We are excited to announce our partnership and integration with Truffle Security, bringing TruffleHog's powerful secret scanning capabilities to the platform as part of our ongoing commitment to security.
TruffleHog is an open source tool that detects and prevents secret leaks in your code. With a wide range of detectors for popular SaaS and cloud providers, it scans files and repositories for sensitive information such as credentials, tokens, encryption keys and more.
Accidentally committing secrets to a code repository can have serious consequences. By scanning repositories for secrets, TruffleHog helps developers catch and remove this sensitive information before it becomes an issue, protecting their data and preventing costly security incidents.
We worked with the TruffleHog team on two different initiatives to strengthen the automated scanning pipeline at Hugging Face and to fight secret leaks in public and private repositories.
Enhancing our automated scanning pipeline with TruffleHog
At Hugging Face, we work to protect our users' confidential information. That is why we implemented an automated security scanning pipeline that scans all repositories and commits. We have now extended this pipeline to include TruffleHog, which means there are three types of scans:
Malware scan: scans for known malware signatures using ClamAV
Pickle scan: scans pickle files for malicious executable code using picklescan
Secret scan: scans for passwords, tokens and API keys using TruffleHog
Every time a user pushes to a repository, we run the trufflehog filesystem command on all new or modified files to scan for potential secrets. If a verified secret is detected, we notify the user by email so that they can take corrective action.
Verified secrets are secrets that have been confirmed to work for authentication against their respective provider. However, note that unverified secrets are not necessarily harmless or invalid: verification can fail for technical reasons, such as downtime on the provider's side.
Even though we do this for you, it is always worth running TruffleHog on your own repositories. For example, you may want to revoke a leaked secret and check that it now shows up as "unverified", or you may want to manually check whether an unverified secret still poses a threat.
This brings us to the trufflehog huggingface command, the native Hugging Face scanner.
TruffleHog native Hugging Face scanner
The goal of creating a native Hugging Face scanner in TruffleHog is to allow users (and the security teams protecting them) to proactively scan their account data for leaked secrets.
TruffleHog's new open source Hugging Face integration can scan models, datasets and Spaces, as well as any related PRs and discussions. The only limitation is that TruffleHog does not currently scan files stored in LFS. Their team is looking to address this for all of their Git sources in the near term.
To scan all of your or your organization's Hugging Face models, datasets and Spaces for secrets using TruffleHog, run one of the following commands (replace the placeholders with your own username or organization name):
trufflehog huggingface --user <username>
trufflehog huggingface --org <orgname>
trufflehog huggingface --user <username> --org <orgname>
Optionally, you can also scan Hugging Face discussions and PR comments by adding the --include-discussions and --include-prs flags.
If you only want to scan a single model, dataset or Space, TruffleHog has a specific flag for each:
trufflehog huggingface --model <model_id>
trufflehog huggingface --dataset <dataset_id>
trufflehog huggingface --space <space_id>
If you need to pass an authentication token, you can do so with the --token flag or by setting the HUGGINGFACE_TOKEN environment variable.
Below is an example of TruffleHog's output when run on mcpotato/42-eicar-street:
trufflehog huggingface --model mcpotato/42-eicar-street
🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷

2024-09-02T16:39:30+02:00  info-0  trufflehog  running source  {"source_manager_worker_id": "3krwu", "with_units": false, "target_count": 0, "source_manager_units_configurable": true}
2024-09-02T16:39:30+02:00  info-0  trufflehog  Completed enumeration  {"num_models": 1, "num_spaces": 0, "num_datasets": 0}
2024-09-02T16:39:32+02:00  info-0  trufflehog  scanning repo  {"source_manager_worker_id": "3krwu", "model": "https://huggingface.co/mcpotato/42-eicar-street.git", "repo": "https://huggingface.co/mcpotato/42-eicar-street.git"}
Decoder Type: PLAIN
Raw result: HF_KIBMVMXOWCWYJCQYJNIHPXGSTXGPRIZFYC
Commit: 9cb322a7c2b4ec7c9f18045f0fa05015b831f256
Email: Luc Georges
File: token_leak.yml
Line: 1
Link: https://huggingface.co/mcpotato/42-eicar-street/blob/9cb322a7c2b4ec7c9f18045f0fa05015b831f256/token_leak.yml#L1
Repository: https://huggingface.co/mcpotato/42-eicar-street.git
Resource_type: model
Timestamp: 2024-06-17 13:11:50 +0000
2024-09-02T16:39:32+02:00  info-0  trufflehog  finished scanning  {"verified_secrets": 0, "unverified_secrets": 1, "scan_duration": "2.176551292s", "trufflehog_version": "3.81.10"}
Kudos to the TruffleHog team for providing such an incredible tool to help keep our community safe! We look forward to more features and to continuing to work together to make the Hub safe for everyone.