trufflehog
TruffleHog is a secrets scanner that searches git repositories, filesystems and other sources for credentials (passwords, API keys, tokens, private keys) that were committed or stored where they should not be. It combines regex detectors for known credential formats, Shannon-entropy filtering and live verification (each candidate is tried against the issuing service, so a verified hit means the credential is still valid) to separate real leaks from placeholder values.
Key Features:
- Git History Scanning: Deep analysis of entire git history including all branches, commits, and deleted files
- Entropy Analysis: Shannon-entropy filtering of unverified matches (--filter-entropy), which drops low-entropy placeholders such as "password" or "changeme" that a regex alone would report
- Pattern Matching: Extensive library of regex detectors for known secret formats from popular services
- Secret Verification: Validates detected secrets by attempting authentication against the actual service; this sends the candidate credential over the network, so use --no-verification where egress is not permitted or not wanted
- Multi-Source Support: Scans git repositories, filesystems, cloud storage, databases, and container images
- Custom Detectors: Extensible framework for adding organization-specific secret detection patterns
- Performance: Concurrent workers (--concurrency), per-detector timeouts and archive size/depth limits keep scans of large repositories bounded, so the tool suits continuous monitoring
- Detailed Reporting: JSON, legacy JSON and GitHub Actions output formats, with file context and verification status for each finding
- False Positive Management: --results, --filter-unverified, --filter-entropy and detector include/exclude lists reduce noise so that verified findings stand out
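A workspace .trufflehog.yml (the file REPOSITORY_TRUFFLEHOG_CONFIG_FILE points at by default) that adds an organisation-specific detector with its own verifier, as an added example rather than configuration from the MegaLinter or trufflehog projects. The schema (a detectors list with name, keywords, regex and verify entries) is trufflehog's documented custom-detector format; the acme_ token format, the keywords and the introspection endpoint are invented placeholders.

```yaml
# .trufflehog.yml -- added example, not from the MegaLinter or trufflehog docs.
# Schema follows trufflehog's custom-detector config (detectors / keywords /
# regex / verify); the token format, keywords and endpoint below are invented.
detectors:
  - name: AcmeInternalToken
    # Cheap pre-filter: a chunk must contain one of these strings before the
    # regexes are evaluated at all.
    keywords:
      - acme_
      - ACME_TOKEN
    # Named regexes; the capture group is the value that gets reported and
    # verified. Invented format: prefix, environment tag, 32 base62 characters.
    regex:
      token: '\b(acme_(?:prd|stg|dev)_[A-Za-z0-9]{32})\b'
    verify:
      # trufflehog POSTs the matches to this endpoint to decide "verified",
      # so point it only at a service you control. A plain http endpoint
      # additionally needs "unsafe: true". The URL and header are placeholders.
      - endpoint: https://tokens.acme.example/v1/introspect
        headers:
          - "Authorization: Bearer replace-with-the-verifier-service-credential"
```

Because verification ships every regex match to that endpoint, the endpoint credential itself should be a read-only introspection credential, and the file should be reviewed like any other piece of CI code.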
trufflehog documentation
- Version in MegaLinter: 3.90.11
- Visit Official Web Site
- See How to configure trufflehog rules
Configuration in MegaLinter
- Enable trufflehog by adding REPOSITORY_TRUFFLEHOG in the ENABLE_LINTERS variable
- Disable trufflehog by adding REPOSITORY_TRUFFLEHOG in the DISABLE_LINTERS variable
| Variable | Description | Default value | 
|---|---|---|
| REPOSITORY_TRUFFLEHOG_ARGUMENTS | User custom arguments to add in linter CLI call Ex: -s --foo "bar" | |
| REPOSITORY_TRUFFLEHOG_COMMAND_REMOVE_ARGUMENTS | User custom arguments to remove from command line before calling the linter Ex: -s --foo "bar" | |
| REPOSITORY_TRUFFLEHOG_CLI_LINT_MODE | Override default CLI lint mode. ⚠️ As the default value is project, overriding might not work. file: calls the linter for each file; list_of_files: calls the linter with the list of files as argument; project: calls the linter from the root of the project | project | 
| REPOSITORY_TRUFFLEHOG_PRE_COMMANDS | List of bash commands to run before the linter | None | 
| REPOSITORY_TRUFFLEHOG_POST_COMMANDS | List of bash commands to run after the linter | None | 
| REPOSITORY_TRUFFLEHOG_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling REPOSITORY_TRUFFLEHOG and its pre/post commands | None | 
| REPOSITORY_TRUFFLEHOG_CONFIG_FILE | trufflehog configuration file name. Use LINTER_DEFAULT to let the linter find it | .trufflehog.yml | 
| REPOSITORY_TRUFFLEHOG_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules | 
| REPOSITORY_TRUFFLEHOG_DISABLE_ERRORS | Run linter but consider errors as warnings | false | 
| REPOSITORY_TRUFFLEHOG_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 | 
| REPOSITORY_TRUFFLEHOG_CLI_EXECUTABLE | Override CLI executable | ['trufflehog'] | 
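A complete .mega-linter.yml for this linter, as an added example that is not taken from the MegaLinter documentation. The flags come from the trufflehog help output reproduced further down this page; the security-relevant choice is --results=verified,unknown, because a runner whose egress is blocked turns real leaks into "unknown" results that --results=verified alone would hide. How MegaLinter splices the arguments into its trufflehog filesystem . call is not shown on this page, so the exact command should be checked in the MegaLinter log on the first run.

```yaml
# .mega-linter.yml -- added example, not from the MegaLinter or trufflehog docs.
# Flag names are taken from trufflehog's own help; the way MegaLinter appends
# REPOSITORY_TRUFFLEHOG_ARGUMENTS to "trufflehog filesystem ." is an assumption,
# so confirm the final command in the MegaLinter log.
ENABLE_LINTERS:
  - REPOSITORY_TRUFFLEHOG

# Report credentials that verified against the issuing service, plus those
# whose verification errored ("unknown"): dropping the latter would let a
# blocked egress path silently hide live secrets. Pure unverified matches are
# left out of CI to keep noise down; run those locally instead.
# --fail makes trufflehog exit 183 when anything is reported, so a run with
# findings is non-zero; --no-update stops the outbound update check.
REPOSITORY_TRUFFLEHOG_ARGUMENTS: "--results=verified,unknown --fail --no-update --concurrency=8"

# Keep findings as errors: a verified credential must block the pipeline.
REPOSITORY_TRUFFLEHOG_DISABLE_ERRORS: false

# Custom detectors and verifier endpoints live in the workspace config file.
REPOSITORY_TRUFFLEHOG_CONFIG_FILE: .trufflehog.yml

# In a network-isolated runner no verification is possible; then fall back to
# entropy filtering of the unverified matches (3.0 is the suggested start):
# REPOSITORY_TRUFFLEHOG_ARGUMENTS: "--no-verification --filter-entropy=3.0 --fail --no-update"
```

Because this linter always scans the whole workspace, the scan time is governed by --concurrency and the archive limits rather than by which files changed; the alternative variant in the last comment trades verification for offline operation and will report more noise.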
MegaLinter Flavors
This linter is available in the following flavors
| Flavor | Description | Embedded linters | Info |
|---|---|---|---|
| all | Default MegaLinter Flavor | 127 | |
| c_cpp | Optimized for pure C/C++ projects | 56 | |
| ci_light | Optimized for CI items (Dockerfile, Jenkinsfile, JSON/YAML schemas, XML) | 22 | |
| cupcake | MegaLinter for the most commonly used languages | 88 | |
| documentation | MegaLinter for documentation projects | 49 | |
| dotnet | Optimized for C, C++, C# or VB based projects | 64 | |
| dotnetweb | Optimized for C, C++, C# or VB based projects with JS/TS | 73 | |
| go | Optimized for GO based projects | 51 | |
| java | Optimized for JAVA based projects | 54 | |
| javascript | Optimized for JAVASCRIPT or TYPESCRIPT based projects | 59 | |
| php | Optimized for PHP based projects | 54 | |
| python | Optimized for PYTHON based projects | 65 | |
| ruby | Optimized for RUBY based projects | 50 | |
| rust | Optimized for RUST based projects | 50 | |
| salesforce | Optimized for Salesforce based projects | 53 | |
| security | Optimized for security | 24 | |
| swift | Optimized for SWIFT based projects | 50 | |
| terraform | Optimized for TERRAFORM based projects | 54 | |
Behind the scenes
How are identified applicable files
- If this linter is active, all files will always be linted
How the linting is performed
trufflehog is called once on the whole project directory (project CLI lint mode)
- filtering can not be done using MegaLinter configuration variables; it must be done using the trufflehog configuration or ignore file (if one exists)
- VALIDATE_ALL_CODEBASE: false doesn't make trufflehog analyze only updated files
Example calls
```shell
trufflehog filesystem .
```
Help content
usage: TruffleHog [<flags>] <command> [<args> ...]
TruffleHog is a tool for finding credentials.
Flags:
  -h, --[no-]help                Show context-sensitive help (also try
                                 --help-long and --help-man).
      --log-level=0              Logging verbosity on a scale of 0 (info) to 5
                                 (trace). Can be disabled with "-1".
      --[no-]profile             Enables profiling and sets a pprof and fgprof
                                 server on :18066.
  -j, --[no-]json                Output in JSON format.
      --[no-]json-legacy         Use the pre-v3.0 JSON format. Only works with
                                 git, gitlab, and github sources.
      --[no-]github-actions      Output in GitHub Actions format.
      --concurrency=4            Number of concurrent workers.
      --[no-]no-verification     Don't verify the results.
      --results=RESULTS          Specifies which type(s) of results to output:
                                 verified (confirmed valid by API),
                                 unknown (verification failed due to error),
                                 unverified (detected but not verified),
                                 filtered_unverified (unverified but would
                                 have been filtered out). Defaults to
                                 verified,unverified,unknown.
      --[no-]no-color            Disable colorized output
      --[no-]allow-verification-overlap
                                 Allow verification of similar credentials
                                 across detectors
      --[no-]filter-unverified   Only output first unverified result per
                                 chunk per detector if there are more than one
                                 results.
      --filter-entropy=FILTER-ENTROPY
                                 Filter unverified results with Shannon entropy.
                                 Start with 3.0.
      --config=CONFIG            Path to configuration file.
      --[no-]print-avg-detector-time
                                 Print the average time spent on each detector.
      --[no-]no-update           Don't check for updates.
      --[no-]fail                Exit with code 183 if results are found.
      --[no-]fail-on-scan-errors
                                 Exit with non-zero error code if an error
                                 occurs during the scan.
      --verifier=VERIFIER ...    Set custom verification endpoints.
      --[no-]custom-verifiers-only
                                 Only use custom verification endpoints.
      --detector-timeout=DETECTOR-TIMEOUT
                                 Maximum time to spend scanning chunks per
                                 detector (e.g., 30s).
      --archive-max-size=ARCHIVE-MAX-SIZE
                                 Maximum size of archive to scan. (Byte units
                                 eg. 512B, 2KB, 4MB)
      --archive-max-depth=ARCHIVE-MAX-DEPTH
                                 Maximum depth of archive to scan.
      --archive-timeout=ARCHIVE-TIMEOUT
                                 Maximum time to spend extracting an archive.
      --include-detectors="all"  Comma separated list of detector types to
                                 include. Protobuf name or IDs may be used,
                                 as well as ranges.
      --exclude-detectors=EXCLUDE-DETECTORS
                                 Comma separated list of detector types to
                                 exclude. Protobuf name or IDs may be used,
                                 as well as ranges. IDs defined here take
                                 precedence over the include list.
      --[no-]no-verification-cache
                                 Disable verification caching
      --[no-]force-skip-binaries
                                 Force skipping binaries.
      --[no-]force-skip-archives
                                 Force skipping archives.
      --[no-]skip-additional-refs
                                 Skip additional references.
      --user-agent-suffix=USER-AGENT-SUFFIX
                                 Suffix to add to User-Agent.
      --[no-]version             Show application version.
Commands:
help [<command>...]
    Show help.
git [<flags>] <uri>
    Find credentials in git repositories.
github [<flags>]
    Find credentials in GitHub repositories.
github-experimental --repo=REPO [<flags>]
    Run an experimental GitHub scan. Must specify at least one experimental
    sub-module to run: object-discovery.
gitlab --token=TOKEN [<flags>]
    Find credentials in GitLab repositories.
filesystem [<flags>] [<path>...]
    Find credentials in a filesystem.
s3 [<flags>]
    Find credentials in S3 buckets.
gcs [<flags>]
    Find credentials in GCS buckets.
syslog --format=FORMAT [<flags>]
    Scan syslog
circleci --token=TOKEN
    Scan CircleCI
docker --image=IMAGE [<flags>]
    Scan Docker Image
travisci --token=TOKEN
    Scan TravisCI
postman [<flags>]
    Scan Postman
elasticsearch [<flags>]
    Scan Elasticsearch
jenkins --url=URL [<flags>]
    Scan Jenkins
huggingface [<flags>]
    Find credentials in HuggingFace datasets, models and spaces.
stdin
    Find credentials from stdin.
multi-scan
    Find credentials in multiple sources defined in configuration.
analyze
    Analyze API keys for fine-grained permissions information.
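The --results and --filter-entropy flags above decide what trufflehog prints, and --fail decides the exit code; the script below reproduces those three rules over trufflehog's line-delimited --json output so the behaviour can be checked offline. It is an added example, not part of MegaLinter or trufflehog. SAMPLE_OUTPUT is constructed, all secret values in it are made up, and the field names it relies on (DetectorName, Verified, VerificationError, Raw, Redacted, SourceMetadata) are an assumption about the v3 JSON format that should be checked against the version you run.

```python
"""Post-process trufflehog --json output, reproducing the --results,
--filter-entropy and --fail semantics from the help text.

Added example, not part of MegaLinter or trufflehog. SAMPLE_OUTPUT is
constructed; the JSON field names are an assumption about v3 output.
"""
import json
import math
from collections import Counter

# Constructed sample: one finding per line, every secret value is made up.
SAMPLE_OUTPUT = "\n".join(json.dumps(f) for f in [
    {"DetectorName": "AWS", "Verified": True,
     "Raw": "AKIAIOSFODNN7EXAMPLE", "Redacted": "AKIAIOSFODNN7EXAMPLE",
     "SourceMetadata": {"Data": {"Filesystem": {"file": "deploy/.env", "line": 3}}}},
    {"DetectorName": "Slack", "Verified": False,
     "VerificationError": "context deadline exceeded",
     "Raw": "xoxb-12345-67890-QwErTyUiOp", "Redacted": "xoxb-12345-67890-***",
     "SourceMetadata": {"Data": {"Filesystem": {"file": "bot/config.py", "line": 17}}}},
    {"DetectorName": "URI", "Verified": False,
     "Raw": "password", "Redacted": "pass****",
     "SourceMetadata": {"Data": {"Filesystem": {"file": "docs/example.md", "line": 42}}}},
    {"DetectorName": "JWT", "Verified": False,
     "Raw": "q7Vh2pLm9XsR4tYw", "Redacted": "q7Vh************",
     "SourceMetadata": {"Data": {"Filesystem": {"file": "test/fixtures.json", "line": 8}}}},
])


def shannon_entropy(value: str) -> float:
    """Bits per character; this is the quantity --filter-entropy thresholds."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def classify(finding: dict) -> str:
    """Map a finding onto the --results categories verified / unknown / unverified."""
    if finding.get("Verified"):
        return "verified"
    if finding.get("VerificationError"):
        return "unknown"  # the detector could not reach the service
    return "unverified"


def location(finding: dict) -> str:
    """file:line from the filesystem source metadata (assumed layout)."""
    fs = finding.get("SourceMetadata", {}).get("Data", {}).get("Filesystem", {})
    return f"{fs.get('file', '?')}:{fs.get('line', '?')}"


def triage(ndjson: str, results=("verified", "unverified", "unknown"), min_entropy=None):
    """Return what --results=<results> [--filter-entropy=<min_entropy>] would print."""
    kept = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        finding = json.loads(line)
        kind = classify(finding)
        if kind not in results:
            continue
        entropy = shannon_entropy(finding.get("Raw", ""))
        # --filter-entropy applies only to unverified results.
        if kind == "unverified" and min_entropy is not None and entropy < min_entropy:
            continue
        kept.append({"detector": finding.get("DetectorName"), "status": kind,
                     "where": location(finding), "redacted": finding.get("Redacted"),
                     "entropy": round(entropy, 2)})
    return kept


def exit_code(kept) -> int:
    """Mirror --fail: 183 when anything was reported, else 0."""
    return 183 if kept else 0


if __name__ == "__main__":
    import sys
    # Usage: trufflehog filesystem . --json > out.ndjson && python triage.py out.ndjson
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    findings = triage(data, results=("verified", "unknown"))
    for f in findings:
        print(f"{f['status']:10} {f['detector']:8} {f['where']:24} {f['redacted']}")
    sys.exit(exit_code(findings))
```

On the sample, "password" scores 2.75 bits per character and is the only finding a 3.0 entropy filter removes; the Slack token is kept regardless of entropy because it is "unknown", not "unverified", which is exactly why a CI policy of --results=verified alone is too narrow when egress may be blocked.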
Installation on mega-linter Docker image
- Dockerfile commands:

```dockerfile
# renovate: datasource=docker depName=trufflesecurity/trufflehog
ARG REPOSITORY_TRUFFLEHOG_VERSION=3.90.11
FROM trufflesecurity/trufflehog:${REPOSITORY_TRUFFLEHOG_VERSION} AS trufflehog
COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/
```
