trufflesecurity / trufflehog

Find, verify, and analyze leaked credentials
https://trufflesecurity.com
GNU Affero General Public License v3.0

Azure Storage Account Blob Container Scanning Support #769

Open sfunkernw opened 2 years ago

sfunkernw commented 2 years ago

Feature Request

In addition to the AWS S3 bucket scanning mode, it would be great if TruffleHog would also support the same for Azure Cloud's Storage Account Blob Container.

Problem to be Addressed

It's tedious to download all the Azure Storage Account Blob container contents manually to run TruffleHog on it.

nerijus commented 1 year ago

Not only Azure, but any S3 provider - for example wasabi, Digital Ocean, etc.

IAMTHAT-IAM commented 3 months ago

To add support for scanning Azure Storage Account Blob Containers with TruffleHog, here's a solution you can implement:

  1. Use Azure CLI or PowerShell for automation: Instead of manually downloading blob contents, automate the process using Azure CLI or PowerShell. You can list and manage blob containers, and retrieve their properties and metadata using these tools.

  2. Generate a Shared Access Signature (SAS): Generate a SAS token to provide secure, temporary access to your blob storage. This allows TruffleHog to access the blob contents without exposing your account key. Be sure to set appropriate permissions and expiry times to ensure security.

  3. Set up a script: Create a script to iterate through your blob containers, download the contents to a local directory, and run TruffleHog on the downloaded data. This can be done using a combination of Azure CLI commands and a scripting language like Bash or Python.

Here's a basic outline of the steps you would follow:

Using Azure CLI

  1. List containers:
    az storage container list --account-name <your-storage-account> --auth-mode key
  2. Generate SAS token:
    az storage container generate-sas --account-name <your-storage-account> --name <container-name> --permissions lr --expiry <expiry-date>
  3. Download blobs:
    az storage blob download-batch --source <container-name> --destination <local-path> --account-name <your-storage-account> --sas-token <sas-token>
  4. Run TruffleHog:
    trufflehog filesystem <local-path>

Using PowerShell

  1. Authenticate and list containers:
    $context = New-AzStorageContext -StorageAccountName <your-storage-account> -UseConnectedAccount
    $containers = Get-AzStorageContainer -Context $context
  2. Generate SAS token:
    $sas = New-AzStorageContainerSASToken -Name <container-name> -Context $context -Permission r -ExpiryTime (Get-Date).AddDays(1)
  3. Download blobs:
    # Get-AzStorageBlobContent has no -SASToken parameter; wrap the SAS in its own storage context instead
    $sasContext = New-AzStorageContext -StorageAccountName <your-storage-account> -SasToken $sas
    Get-AzStorageBlobContent -Container <container-name> -Blob <blob-name> -Destination <local-path> -Context $sasContext
  4. Run TruffleHog:
    trufflehog filesystem <local-path>

By automating these steps, you can efficiently scan Azure Blob Storage with TruffleHog without manually downloading each blob. For more detailed guidance, you can refer to the Azure documentation and TruffleHog's GitHub page.
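The iterate, download and scan procedure from the comment above as one added PowerShell script; it is not code from the issue or from the trufflehog project. It goes beyond the single-blob step shown by walking every container in the account, minting a one-hour read+list SAS per container and removing the local copy after scanning. It assumes the Az.Storage module, a session already signed in with Connect-AzAccount under an identity allowed to list containers and generate a user delegation key, and trufflehog on PATH; $StorageAccount, $ScanRoot and the result file names are placeholders.

```powershell
# Added example: scan every blob container of one storage account with TruffleHog.
# Assumes Az.Storage, Connect-AzAccount already done, trufflehog on PATH.
param(
    [Parameter(Mandatory)] [string] $StorageAccount,   # placeholder: your account name
    [string] $ScanRoot = (Join-Path ([System.IO.Path]::GetTempPath()) 'trufflehog-azblob')
)

$ErrorActionPreference = 'Stop'

# Identity-based context: the script never reads or stores the account key.
$ctx = New-AzStorageContext -StorageAccountName $StorageAccount -UseConnectedAccount

foreach ($container in Get-AzStorageContainer -Context $ctx) {
    $name   = $container.Name
    $target = Join-Path $ScanRoot $name
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    # Least privilege: read + list only, scoped to this container, expires in one hour.
    # With an OAuth context this is a user delegation SAS, so the signed-in identity
    # needs a role that can generate a user delegation key (e.g. Storage Blob Delegator).
    $sas = New-AzStorageContainerSASToken -Name $name -Context $ctx `
        -Permission rl -ExpiryTime (Get-Date).AddHours(1)
    $sasCtx = New-AzStorageContext -StorageAccountName $StorageAccount -SasToken $sas

    Write-Host "Downloading container '$name' to $target"
    # Piping the blob listing preserves virtual directories as subfolders on disk.
    Get-AzStorageBlob -Container $name -Context $sasCtx |
        Get-AzStorageBlobContent -Destination $target -Force | Out-Null

    Write-Host "Scanning '$name' with TruffleHog"
    $report = Join-Path $ScanRoot "$name.trufflehog.json"   # placeholder output name
    trufflehog filesystem $target --json | Tee-Object -FilePath $report | Out-Null

    # Remove the plaintext copy so any secrets found do not linger on the scanning host.
    Remove-Item -Path $target -Recurse -Force
}

Write-Host "Done. JSON findings per container are under $ScanRoot"
```

Findings stay in the per-container JSON files under $ScanRoot; treat that directory as sensitive, since it lists where the leaked credentials were found.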