{"id":6735,"date":"2021-06-29T13:50:45","date_gmt":"2021-06-29T08:20:45","guid":{"rendered":"https:\/\/opstree.com\/blog\/\/?p=6735"},"modified":"2021-06-29T13:50:45","modified_gmt":"2021-06-29T08:20:45","slug":"using-trufflehog-utility-in-your-jenkins-pipeline","status":"publish","type":"post","link":"https:\/\/opstree.com\/blog\/2021\/06\/29\/using-trufflehog-utility-in-your-jenkins-pipeline\/","title":{"rendered":"Using TruffleHog Utility in Your Jenkins Pipeline"},"content":{"rendered":"\n<p><strong>Introduction<\/strong><\/p>\n\n\n\n<p>This is a quick blog on how we can use the TruffleHog utility in our Jenkins pipeline to search for the secrets, passwords, sensitive keys which may have been accidentally committed in our repositories.<\/p>\n\n\n\n<p>TruffleHog proves to be a great tool in helping us to fetch the sensitive data from our repositories which we do not want to expose at any cost.<\/p>\n\n\n\n<p>Before moving further with this blog, I would like you all to take a look at the prerequisites that are mentioned below.<\/p>\n\n\n\n<!--more-->\n\n\n\n<p><strong>Prerequisite:<\/strong><\/p>\n\n\n\n<ul><li>Basic understanding of Docker, Jenkins<\/li><li>Basic shell commands<\/li><\/ul>\n\n\n\n<p><strong>What is TruffleHog?<\/strong><\/p>\n\n\n\n<p>In simple words,  TruffleHog is a utility that searches through git repositories for secrets, private keys and credentials so that you can protect your data before a breach occurs.<\/p>\n\n\n\n<p>It is effective at finding secrets accidentally committed.<\/p>\n\n\n\n<p>TruffleHog previously functioned by running entropy checks on git diffs. 
This functionality still exists, but high-signal regex (regular expression) checks have been added, along with the ability to suppress the entropy checks.<\/p>\n\n\n\n<p><strong>How can we use the TruffleHog utility in our Jenkins pipeline?<\/strong><\/p>\n\n\n\n<p><strong>Use case:<\/strong> Let&#8217;s suppose your client requires you to find all the secrets and sensitive API keys that are present in the code repositories.<br>The steps below will guide you on how to set up TruffleHog to meet this requirement.<\/p>\n\n\n\n<p>In the following section, we will set up a Jenkins pipeline that launches a Docker container built from a Dockerfile and runs the TruffleHog utility inside that container.<\/p>\n\n\n\n<p>Let&#8217;s get started.<\/p>\n\n\n\n<p>Step 1: Go to your Jenkins server and create a Freestyle project.<\/p>\n\n\n\n<p>Step 2: In the General section of your pipeline, give it a brief description. (Optional)<\/p>\n\n\n\n<p>Step 3: Configure a log rotation strategy for your pipeline. (Optional)<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized is-style-default\"><img decoding=\"async\" src=\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/05\/image-8.png?w=943\" alt=\"\" class=\"wp-image-6753\" width=\"700\" \/><\/figure>\n\n\n\n<p>Step 4: Here, we leave the rest of the options at their default values. You can change them according to your needs.<\/p>\n\n\n\n<p>Step 5: Under the Source Code Management section, enter the repository URL. Your git repo contains the Dockerfile that will build your Docker container.<\/p>\n\n\n\n<p>URL: https:\/\/github.com\/lakshayarora476\/truffleHog.git<\/p>\n\n\n\n<p>Pass the credentials for your repository 
(if required).<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img decoding=\"async\" src=\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/05\/image-9.png?w=932\" alt=\"\" class=\"wp-image-6759\" width=\"700\" \/><\/figure>\n\n\n\n<p>Step 6: Under the &#8216;Build&#8217; section, execute the shell commands below:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"690\" height=\"502\" src=\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/06\/image-9.png?w=690\" alt=\"\" class=\"wp-image-7160\" \/><\/figure>\n\n\n\n<p>Explanation of the above shell commands:<\/p>\n\n\n\n<p> <strong>cd \/var\/lib\/jenkins\/workspace\/Jenkins-TruffleHog: <\/strong>We move into the workspace directory of the Jenkins job.<\/p>\n\n\n\n<p> <strong>docker stop $(docker ps -a -q):<\/strong> It will stop all the Docker containers that are currently running.<\/p>\n\n\n\n<p> <strong>docker rm $(docker ps -a -q):<\/strong> It will remove all the Docker containers.<\/p>\n\n\n\n<p><strong>NOTE: The aim of this blog is to help you understand the concept of TruffleHog through a Jenkins pipeline. Hence, to keep things simple, I am stopping and removing all the Docker containers (in running state) so that we can focus only on the container running our TruffleHog utility.<\/strong><\/p>\n\n\n\n<p> <strong>docker build -t mypersonalimage . :<\/strong> It will build a Docker image from the Dockerfile that we cloned in our Jenkins pipeline. The name of your image will be &#8216;mypersonalimage&#8217;.<\/p>\n\n\n\n<p> <strong>docker run -dit --name personalcontainer mypersonalimage:<\/strong> It will start a Docker container in detached mode from the previously built image. 
The name of your container will be &#8216;personalcontainer&#8217;.<\/p>\n\n\n\n<p> <strong>docker ps -a: <\/strong>Here we are listing all the Docker containers.<\/p>\n\n\n\n<p> <strong>docker exec personalcontainer trufflehog --entropy=NO --regex --json https:\/\/github.com\/lakshayarora476\/truffleHog.git &gt; output.txt : <\/strong><br>Here, we are executing the &#8216;TruffleHog&#8217; utility inside the Docker container against the git URL. It will run TruffleHog over the repository from within the container and write the result to the output.txt file.<\/p>\n\n\n\n<p><strong>NOTE: The reason I have included the entropy and regex parameters is that TruffleHog by default finds too many false positives: random-looking text which may not be a secret. So, there is an alternative search mode that uses regular expressions (regex) instead of the entropy heuristic.<\/strong><\/p>\n\n\n\n<p> <strong>cat output.txt |grep -oE &quot;\\&quot;stringsFound\\&quot;\\:.*[.*\\&quot;]}&quot;|sed -e &quot;s\/,\\&quot;.*]\/\/&quot; -e &quot;s\/}\/\/&quot;|sed &quot;s\/\\&quot;stringsFound\\&quot;:\/\/&quot;|grep -o &quot;\\&quot;.*\\&quot;&quot;|awk -F &quot;,&quot; &#39;{ for(i=1;i&lt;=NF;i++) print $i}&#39; : <\/strong><br>This command filters the JSON output from TruffleHog down to the stringsFound values and prints them one per line.<\/p>\n\n\n\n<p><strong>NOTE<\/strong>: <strong>Without the above command, your output will look something like this:<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img decoding=\"async\" src=\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/05\/image-13.png?w=973\" alt=\"\" class=\"wp-image-6845\" width=\"700\" \/><\/figure>\n\n\n\n<p>Step 7: After your pipeline has executed successfully, you can go to the console output and see the pipeline result.<\/p>\n\n\n\n<p>It will list the secrets and API keys, which look something like 
this:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"427\" height=\"552\" src=\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/06\/image-1.png?w=427\" alt=\"\" class=\"wp-image-7011\" \/><\/figure>\n\n\n\n<p>Version control systems make it easy for developers to work collaboratively on software. By storing a history of who made what changes and when, they make it easy to combine edits made by different people without losing either person\u2019s work.<\/p>\n\n\n\n<p>However, all this stored history has a downside &#8211; it\u2019s all too easy for developers to commit information to the repository that shouldn\u2019t be visible to everyone who has access to the source.<\/p>\n\n\n\n<p>This could be files containing database passwords, deploy scripts that include server credentials, or even private key files for SSH or HTTPS. Removing the secret data from the current version doesn\u2019t help, because the previous version is stored in the history and is still accessible. <strong>TruffleHog is one tool that makes it easier to search through the history of a git repository to discover passwords and other secrets.<\/strong><\/p>\n\n\n\n<p>This was a basic example to help you understand how TruffleHog works. 
You can tweak the commands according to your own needs and start experimenting.<\/p>\n\n\n\n<p>Happy Learning \ud83d\ude42<\/p>\n\n\n\n<p> <strong>Blog Pundit:<\/strong>  <strong><a href=\"https:\/\/opstree.com\/blog\/\/author\/naveenverma023\/\"><strong>Naveen Verma<\/strong><\/a><\/strong><\/p>\n\n\n\n<p>Opstree is an End to End DevOps solution provider<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introduction This is a quick blog on how we can use the TruffleHog utility in our Jenkins pipeline to search for the secrets, passwords, sensitive keys which may have been accidentally committed in our repositories. TruffleHog proves to be a great tool in helping us to fetch the sensitive data from our repositories which we &hellip; <a href=\"https:\/\/opstree.com\/blog\/2021\/06\/29\/using-trufflehog-utility-in-your-jenkins-pipeline\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Using TruffleHog Utility in Your Jenkins Pipeline&#8221;<\/span><\/a><\/p>\n","protected":false},"author":197679939,"featured_media":29900,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_coblocks_attr":"","_coblocks_dimensions":"","_coblocks_responsive_height":"","_coblocks_accordion_ie_support":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[28070474],"tags":[2713785,44070,768739308,302106407,768739299,720449640,554708593],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2025\/11\/DevSecOps-1.jpg","jetpack_likes_enabled":true,"jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/pfDBOm-1KD","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts\/6735"}],"collection":[{"hre
f":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/users\/197679939"}],"replies":[{"embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/comments?post=6735"}],"version-history":[{"count":24,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts\/6735\/revisions"}],"predecessor-version":[{"id":7181,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts\/6735\/revisions\/7181"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/media\/29900"}],"wp:attachment":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/media?parent=6735"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/categories?post=6735"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/tags?post=6735"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}