Description
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
File systems, especially those on user endpoints, often contain files with plaintext credentials stored in them. However, filesystems tend to be quite large. Doing just one scan of a filesystem isn't sufficient for continuously monitoring for plaintext credentials on disk, but continuously scanning an entire filesystem or just one user's directory can be resource intensive. Having the ability to scan only new or modified files could help reduce the amount of resource utilization and speed up scan times for continuously scanning file systems.
Problem to be Addressed
I'm always frustrated when users at my company store secrets and other credentials in plaintext on their laptops. It makes it all too easy for an attacker to move laterally into systems associated with those credentials.
Description of the Preferred Solution
- TruffleHog is deployed on user endpoints (Windows, Mac, Linux) and configured to run on a schedule
- TruffleHog's first scan of the file system scans all files with "verified" mode enabled by default (and maybe also by only recursively targeting the user directories by default)
- Future scans only scan new files or modified files since the most recent scan
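One way to get the "only new or modified files" behaviour described above, as an added example that is not TruffleHog's own code: a wrapper keeps a JSON state file of (mtime_ns, size) per path between scheduled runs and hands the scanner only the paths whose signature is new or changed. The state-file location and the selection logic are assumptions of this example.

```python
"""Incremental file selection for a scheduled secret scan.

Added example, not TruffleHog's own code. A small JSON state file records
(mtime_ns, size) per path; each run returns only files that are new or
changed since the previous run, so the scanner is pointed at those alone.
"""
import json
import tempfile
from pathlib import Path

def snapshot(root: Path) -> dict:
    """Record mtime and size for every regular file under root (symlinks skipped)."""
    state = {}
    for p in root.rglob("*"):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            state[str(p)] = [st.st_mtime_ns, st.st_size]
    return state

def changed_files(previous: dict, current: dict) -> list:
    """Paths that are new, or whose mtime/size differ from the last scan.
    Caveat: a rewrite that preserves both mtime and size is not detected;
    hashing would catch it at the cost of reading every file again."""
    return sorted(p for p, sig in current.items() if previous.get(p) != sig)

def incremental_scan(root: Path, state_file: Path) -> list:
    """Return the paths to scan now and persist the new state.
    With no state file (first run) every file is returned, i.e. a full scan.
    In production, write the state only after the scanner exits cleanly,
    so a failed run does not silently drop files from the next one."""
    previous = json.loads(state_file.read_text()) if state_file.exists() else {}
    current = snapshot(root)
    targets = changed_files(previous, current)
    state_file.write_text(json.dumps(current))
    return targets

def demo() -> list:
    """Constructed scenario: full first run, unchanged second run, then one
    edited and one new file. Returns the file names selected per run."""
    with tempfile.TemporaryDirectory() as tmp:
        root, state = Path(tmp) / "home", Path(tmp) / "scan_state.json"
        root.mkdir()
        (root / "notes.txt").write_text("meeting at 10\n")
        (root / ".env").write_text("API_KEY=placeholder\n")  # constructed, not a real key
        runs = [incremental_scan(root, state), incremental_scan(root, state)]
        (root / ".env").write_text("API_KEY=placeholder-rotated\n")
        (root / "new.cfg").write_text("token=placeholder\n")
        runs.append(incremental_scan(root, state))
        return [[Path(p).name for p in run] for run in runs]
```

The returned paths would then be passed to the scanner on each scheduled run (for TruffleHog, the `filesystem` subcommand with its verified-only option is assumed to accept them); the first run with no state file degenerates to the full scan the bullets above describe.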