2022-01-13 20:02:24 +00:00
package main
import (
"context"
"encoding/json"
"fmt"
"log"
2022-02-07 18:29:06 +00:00
"net/http"
_ "net/http/pprof"
2022-01-13 20:02:24 +00:00
"os"
"runtime"
"strconv"
2022-03-15 00:27:14 +00:00
"strings"
2022-04-03 18:51:56 +00:00
"syscall"
2022-02-07 18:29:06 +00:00
"time"
2022-04-04 04:13:39 +00:00
"github.com/felixge/fgprof"
"github.com/gorilla/mux"
2022-04-03 18:51:56 +00:00
"github.com/jpillora/overseer"
2022-04-04 04:13:39 +00:00
"github.com/sirupsen/logrus"
2022-04-03 18:51:56 +00:00
"github.com/trufflesecurity/trufflehog/v3/pkg/updater"
"github.com/trufflesecurity/trufflehog/v3/pkg/version"
"gopkg.in/alecthomas/kingpin.v2"
2022-02-10 18:54:33 +00:00
"github.com/trufflesecurity/trufflehog/v3/pkg/common"
"github.com/trufflesecurity/trufflehog/v3/pkg/decoders"
"github.com/trufflesecurity/trufflehog/v3/pkg/engine"
"github.com/trufflesecurity/trufflehog/v3/pkg/output"
2022-05-13 16:02:33 +00:00
"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
"github.com/trufflesecurity/trufflehog/v3/pkg/pb/source_metadatapb"
"github.com/trufflesecurity/trufflehog/v3/pkg/pb/sourcespb"
2022-02-10 18:54:33 +00:00
"github.com/trufflesecurity/trufflehog/v3/pkg/sources/git"
2022-01-13 20:02:24 +00:00
)
2022-04-03 18:51:56 +00:00
var (
cli = kingpin . New ( "TruffleHog" , "TruffleHog is a tool for finding credentials." )
cmd string
2022-04-11 16:47:03 +00:00
debug = cli . Flag ( "debug" , "Run in debug mode." ) . Bool ( )
2022-04-11 23:38:08 +00:00
trace = cli . Flag ( "trace" , "Run in trace mode." ) . Bool ( )
2022-04-03 18:51:56 +00:00
jsonOut = cli . Flag ( "json" , "Output in JSON format." ) . Short ( 'j' ) . Bool ( )
jsonLegacy = cli . Flag ( "json-legacy" , "Use the pre-v3.0 JSON format. Only works with git, gitlab, and github sources." ) . Bool ( )
concurrency = cli . Flag ( "concurrency" , "Number of concurrent workers." ) . Default ( strconv . Itoa ( runtime . NumCPU ( ) ) ) . Int ( )
noVerification = cli . Flag ( "no-verification" , "Don't verify the results." ) . Bool ( )
onlyVerified = cli . Flag ( "only-verified" , "Only output verified results." ) . Bool ( )
// rules = cli.Flag("rules", "Path to file with custom rules.").String()
printAvgDetectorTime = cli . Flag ( "print-avg-detector-time" , "Print the average time spent on each detector." ) . Bool ( )
noUpdate = cli . Flag ( "no-update" , "Don't check for updates." ) . Bool ( )
2022-04-21 17:08:51 +00:00
fail = cli . Flag ( "fail" , "Exit with code 183 if results are found." ) . Bool ( )
2022-04-03 18:51:56 +00:00
gitScan = cli . Command ( "git" , "Find credentials in git repositories." )
gitScanURI = gitScan . Arg ( "uri" , "Git repository URL. https:// or file:// schema expected." ) . Required ( ) . String ( )
gitScanIncludePaths = gitScan . Flag ( "include-paths" , "Path to file with newline separated regexes for files to include in scan." ) . Short ( 'i' ) . String ( )
gitScanExcludePaths = gitScan . Flag ( "exclude-paths" , "Path to file with newline separated regexes for files to exclude in scan." ) . Short ( 'x' ) . String ( )
gitScanSinceCommit = gitScan . Flag ( "since-commit" , "Commit to start scan from." ) . String ( )
gitScanBranch = gitScan . Flag ( "branch" , "Branch to scan." ) . String ( )
gitScanMaxDepth = gitScan . Flag ( "max-depth" , "Maximum depth of commits to scan." ) . Int ( )
_ = gitScan . Flag ( "allow" , "No-op flag for backwards compat." ) . Bool ( )
_ = gitScan . Flag ( "entropy" , "No-op flag for backwards compat." ) . Bool ( )
_ = gitScan . Flag ( "regex" , "No-op flag for backwards compat." ) . Bool ( )
githubScan = cli . Command ( "github" , "Find credentials in GitHub repositories." )
githubScanEndpoint = githubScan . Flag ( "endpoint" , "GitHub endpoint." ) . Default ( "https://api.github.com" ) . String ( )
githubScanRepos = githubScan . Flag ( "repo" , ` GitHub repository to scan. You can repeat this flag. Example: "https://github.com/dustin-decker/secretsandstuff" ` ) . Strings ( )
githubScanOrgs = githubScan . Flag ( "org" , ` GitHub organization to scan. You can repeat this flag. Example: "trufflesecurity" ` ) . Strings ( )
githubScanToken = githubScan . Flag ( "token" , "GitHub token." ) . String ( )
githubIncludeForks = githubScan . Flag ( "include-forks" , "Include forks in scan." ) . Bool ( )
githubIncludeMembers = githubScan . Flag ( "include-members" , "Include organization member repositories in scan." ) . Bool ( )
gitlabScan = cli . Command ( "gitlab" , "Find credentials in GitLab repositories." )
// TODO: Add more GitLab options
gitlabScanEndpoint = gitlabScan . Flag ( "endpoint" , "GitLab endpoint." ) . Default ( "https://gitlab.com" ) . String ( )
gitlabScanRepos = gitlabScan . Flag ( "repo" , "GitLab repo url. You can repeat this flag. Leave empty to scan all repos accessible with provided credential. Example: https://gitlab.com/org/repo.git" ) . Strings ( )
gitlabScanToken = gitlabScan . Flag ( "token" , "GitLab token." ) . Required ( ) . String ( )
filesystemScan = cli . Command ( "filesystem" , "Find credentials in a filesystem." )
filesystemDirectories = filesystemScan . Flag ( "directory" , "Path to directory to scan. You can repeat this flag." ) . Required ( ) . Strings ( )
// TODO: Add more filesystem scan options. Currently only supports scanning a list of directories.
// filesystemScanRecursive = filesystemScan.Flag("recursive", "Scan recursively.").Short('r').Bool()
// filesystemScanIncludePaths = filesystemScan.Flag("include-paths", "Path to file with newline separated regexes for files to include in scan.").Short('i').String()
// filesystemScanExcludePaths = filesystemScan.Flag("exclude-paths", "Path to file with newline separated regexes for files to exclude in scan.").Short('x').String()
s3Scan = cli . Command ( "s3" , "Find credentials in S3 buckets." )
s3ScanKey = s3Scan . Flag ( "key" , "S3 key used to authenticate." ) . String ( )
s3ScanSecret = s3Scan . Flag ( "secret" , "S3 secret used to authenticate." ) . String ( )
s3ScanCloudEnv = s3Scan . Flag ( "cloud-environment" , "Use IAM credentials in cloud environment." ) . Bool ( )
s3ScanBuckets = s3Scan . Flag ( "bucket" , "Name of S3 bucket to scan. You can repeat this flag." ) . Strings ( )
2022-05-04 22:08:11 +00:00
syslogScan = cli . Command ( "syslog" , "Scan syslog" )
syslogAddress = syslogScan . Flag ( "address" , "Address and port to listen on for syslog. Example: 127.0.0.1:514" ) . String ( )
syslogProtocol = syslogScan . Flag ( "protocol" , "Protocol to listen on. udp or tcp" ) . String ( )
syslogTLSCert = syslogScan . Flag ( "cert" , "Path to TLS cert." ) . String ( )
syslogTLSKey = syslogScan . Flag ( "key" , "Path to TLS key." ) . String ( )
syslogFormat = syslogScan . Flag ( "format" , "Log format. Can be rfc3164 or rfc5424" ) . String ( )
2022-04-03 18:51:56 +00:00
)
func init ( ) {
for i , arg := range os . Args {
if strings . HasPrefix ( arg , "--" ) {
2022-04-04 07:04:24 +00:00
split := strings . SplitN ( arg , "=" , 2 )
split [ 0 ] = strings . ReplaceAll ( split [ 0 ] , "_" , "-" )
os . Args [ i ] = strings . Join ( split , "=" )
2022-04-03 18:51:56 +00:00
}
}
2022-04-11 16:47:03 +00:00
cli . Version ( "trufflehog " + version . BuildVersion )
2022-04-03 18:51:56 +00:00
cmd = kingpin . MustParse ( cli . Parse ( os . Args [ 1 : ] ) )
2022-04-04 04:13:39 +00:00
if * jsonOut {
logrus . SetFormatter ( & logrus . JSONFormatter { } )
}
2022-04-11 23:38:08 +00:00
switch {
case * trace :
logrus . SetLevel ( logrus . TraceLevel )
logrus . Debugf ( "running version %s" , version . BuildVersion )
case * debug :
2022-04-04 04:13:39 +00:00
logrus . SetLevel ( logrus . DebugLevel )
logrus . Debugf ( "running version %s" , version . BuildVersion )
2022-04-11 23:38:08 +00:00
default :
2022-04-04 04:13:39 +00:00
logrus . SetLevel ( logrus . InfoLevel )
}
2022-04-03 18:51:56 +00:00
}
2022-01-13 20:02:24 +00:00
func main ( ) {
2022-04-03 18:51:56 +00:00
updateCfg := overseer . Config {
Program : run ,
Debug : * debug ,
RestartSignal : syscall . SIGTERM ,
// TODO: Eventually add a PreUpgrade func for signature check w/ x509 PKCS1v15
// PreUpgrade: checkUpdateSignature(binaryPath string),
}
if ! * noUpdate {
updateCfg . Fetcher = updater . Fetcher ( version . BuildVersion )
}
2022-04-08 06:55:01 +00:00
if version . BuildVersion == "dev" {
updateCfg . Fetcher = nil
}
2022-04-03 18:51:56 +00:00
err := overseer . RunErr ( updateCfg )
if err != nil {
logrus . WithError ( err ) . Fatal ( "error occured with trufflehog updater 🐷" )
}
}
func run ( state overseer . State ) {
2022-04-11 16:47:03 +00:00
if * debug {
2022-04-03 18:51:56 +00:00
fmt . Println ( "trufflehog " + version . BuildVersion )
}
2022-02-23 15:40:18 +00:00
// When setting a base commit, chunks must be scanned in order.
if * gitScanSinceCommit != "" {
* concurrency = 1
}
2022-02-04 03:07:39 +00:00
if * debug {
go func ( ) {
2022-02-07 18:29:06 +00:00
router := mux . NewRouter ( )
router . PathPrefix ( "/debug/pprof" ) . Handler ( http . DefaultServeMux )
router . PathPrefix ( "/debug/fgprof" ) . Handler ( fgprof . Handler ( ) )
2022-02-10 18:54:33 +00:00
logrus . Info ( "starting pprof and fgprof server on :18066 /debug/pprof and /debug/fgprof" )
2022-02-07 18:29:06 +00:00
if err := http . ListenAndServe ( ":18066" , router ) ; err != nil {
2022-02-10 18:54:33 +00:00
logrus . Error ( err )
2022-02-07 18:29:06 +00:00
}
2022-02-04 03:07:39 +00:00
} ( )
}
2022-01-13 20:02:24 +00:00
ctx := context . TODO ( )
e := engine . Start ( ctx ,
engine . WithConcurrency ( * concurrency ) ,
engine . WithDecoders ( decoders . DefaultDecoders ( ) ... ) ,
2022-01-19 06:24:56 +00:00
engine . WithDetectors ( ! * noVerification , engine . DefaultDetectors ( ) ... ) ,
2022-01-13 20:02:24 +00:00
)
2022-01-14 20:40:50 +00:00
filter , err := common . FilterFromFiles ( * gitScanIncludePaths , * gitScanExcludePaths )
if err != nil {
2022-02-16 05:49:54 +00:00
logrus . WithError ( err ) . Fatal ( "could not create filter" )
2022-01-14 20:40:50 +00:00
}
2022-01-20 00:48:37 +00:00
var repoPath string
2022-04-30 00:28:04 +00:00
var remote bool
2022-01-13 20:02:24 +00:00
switch cmd {
case gitScan . FullCommand ( ) :
2022-01-20 00:48:37 +00:00
repoPath , remote , err = git . PrepareRepo ( * gitScanURI )
2022-01-15 00:07:45 +00:00
if err != nil || repoPath == "" {
logrus . WithError ( err ) . Fatal ( "error preparing git repo for scanning" )
}
if remote {
defer os . RemoveAll ( repoPath )
}
2022-03-01 04:25:24 +00:00
err = e . ScanGit ( ctx , repoPath , * gitScanBranch , * gitScanSinceCommit , * gitScanMaxDepth , filter )
2022-01-13 20:02:24 +00:00
if err != nil {
logrus . WithError ( err ) . Fatal ( "Failed to scan git." )
}
case githubScan . FullCommand ( ) :
2022-01-20 00:13:59 +00:00
if len ( * githubScanOrgs ) == 0 && len ( * githubScanRepos ) == 0 {
log . Fatal ( "You must specify at least one organization or repository." )
}
2022-04-02 01:22:37 +00:00
err = e . ScanGitHub ( ctx , * githubScanEndpoint , * githubScanRepos , * githubScanOrgs , * githubScanToken , * githubIncludeForks , filter , * concurrency , * githubIncludeMembers )
2022-01-20 00:13:59 +00:00
if err != nil {
logrus . WithError ( err ) . Fatal ( "Failed to scan git." )
}
2022-01-13 20:02:24 +00:00
case gitlabScan . FullCommand ( ) :
2022-03-15 00:05:15 +00:00
err := e . ScanGitLab ( ctx , * gitlabScanEndpoint , * gitlabScanToken , * gitlabScanRepos )
if err != nil {
logrus . WithError ( err ) . Fatal ( "Failed to scan GitLab." )
}
2022-01-20 00:13:59 +00:00
case filesystemScan . FullCommand ( ) :
2022-03-15 00:04:19 +00:00
err := e . ScanFileSystem ( ctx , * filesystemDirectories )
if err != nil {
logrus . WithError ( err ) . Fatal ( "Failed to scan filesystem" )
}
2022-01-20 00:13:59 +00:00
case s3Scan . FullCommand ( ) :
2022-03-15 00:07:07 +00:00
err := e . ScanS3 ( ctx , * s3ScanKey , * s3ScanSecret , * s3ScanCloudEnv , * s3ScanBuckets )
if err != nil {
logrus . WithError ( err ) . Fatal ( "Failed to scan S3." )
}
2022-05-04 22:08:11 +00:00
case syslogScan . FullCommand ( ) :
err := e . ScanSyslog ( ctx , * syslogAddress , * syslogProtocol , * syslogTLSCert , * syslogTLSKey , * syslogFormat , * concurrency )
if err != nil {
logrus . WithError ( err ) . Fatal ( "Failed to scan syslog." )
}
2022-01-13 20:02:24 +00:00
}
2022-01-20 00:48:37 +00:00
if ! * jsonLegacy && ! * jsonOut {
2022-02-08 17:12:41 +00:00
fmt . Fprintf ( os . Stderr , "🐷🔑🐷 TruffleHog. Unearth your secrets. 🐷🔑🐷\n\n" )
2022-01-20 00:48:37 +00:00
}
2022-01-20 17:43:37 +00:00
2022-03-01 04:38:13 +00:00
foundResults := false
2022-01-13 20:02:24 +00:00
for r := range e . ResultsChan ( ) {
2022-01-27 04:38:31 +00:00
if * onlyVerified && ! r . Verified {
continue
}
2022-03-01 04:38:13 +00:00
foundResults = true
2022-01-20 17:43:37 +00:00
2022-01-20 00:48:37 +00:00
switch {
case * jsonLegacy :
2022-04-30 00:28:04 +00:00
repoPath , remote , err = git . PrepareRepo ( r . SourceMetadata . GetGithub ( ) . Repository )
if err != nil || repoPath == "" {
logrus . WithError ( err ) . Fatal ( "error preparing git repo for scanning" )
}
2022-01-20 00:48:37 +00:00
legacy := output . ConvertToLegacyJSON ( & r , repoPath )
out , err := json . Marshal ( legacy )
2022-01-13 20:02:24 +00:00
if err != nil {
logrus . WithError ( err ) . Fatal ( "could not marshal result" )
}
fmt . Println ( string ( out ) )
2022-04-30 00:28:04 +00:00
if remote {
os . RemoveAll ( repoPath )
}
2022-01-20 00:48:37 +00:00
case * jsonOut :
2022-05-13 16:02:33 +00:00
v := & struct {
// SourceMetadata contains source-specific contextual information.
SourceMetadata * source_metadatapb . MetaData
// SourceID is the ID of the source that the API uses to map secrets to specific sources.
SourceID int64
// SourceType is the type of Source.
SourceType sourcespb . SourceType
// SourceName is the name of the Source.
SourceName string
// DetectorType is the type of Detector.
DetectorType detectorspb . DetectorType
// DetectorName is the string name of the DetectorType.
DetectorName string
Verified bool
// Raw contains the raw secret identifier data. Prefer IDs over secrets since it is used for deduping after hashing.
Raw [ ] byte
// Redacted contains the redacted version of the raw secret identification data for display purposes.
// A secret ID should be used if available.
Redacted string
ExtraData map [ string ] string
StructuredData * detectorspb . StructuredData
} {
SourceMetadata : r . SourceMetadata ,
SourceID : r . SourceID ,
SourceType : r . SourceType ,
SourceName : r . SourceName ,
DetectorType : r . DetectorType ,
DetectorName : r . DetectorType . String ( ) ,
Verified : r . Verified ,
Raw : r . Raw ,
Redacted : r . Redacted ,
ExtraData : r . ExtraData ,
StructuredData : r . StructuredData ,
}
out , err := json . Marshal ( v )
2022-01-20 00:48:37 +00:00
if err != nil {
logrus . WithError ( err ) . Fatal ( "could not marshal result" )
}
fmt . Println ( string ( out ) )
default :
2022-01-21 02:14:16 +00:00
output . PrintPlainOutput ( & r )
2022-01-13 20:02:24 +00:00
}
}
2022-01-21 02:14:16 +00:00
logrus . Debugf ( "scanned %d chunks" , e . ChunksScanned ( ) )
2022-02-07 18:29:06 +00:00
if * printAvgDetectorTime {
printAverageDetectorTime ( e )
}
2022-03-01 04:38:13 +00:00
2022-04-21 17:08:51 +00:00
if foundResults && * fail {
logrus . Debug ( "exiting with code 183 because results were found" )
os . Exit ( 183 )
2022-03-01 04:38:13 +00:00
}
2022-02-07 18:29:06 +00:00
}
func printAverageDetectorTime ( e * engine . Engine ) {
fmt . Fprintln ( os . Stderr , "Average detector time is the measurement of average time spent on each detector when results are returned." )
for detectorName , durations := range e . DetectorAvgTime ( ) {
var total time . Duration
for _ , d := range durations {
total += d
}
avgDuration := total / time . Duration ( len ( durations ) )
fmt . Fprintf ( os . Stderr , "%s: %s\n" , detectorName , avgDuration )
}
2022-01-20 00:48:37 +00:00
}
