This is an enhanced version of the Python-based truffleHog scanner
Package is available on PyPI
pip install trufflehog3
Full API documentation is available at feeltheajf.github.io/trufflehog3.
You can always check available options by running
trufflehog3 --help
Here are some basic examples to get you started
# clone remote Git repository, scan 10 latest commits and output to stdout
$ trufflehog3 --max-depth 10 https://github.com/feeltheajf/trufflehog3
# disable Git history search, scan current directory and save report as JSON
$ trufflehog3 --no-history --format json --output report.json
# render HTML report from JSON
$ trufflehog3 -R report.json --output report.html
v3 was heavily updated both under the hood and from API perspective. See below for more details on new features.
.trufflehog3.yml
is automatically detected in the root of the scanned directory. However, you can still specify custom path using -c/--config
CLI argument. Do not forget to check out the updated .trufflehog3.yml config file format.
HTML reports are now much prettier and more useful than ever. You can filter out specific rules or paths on the fly without fiddling with raw data. Have a look at a sample HTML report and try it on your own.
Inline nosecret
comments are now supported for excluding false positives
# skip all rules
password = "" # nosecret
# only skip rule with specific id
password = "" # nosecret: generic.password
If for some reason you would like to avoid such behavior, there is a new --ignore-nosecret
CLI flag which will tell trufflehog3 to ignore all inline comments.
You can now run an incremental scan by specifying the path to the baseline JSON report as -i/--incremental
CLI argument. In this case, only the new issues compared to the baseline will be reported.
Multiprocessing support allows for much faster scans. You can alter the number of processes using -p/--processes
CLI argument.
Special thanks to Dylan Ayrey (@dxa4481), developer of the original truffleHog scanner