We’re excited to announce the official open-source release of native Jenkins secret scanning to TruffleHog. This closely follows our recent release of a native ElasticSearch scanner, and we're thrilled to expand our capabilities further.
Note: While this integration is new to the open-source community, this feature has been a part of TruffleHog Enterprise for over a year. In response to several community requests, we decided to release our Jenkins integration publicly.
Why Secret Scanning in Jenkins?
In CI/CD pipelines, secrets can inadvertently leak through various channels, most commonly during pipeline execution and within log files. Identifying and mitigating these leaks is crucial to maintaining your project's security posture. TruffleHog’s new integration for Jenkins aims to simplify and automate this process.
Scanning Jenkins Logs for Secrets
To start scanning your Jenkins logs, you’ll need the server’s IP address or domain, along with your username and password. Here’s the command to run:
If your server does not require authentication (side note: it really should, and we have research coming next week documenting why), you can run the following command:
The output should look familiar to other TruffleHog commands.
In addition to the typical secret details, TruffleHog lists the build number, project name and a direct link to the log containing the exposed secret.
What’s Scanned?
When thinking about CI/CD pipelines, secrets typically leak in one of two places:
Inside the actual pipeline during execution.
Inside log files.
For several years, our open-source community has been able to call TruffleHog from within any CI/CD pipeline to search for secrets using the git command. For example:
With this new release, TruffleHog can natively scan build log data (referred to as Console Output inside the Jenkins UI).
Simplified Workflow
Before this release, users had to download each log file to disk and then run TruffleHog’s file system command. Now, you simply point TruffleHog at a Jenkins server, and the log data (Console Output) from all builds is checked for secrets.
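As an added illustration of the manual workflow this release replaces (example code written for this post, not TruffleHog’s or Jenkins’ own), the script below walks every job and build through Jenkins’ JSON API, including jobs nested in folders, and saves each build’s Console Output under <project>/<build>.log so a directory scan can be run over it. The server host is a placeholder, the responses are constructed, and the fetch callable is injected so it runs offline; a real fetch would add the username and API token mentioned above.

```python
import json
import pathlib
import tempfile
# Jenkins "tree" filter: jobs, their builds, and one level of nested folder jobs.
TREE = "jobs[name,url,builds[number,url],jobs[name,url,builds[number,url]]]"

def iter_builds(root_url, fetch):
    """Yield (project, build_number, build_url) for every build. fetch(url) -> body is
    injected so this runs offline; a real one adds HTTP Basic auth (user + API token)."""
    body = json.loads(fetch(root_url.rstrip("/") + "/api/json?tree=" + TREE))

    def walk(jobs, prefix=""):
        for job in jobs:
            name = prefix + job["name"]
            for build in job.get("builds", []):
                yield name, build["number"], build["url"]
            # Folder-type items carry a nested "jobs" list instead of builds.
            yield from walk(job.get("jobs", []), name + "/")

    yield from walk(body.get("jobs", []))

def download_logs(root_url, out_dir, fetch):
    """Save each build's Console Output as <out_dir>/<project>/<build>.log."""
    written = []
    for project, number, build_url in iter_builds(root_url, fetch):
        path = pathlib.Path(out_dir) / project / f"{number}.log"
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(fetch(build_url.rstrip("/") + "/consoleText"))
        written.append(path)
    return written

# Constructed stand-in for a server (placeholder host, not real Jenkins data).
BASE = "https://jenkins.example.invalid"
FAKE_SERVER = {
    f"{BASE}/api/json?tree={TREE}": json.dumps({"jobs": [
        {"name": "api", "url": f"{BASE}/job/api/",
         "builds": [{"number": 7, "url": f"{BASE}/job/api/7/"}]},
        {"name": "team", "url": f"{BASE}/job/team/", "jobs": [
            {"name": "web", "url": f"{BASE}/job/team/job/web/",
             "builds": [{"number": 3, "url": f"{BASE}/job/team/job/web/3/"}]}]}]}),
    f"{BASE}/job/api/7/consoleText": "Started by user admin\n+ echo token=EXAMPLE_PLACEHOLDER\n",
    f"{BASE}/job/team/job/web/3/consoleText": "Started by timer\nFinished: SUCCESS\n",
}

def demo():
    """Run the offline walk into a temp dir; return the relative log paths written."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = download_logs(BASE, tmp, lambda url: FAKE_SERVER[url])
        return [p.relative_to(tmp).as_posix() for p in paths]
```

The resulting directory is what the old "download, then scan the file system" step operated on; the native Jenkins source now performs this walk and the scan in one command.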
Join Our Community
We love our open-source community. If you have ideas for improving the Jenkins scanner, please open a PR or Issue. We’re happy to look into making this integration even better!
Conclusion
By incorporating native Jenkins secret scanning, TruffleHog continues to enhance its capabilities in securing CI/CD pipelines. We look forward to your feedback and contributions!