I couldn't find anything comparable to Trufflehog for Docker images, even though I have constantly read articles about "secrets discovered in public images." So I built my own (hopefully) comparable tool.
But trufflehog supports docker images already? The trufflehog readme has examples[0]
# to scan from a remote registry
trufflehog docker --image trufflesecurity/secrets
# to scan from the local docker daemon
trufflehog docker --image docker://new_image:tag
# to scan from an image saved as a tarball
trufflehog docker --image file://path_to_image.tar
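The tarball case above is the easiest one to reason about, so here is an added example (not trufflehog's or layerleak's code) of what a layer-aware secret scan does with a `docker save` archive: it walks `manifest.json`, opens each layer tar in turn, runs a few illustrative regexes over every regular file, and records whiteout entries (`.wh.<name>`) so that a file deleted in a later layer is still reported, because the earlier layer keeps it. The two-layer image, the secret patterns and the sample values are constructed for the example, and nothing in it needs a docker daemon.

```python
import io
import json
import re
import tarfile

# Illustrative rules (constructed); a real scanner carries far more and verifies hits.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "private_key_block": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_token_assignment": re.compile(
        rb"(?i)(?:api[_-]?key|secret|token)\s*[=:]\s*['\"]?[A-Za-z0-9_\-]{16,}"),
}


def _tar_bytes(entries):
    """Build an in-memory tar from {name: bytes}; only used to construct the sample image."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Constructed two-layer image in `docker save` layout (manifest.json + one tar per layer)."""
    layer1 = _tar_bytes({
        "app/config.env": b"DB_HOST=db\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
        "app/main.py": b"print('hello')\n",
    })
    # Layer 2 "deletes" config.env with a whiteout entry; layer 1 still carries the file.
    layer2 = _tar_bytes({
        "app/.wh.config.env": b"",
        "app/main.py": b"print('hello v2')\n",
    })
    manifest = json.dumps([{
        "Config": "cfg.json",
        "RepoTags": ["example/app:latest"],
        "Layers": ["l1/layer.tar", "l2/layer.tar"],
    }]).encode()
    return _tar_bytes({"manifest.json": manifest, "cfg.json": b"{}",
                       "l1/layer.tar": layer1, "l2/layer.tar": layer2})


def scan_image_tar(image_bytes, max_file_size=5_000_000):
    """Scan every layer of a saved image.

    Returns (findings, whiteouts): findings is a list of dicts with layer, path,
    rule and match; whiteouts is the set of paths some layer marked as deleted.
    """
    findings = []
    whiteouts = set()
    with tarfile.open(fileobj=io.BytesIO(image_bytes), mode="r") as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for entry in manifest:
            for layer_name in entry["Layers"]:
                layer_blob = image.extractfile(layer_name).read()
                with tarfile.open(fileobj=io.BytesIO(layer_blob), mode="r") as layer:
                    for member in layer.getmembers():
                        base = member.name.rsplit("/", 1)[-1]
                        if base.startswith(".wh."):
                            # Whiteout: the named file is removed from this layer onward.
                            whiteouts.add(member.name.replace(".wh.", "", 1))
                            continue
                        if not member.isfile() or member.size > max_file_size:
                            continue
                        data = layer.extractfile(member).read()
                        for rule, pattern in SECRET_PATTERNS.items():
                            for m in pattern.finditer(data):
                                findings.append({
                                    "layer": layer_name,
                                    "path": member.name,
                                    "rule": rule,
                                    "match": m.group(0).decode(errors="replace"),
                                })
    return findings, whiteouts


def deleted_but_still_present(findings, whiteouts):
    """Findings in files a later layer removed: absent from a running container, present in the image."""
    return [f for f in findings if f["path"] in whiteouts]


if __name__ == "__main__":
    found, removed = scan_image_tar(build_sample_image())
    for f in found:
        flag = " (deleted in a later layer)" if f["path"] in removed else ""
        print(f"{f['layer']}: {f['path']} [{f['rule']}] {f['match']}{flag}")
```

To run it on a real archive, replace `build_sample_image()` with the bytes of a `docker save` tarball; the whiteout bookkeeping is what makes the "secret was removed in a later RUN step" case show up, which a scan of the flattened filesystem would miss.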
That aside, I just tested against trufflehog myself. It did take about 10-15% longer for a scan to complete, but this is expected. Layerleak is scanning any additional or deleted tags found for the digest while trufflehog only scans the one. I am proud of the project, so I am showing it off. If you don't like it, don't use it :)
The first line of the GitHub README is much better IMO: layerleak the Docker Hub Secret Scanner
layerleak has neither of those issues or requirements.
Try it and let me know what you think.
Nothing in his message says it requires the docker daemon? It says it can scan an image from a docker daemon if you want.
I just tried it myself and it doesn't require docker at all; you don't need anything docker-related installed on the system.
I tried them both to compare:
- trufflehog: 19 seconds
- layerleak: 26 seconds
" # to scan from the local docker daemon"
Thanks for checking it out.