remote: Counting objects: 115, done.
remote: Total 115 (delta 0), reused 0 (delta 0), pack-reused 115
Receiving objects: 100% (115/115), 21.29 KiB | 0 bytes/s, done.
Resolving deltas: 100% (58/58), done.
[tmclaughlin@tomcat-ts:aws-straycat other]$ cd truffleHog/
[tmclaughlin@tomcat-ts:aws-straycat truffleHog(master)]$ pip install --user -r requirements.txt
Collecting GitPython==2.1.1 (from -r requirements.txt (line 1))
  Downloading GitPython-2.1.1-py2.py3-none-any.whl (441kB)
    100% || 450kB 1.8MB/s
Collecting gitdb2>=2.0.0 (from GitPython==2.1.1->-r requirements.txt (line 1))
  Downloading gitdb2-2.0.0-py2.py3-none-any.whl (63kB)
    100% || 71kB 2.8MB/s
Collecting smmap2>=2.0.0 (from gitdb2>=2.0.0->GitPython==2.1.1->-r requirements.txt (line 1))
  Downloading smmap2-2.0.1-py2.py3-none-any.whl
Installing collected packages: smmap2, gitdb2, GitPython
Successfully installed GitPython-2.1.1 gitdb2-2.0.0 smmap2-2.0.1

Operation

Now that you have installed truffleHog, run it against a git repo. The command takes a git path, which means you can scan either a local or a remote repository, as follows:

[tmclaughlin@tomcat-ts:aws-straycat truffleHog(master)]$ python ../../threatstack/threatstack-to-s3/
Date: 2017-01-24 12:05:41
Branch: trufflehog
Commit: Tired of forgetting to set this... (This is for testing TruffleHog.)
@@ -5,7 +5,7 @@ import Skip Tracing os import requests THREATSTACK_BASE_URL = os.environ.get('THREATSTACK_BASE_URL', '') -THREATSTACK_API_KEY = os.environ.get('THREATSTACK_API_KEY') +THREATSTACK_API_KEY = 'rWJTjTMuAcU3VyWohCAvmIKEPqwANv47LTQfv9Bys9WLMdL6KaLmj8qsisZffFWtb' def is_available(): '''

Analysis

truffleHog has output a commit and its diff that contains a potential secret. The truffleHog output is in reverse chronological order and looks much like the output of running git log -p, but with only the offending commits shown. The suspected key is highlighted in the output.

The tool is not perfect, however: it is good at finding random strings, but not non-random strings (for example, if someone used a passphrase as a secret). If a string isn't long enough, it probably does not have enough entropy to be flagged. For example, truffleHog misses AWS access keys, which are 20-character strings of uppercase letters and digits.
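Review bot: the `+` line replaces `os.environ.get('THREATSTACK_API_KEY')` with a literal key, so the secret now lives in the repository history; keep the environment lookup and treat the committed value as exposed (rotate it), since reverting the line in a later commit does not remove it from git history.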
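To make the entropy heuristic concrete, here is an added example (my own code, not truffleHog's) that runs a Shannon-entropy scan over a few constructed diff lines, then goes one step beyond the post by pairing it with a pattern check for the AWS access key IDs that entropy alone misses. The thresholds (4.5 bits for base64-style runs, 3.0 bits for hex-style runs, both applied only to runs of at least 20 characters) are assumptions chosen for this example, not truffleHog's settings; the sample diff reuses the key from the post's own output, while the AWS-style key ID (AKIA followed by 16 uppercase/digit characters, the real format) and the passphrase are made-up placeholders.

```python
import math
import re

# Added example, not truffleHog's code: an entropy scan in the spirit of the approach the
# post describes, plus a pattern-based check for the case the post says entropy misses.

# Alphabets from which candidate tokens are pulled out of each whitespace-separated word.
BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
HEX_CHARS = "1234567890abcdefABCDEF"

# Constructed sample diff. Line 2 reuses the token from the post's own truffleHog output;
# line 3 carries a made-up AWS-style access key ID (AKIA + 16 uppercase letters/digits,
# a placeholder, not a real key); line 4 carries a passphrase-style secret.
SAMPLE_DIFF = """\
-THREATSTACK_API_KEY = os.environ.get('THREATSTACK_API_KEY')
+THREATSTACK_API_KEY = 'rWJTjTMuAcU3VyWohCAvmIKEPqwANv47LTQfv9Bys9WLMdL6KaLmj8qsisZffFWtb'
+AWS_ACCESS_KEY_ID = 'AKIAEXAMPLE012345678'
+DB_PASSWORD = 'correct horse battery staple'
"""


def shannon_entropy(data, alphabet):
    """Bits of Shannon entropy per character of `data`, counted over `alphabet`."""
    if not data:
        return 0.0
    entropy = 0.0
    for ch in alphabet:
        p = data.count(ch) / len(data)
        if p > 0:
            entropy -= p * math.log2(p)
    return entropy


def tokens_from_alphabet(word, alphabet, min_len):
    """Maximal runs of `alphabet` characters inside `word` that are at least `min_len` long."""
    runs, current = [], ""
    for ch in word + " ":  # trailing sentinel flushes the last run
        if ch in alphabet:
            current += ch
        else:
            if len(current) >= min_len:
                runs.append(current)
            current = ""
    return runs


def find_high_entropy_strings(diff_text, min_len=20, b64_threshold=4.5, hex_threshold=3.0):
    """Return (line_number, token, entropy_bits) for every run that exceeds its threshold.

    Thresholds and minimum length are assumptions for this example.
    """
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        for word in line.split():
            for alphabet, threshold in ((BASE64_CHARS, b64_threshold), (HEX_CHARS, hex_threshold)):
                for token in tokens_from_alphabet(word, alphabet, min_len):
                    bits = shannon_entropy(token, alphabet)
                    if bits > threshold:
                        findings.append((lineno, token, round(bits, 2)))
    return findings


def max_entropy_bits(length, alphabet_size=64):
    """Upper bound on per-character entropy for a string of `length` characters:
    every character distinct gives log2(length), capped by the alphabet size."""
    return math.log2(min(length, alphabet_size))


# Pattern-based complement for what entropy misses: AWS access key IDs are 20 characters,
# begin with AKIA and use only uppercase letters and digits.
AWS_ACCESS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def find_aws_key_ids(diff_text):
    """Every AWS-style access key ID found in the diff text, by pattern rather than entropy."""
    return AWS_ACCESS_KEY_ID_RE.findall(diff_text)


if __name__ == "__main__":
    for lineno, token, bits in find_high_entropy_strings(SAMPLE_DIFF):
        print(f"line {lineno}: {bits} bits  {token}")
    print("AWS key IDs by pattern:", find_aws_key_ids(SAMPLE_DIFF))
    print(f"max entropy of a 20-char string: {max_entropy_bits(20):.2f} bits")
```

Running it flags only the 65-character token on line 2 (about 5.2 bits per character); the AWS-style key ID on line 3 reaches the minimum length but scores under 4 bits, and the passphrase on line 4 never forms a long enough run. The arithmetic behind the post's AWS observation is in `max_entropy_bits`: a 20-character string with every character distinct tops out at log2(20), about 4.32 bits, so no 20-character token can cross a 4.5-bit threshold however random it is, which is why a format-specific pattern check belongs alongside the entropy scan.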

