GitHub Trufflehog activity

Goal

Detects use of the Trufflehog credential-scanning tool against GitHub repositories.

Strategy

This rule monitors GitHub audit logs for user agent strings associated with Trufflehog. The detection raises a higher-severity alert when the Trufflehog activity originates from a VPN or tunnel that threat intelligence has marked as suspicious or malicious. Trufflehog is a legitimate security tool used to find exposed credentials in code repositories; however, unauthorized use may indicate reconnaissance or an attempt to harvest credentials.
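The detection logic described above, as an added example that is not part of this rule's own implementation: it reads newline-delimited GitHub audit-log events, matches the Trufflehog user agent, and escalates severity when the source IP is a VPN or tunnel flagged by threat intelligence. The field names (actor, actor_ip, user_agent, repo) and the threat-intel table are assumptions; the log lines are constructed sample data.

```python
import json
import re
from typing import Iterable, List, Optional

# Trufflehog identifies itself in the User-Agent header; match loosely so that
# version suffixes do not slip past the rule (assumption: the agent string
# contains the product name).
TRUFFLEHOG_UA = re.compile(r"trufflehog", re.IGNORECASE)

# Constructed threat-intel table: source IP -> (category, verdict).
# A real deployment would query a TI feed; this stub stands in for it.
THREAT_INTEL = {
    "203.0.113.10": ("vpn", "suspicious"),
    "198.51.100.7": ("tunnel", "malicious"),
    "192.0.2.5": ("vpn", "benign"),
}


def classify(event: dict) -> Optional[dict]:
    """Return an alert dict for a Trufflehog audit event, or None if no match."""
    if not TRUFFLEHOG_UA.search(event.get("user_agent", "")):
        return None
    category, verdict = THREAT_INTEL.get(event.get("actor_ip", ""), (None, None))
    # Escalate only when the source is a VPN/tunnel that TI marks suspicious or malicious.
    escalate = category in ("vpn", "tunnel") and verdict in ("suspicious", "malicious")
    reason = "Trufflehog user agent"
    if escalate:
        reason += f" via {verdict} {category}"
    return {
        "actor": event.get("actor"),
        "repo": event.get("repo"),
        "severity": "high" if escalate else "medium",
        "reason": reason,
    }


def run_rule(lines: Iterable[str]) -> List[dict]:
    """Apply the rule to newline-delimited JSON audit-log lines."""
    alerts = []
    for line in lines:
        if line.strip():
            alert = classify(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample audit-log lines (not real data).
SAMPLE_LOG = """
{"action":"git.clone","actor":"alice","actor_ip":"192.0.2.5","repo":"org/app","user_agent":"TruffleHog/3.63.0"}
{"action":"git.clone","actor":"bob","actor_ip":"198.51.100.7","repo":"org/infra","user_agent":"trufflehog"}
{"action":"git.clone","actor":"carol","actor_ip":"203.0.113.10","repo":"org/app","user_agent":"git/2.43.0"}
"""
```

Running `run_rule(SAMPLE_LOG.splitlines())` yields a medium alert for alice (benign VPN) and a high alert for bob (malicious tunnel); carol's ordinary git clone produces none.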

Triage and response

  • Verify if {{@github.actor}} has legitimate authorization to perform security scanning activities on the affected repositories.
  • Review the specific repositories that were scanned to determine if they contain sensitive or proprietary code.
  • Examine any VPN or tunnel usage associated with the scanning activity to determine if it originates from expected security team infrastructure.
  • Determine if any credentials or secrets were actually discovered and potentially compromised during the scanning activity.