjectID = gcsScan . Flag ( "project-id" , "GCS project ID used to authenticate. Can NOT be used with unauth scan. Can be provided with environment variable GOOGLE_CLOUD_PROJECT." ) . Envar ( "GOOGLE_CLOUD_PROJECT" ) . String ( )
2023-03-08 01:32:04 +00:00
gcsCloudEnv = gcsScan . Flag ( "cloud-environment" , "Use Application Default Credentials, IAM credentials to authenticate." ) . Bool ( )
gcsServiceAccount = gcsScan . Flag ( "service-account" , "Path to GCS service account JSON file." ) . ExistingFile ( )
gcsWithoutAuth = gcsScan . Flag ( "without-auth" , "Scan GCS buckets without authentication. This will only work for public buckets" ) . Bool ( )
gcsAPIKey = gcsScan . Flag ( "api-key" , "GCS API key used to authenticate. Can be provided with environment variable GOOGLE_API_KEY." ) . Envar ( "GOOGLE_API_KEY" ) . String ( )
2023-03-17 00:53:42 +00:00
gcsIncludeBuckets = gcsScan . Flag ( "include-buckets" , "Buckets to scan. Comma seperated list of buckets. You can repeat this flag. Globs are supported" ) . Short ( 'I' ) . Strings ( )
gcsExcludeBuckets = gcsScan . Flag ( "exclude-buckets" , "Buckets to exclude from scan. Comma separated list of buckets. Globs are supported" ) . Short ( 'X' ) . Strings ( )
gcsIncludeObjects = gcsScan . Flag ( "include-objects" , "Objects to scan. Comma separated list of objects. you can repeat this flag. Globs are supported" ) . Short ( 'i' ) . Strings ( )
gcsExcludeObjects = gcsScan . Flag ( "exclude-objects" , "Objects to exclude from scan. Comma separated list of objects. You can repeat this flag. Globs are supported" ) . Short ( 'x' ) . Strings ( )
gcsMaxObjectSize = gcsScan . Flag ( "max-object-size" , "Maximum size of objects to scan. Objects larger than this will be skipped. (Byte units eg. 512B, 2KB, 4MB)" ) . Default ( "10MB" ) . Bytes ( )
2023-03-08 01:32:04 +00:00
2022-05-04 22:08:11 +00:00
syslogScan = cli . Command ( "syslog" , "Scan syslog" )
syslogAddress = syslogScan . Flag ( "address" , "Address and port to listen on for syslog. Example: 127.0.0.1:514" ) . String ( )
syslogProtocol = syslogScan . Flag ( "protocol" , "Protocol to listen on. udp or tcp" ) . String ( )
syslogTLSCert = syslogScan . Flag ( "cert" , "Path to TLS cert." ) . String ( )
syslogTLSKey = syslogScan . Flag ( "key" , "Path to TLS key." ) . String ( )
syslogFormat = syslogScan . Flag ( "format" , "Log format. Can be rfc3164 or rfc5424" ) . String ( )
2023-01-06 05:44:37 +00:00
circleCiScan = cli . Command ( "circleci" , "Scan CircleCI" )
circleCiScanToken = circleCiScan . Flag ( "token" , "CircleCI token. Can also be provided with environment variable" ) . Envar ( "CIRCLECI_TOKEN" ) . Required ( ) . String ( )
2022-04-03 18:51:56 +00:00
)
func init ( ) {
for i , arg := range os . Args {
if strings . HasPrefix ( arg , "--" ) {
2022-04-04 07:04:24 +00:00
split := strings . SplitN ( arg , "=" , 2 )
split [ 0 ] = strings . ReplaceAll ( split [ 0 ] , "_" , "-" )
os . Args [ i ] = strings . Join ( split , "=" )
2022-04-03 18:51:56 +00:00
}
}
2022-04-11 16:47:03 +00:00
cli . Version ( "trufflehog " + version . BuildVersion )
2022-04-03 18:51:56 +00:00
cmd = kingpin . MustParse ( cli . Parse ( os . Args [ 1 : ] ) )
2022-04-04 04:13:39 +00:00
2022-04-11 23:38:08 +00:00
switch {
case * trace :
2022-12-14 00:46:09 +00:00
log . SetLevel ( 5 )
2022-04-11 23:38:08 +00:00
case * debug :
2022-12-14 00:46:09 +00:00
log . SetLevel ( 2 )
2022-04-04 04:13:39 +00:00
}
2022-04-03 18:51:56 +00:00
}
2022-01-13 20:02:24 +00:00
func main ( ) {
2023-02-14 23:00:07 +00:00
// setup logger
logFormat := log . WithConsoleSink
if * jsonOut {
logFormat = log . WithJSONSink
}
logger , sync := log . New ( "trufflehog" , logFormat ( os . Stderr ) )
// make it the default logger for contexts
context . SetDefaultLogger ( logger )
defer func ( ) { _ = sync ( ) } ( )
logFatal := logFatalFunc ( logger )
2022-04-03 18:51:56 +00:00
updateCfg := overseer . Config {
Program : run ,
Debug : * debug ,
RestartSignal : syscall . SIGTERM ,
// TODO: Eventually add a PreUpgrade func for signature check w/ x509 PKCS1v15
// PreUpgrade: checkUpdateSignature(binaryPath string),
}
if ! * noUpdate {
updateCfg . Fetcher = updater . Fetcher ( version . BuildVersion )
}
2022-04-08 06:55:01 +00:00
if version . BuildVersion == "dev" {
updateCfg . Fetcher = nil
}
2022-04-03 18:51:56 +00:00
err := overseer . RunErr ( updateCfg )
if err != nil {
2023-02-14 23:00:07 +00:00
logFatal ( err , "error occured with trufflehog updater 🐷" )
2022-04-03 18:51:56 +00:00
}
}
func run ( state overseer . State ) {
2023-02-14 23:00:07 +00:00
ctx := context . Background ( )
logger := ctx . Logger ( )
logFatal := logFatalFunc ( logger )
logger . V ( 2 ) . Info ( fmt . Sprintf ( "trufflehog %s" , version . BuildVersion ) )
2022-04-03 18:51:56 +00:00
2022-06-01 01:45:28 +00:00
if * githubScanToken != "" {
// NOTE: this kludge is here to do an authenticated shallow commit
// TODO: refactor to better pass credentials
os . Setenv ( "GITHUB_TOKEN" , * githubScanToken )
}
2022-02-23 15:40:18 +00:00
// When setting a base commit, chunks must be scanned in order.
if * gitScanSinceCommit != "" {
* concurrency = 1
}
2023-02-28 20:49:54 +00:00
if * profile {
2022-02-04 03:07:39 +00:00
go func ( ) {
2022-02-07 18:29:06 +00:00
router := mux . NewRouter ( )
router . PathPrefix ( "/debug/pprof" ) . Handler ( http . DefaultServeMux )
router . PathPrefix ( "/debug/fgprof" ) . Handler ( fgprof . Handler ( ) )
2023-02-14 23:00:07 +00:00
logger . Info ( "starting pprof and fgprof server on :18066 /debug/pprof and /debug/fgprof" )
2022-02-07 18:29:06 +00:00
if err := http . ListenAndServe ( ":18066" , router ) ; err != nil {
2023-02-14 23:00:07 +00:00
logger . Error ( err , "error serving pprof and fgprof" )
2022-02-07 18:29:06 +00:00
}
2022-02-04 03:07:39 +00:00
} ( )
}
2022-12-20 16:14:49 +00:00
conf := & config . Config { }
if * configFilename != "" {
var err error
conf , err = config . Read ( * configFilename )
if err != nil {
2023-02-14 23:00:07 +00:00
logFatal ( err , "error parsing the provided configuration file" )
2022-12-20 16:14:49 +00:00
}
}
2023-02-07 23:25:14 +00:00
if * archiveMaxSize != 0 {
handlers . SetArchiveMaxSize ( int ( * archiveMaxSize ) )
}
if * archiveMaxDepth != 0 {
handlers . SetArchiveMaxDepth ( * archiveMaxDepth )
}
if * archiveTimeout != 0 {
handlers . SetArchiveMaxTimeout ( * archiveTimeout )
}
2023-02-27 22:46:45 +00:00
// Build include and exclude detector filter sets.
2023-03-02 22:33:56 +00:00
var includeDetectorTypes , excludeDetectorTypes map [ detectorspb . DetectorType ] config . DetectorID
2023-02-27 22:46:45 +00:00
{
includeList , err := config . ParseDetectors ( * includeDetectors )
if err != nil {
// Exit if there was an error to inform the user of the misconfiguration.
2023-03-02 22:33:56 +00:00
logFatal ( err , "invalid include list detector configuration" )
2023-02-27 22:46:45 +00:00
}
excludeList , err := config . ParseDetectors ( * excludeDetectors )
if err != nil {
// Exit if there was an error to inform the user of the misconfiguration.
2023-03-02 22:33:56 +00:00
logFatal ( err , "invalid exclude list detector configuration" )
2023-02-27 22:46:45 +00:00
}
2023-03-02 22:33:56 +00:00
includeDetectorTypes = detectorTypeToMap ( includeList )
excludeDetectorTypes = detectorTypeToMap ( excludeList )
2023-02-27 22:46:45 +00:00
}
includeFilter := func ( d detectors . Detector ) bool {
2023-03-02 22:33:56 +00:00
id , ok := includeDetectorTypes [ d . Type ( ) ]
if id . Version == 0 {
return ok
}
versionD , ok := d . ( detectors . Versioner )
if ! ok {
// Error: version provided but not a detectors.Versioner
logFatal (
fmt . Errorf ( "version provided but detector does not have a version" ) ,
"invalid include list detector configuration" ,
"detector" , id ,
)
}
return versionD . Version ( ) == id . Version
2023-02-27 22:46:45 +00:00
}
excludeFilter := func ( d detectors . Detector ) bool {
2023-03-02 22:33:56 +00:00
id , ok := excludeDetectorTypes [ d . Type ( ) ]
if id . Version == 0 {
return ! ok
}
versionD , ok := d . ( detectors . Versioner )
if ! ok {
// Error: version provided but not a detectors.Versioner
logFatal (
fmt . Errorf ( "version provided but detector does not have a version" ) ,
"invalid exclude list detector configuration" ,
"detector" , id ,
)
}
return versionD . Version ( ) != id . Version
2023-02-27 22:46:45 +00:00
}
2022-01-13 20:02:24 +00:00
e := engine . Start ( ctx ,
engine . WithConcurrency ( * concurrency ) ,
engine . WithDecoders ( decoders . DefaultDecoders ( ) ... ) ,
2023-02-11 16:12:13 +00:00
engine . WithDetectors ( ! * noVerification , engine . DefaultDetectors ( ) ... ) ,
2022-12-20 16:14:49 +00:00
engine . WithDetectors ( ! * noVerification , conf . Detectors ... ) ,
2023-02-27 22:46:45 +00:00
engine . WithFilterDetectors ( includeFilter ) ,
engine . WithFilterDetectors ( excludeFilter ) ,
2022-10-31 16:36:10 +00:00
engine . WithFilterUnverified ( * filterUnverified ) ,
2022-01-13 20:02:24 +00:00
)
2022-01-20 00:48:37 +00:00
var repoPath string
2022-04-30 00:28:04 +00:00
var remote bool
2022-01-13 20:02:24 +00:00
switch cmd {
case gitScan . FullCommand ( ) :
2023-01-26 17:33:45 +00:00
filter , err := common . FilterFromFiles ( * gitScanIncludePaths , * gitScanExcludePaths )
if err != nil {
2023-02-14 23:00:07 +00:00
logFatal ( err , "could not create filter" )
2023-01-26 17:33:45 +00:00
}
2022-11-03 23:36:52 +00:00
repoPath , remote , err = git . PrepareRepoSinceCommit ( ctx , * gitScanURI , * gitScanSinceCommit )
2022-01-15 00:07:45 +00:00
if err != nil || repoPath == "" {
2023-02-14 23:00:07 +00:00
logFatal ( err , "error preparing git repo for scanning" )
2022-01-15 00:07:45 +00:00
}
if remote {
defer os . RemoveAll ( repoPath )
}
2023-03-28 15:46:03 +00:00
excludedGlobs := [ ] string { }
if * gitScanExcludeGlobs != "" {
excludedGlobs = strings . Split ( * gitScanExcludeGlobs , "," )
}
2022-08-10 17:11:13 +00:00
2023-02-10 20:43:00 +00:00
cfg := sources . GitConfig {
2023-03-28 15:46:03 +00:00
RepoPath : repoPath ,
HeadRef : * gitScanBranch ,
BaseRef : * gitScanSinceCommit ,
MaxDepth : * gitScanMaxDepth ,
Filter : filter ,
ExcludeGlobs : excludedGlobs ,
2022-08-10 17:11:13 +00:00
}
2023-02-10 20:43:00 +00:00
if err = e . ScanGit ( ctx , cfg ) ; err != nil {
2023-02-14 23:00:07 +00:00
logFatal ( err , "Failed to scan Git." )
2022-01-13 20:02:24 +00:00
}
case githubScan . FullCommand ( ) :
2023-02-14 16:40:53 +00:00
filter , err := common . FilterFromFiles ( * githubScanIncludePaths , * githubScanExcludePaths )
if err != nil {
2023-02-14 23:00:07 +00:00
logFatal ( err , "could not create filter" )
2023-02-14 16:40:53 +00:00
}
2022-01-20 00:13:59 +00:00
if len ( * githubScanOrgs ) == 0 && len ( * githubScanRepos ) == 0 {
2023-02-14 23:00:07 +00:00
logFatal ( fmt . Errorf ( "invalid config" ) , "You must specify at least one organization or repository." )
2022-01-20 00:13:59 +00:00
}
2022-08-10 17:11:13 +00:00
2023-02-10 20:43:00 +00:00
cfg := sources . GithubConfig {
Endpoint : * githubScanEndpoint ,
Token : * githubScanToken ,
IncludeForks : * githubIncludeForks ,
IncludeMembers : * githubIncludeMembers ,
Concurrency : * concurrency ,
ExcludeRepos : * githubExcludeRepos ,
IncludeRepos : * githubIncludeRepos ,
Repos : * githubScanRepos ,
Orgs : * githubScanOrgs ,
2023-02-14 16:40:53 +00:00
Filter : filter ,
2022-08-10 17:11:13 +00:00
}
2023-02-10 20:43:00 +00:00
if err := e . ScanGitHub ( ctx , cfg ) ; err != nil {
2023-02-14 23:00:07 +00:00
logFatal ( err , "Failed to scan Github." )
2022-01-20 00:13:59 +00:00
}
2022-01-13 20:02:24 +00:00
case gitlabScan . FullCommand ( ) :
2022-11-15 21:02:37 +00:00
filter , err := common . FilterFromFiles ( * gitlabScanIncludePaths , * gitlabScanExcludePaths )
if err != nil {
2023-02-14 23:00:07 +00:00
logFatal ( err , "could not create filter" )
2022-11-15 21:02:37 +00:00
}
2023-02-10 20:43:00 +00:00
cfg := sources . GitlabConfig {
Endpoint : * gitlabScanEndpoint ,
Token : * gitlabScanToken ,
Repos : * gitlabScanRepos ,
Filter : filter ,
2022-08-10 17:11:13 +00:00
}
2023-02-10 20:43:00 +00:00
if err := e . ScanGitLab ( ctx , cfg ) ; err != nil {
2023-02-14 23:00:07 +00:00
logFatal ( err , "Failed to scan GitLab." )
2022-03-15 00:05:15 +00:00
}
2022-01-20 00:13:59 +00:00
case filesystemScan . FullCommand ( ) :
2023-01-26 17:33:45 +00:00
filter , err := common . FilterFromFiles ( * filesystemScanIncludePaths , * filesystemScanExcludePaths )
if err != nil {
2023-02-14 23:00:07 +00:00
logFatal ( err , "could not create filter" )
2023-01-26 17:33:45 +00:00
}
2023-02-27 18:15:05 +00:00
if len ( * filesystemDirectories ) > 0 {
ctx . Logger ( ) . Info ( "--directory flag is deprecated, please pass directories as arguments" )
}
paths := make ( [ ] string , 0 , len ( * filesystemPaths ) + len ( * filesystemDirectories ) )
paths = append ( paths , * filesystemPaths ... )
paths = append ( paths , * filesystemDirectories ... )
2023-02-10 20:43:00 +00:00
cfg := sources . FilesystemConfig {
2023-02-27 18:15:05 +00:00
Paths : paths ,
Filter : filter ,
2022-08-10 17:11:13 +00:00
}
2023-02-10 20:43:00 +00:00
if err = e . ScanFileSystem ( ctx , cfg ) ; err != nil {
2023-02-14 23:00:07 +00:00
logFatal ( err , "Failed to scan filesystem" )
2022-03-15 00:04:19 +00:00
}
2022-01-20 00:13:59 +00:00
case s3Scan . FullCommand ( ) :
2023-02-10 20:43:00 +00:00
cfg := sources . S3Config {
Key : * s3ScanKey ,
Secret : * s3ScanSecret ,
Buckets : * s3ScanBuckets ,
CloudCred : * s3ScanCloudEnv ,
2022-08-10 17:11:13 +00:00
}
2023-02-10 20:43:00 +00:00
if err := e . ScanS3 ( ctx , cfg ) ; err != nil {
2023-02-14 23:00:07 +00:00
logFatal ( err , "Failed to scan S3." )
2022-03-15 00:07:07 +00:00
}
2022-05-04 22:08:11 +00:00
case syslogScan . FullCommand ( ) :
2023-02-10 20:43:00 +00:00
cfg := sources . SyslogConfig {
Address : * syslogAddress ,
Format : * syslogFormat ,
Protocol : * syslogProtocol ,
CertPath : * syslogTLSCert ,
KeyPath : * syslogTLSKey ,
Concurrency : * concurrency ,
2022-08-10 17:11:13 +00:00
}
2023-02-10 20:43:00 +00:00
if err := e . ScanSyslog ( ctx , cfg ) ; err != nil {
2023-02-14 23:00:07 +00:00
logFatal ( err , "Failed to scan syslog." )
2022-05-04 22:08:11 +00:00
}
2023-01-06 05:44:37 +00:00
case circleCiScan . FullCommand ( ) :
2023-01-26 17:33:45 +00:00
if err := e . ScanCircleCI ( ctx , * circleCiScanToken ) ; err != nil {
2023-02-14 23:00:07 +00:00
logFatal ( err , "Failed to scan CircleCI." )
2023-01-06 05:44:37 +00:00
}
2023-03-08 01:32:04 +00:00
case gcsScan . FullCommand ( ) :
cfg := sources . GCSConfig {
ProjectID : * gcsProjectID ,
CloudCred : * gcsCloudEnv ,
ServiceAccount : * gcsServiceAccount ,
WithoutAuth : * gcsWithoutAuth ,
ApiKey : * gcsAPIKey ,
2023-03-17 00:53:42 +00:00
IncludeBuckets : commaSeperatedToSlice ( * gcsIncludeBuckets ) ,
ExcludeBuckets : commaSeperatedToSlice ( * gcsExcludeBuckets ) ,
IncludeObjects : commaSeperatedToSlice ( * gcsIncludeObjects ) ,
ExcludeObjects : commaSeperatedToSlice ( * gcsExcludeObjects ) ,
2023-03-08 01:32:04 +00:00
Concurrency : * concurrency ,
2023-03-17 00:53:42 +00:00
MaxObjectSize : int64 ( * gcsMaxObjectSize ) ,
2023-03-08 01:32:04 +00:00
}
if err := e . ScanGCS ( ctx , cfg ) ; err != nil {
logFatal ( err , "Failed to scan GCS." )
}
2022-01-13 20:02:24 +00:00
}
2022-05-25 16:35:44 +00:00
// asynchronously wait for scanning to finish and cleanup
2022-08-29 18:45:37 +00:00
go e . Finish ( ctx )
2022-01-13 20:02:24 +00:00
2022-01-20 00:48:37 +00:00
if ! * jsonLegacy && ! * jsonOut {
2022-02-08 17:12:41 +00:00
fmt . Fprintf ( os . Stderr , "🐷🔑🐷 TruffleHog. Unearth your secrets. 🐷🔑🐷\n\n" )
2022-01-20 00:48:37 +00:00
}
2022-01-20 17:43:37 +00:00
2022-05-25 16:35:44 +00:00
// NOTE: this loop will terminate when the results channel is closed in
// e.Finish()
2022-03-01 04:38:13 +00:00
foundResults := false
2022-01-13 20:02:24 +00:00
for r := range e . ResultsChan ( ) {
2022-01-27 04:38:31 +00:00
if * onlyVerified && ! r . Verified {
continue
}
2022-03-01 04:38:13 +00:00
foundResults = true
2022-01-20 17:43:37 +00:00
2023-02-14 23:00:07 +00:00
var err error
2022-01-20 00:48:37 +00:00
switch {
case * jsonLegacy :
2023-02-14 23:00:07 +00:00
err = output . PrintLegacyJSON ( ctx , & r )
2022-01-20 00:48:37 +00:00
case * jsonOut :
2023-02-14 23:00:07 +00:00
err = output . PrintJSON ( & r )
2023-03-28 16:07:26 +00:00
case * gitHubActionsFormat :
err = output . PrintGitHubActionsOutput ( & r )
2022-01-20 00:48:37 +00:00
default :
2023-02-14 23:00:07 +00:00
err = output . PrintPlainOutput ( & r )
}
if err != nil {
logFatal ( err , "error printing results" )
2022-01-13 20:02:24 +00:00
}
}
2023-02-14 23:00:07 +00:00
logger . V ( 2 ) . Info ( "finished scanning" ,
"chunks" , e . ChunksScanned ( ) ,
"bytes" , e . BytesScanned ( ) ,
)
2022-02-07 18:29:06 +00:00
if * printAvgDetectorTime {
printAverageDetectorTime ( e )
}
2022-03-01 04:38:13 +00:00
2022-04-21 17:08:51 +00:00
if foundResults && * fail {
2023-02-14 23:00:07 +00:00
logger . V ( 2 ) . Info ( "exiting with code 183 because results were found" )
2022-04-21 17:08:51 +00:00
os . Exit ( 183 )
2022-03-01 04:38:13 +00:00
}
2022-02-07 18:29:06 +00:00
}
2023-03-17 00:53:42 +00:00
func commaSeperatedToSlice ( s [ ] string ) [ ] string {
var result [ ] string
for _ , items := range s {
for _ , item := range strings . Split ( items , "," ) {
item = strings . TrimSpace ( item )
if item == "" {
continue
}
result = append ( result , item )
}
}
return result
}
2022-02-07 18:29:06 +00:00
func printAverageDetectorTime ( e * engine . Engine ) {
fmt . Fprintln ( os . Stderr , "Average detector time is the measurement of average time spent on each detector when results are returned." )
for detectorName , durations := range e . DetectorAvgTime ( ) {
var total time . Duration
for _ , d := range durations {
total += d
}
avgDuration := total / time . Duration ( len ( durations ) )
fmt . Fprintf ( os . Stderr , "%s: %s\n" , detectorName , avgDuration )
}
2022-01-20 00:48:37 +00:00
}
2023-02-14 23:00:07 +00:00
// logFatalFunc returns a log.Fatal style function. Calling the returned
// function will terminate the program without cleanup.
func logFatalFunc ( logger logr . Logger ) func ( error , string , ... any ) {
return func ( err error , message string , keyAndVals ... any ) {
logger . Error ( err , message , keyAndVals ... )
if err != nil {
os . Exit ( 1 )
return
}
os . Exit ( 0 )
}
}
2023-02-27 22:46:45 +00:00
2023-03-02 22:33:56 +00:00
func detectorTypeToMap ( detectors [ ] config . DetectorID ) map [ detectorspb . DetectorType ] config . DetectorID {
output := make ( map [ detectorspb . DetectorType ] config . DetectorID , len ( detectors ) )
2023-02-27 22:46:45 +00:00
for _ , d := range detectors {
2023-03-02 22:33:56 +00:00
output [ d . ID ] = d
2023-02-27 22:46:45 +00:00
}
return output
}