Show HN: Layerleak – Like Trufflehog, but for Docker Hub

github.com

9 points by brumbelow a day ago · 8 comments

darknavi a day ago

A small ask: Don't have the main tagline for your product refer to another product. I know what Docker Hub is, but I have no idea what Trufflehog is.

The first line of the GitHub README is much better IMO: layerleak the Docker Hub Secret Scanner

  • brumbelowOP a day ago

    Thanks for the advice! Did not even consider that. I just updated it.

brumbelowOP a day ago

I couldn't find anything comparable to Trufflehog for Docker images, even though I have constantly read articles about "secrets discovered in public images." So I built my own (hopefully) comparable tool.

  • captn3m0 a day ago

    But trufflehog supports docker images already? The trufflehog readme has examples[0]

        # to scan from a remote registry
        trufflehog docker --image trufflesecurity/secrets

        # to scan from the local docker daemon
        trufflehog docker --image docker://new_image:tag

        # to scan from an image saved as a tarball
        trufflehog docker --image file://path_to_image.tar

    [0]: https://github.com/trufflesecurity/trufflehog#11-scan-a-dock...

    • brumbelowOP a day ago

      That's true, but as you can see from your paste, Trufflehog requires the docker daemon and is generally pretty resource intensive while scanning.

      layerleak has neither of those issues or requirements.

      Try it and let me know what you think.

      • KomoD 21 hours ago

        > That's true, but as you can see from your paste, Trufflehog requires the docker daemon and is generally pretty resource intensive while scanning.

        Nothing in his message says it requires the docker daemon? It says it can scan an image from a docker daemon if you want.

        I just tried myself and it doesn't require docker at all, you don't need anything docker related even installed on the system.

        I tried them both to compare:

        - trufflehog: 19 seconds

        - layerleak: 26 seconds

        • brumbelowOP 20 hours ago

          His paste literally says...

          " # to scan from the local docker daemon"

          That aside, I just tested against trufflehog myself. It did take about 10-15% longer for a scan to complete, but this is expected. Layerleak is scanning any additional or deleted tags found for the digest while trufflehog only scans the one. I am proud of the project, so I am showing it off. If you don't like it, don't use it :)

          Thanks for checking it out.

          • KomoD 19 hours ago

            Yeah, like I explained, you CAN use an image from a docker daemon if you WANT to:

                trufflehog docker --image docker://new_image:tag

            If you don't want to scan from a docker daemon, then you can pull from docker hub:

                trufflehog docker --image trufflesecurity/secrets

            or from a tarball:

                trufflehog docker --image file://path_to_image.tar
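The thread turns on whether an image can be scanned for secrets without a Docker daemon. The block below is an added example written for this page; it is not layerleak's or Trufflehog's code. It fetches layer blobs straight from Docker Hub's Registry v2 HTTP API (that fetcher needs network and is optional), scans each layer tarball independently with a few illustrative regex detectors (assumed patterns, not any tool's rule set), and flags a hit whose file a later layer whited out. That last case is how "deleted" secrets survive in public images: `RUN rm .env` adds a whiteout entry in a new layer, but the bytes stay in the earlier layer blob. The sample layers are constructed in memory so the example runs offline.

```python
"""Scan Docker image layers for secrets, layer by layer, with no Docker daemon.

Added example (not layerleak's or trufflehog's code). Layers are plain
tarballs (usually gzipped) that any HTTP client can fetch from a registry.
"""
import io
import json
import re
import tarfile
import urllib.request

# Illustrative detectors, constructed for this example; real scanners ship hundreds.
DETECTORS = {
    "aws_access_key_id": re.compile(rb"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github_pat": re.compile(rb"\bghp_[A-Za-z0-9]{36}\b"),
}
WHITEOUT = ".wh."          # overlay whiteout prefix: dir/.wh.name means dir/name was deleted
MAX_FILE = 8 * 1024 * 1024  # skip huge binaries; regexes over them are slow and rarely useful


def scan_layer(layer_blob: bytes, layer_idx: int) -> tuple[list[dict], set[str]]:
    """Scan one layer tarball (gzip/bz2/xz/plain). Returns (findings, paths whited out here)."""
    findings, whiteouts = [], set()
    with tarfile.open(fileobj=io.BytesIO(layer_blob), mode="r:*") as tar:
        for member in tar:
            name = member.name[2:] if member.name.startswith("./") else member.name
            base = name.rsplit("/", 1)[-1]
            if base.startswith(WHITEOUT):
                # e.g. app/.wh..env marks app/.env as deleted in this layer.
                # (opaque-dir markers .wh..wh..opq land here too; harmless for our purpose)
                whiteouts.add(name[: len(name) - len(base)] + base[len(WHITEOUT):])
                continue
            if not member.isfile() or member.size > MAX_FILE:
                continue
            data = tar.extractfile(member).read()
            for kind, pat in DETECTORS.items():
                for m in pat.finditer(data):
                    findings.append({"layer": layer_idx, "path": name, "type": kind,
                                     "match": m.group(0).decode("ascii", "replace")})
    return findings, whiteouts


def scan_image(layers: list[bytes]) -> list[dict]:
    """Scan every layer; mark findings whose file a LATER layer deleted (still leaks)."""
    per_layer = [scan_layer(blob, i) for i, blob in enumerate(layers)]
    results = []
    for i, (findings, _) in enumerate(per_layer):
        later_whiteouts = set().union(*(w for _, w in per_layer[i + 1:]))
        for f in findings:
            f["deleted_later"] = f["path"] in later_whiteouts
            results.append(f)
    return results


def fetch_dockerhub_layers(repo: str, ref: str = "latest") -> list[bytes]:
    """Pull layer blobs via the Registry v2 API (network; not exercised by the offline test).

    repo is e.g. "library/alpine". Anonymous pull tokens come from auth.docker.io.
    """
    tok = json.load(urllib.request.urlopen(
        f"https://auth.docker.io/token?service=registry.docker.io&scope=repository:{repo}:pull"))["token"]

    def get(path: str, accept: str) -> bytes:
        req = urllib.request.Request(f"https://registry-1.docker.io/v2/{repo}/{path}",
                                     headers={"Authorization": f"Bearer {tok}", "Accept": accept})
        return urllib.request.urlopen(req).read()

    accept = ", ".join(["application/vnd.docker.distribution.manifest.v2+json",
                        "application/vnd.docker.distribution.manifest.list.v2+json",
                        "application/vnd.oci.image.manifest.v1+json",
                        "application/vnd.oci.image.index.v1+json"])
    manifest = json.loads(get(f"manifests/{ref}", accept))
    if "manifests" in manifest:  # multi-platform index: pick linux/amd64
        digest = next(m["digest"] for m in manifest["manifests"]
                      if m.get("platform", {}).get("os") == "linux"
                      and m.get("platform", {}).get("architecture") == "amd64")
        manifest = json.loads(get(f"manifests/{digest}", accept))
    return [get(f"blobs/{layer['digest']}", "*/*") for layer in manifest["layers"]]


def build_layer(files: dict[str, bytes]) -> bytes:
    """Constructed sample layer: gzipped tar of a path -> content map."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed two-layer image: layer 0 COPYs a .env with the AWS docs' example key,
# layer 1 is the result of `RUN rm app/.env`, which only adds a whiteout entry.
SAMPLE_LAYERS = [
    build_layer({"app/main.py": b"print('hi')\n",
                 "app/.env": b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"}),
    build_layer({"app/.wh..env": b""}),
]

if __name__ == "__main__":
    for hit in scan_image(SAMPLE_LAYERS):
        print(hit)
```

Swap `SAMPLE_LAYERS` for `fetch_dockerhub_layers("library/alpine")` to scan a real public image; nothing docker-related needs to be installed, which is the point both sides of the thread are making. Scanning per layer rather than the flattened filesystem is what surfaces the whited-out `.env`.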
