trufflehog

TruffleHog is an advanced secrets scanner that searches through git repositories, files, and other sources to find secrets, passwords, API keys, and other sensitive information that may have been accidentally committed to code. It combines pattern matching, entropy analysis, and verification capabilities to provide comprehensive secret detection.

Key Features:

Git History Scanning: Deep analysis of entire git history including all branches, commits, and deleted files
Entropy Analysis: Advanced mathematical analysis to detect high-entropy strings that may be secrets
Pattern Matching: Extensive library of regex patterns for detecting known secret formats from popular services
Secret Verification: Validates detected secrets by attempting authentication with the actual services
Multi-Source Support: Scans git repositories, filesystems, cloud storage, databases, and container images
Custom Detectors: Extensible framework for adding organization-specific secret detection patterns
Performance Optimized: Efficient scanning algorithms suitable for large repositories and continuous monitoring
Detailed Reporting: Comprehensive output with context, verification status, and remediation guidance
False Positive Management: Sophisticated filtering and ignore systems to reduce noise and focus on real threats

trufflehog documentation

Version in MegaLinter: 3.89.2
Visit Official Web Site
See How to configure trufflehog rules

Configuration in MegaLinter

Enable trufflehog by adding REPOSITORY_TRUFFLEHOG in ENABLE_LINTERS variable
Disable trufflehog by adding REPOSITORY_TRUFFLEHOG in DISABLE_LINTERS variable

Variable	Description	Default value
REPOSITORY_TRUFFLEHOG_ARGUMENTS	User custom arguments to add in linter CLI call Ex: `-s --foo "bar"`
REPOSITORY_TRUFFLEHOG_COMMAND_REMOVE_ARGUMENTS	User custom arguments to remove from command line before calling the linter Ex: `-s --foo "bar"`
REPOSITORY_TRUFFLEHOG_CLI_LINT_MODE	Override default CLI lint mode ⚠️ As default value is project, overriding might not work - `file`: Calls the linter for each file - `list_of_files`: Call the linter with the list of files as argument - `project`: Call the linter from the root of the project	`project`
REPOSITORY_TRUFFLEHOG_PRE_COMMANDS	List of bash commands to run before the linter	None
REPOSITORY_TRUFFLEHOG_POST_COMMANDS	List of bash commands to run after the linter	None
REPOSITORY_TRUFFLEHOG_UNSECURED_ENV_VARIABLES	List of env variables explicitly not filtered before calling REPOSITORY_TRUFFLEHOG and its pre/post commands	None
REPOSITORY_TRUFFLEHOG_CONFIG_FILE	trufflehog configuration file nameUse `LINTER_DEFAULT` to let the linter find it	`.trufflehog.yml`
REPOSITORY_TRUFFLEHOG_RULES_PATH	Path where to find linter configuration file	Workspace folder, then MegaLinter default rules
REPOSITORY_TRUFFLEHOG_DISABLE_ERRORS	Run linter but consider errors as warnings	`false`
REPOSITORY_TRUFFLEHOG_DISABLE_ERRORS_IF_LESS_THAN	Maximum number of errors allowed	`0`
REPOSITORY_TRUFFLEHOG_CLI_EXECUTABLE	Override CLI executable	`['trufflehog']`

MegaLinter Flavors

This linter is available in the following flavors

Flavor	Description	Embedded linters
all	Default MegaLinter Flavor	126
c_cpp	Optimized for pure C/C++ projects	56
ci_light	Optimized for CI items (Dockerfile, Jenkinsfile, JSON/YAML schemas,XML	22
cupcake	MegaLinter for the most commonly used languages	87
documentation	MegaLinter for documentation projects	49
dotnet	Optimized for C, C++, C# or VB based projects	64
dotnetweb	Optimized for C, C++, C# or VB based projects with JS/TS	73
go	Optimized for GO based projects	51
java	Optimized for JAVA based projects	54
javascript	Optimized for JAVASCRIPT or TYPESCRIPT based projects	59
php	Optimized for PHP based projects	54
python	Optimized for PYTHON based projects	65
ruby	Optimized for RUBY based projects	50
rust	Optimized for RUST based projects	50
salesforce	Optimized for Salesforce based projects	54
security	Optimized for security	24
swift	Optimized for SWIFT based projects	50
terraform	Optimized for TERRAFORM based projects	54

Behind the scenes

How are identified applicable files

If this linter is active, all files will always be linted

How the linting is performed

trufflehog is called once on the whole project directory (project CLI lint mode)

filtering can not be done using MegaLinter configuration variables,it must be done using trufflehog configuration or ignore file (if existing)
VALIDATE_ALL_CODEBASE: false doesn't make trufflehog analyze only updated files

Example calls

trufflehog filesystem .

Help content

usage: TruffleHog [<flags>] <command> [<args> ...]

TruffleHog is a tool for finding credentials.


Flags:
  -h, --[no-]help                Show context-sensitive help (also try
                                 --help-long and --help-man).
      --log-level=0              Logging verbosity on a scale of 0 (info) to 5
                                 (trace). Can be disabled with "-1".
      --[no-]profile             Enables profiling and sets a pprof and fgprof
                                 server on :18066.
  -j, --[no-]json                Output in JSON format.
      --[no-]json-legacy         Use the pre-v3.0 JSON format. Only works with
                                 git, gitlab, and github sources.
      --[no-]github-actions      Output in GitHub Actions format.
      --concurrency=4            Number of concurrent workers.
      --[no-]no-verification     Don't verify the results.
      --results=RESULTS          Specifies which type(s) of results to
                                 output: verified, unknown, unverified,
                                 filtered_unverified. Defaults to
                                 verified,unverified,unknown.
      --[no-]no-color            Disable colorized output
      --[no-]allow-verification-overlap
                                 Allow verification of similar credentials
                                 across detectors
      --[no-]filter-unverified   Only output first unverified result per
                                 chunk per detector if there are more than one
                                 results.
      --filter-entropy=FILTER-ENTROPY
                                 Filter unverified results with Shannon entropy.
                                 Start with 3.0.
      --config=CONFIG            Path to configuration file.
      --[no-]print-avg-detector-time
                                 Print the average time spent on each detector.
      --[no-]no-update           Don't check for updates.
      --[no-]fail                Exit with code 183 if results are found.
      --verifier=VERIFIER ...    Set custom verification endpoints.
      --[no-]custom-verifiers-only
                                 Only use custom verification endpoints.
      --detector-timeout=DETECTOR-TIMEOUT
                                 Maximum time to spend scanning chunks per
                                 detector (e.g., 30s).
      --archive-max-size=ARCHIVE-MAX-SIZE
                                 Maximum size of archive to scan. (Byte units
                                 eg. 512B, 2KB, 4MB)
      --archive-max-depth=ARCHIVE-MAX-DEPTH
                                 Maximum depth of archive to scan.
      --archive-timeout=ARCHIVE-TIMEOUT
                                 Maximum time to spend extracting an archive.
      --include-detectors="all"  Comma separated list of detector types to
                                 include. Protobuf name or IDs may be used,
                                 as well as ranges.
      --exclude-detectors=EXCLUDE-DETECTORS
                                 Comma separated list of detector types to
                                 exclude. Protobuf name or IDs may be used,
                                 as well as ranges. IDs defined here take
                                 precedence over the include list.
      --[no-]no-verification-cache
                                 Disable verification caching
      --[no-]force-skip-binaries
                                 Force skipping binaries.
      --[no-]force-skip-archives
                                 Force skipping archives.
      --[no-]skip-additional-refs
                                 Skip additional references.
      --user-agent-suffix=USER-AGENT-SUFFIX
                                 Suffix to add to User-Agent.
      --[no-]version             Show application version.

Commands:
help [<command>...]
    Show help.

git [<flags>] <uri>
    Find credentials in git repositories.

github [<flags>]
    Find credentials in GitHub repositories.

github-experimental --repo=REPO [<flags>]
    Run an experimental GitHub scan. Must specify at least one experimental
    sub-module to run: object-discovery.

gitlab --token=TOKEN [<flags>]
    Find credentials in GitLab repositories.

filesystem [<flags>] [<path>...]
    Find credentials in a filesystem.

s3 [<flags>]
    Find credentials in S3 buckets.

gcs [<flags>]
    Find credentials in GCS buckets.

syslog [<flags>]
    Scan syslog

circleci --token=TOKEN
    Scan CircleCI

docker --image=IMAGE [<flags>]
    Scan Docker Image

travisci --token=TOKEN
    Scan TravisCI

postman [<flags>]
    Scan Postman

elasticsearch [<flags>]
    Scan Elasticsearch

jenkins --url=URL [<flags>]
    Scan Jenkins

huggingface [<flags>]
    Find credentials in HuggingFace datasets, models and spaces.

stdin
    Find credentials from stdin.

multi-scan
    Find credentials in multiple sources defined in configuration.

analyze
    Analyze API keys for fine-grained permissions information.

Installation on mega-linter Docker image

Dockerfile commands :

# renovate: datasource=docker depName=trufflesecurity/trufflehog
ARG REPOSITORY_TRUFFLEHOG_VERSION=3.89.2
FROM trufflesecurity/trufflehog:${REPOSITORY_TRUFFLEHOG_VERSION} AS trufflehog
COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/