I am attempting to manually set up truffleHog in GitLab CI to scan my GitLab repo for secrets. I think I've misconfigured my job. My guess would be that the file path I'm passing to trufflehog is wrong, as the job runs quickly and ends with "Job succeeded" despite the fact that I have a dummy text file containing "----BEGIN PGP PRIVATE KEY BLOCK-----" and "EAACEdEose0cBA23456gfde4567hgf" to test whether or not it's working as expected.
My .gitlab-ci.yml looks like:

    stages:
      - secrets

    trufflehog:
      stage: secrets
      image: python:3-alpine
      script:
        - apk add --no-cache git
        - pip install trufflehog
        - adduser -S truffleHog
        - trufflehog --entropy true "file://$PWD"
The raw output of the trufflehog command looks like this:

    $ trufflehog --entropy true "file://$PWD"
    section_end:1570219434:build_script
    section_start:1570219434:after_script
    section_end:1570219435:after_script
    section_start:1570219435:archive_cache
    section_end:1570219437:archive_cache
    section_start:1570219437:upload_artifacts_on_success
    section_end:1570219438:upload_artifacts_on_success
    Job succeeded
Any suggestions where I might be going wrong?
As the TruffleHog docs say, for scanning a repo you should not use the "file" option:

    truffleHog --regex --entropy=False https://github.com/dxa4481/truffleHog.git

Anyway, if you want to scan a local dir with the file option, it seems there are no quotation marks in the call:

    truffleHog file:///user/dxa4481/codeprojects/truffleHog/

Could you try it without the quotes if you have no spaces in the directory names, or just this?

    trufflehog --entropy true file:"//$PWD"
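A separate thing worth checking is whether the two test strings in the question would trigger either detection mode at all, independent of the path argument. The script below is an added example, not code from the question, the answer, or the truffleHog project: it re-implements the two checks the way truffleHog 2.x describes them, and the constants (base64/hex alphabets, the 20-character minimum, the 4.5 and 3.0 entropy thresholds, and the PGP regex text) are assumptions taken from my reading of that project's source, so verify them against the version you install. The extra 41-character value is constructed for contrast. What it shows: the PGP header is only ever matched by regex mode, which the job never enables (no `--regex`), and only if it has five leading dashes rather than the four typed in the question; and the "EAACEd..." string has about 4.12 bits of entropy per character, below the base64 threshold, so `--entropy true` on its own would not report it either.

```python
import math
import re

# Assumed to mirror truffleHog 2.x's entropy scan; check against your installed version.
BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
HEX_CHARS = "1234567890abcdefABCDEF"
MIN_LEN = 20          # shorter runs are never examined
B64_THRESHOLD = 4.5   # bits per character for base64-alphabet runs
HEX_THRESHOLD = 3.0   # bits per character for hex-alphabet runs

# Assumed to mirror the "PGP private key block" rule of truffleHog's regex mode.
PGP_PRIVATE_KEY_RE = re.compile(r"-----BEGIN PGP PRIVATE KEY BLOCK-----")


def shannon_entropy(data: str, charset: str) -> float:
    """Shannon entropy (bits per character) of data, counting only chars in charset."""
    if not data:
        return 0.0
    entropy = 0.0
    for ch in set(charset):
        p = data.count(ch) / len(data)
        if p > 0:
            entropy -= p * math.log2(p)
    return entropy


def strings_of_set(word: str, charset: str, min_len: int = MIN_LEN) -> list:
    """Maximal runs of charset characters inside word that are at least min_len long."""
    runs, current = [], ""
    for ch in word:
        if ch in charset:
            current += ch
            continue
        if len(current) >= min_len:
            runs.append(current)
        current = ""
    if len(current) >= min_len:
        runs.append(current)
    return runs


def entropy_findings(line: str) -> list:
    """(string, entropy) pairs on this line that the entropy mode would report."""
    found = []
    for word in line.split():
        for s in strings_of_set(word, BASE64_CHARS):
            e = shannon_entropy(s, BASE64_CHARS)
            if e > B64_THRESHOLD:
                found.append((s, e))
        for s in strings_of_set(word, HEX_CHARS):
            e = shannon_entropy(s, HEX_CHARS)
            if e > HEX_THRESHOLD:
                found.append((s, e))
    return found


def regex_findings(line: str) -> list:
    """Matches on this line that the regex mode's PGP rule would report."""
    return [m.group(0) for m in PGP_PRIVATE_KEY_RE.finditer(line)]


# Constructed sample input: the two strings from the question as typed there,
# plus a constructed 41-character run of distinct base64 characters.
QUESTION_LINES = [
    "----BEGIN PGP PRIVATE KEY BLOCK-----",
    "EAACEdEose0cBA23456gfde4567hgf",
]
HIGH_ENTROPY = "q9Zt2Lp7Rw4Vb8Nc1Hf6Yd3Sg5Jm0Ke+/WuXaIyTo"

if __name__ == "__main__":
    for line in QUESTION_LINES + [HIGH_ENTROPY]:
        print(repr(line))
        print("  entropy mode:", entropy_findings(line))
        print("  regex mode:  ", regex_findings(line))
```

If the goal is just to prove the pipeline wires truffleHog up correctly, commit a value like the constructed high-entropy one (or a correctly formed five-dash PGP header with `--regex` enabled) rather than a hand-typed string that happens to sit under the threshold.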