trufflehog
trufflehog documentation
- Version in MegaLinter: 3.85.0
- Visit Official Web Site
- See How to configure trufflehog rules
Configuration in MegaLinter
- Enable trufflehog by adding
REPOSITORY_TRUFFLEHOG
in ENABLE_LINTERS variable - Disable trufflehog by adding
REPOSITORY_TRUFFLEHOG
in DISABLE_LINTERS variable
Variable | Description | Default value |
---|---|---|
REPOSITORY_TRUFFLEHOG_ARGUMENTS | User custom arguments to add in linter CLI call Ex: -s --foo "bar" |
|
REPOSITORY_TRUFFLEHOG_COMMAND_REMOVE_ARGUMENTS | User custom arguments to remove from command line before calling the linter Ex: -s --foo "bar" |
|
REPOSITORY_TRUFFLEHOG_CLI_LINT_MODE | Override default CLI lint mode ⚠️ As default value is project, overriding might not work - file : Calls the linter for each file- list_of_files : Call the linter with the list of files as argument- project : Call the linter from the root of the project |
project |
REPOSITORY_TRUFFLEHOG_PRE_COMMANDS | List of bash commands to run before the linter | None |
REPOSITORY_TRUFFLEHOG_POST_COMMANDS | List of bash commands to run after the linter | None |
REPOSITORY_TRUFFLEHOG_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling REPOSITORY_TRUFFLEHOG and its pre/post commands | None |
REPOSITORY_TRUFFLEHOG_CONFIG_FILE | trufflehog configuration file nameUse LINTER_DEFAULT to let the linter find it |
.trufflehog.yml |
REPOSITORY_TRUFFLEHOG_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules |
REPOSITORY_TRUFFLEHOG_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
REPOSITORY_TRUFFLEHOG_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
REPOSITORY_TRUFFLEHOG_CLI_EXECUTABLE | Override CLI executable | ['trufflehog'] |
MegaLinter Flavors
This linter is available in the following flavors
Flavor | Description | Embedded linters | Info | |
---|---|---|---|---|
all | Default MegaLinter Flavor | 124 | ||
c_cpp | Optimized for pure C/C++ projects | 54 | ||
ci_light | Optimized for CI items (Dockerfile, Jenkinsfile, JSON/YAML schemas,XML | 21 | ||
cupcake | MegaLinter for the most commonly used languages | 83 | ||
documentation | MegaLinter for documentation projects | 49 | ||
dotnet | Optimized for C, C++, C# or VB based projects | 62 | ||
dotnetweb | Optimized for C, C++, C# or VB based projects with JS/TS | 71 | ||
go | Optimized for GO based projects | 51 | ||
java | Optimized for JAVA based projects | 52 | ||
javascript | Optimized for JAVASCRIPT or TYPESCRIPT based projects | 59 | ||
php | Optimized for PHP based projects | 54 | ||
python | Optimized for PYTHON based projects | 62 | ||
ruby | Optimized for RUBY based projects | 50 | ||
rust | Optimized for RUST based projects | 50 | ||
salesforce | Optimized for Salesforce based projects | 54 | ||
security | Optimized for security | 24 | ||
swift | Optimized for SWIFT based projects | 50 | ||
terraform | Optimized for TERRAFORM based projects | 54 |
Behind the scenes
How are identified applicable files
- If this linter is active, all files will always be linted
How the linting is performed
trufflehog is called once on the whole project directory (project
CLI lint mode)
- filtering can not be done using MegaLinter configuration variables,it must be done using trufflehog configuration or ignore file (if existing)
VALIDATE_ALL_CODEBASE: false
doesn't make trufflehog analyze only updated files
Example calls
trufflehog filesystem .
Help content
usage: TruffleHog [<flags>] <command> [<args> ...]
TruffleHog is a tool for finding credentials.
Flags:
-h, --[no-]help Show context-sensitive help (also try
--help-long and --help-man).
--log-level=0 Logging verbosity on a scale of 0 (info) to 5
(trace). Can be disabled with "-1".
--[no-]profile Enables profiling and sets a pprof and fgprof
server on :18066.
-j, --[no-]json Output in JSON format.
--[no-]json-legacy Use the pre-v3.0 JSON format. Only works with
git, gitlab, and github sources.
--[no-]github-actions Output in GitHub Actions format.
--concurrency=4 Number of concurrent workers.
--[no-]no-verification Don't verify the results.
--[no-]only-verified Only output verified results.
--[no-]allow-verification-overlap
Allow verification of similar credentials
across detectors
--[no-]filter-unverified Only output first unverified result per
chunk per detector if there are more than one
results.
--filter-entropy=FILTER-ENTROPY
Filter unverified results with Shannon entropy.
Start with 3.0.
--config=CONFIG Path to configuration file.
--[no-]print-avg-detector-time
Print the average time spent on each detector.
--[no-]no-update Don't check for updates.
--[no-]fail Exit with code 183 if results are found.
--verifier=VERIFIER ... Set custom verification endpoints.
--[no-]custom-verifiers-only
Only use custom verification endpoints.
--archive-max-size=ARCHIVE-MAX-SIZE
Maximum size of archive to scan. (Byte units
eg. 512B, 2KB, 4MB)
--archive-max-depth=ARCHIVE-MAX-DEPTH
Maximum depth of archive to scan.
--archive-timeout=ARCHIVE-TIMEOUT
Maximum time to spend extracting an archive.
--include-detectors="all" Comma separated list of detector types to
include. Protobuf name or IDs may be used,
as well as ranges.
--exclude-detectors=EXCLUDE-DETECTORS
Comma separated list of detector types to
exclude. Protobuf name or IDs may be used,
as well as ranges. IDs defined here take
precedence over the include list.
--[no-]force-skip-binaries
Force skipping binaries.
--[no-]force-skip-archives
Force skipping archives.
--[no-]skip-additional-refs
Skip additional references.
--user-agent-suffix=USER-AGENT-SUFFIX
Suffix to add to User-Agent.
--[no-]version Show application version.
Commands:
help [<command>...]
Show help.
git [<flags>] <uri>
Find credentials in git repositories.
github [<flags>]
Find credentials in GitHub repositories.
github-experimental --repo=REPO [<flags>]
Run an experimental GitHub scan. Must specify at least one experimental
sub-module to run: object-discovery.
gitlab --token=TOKEN [<flags>]
Find credentials in GitLab repositories.
filesystem [<flags>] [<path>...]
Find credentials in a filesystem.
s3 [<flags>]
Find credentials in S3 buckets.
gcs [<flags>]
Find credentials in GCS buckets.
syslog [<flags>]
Scan syslog
circleci --token=TOKEN
Scan CircleCI
docker --image=IMAGE [<flags>]
Scan Docker Image
travisci --token=TOKEN
Scan TravisCI
postman [<flags>]
Scan Postman
elasticsearch [<flags>]
Scan Elasticsearch
jenkins --url=URL [<flags>]
Scan Jenkins
huggingface [<flags>]
Find credentials in HuggingFace datasets, models and spaces.
analyze [<key-type>]
Analyze API keys for fine-grained permissions information.
Installation on mega-linter Docker image
- Dockerfile commands :
# renovate: datasource=docker depName=trufflesecurity/trufflehog
ARG REPOSITORY_TRUFFLEHOG_VERSION=3.85.0
FROM trufflesecurity/trufflehog:${REPOSITORY_TRUFFLEHOG_VERSION} AS trufflehog
COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/