
Commit 69c370a

devatsecureclaude
andcommitted
feat: Enable all phases by default and wire TruffleHog scanner
Enable DAST, fuzzing, runtime security, collaborative reasoning, AI enrichment, and TruffleHog secret scanning by default. All phases now run out-of-the-box for complete security coverage. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent e70bf28 commit 69c370a

2 files changed

Lines changed: 50 additions & 10 deletions


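--- a/scripts/hybrid/cli.py
+++ b/scripts/hybrid/cli.py
@@ -62,18 +62,19 @@ def main():
     parser.add_argument("--enable-semgrep", action="store_true", default=True, help="Enable Semgrep SAST")
     parser.add_argument("--enable-trivy", action="store_true", default=True, help="Enable Trivy CVE scanning")
     parser.add_argument("--enable-checkov", action="store_true", default=True, help="Enable Checkov IaC scanning")
+    parser.add_argument("--enable-trufflehog", action="store_true", default=True, help="Enable TruffleHog secret scanning")
     parser.add_argument("--enable-api-security", action="store_true", default=True, help="Enable API Security scanning")
-    parser.add_argument("--enable-dast", action="store_true", default=False, help="Enable DAST scanning")
+    parser.add_argument("--enable-dast", action="store_true", default=True, help="Enable DAST scanning")
     parser.add_argument("--enable-supply-chain", action="store_true", default=True, help="Enable Supply Chain Attack Detection")
-    parser.add_argument("--enable-fuzzing", action="store_true", default=False, help="Enable Intelligent Fuzzing Engine")
+    parser.add_argument("--enable-fuzzing", action="store_true", default=True, help="Enable Intelligent Fuzzing Engine")
     parser.add_argument("--enable-threat-intel", action="store_true", default=True, help="Enable Threat Intelligence Enrichment")
     parser.add_argument("--enable-remediation", action="store_true", default=True, help="Enable Automated Remediation Engine")
-    parser.add_argument("--enable-runtime-security", action="store_true", default=False, help="Enable Container Runtime Security Monitoring")
+    parser.add_argument("--enable-runtime-security", action="store_true", default=True, help="Enable Container Runtime Security Monitoring")
     parser.add_argument("--enable-regression-testing", action="store_true", default=True, help="Enable Security Regression Testing")
     parser.add_argument(
         "--enable-ai-enrichment",
         action="store_true",
-        default=False,
+        default=True,
         help="Enable AI enrichment with Claude/OpenAI",
     )
     parser.add_argument(
@@ -102,8 +103,8 @@ def main():
     parser.add_argument(
         "--enable-collaborative-reasoning",
         action="store_true",
-        default=False,
-        help="Enable collaborative reasoning (multi-agent discussion, adds cost)",
+        default=True,
+        help="Enable collaborative reasoning (multi-agent discussion)",
     )
     parser.add_argument(
         "--enable-disclosure-report",
@@ -139,6 +140,7 @@ def main():
 
     # Read feature flags from environment variables (GitHub Action inputs)
     # These override defaults but are overridden by explicit CLI args
+    enable_trufflehog = get_bool_env("ENABLE_TRUFFLEHOG", args.enable_trufflehog)
     enable_api_security = get_bool_env("ENABLE_API_SECURITY", args.enable_api_security)
     enable_dast = get_bool_env("ENABLE_DAST", args.enable_dast)
     enable_supply_chain = get_bool_env("ENABLE_SUPPLY_CHAIN", args.enable_supply_chain)
@@ -168,6 +170,7 @@ def main():
     # Initialize analyzer
     analyzer = HybridSecurityAnalyzer(
         enable_semgrep=args.enable_semgrep,
+        enable_trufflehog=enable_trufflehog,
         enable_trivy=args.enable_trivy,
         enable_checkov=args.enable_checkov,
         enable_api_security=enable_api_security,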
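Review bot: Every `--enable-*` flag this hunk flips to `default=True` keeps `action="store_true"`, so passing the flag and omitting it both yield True and there is no command-line way to turn DAST, fuzzing, runtime monitoring, AI enrichment or collaborative reasoning off; the comment in the `@@ -139` hunk that explicit CLI args override the environment no longer describes anything a user can do. These are exactly the phases a user most needs to opt out of: DAST and fuzzing actively exercise a target, and the AI-enrichment help text says it sends data to Claude/OpenAI, so an opt-out only via `ENABLE_*` environment variables (and none at all for flags passed straight from `args`, such as `--enable-semgrep`) is too thin for defaults with external side effects. I would give each flag a real negative, e.g. `parser.add_argument("--enable-dast", action=argparse.BooleanOptionalAction, default=True, help="Enable DAST scanning")` (Python 3.9+, yields `--no-enable-dast`), or add explicit `--disable-*` flags, and restore the "adds cost" caveat the commit drops from the collaborative-reasoning help text since the cost is unchanged. `main()` starts and ends outside these hunks.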

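--- a/scripts/hybrid_analyzer.py
+++ b/scripts/hybrid_analyzer.py
@@ -148,19 +148,20 @@ def __init__(
         enable_trivy: bool = True,
         enable_checkov: bool = True,
         enable_api_security: bool = True,
-        enable_dast: bool = False,
+        enable_dast: bool = True,
         enable_supply_chain: bool = True,
-        enable_fuzzing: bool = False,
+        enable_fuzzing: bool = True,
         enable_threat_intel: bool = True,
         enable_remediation: bool = True,
-        enable_runtime_security: bool = False,
+        enable_runtime_security: bool = True,
         enable_regression_testing: bool = True,
         enable_ai_enrichment: bool = True,
         enable_argus: bool = False, # Use existing argus if needed
         enable_sandbox: bool = True, # Validate exploits in Docker sandbox
         enable_multi_agent: bool = True, # Use specialized agent personas
         enable_spontaneous_discovery: bool = True, # Discover issues beyond scanner rules
-        enable_collaborative_reasoning: bool = False, # Multi-agent discussion (opt-in, more expensive)
+        enable_collaborative_reasoning: bool = True, # Multi-agent discussion
+        enable_trufflehog: bool = True, # TruffleHog verified secret detection
         enable_iris: bool = True, # IRIS-style semantic analysis (arXiv 2405.17238)
         ai_provider: Optional[str] = None,
         dast_target_url: Optional[str] = None,
@@ -213,6 +214,7 @@ def __init__(
         self.enable_multi_agent = enable_multi_agent
         self.enable_spontaneous_discovery = enable_spontaneous_discovery
         self.enable_collaborative_reasoning = enable_collaborative_reasoning
+        self.enable_trufflehog = enable_trufflehog
         self.enable_iris = enable_iris
         self.ai_provider = ai_provider
         self.dast_target_url = dast_target_url
@@ -232,6 +234,7 @@ def __init__(
         self.remediation_engine = None
         self.runtime_security_monitor = None
         self.regression_tester = None
+        self.trufflehog_scanner = None
         self.sandbox_validator = None
         self.ai_client = None
 
@@ -332,6 +335,16 @@ def __init__(
             logger.warning(f"⚠️ Semgrep scanner not available: {e}")
             self.enable_semgrep = False
 
+        if self.enable_trufflehog:
+            try:
+                from trufflehog_scanner import TruffleHogScanner
+
+                self.trufflehog_scanner = TruffleHogScanner()
+                logger.info("✅ TruffleHog scanner initialized")
+            except (ImportError, RuntimeError) as e:
+                logger.warning(f"⚠️ TruffleHog scanner not available: {e}")
+                self.enable_trufflehog = False
+
         if self.enable_trivy:
             try:
                 from trivy_scanner import TrivyScanner
@@ -539,6 +552,30 @@ def analyze(
                 logger.error(f" ❌ Semgrep scan failed: {e}")
                 logger.info(" 💡 Continuing with other scanners...")
 
+        # Run TruffleHog
+        if self.enable_trufflehog and self.trufflehog_scanner:
+            try:
+                logger.info(" 🔍 Running TruffleHog secret scanner...")
+                th_result = self.trufflehog_scanner.scan(str(target_path), scan_type="filesystem")
+                th_findings_raw = th_result.get("findings", [])
+                trufflehog_findings = []
+                for f in th_findings_raw:
+                    trufflehog_findings.append(HybridFinding(
+                        finding_id=f"trufflehog-{f.get('detector_type', 'unknown')}-{len(trufflehog_findings)}",
+                        source_tool="trufflehog",
+                        severity="critical" if f.get("verified") else "high",
+                        category="secrets",
+                        title=f"Secret detected: {f.get('detector_type', 'Unknown')}",
+                        description=f"TruffleHog detected a {'verified' if f.get('verified') else 'potential'} {f.get('detector_name', 'secret')} in {f.get('file_path', 'unknown')}",
+                        file_path=f.get("file_path", ""),
+                        line_number=f.get("line"),
+                    ))
+                all_findings.extend(trufflehog_findings)
+                logger.info(f" ✅ TruffleHog: {len(trufflehog_findings)} secrets detected")
+            except Exception as e:
+                logger.error(f" ❌ TruffleHog scan failed: {e}")
+                logger.info(" 💡 Continuing with other scanners...")
+
         # Run Trivy
         if self.enable_trivy and self.trivy_scanner:
             try: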
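Review bot: The new TruffleHog call in `analyze` is hard-wired to `scan_type="filesystem"`, which (assuming `TruffleHogScanner` maps this onto TruffleHog's own `filesystem` source) only inspects the current working tree of `target_path`, so a credential that was committed and later deleted or rotated out of the tree — the most common real leak in a repository — is never reported, while TruffleHog's `git` source walks the full history. When the target is a git checkout I would scan history as well, e.g. `scan_type = "git" if (Path(target_path) / ".git").exists() else "filesystem"` before the `scan(...)` call, or run both and merge. A smaller point in the same loop: `finding_id` is built from `len(trufflehog_findings)`, so the same secret gets a different ID whenever result order changes, which defeats any dedup or suppression keyed on it; deriving the ID from `detector_type`, `file_path` and `line` would be stable across runs. The body of `analyze` starts and ends outside this hunk.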
