GitHub Trufflehog activity
Goal
Detects usage of Trufflehog credential scanning tool against GitHub repositories.
Strategy
This rule monitors GitHub audit logs for user agent strings associated with Trufflehog use. The detection creates higher severity alerts when Trufflehog usage is combined with VPN or tunnel usage marked as suspicious or malicious by threat intelligence. Trufflehog is a legitimate security tool used to detect exposed credentials in code repositories; however, unauthorized usage may indicate reconnaissance activity or credential harvesting attempts.
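The matching logic described above, as an added Python sketch that is not Datadog's rule implementation: it reads constructed GitHub audit-log JSON lines, fires on a Trufflehog user agent, and raises severity when the event carries a threat-intel enrichment marking the source as a suspicious or malicious VPN/tunnel. The field names (`user_agent`, `threat_intel`) and the sample events are assumptions.

```python
import json
import re
from typing import Optional

# Trufflehog sets a recognisable User-Agent; match it case-insensitively.
TRUFFLEHOG_UA = re.compile(r"trufflehog", re.IGNORECASE)

# Constructed sample audit-log lines (not real data); the threat_intel block is an
# assumed enrichment that flags the source IP as a VPN/tunnel exit with a verdict.
SAMPLE_EVENTS = [
    '{"actor": "alice", "action": "git.clone", "repo": "acme/payments", "user_agent": "TruffleHog/3.63.0", '
    '"source_ip": "203.0.113.10", "threat_intel": {"vpn_or_tunnel": true, "verdict": "suspicious"}}',
    '{"actor": "bob", "action": "git.clone", "repo": "acme/website", "user_agent": "trufflehog", '
    '"source_ip": "198.51.100.7", "threat_intel": {"vpn_or_tunnel": false, "verdict": null}}',
    '{"actor": "carol", "action": "git.clone", "repo": "acme/website", "user_agent": "git/2.43.0", '
    '"source_ip": "198.51.100.8", "threat_intel": {"vpn_or_tunnel": false, "verdict": null}}',
]


def classify(event: dict) -> Optional[str]:
    """Return a severity for one audit event, or None if the rule does not fire."""
    if not TRUFFLEHOG_UA.search(event.get("user_agent") or ""):
        return None
    ti = event.get("threat_intel") or {}
    # Trufflehog plus a flagged VPN/tunnel source escalates the alert.
    if ti.get("vpn_or_tunnel") and ti.get("verdict") in ("suspicious", "malicious"):
        return "high"
    return "medium"


def detect(lines):
    """Run the rule over raw JSON lines; return alerts as (actor, repo, severity) dicts."""
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line instead of dropping the whole batch
        sev = classify(ev)
        if sev:
            alerts.append({"actor": ev.get("actor"), "repo": ev.get("repo"), "severity": sev})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```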
Triage and response
- Verify if {{@github.actor}} has legitimate authorization to perform security scanning activities on the affected repositories.
- Review the specific repositories that were scanned to determine if they contain sensitive or proprietary code.
- Examine any VPN or tunnel usage associated with the scanning activity to determine if it originates from expected security team infrastructure.
- Determine if any credentials or secrets were actually discovered and potentially compromised during the scanning activity.