GitHub
Edition: Enterprise + Open Source

The GitHub integration scans repositories, gists, issues, and pull requests on GitHub Cloud or GitHub Enterprise Server for credentials and other sensitive data. It scans on a schedule; for scanning of push events as they occur, use the GitHub Real-Time source instead.

## Configuration

The GitHub integration can be configured in TruffleHog under **Integrations**, or via a local configuration file (below).

### Web configuration

Configure this integration from the **Integrations** page in TruffleHog. You'll need either a GitHub personal access token (classic), or a GitHub App installed on the accounts or organizations you want to scan.

### Local configuration

Local configuration supports two authentication methods:

- **Bearer token**: uses a GitHub personal access token (classic).
- **GitHub App**: uses a registered GitHub App, which can scan repositories across any account or organization where the app is installed.

#### Bearer token

Create a classic personal access token with the following scopes:

- `repo`: read access to repository contents. Classic scopes are coarse: `repo` also grants write access to private repositories, even though TruffleHog only reads, so protect this token accordingly.
- `gist`: read access to gists.
- `read:org`: read organization membership.

Fine-grained tokens are not supported.

```yaml
sources:
  - connection:
      "@type": type.googleapis.com/sources.GitHub
      endpoint: https://github.ourbusiness.com
      token: xxxxxxxxxxxxxxxxxxxxxxxxxx
      ignoreRepos:
        - trufflesecurity/trufflehog
      includeForks: false
      includeGistComments: true
      includeIssueComments: true
      includePullRequestComments: true
      scanUsers: false
      skipBinaries: true
    name: github
    scanPeriod: 12h
    type: SOURCE_TYPE_GITHUB
    verify: true
```

The `token` (and, for the GitHub App method below, the `privateKey`) is a long-lived credential stored in plain text; restrict read access to the configuration file to the account that runs TruffleHog.

#### GitHub App

A single GitHub App can scan repositories across multiple accounts or organizations, as long as the app is installed on each of them. Each account requires a separate TruffleHog source configuration using the same `appId` paired with that account's `installationId` and a unique `name`.

Setup is a three-step process: register the app, install it, and configure TruffleHog.

**Step 1: Register a GitHub App**

1. Sign in to GitHub and navigate to your account settings.
   - For an app owned by a personal account: click your profile photo, then **Settings**.
   - For an app owned by an organization: click your profile photo, then **Your organizations**, then **Settings** next to the organization.
2. In the left sidebar, click **Developer settings**.
3. Click **GitHub Apps**, then **New GitHub App**.
4. Fill in the app details:

   | Field | Value |
   | --- | --- |
   | GitHub App name | Any descriptive name (e.g., TruffleHog Scanner App) |
   | Homepage URL | Your TruffleHog instance URL: `https://<your-org>.c1.prod.trufflehog.org` |
   | Webhook | Leave **Active** selected |
   | Webhook URL | `https://<your-org>.c1.prod.trufflehog.org/sources/github/webhook` |

5. Configure the following permissions. If you change permissions after the app is installed, the installation must be re-authorized for the changes to take effect.

   | Permission group | Permission | Access |
   | --- | --- | --- |
   | Repository | Contents | Read-only |
   | Repository | Metadata (mandatory) | Read-only |
   | Repository | Webhooks | Read and write |
   | Repository | Issues | Read-only |
   | Repository | Pull requests | Read-only |
   | Organization | Members | Read-only |
   | Account | Gists | Read-only |

6. Under **Where can this GitHub App be installed?**, choose:
   - **Only on this account** to restrict installation to the creating account.
   - **Any account** to allow installation on any user or organization.
7. Click **Create GitHub App**.
8. Generate a private key from **Settings > Developer settings > GitHub Apps > [your app] > Private keys > Generate a private key**. A single private key works across all installations of the app.
9. Note the **App ID** shown on the app's **About** page; you'll need it for configuration.

**Step 2: Install the GitHub App**

1. From **Developer settings > GitHub Apps**, select your app.
2. In the left panel under **General**, click **Install App**.
3. Click **Install** next to the account where you want to install the app.
4. Select **All repositories**, review the permissions, and click **Install**.
5. Find the installation ID by navigating to **Settings > Integrations > Applications > Installed GitHub Apps**, clicking the gear icon next to your app, and copying the trailing number from the URL: `https://github.com/settings/installations/<installationId>`. A new installation ID is generated each time the app is installed on a different account.

**Step 3: Configure TruffleHog**

```yaml
sources:
  - connection:
      "@type": type.googleapis.com/sources.GitHub
      repositories:
        - https://github.com/sandbox/test-secrets.git
        - https://github.com/sandbox/test-repo.git
      githubApp:
        privateKey: |
          -----BEGIN RSA PRIVATE KEY-----
          xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
          xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
          -----END RSA PRIVATE KEY-----
        installationId: "54544692"
        appId: "989473"
      ignoreRepos:
        - trufflesecurity/trufflehog
      includeForks: false
      includeGistComments: true
      includeIssueComments: true
      includePullRequestComments: true
      scanUsers: false
      skipBinaries: true
    name: github-test-1
    scanPeriod: 12h
    type: SOURCE_TYPE_GITHUB
    verify: true
```

To scan additional accounts with the same app, add a separate source entry using the same `appId` paired with each account's `installationId` and a unique `name`.

### Configuration options

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `endpoint` | string | No | The GitHub API endpoint. Omit for GitHub Cloud. |
| `repositories` | list | No | Explicit list of repositories to scan. Omit to enumerate accessible repositories instead (recommended). |
| `organizations` | list | No | Explicit list of organizations to scan. Omit to enumerate (recommended). |
| `scanUsers` | boolean | No | Enumerate organization members and scan their public repositories. |
| `includeForks` | boolean | No | Include forked repositories. Defaults to `false`. |
| `head` | string | No | Branch to use as the head when scanning a diff range. |
| `base` | string | No | Branch to use as the base when scanning a diff range. |
| `ignoreRepos` | list | No | Repositories to skip during scanning. |
| `includeRepos` | list | No | Repositories to explicitly include in the scan. |
| `includePullRequestComments` | boolean | No | Include pull request comments. |
| `includeIssueComments` | boolean | No | Include issue comments. |
| `ignoreGists` | boolean | No | Skip gist scanning entirely. |
| `includeGistComments` | boolean | No | Include gist comments. |
| `skipBinaries` | boolean | No | Skip binary files. |
| `skipArchives` | boolean | No | Skip archive files. |
| `includeWikis` | boolean | No | Include repository wikis. |

## Capabilities

| Feature | Supported |
| --- | --- |
| Scan archive files | ✅ |
| Scan archived repositories | ✅ |
| Scan base64-encoded data | ✅ |
| Scan binaries | ✅ |
| Scan comments (issues, PRs, gists) | ✅ |
| Scan gists | ✅ |
| Scan forks | ✅ |
| Scan history | ✅ |
| Scan version history | ✅ |
| Scan in CI | ✅ |
| Include / exclude filters | ✅ |
| Pre-commit | ✅ |
| Pre-receive | ✅ |
| Auto-resume | ✅ |

## Notes

- TruffleHog does not scan diffs larger than 1 GB.
- Scanning in GitHub Actions is supported but requires additional setup: https://docs.trufflesecurity.com/scanning-in-ci
- Personal access tokens must be classic tokens; fine-grained tokens are not supported.
- For real-time scanning of push events, use the GitHub Real-Time integration.

### Default gist scanning behavior

Gists are scanned by default unless any of the following is true:

- `ignoreGists` is `true`.
- `repositories` is set (an explicit repo list overrides default gist enumeration).
- `organizations` is set and `scanUsers` is `false`.
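The gist rule above and the "classic tokens only" requirement are both easy to get wrong in a hand-written config and both fail quietly (gists silently not scanned; a fine-grained token rejected at run time). The following Go program is an added example, not part of TruffleHog or this page: a pre-deployment lint for one source entry. It assumes the YAML entry has been rendered as JSON (YAML is a superset of JSON, and this keeps the example on the standard library), classifies the token by its well-known prefix (`ghp_` classic, `github_pat_` fine-grained), checks an `X-OAuth-Scopes` header value pasted from a GitHub API response against the three required scopes, and evaluates whether gists will be scanned. The sample config embedded in `main` is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Connection mirrors the connection fields the checks below need.
// Assumption: the YAML source entry has been rendered as JSON so encoding/json can decode it.
type Connection struct {
	Endpoint      string   `json:"endpoint"`
	Token         string   `json:"token"`
	Repositories  []string `json:"repositories"`
	Organizations []string `json:"organizations"`
	ScanUsers     bool     `json:"scanUsers"`
	IgnoreGists   bool     `json:"ignoreGists"`
	GitHubApp     *struct {
		AppID          string `json:"appId"`
		InstallationID string `json:"installationId"`
		PrivateKey     string `json:"privateKey"`
	} `json:"githubApp"`
}

// Source is one entry under `sources:`.
type Source struct {
	Connection Connection `json:"connection"`
	Name       string     `json:"name"`
}

// RequiredScopes are the classic PAT scopes the integration needs.
var RequiredScopes = []string{"repo", "gist", "read:org"}

// TokenKind classifies a PAT by prefix: classic tokens start with ghp_,
// fine-grained tokens with github_pat_. Only classic tokens are supported.
func TokenKind(token string) string {
	switch {
	case strings.HasPrefix(token, "github_pat_"):
		return "fine-grained"
	case strings.HasPrefix(token, "ghp_"):
		return "classic"
	default:
		return "unknown"
	}
}

// MissingScopes parses the X-OAuth-Scopes header GitHub returns for a classic
// PAT (e.g. "repo, gist, read:org") and reports which required scopes are absent.
func MissingScopes(xOAuthScopes string) []string {
	have := map[string]bool{}
	for _, s := range strings.Split(xOAuthScopes, ",") {
		if s = strings.TrimSpace(s); s != "" {
			have[s] = true
		}
	}
	var missing []string
	for _, want := range RequiredScopes {
		if !have[want] {
			missing = append(missing, want)
		}
	}
	return missing
}

// GistsScanned applies the default gist rule: gists are scanned unless ignoreGists
// is true, repositories is set, or organizations is set while scanUsers is false.
func GistsScanned(c Connection) bool {
	if c.IgnoreGists || len(c.Repositories) > 0 {
		return false
	}
	if len(c.Organizations) > 0 && !c.ScanUsers {
		return false
	}
	return true
}

// Lint decodes one source entry and returns findings a reviewer should act on.
func Lint(raw []byte) ([]string, error) {
	var src Source
	if err := json.Unmarshal(raw, &src); err != nil {
		return nil, err
	}
	c := src.Connection
	var findings []string
	switch {
	case c.Token != "":
		if kind := TokenKind(c.Token); kind != "classic" {
			findings = append(findings, fmt.Sprintf("token looks %s; only classic PATs are supported", kind))
		}
	case c.GitHubApp != nil:
		app := c.GitHubApp
		if app.AppID == "" || app.InstallationID == "" || !strings.Contains(app.PrivateKey, "RSA PRIVATE KEY") {
			findings = append(findings, "githubApp needs appId, installationId and a PEM privateKey")
		}
	default:
		findings = append(findings, "no token or githubApp configured")
	}
	if !GistsScanned(c) {
		findings = append(findings, "gists will not be scanned with this configuration")
	}
	return findings, nil
}

func main() {
	// Constructed sample: a fine-grained token plus an organization list without scanUsers.
	const sample = `{"connection":{"@type":"type.googleapis.com/sources.GitHub","token":"github_pat_EXAMPLE","organizations":["sandbox"],"scanUsers":false},"name":"github"}`
	findings, err := Lint([]byte(sample))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println("-", f)
	}
	fmt.Println("missing scopes:", MissingScopes("repo, gist"))
}
```

Run it against each entry before rollout; the scope check is meant for the value of the `X-OAuth-Scopes` header that GitHub returns on any authenticated API call made with the classic token.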
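The three values collected in Steps 1 to 3 (`appId`, `privateKey`, `installationId`) are what the standard GitHub App authentication flow consumes: the app signs a short-lived JWT (RS256, `iss` = App ID, `exp` at most ten minutes out) with its private key, then exchanges it at `POST /app/installations/{installationId}/access_tokens` for an installation token that only covers that installation's repositories, which is consistent with the page's requirement of one source entry per installation. The Go program below is an added example of that flow, not TruffleHog's own code. It parses the PKCS#1 PEM that GitHub issues (the `-----BEGIN RSA PRIVATE KEY-----` block from Step 1), generates a throwaway key pair at run time as a stand-in for the real one, builds and verifies the JWT, and constructs (but does not send) the token-exchange request with the placeholder App ID and installation ID from the config above.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// appClaims are the JWT claims a GitHub App presents: iss is the App ID,
// iat is backdated a little for clock skew, exp must be within 10 minutes.
type appClaims struct {
	Iss string `json:"iss"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

// ParsePrivateKey loads the PKCS#1 PEM ("BEGIN RSA PRIVATE KEY") from Step 1.
func ParsePrivateKey(pemBytes []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "RSA PRIVATE KEY" {
		return nil, errors.New("expected a PEM block of type RSA PRIVATE KEY")
	}
	return x509.ParsePKCS1PrivateKey(block.Bytes)
}

// DemoKey generates a throwaway key and its PKCS#1 PEM, a constructed stand-in
// for the key GitHub issued; a deployment loads githubApp.privateKey instead.
func DemoKey() (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return key, pemBytes, nil
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// AppJWT signs an RS256 JWT for appID, valid from 60 s ago until 9 min from now.
func AppJWT(appID string, key *rsa.PrivateKey, now time.Time) (string, error) {
	header := b64url([]byte(`{"alg":"RS256","typ":"JWT"}`))
	payload, err := json.Marshal(appClaims{Iss: appID, Iat: now.Add(-60 * time.Second).Unix(), Exp: now.Add(9 * time.Minute).Unix()})
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64url(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// VerifyAppJWT checks the RS256 signature against the app's public key and returns the claims.
func VerifyAppJWT(token string, pub *rsa.PublicKey) (appClaims, error) {
	var c appClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed JWT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, err
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	err = json.Unmarshal(payload, &c)
	return c, err
}

// InstallationTokenRequest builds the exchange of the App JWT for an installation
// token. apiBase is https://api.github.com for GitHub Cloud; for GitHub Enterprise
// Server it is the configured endpoint followed by /api/v3.
func InstallationTokenRequest(apiBase, jwt, installationID string) (*http.Request, error) {
	endpoint := strings.TrimRight(apiBase, "/") + "/app/installations/" + installationID + "/access_tokens"
	req, err := http.NewRequest(http.MethodPost, endpoint, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+jwt)
	req.Header.Set("Accept", "application/vnd.github+json")
	return req, nil
}

func main() {
	key, pemBytes, err := DemoKey()
	if err != nil {
		panic(err)
	}
	parsed, err := ParsePrivateKey(pemBytes)
	if err != nil {
		panic(err)
	}
	tok, err := AppJWT("989473", parsed, time.Now()) // placeholder App ID from the config above
	if err != nil {
		panic(err)
	}
	if _, err := VerifyAppJWT(tok, &key.PublicKey); err != nil {
		panic(err)
	}
	req, _ := InstallationTokenRequest("https://api.github.com", tok, "54544692") // placeholder installation ID
	fmt.Println(req.Method, req.URL.String())
}
```

The installation token returned by that request is what actually reads repositories, and it expires on its own, so the only long-lived secret in the deployment is the private key in the config file.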
