trufflehog
trufflehog documentation
- Version in MegaLinter: 3.73.0
- Visit Official Web Site
- See How to configure trufflehog rules
Configuration in MegaLinter
- Enable trufflehog by adding
REPOSITORY_TRUFFLEHOGin ENABLE_LINTERS variable - Disable trufflehog by adding
REPOSITORY_TRUFFLEHOGin DISABLE_LINTERS variable
| Variable | Description | Default value |
|---|---|---|
| REPOSITORY_TRUFFLEHOG_ARGUMENTS | User custom arguments to add in linter CLI call Ex: -s --foo "bar" |
|
| REPOSITORY_TRUFFLEHOG_COMMAND_REMOVE_ARGUMENTS | User custom arguments to remove from command line before calling the linter Ex: -s --foo "bar" |
|
| REPOSITORY_TRUFFLEHOG_PRE_COMMANDS | List of bash commands to run before the linter | None |
| REPOSITORY_TRUFFLEHOG_POST_COMMANDS | List of bash commands to run after the linter | None |
| REPOSITORY_TRUFFLEHOG_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling REPOSITORY_TRUFFLEHOG and its pre/post commands | None |
| REPOSITORY_TRUFFLEHOG_CONFIG_FILE | trufflehog configuration file nameUse LINTER_DEFAULT to let the linter find it |
.trufflehog.yml |
| REPOSITORY_TRUFFLEHOG_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules |
| REPOSITORY_TRUFFLEHOG_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
| REPOSITORY_TRUFFLEHOG_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
| REPOSITORY_TRUFFLEHOG_CLI_EXECUTABLE | Override CLI executable | ['trufflehog'] |
MegaLinter Flavours
This linter is available in the following flavours
| Flavor | Description | Embedded linters | Info | |
|---|---|---|---|---|
 |
all | Default MegaLinter Flavor | 122 |   |
| c_cpp | Optimized for pure C/C++ projects | 55 |   |
|
| ci_light | Optimized for CI items (Dockerfile, Jenkinsfile, JSON/YAML schemas,XML | 21 |   |
|
| cupcake | MegaLinter for the most commonly used languages | 84 |   |
|
| documentation | MegaLinter for documentation projects | 51 |   |
|
| dotnet | Optimized for C, C++, C# or VB based projects | 64 |   |
|
| dotnetweb | Optimized for C, C++, C# or VB based projects with JS/TS | 73 |   |
|
| go | Optimized for GO based projects | 53 |   |
|
| java | Optimized for JAVA based projects | 54 |   |
|
| javascript | Optimized for JAVASCRIPT or TYPESCRIPT based projects | 60 |   |
|
| php | Optimized for PHP based projects | 54 |   |
|
| python | Optimized for PYTHON based projects | 64 |   |
|
| ruby | Optimized for RUBY based projects | 51 |   |
|
| rust | Optimized for RUST based projects | 51 |   |
|
| salesforce | Optimized for Salesforce based projects | 55 |   |
|
| security | Optimized for security | 24 |   |
|
| swift | Optimized for SWIFT based projects | 51 |   |
|
| terraform | Optimized for TERRAFORM based projects | 55 |   |
Behind the scenes
How are identified applicable files
- If this linter is active, all files will always be linted
How the linting is performed
trufflehog is called once on the whole project directory (project CLI lint mode)
- filtering can not be done using MegaLinter configuration variables,it must be done using trufflehog configuration or ignore file (if existing)
VALIDATE_ALL_CODEBASE: falsedoesn't make trufflehog analyze only updated files
Example calls
trufflehog filesystem .
Help content
usage: TruffleHog [<flags>] <command> [<args> ...]
TruffleHog is a tool for finding credentials.
Flags:
-h, --[no-]help Show context-sensitive help (also try
--help-long and --help-man).
--[no-]debug Run in debug mode.
--[no-]trace Run in trace mode.
--[no-]profile Enables profiling and sets a pprof and fgprof
server on :18066.
-j, --[no-]json Output in JSON format.
--[no-]json-legacy Use the pre-v3.0 JSON format. Only works with
git, gitlab, and github sources.
--[no-]github-actions Output in GitHub Actions format.
--concurrency=4 Number of concurrent workers.
--[no-]no-verification Don't verify the results.
--[no-]only-verified Only output verified results.
--[no-]allow-verification-overlap
Allow verification of similar credentials
across detectors
--[no-]filter-unverified Only output first unverified result per
chunk per detector if there are more than one
results.
--filter-entropy=FILTER-ENTROPY
Filter unverified results with Shannon entropy.
Start with 3.0.
--config=CONFIG Path to configuration file.
--[no-]print-avg-detector-time
Print the average time spent on each detector.
--[no-]no-update Don't check for updates.
--[no-]fail Exit with code 183 if results are found.
--verifier=VERIFIER ... Set custom verification endpoints.
--[no-]custom-verifiers-only
Only use custom verification endpoints.
--archive-max-size=ARCHIVE-MAX-SIZE
Maximum size of archive to scan. (Byte units
eg. 512B, 2KB, 4MB)
--archive-max-depth=ARCHIVE-MAX-DEPTH
Maximum depth of archive to scan.
--archive-timeout=ARCHIVE-TIMEOUT
Maximum time to spend extracting an archive.
--include-detectors="all" Comma separated list of detector types to
include. Protobuf name or IDs may be used,
as well as ranges.
--exclude-detectors=EXCLUDE-DETECTORS
Comma separated list of detector types to
exclude. Protobuf name or IDs may be used,
as well as ranges. IDs defined here take
precedence over the include list.
--[no-]version Show application version.
Commands:
help [<command>...]
Show help.
git [<flags>] <uri>
Find credentials in git repositories.
github [<flags>]
Find credentials in GitHub repositories.
gitlab --token=TOKEN [<flags>]
Find credentials in GitLab repositories.
filesystem [<flags>] [<path>...]
Find credentials in a filesystem.
s3 [<flags>]
Find credentials in S3 buckets.
gcs [<flags>]
Find credentials in GCS buckets.
syslog [<flags>]
Scan syslog
circleci --token=TOKEN
Scan CircleCI
docker --image=IMAGE
Scan Docker Image
travisci --token=TOKEN
Scan TravisCI
postman [<flags>]
Scan Postman
Installation on mega-linter Docker image
- Dockerfile commands :
FROM trufflesecurity/trufflehog:latest as trufflehog
COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/