2022-01-13 20:02:24 +00:00
package main
import (
"context"
"encoding/json"
"fmt"
"log"
"os"
"runtime"
"strconv"
"github.com/sirupsen/logrus"
2022-01-20 00:13:59 +00:00
kingpin "gopkg.in/alecthomas/kingpin.v2"
"github.com/trufflesecurity/trufflehog/pkg/common"
2022-01-13 20:02:24 +00:00
"github.com/trufflesecurity/trufflehog/pkg/decoders"
"github.com/trufflesecurity/trufflehog/pkg/engine"
2022-01-20 17:43:37 +00:00
"github.com/trufflesecurity/trufflehog/pkg/pb/source_metadatapb"
2022-01-20 00:13:59 +00:00
"github.com/trufflesecurity/trufflehog/pkg/sources/git"
2022-01-13 20:02:24 +00:00
)
func main ( ) {
cli := kingpin . New ( "TruffleHog" , "TruffleHog is a tool for finding credentials." )
debug := cli . Flag ( "debug" , "Run in debug mode" ) . Bool ( )
2022-01-19 00:59:18 +00:00
jsonOut := cli . Flag ( "json" , "Output in JSON format." ) . Short ( 'j' ) . Bool ( )
2022-01-13 20:02:24 +00:00
concurrency := cli . Flag ( "concurrency" , "Number of concurrent workers." ) . Default ( strconv . Itoa ( runtime . NumCPU ( ) ) ) . Int ( )
2022-01-19 06:24:56 +00:00
noVerification := cli . Flag ( "no-verification" , "Don't verify the results." ) . Bool ( )
2022-01-13 20:02:24 +00:00
// rules := cli.Flag("rules", "Path to file with custom rules.").String()
gitScan := cli . Command ( "git" , "Find credentials in git repositories." )
gitScanURI := gitScan . Arg ( "uri" , "Git repository URL. https:// or file:// schema expected." ) . Required ( ) . String ( )
2022-01-14 20:40:50 +00:00
gitScanIncludePaths := gitScan . Flag ( "include_paths" , "Path to file with newline separated regexes for files to include in scan." ) . Short ( 'i' ) . String ( )
gitScanExcludePaths := gitScan . Flag ( "exclude_paths" , "Path to file with newline separated regexes for files to exclude in scan." ) . Short ( 'x' ) . String ( )
2022-01-13 20:02:24 +00:00
// gitScanSinceCommit := gitScan.Flag("since_commit", "Commit to start scan from.").String()
gitScanBranch := gitScan . Flag ( "branch" , "Branch to scan." ) . String ( )
// gitScanMaxDepth := gitScan.Flag("max_depth", "Maximum depth of commits to scan.").Int()
gitScan . Flag ( "allow" , "No-op flag for backwards compat." ) . Bool ( )
gitScan . Flag ( "entropy" , "No-op flag for backwards compat." ) . Bool ( )
gitScan . Flag ( "regex" , "No-op flag for backwards compat." ) . Bool ( )
githubScan := cli . Command ( "github" , "Find credentials in GitHub repositories." )
2022-01-20 00:13:59 +00:00
githubScanEndpoint := githubScan . Flag ( "endpoint" , "GitHub endpoint." ) . Default ( "https://api.github.com" ) . String ( )
githubScanRepos := githubScan . Flag ( "repo" , ` GitHub repository to scan. You can repeat this flag. Example: "https://github.com/dustin-decker/secretsandstuff" ` ) . Strings ( )
githubScanOrgs := githubScan . Flag ( "org" , ` GitHub organization to scan. You can repeat this flag. Example: "trufflesecurity" ` ) . Strings ( )
githubScanToken := githubScan . Flag ( "token" , "GitHub token." ) . String ( )
2022-01-13 20:02:24 +00:00
gitlabScan := cli . Command ( "gitlab" , "Find credentials in GitLab repositories." )
// gitlabScanTarget := gitlabScan.Arg("target", "GitLab target. Can be a repository, user or organization.").Required().String()
// gitlabScanToken := gitlabScan.Flag("token", "GitLab token.").String()
2022-01-20 00:13:59 +00:00
bitbucketScan := cli . Command ( "bitbucket" , "Find credentials in Bitbucket repositories." )
2022-01-13 20:02:24 +00:00
// bitbucketScanTarget := bitbucketScan.Arg("target", "Bitbucket target. Can be a repository, user or organization.").Required().String()
// bitbucketScanToken := bitbucketScan.Flag("token", "Bitbucket token.").String()
2022-01-20 00:13:59 +00:00
filesystemScan := cli . Command ( "filesystem" , "Find credentials in a filesystem." )
2022-01-13 20:02:24 +00:00
// filesystemScanPath := filesystemScan.Arg("path", "Path to scan.").Required().String()
// filesystemScanRecursive := filesystemScan.Flag("recursive", "Scan recursively.").Short('r').Bool()
// filesystemScanIncludePaths := filesystemScan.Flag("include_paths", "Path to file with newline separated regexes for files to include in scan.").Short('i').String()
// filesystemScanExcludePaths := filesystemScan.Flag("exclude_paths", "Path to file with newline separated regexes for files to exclude in scan.").Short('x').String()
2022-01-20 00:13:59 +00:00
s3Scan := cli . Command ( "s3" , "Find credentials in an S3 bucket." )
2022-01-13 20:02:24 +00:00
cmd := kingpin . MustParse ( cli . Parse ( os . Args [ 1 : ] ) )
if * jsonOut {
logrus . SetFormatter ( & logrus . JSONFormatter { } )
}
if * debug {
logrus . SetLevel ( logrus . DebugLevel )
} else {
logrus . SetLevel ( logrus . InfoLevel )
}
ctx := context . TODO ( )
e := engine . Start ( ctx ,
engine . WithConcurrency ( * concurrency ) ,
engine . WithDecoders ( decoders . DefaultDecoders ( ) ... ) ,
2022-01-19 06:24:56 +00:00
engine . WithDetectors ( ! * noVerification , engine . DefaultDetectors ( ) ... ) ,
2022-01-13 20:02:24 +00:00
)
2022-01-14 20:40:50 +00:00
filter , err := common . FilterFromFiles ( * gitScanIncludePaths , * gitScanExcludePaths )
if err != nil {
logrus . WithError ( err )
}
2022-01-13 20:02:24 +00:00
switch cmd {
case gitScan . FullCommand ( ) :
2022-01-15 00:07:45 +00:00
repoPath , remote , err := git . PrepareRepo ( * gitScanURI )
if err != nil || repoPath == "" {
logrus . WithError ( err ) . Fatal ( "error preparing git repo for scanning" )
}
if remote {
defer os . RemoveAll ( repoPath )
}
err = e . ScanGit ( ctx , repoPath , * gitScanBranch , "HEAD" , filter )
2022-01-13 20:02:24 +00:00
if err != nil {
logrus . WithError ( err ) . Fatal ( "Failed to scan git." )
}
case githubScan . FullCommand ( ) :
2022-01-20 00:13:59 +00:00
if len ( * githubScanOrgs ) == 0 && len ( * githubScanRepos ) == 0 {
log . Fatal ( "You must specify at least one organization or repository." )
}
err = e . ScanGitHub ( ctx , * githubScanEndpoint , * githubScanRepos , * githubScanOrgs , * githubScanToken , filter , * concurrency )
if err != nil {
logrus . WithError ( err ) . Fatal ( "Failed to scan git." )
}
2022-01-13 20:02:24 +00:00
case gitlabScan . FullCommand ( ) :
log . Fatal ( "gitlab not implemented" )
2022-01-20 00:13:59 +00:00
case bitbucketScan . FullCommand ( ) :
log . Fatal ( "bitbucket not implemented" )
case filesystemScan . FullCommand ( ) :
log . Fatal ( "filesystem not implemented" )
case s3Scan . FullCommand ( ) :
log . Fatal ( "s3 not implemented" )
2022-01-13 20:02:24 +00:00
}
2022-01-20 17:43:37 +00:00
stdoutLogger := logrus . New ( )
stdoutLogger . SetOutput ( os . Stdout )
stdoutLogger . SetFormatter ( & logrus . TextFormatter { } )
2022-01-13 20:02:24 +00:00
for r := range e . ResultsChan ( ) {
2022-01-20 17:43:37 +00:00
type outputFormat struct {
DetectorType string
SourceType string
Verified bool
* source_metadatapb . MetaData
}
output := outputFormat {
DetectorType : r . Result . DetectorType . String ( ) ,
SourceType : r . SourceType . String ( ) ,
Verified : r . Result . Verified ,
MetaData : r . SourceMetadata ,
}
2022-01-13 20:02:24 +00:00
if * jsonOut {
// todo - add parity to trufflehog's existing output for git
// source
2022-01-20 17:43:37 +00:00
out , err := json . Marshal ( output )
2022-01-13 20:02:24 +00:00
if err != nil {
logrus . WithError ( err ) . Fatal ( "could not marshal result" )
}
fmt . Println ( string ( out ) )
} else {
2022-01-20 17:43:37 +00:00
out , err := structToFields ( output )
if err != nil {
logrus . WithError ( err ) . Fatal ( "could not marshal result" )
}
stdoutLogger . WithFields ( out ) . Info ( "found secret" )
2022-01-13 20:02:24 +00:00
}
}
2022-01-19 06:24:56 +00:00
logrus . Infof ( "scanned %d chunks" , e . ChunksScanned ( ) )
2022-01-13 20:02:24 +00:00
}
2022-01-20 17:43:37 +00:00
func structToFields ( obj interface { } ) ( fields logrus . Fields , err error ) {
data , err := json . Marshal ( obj )
if err != nil {
return
}
err = json . Unmarshal ( data , & fields )
return
}