
Security News
Insecure Agents Podcast: Certified Patches, Supply Chain Security, and AI Agents
Socket CEO Feross Aboukhadijeh joins Insecure Agents to discuss CVE remediation and why supply chain attacks require a different security approach.
@godaddy/tartufo-node
Tartufo is an open-source project that provides tooling to search for secrets that may have been accidentally committed to code. It provides a wonderful pre-commit mode that is perfect for keeping repositories clean of committed secrets.
This package exists to help make sure Tartufo is available to local developers working in pure-JavaScript projects. When installed into your project, it provides a local tartufo bin you can use in your package.json scripts.
This package prefers to use a globally-installed tartufo if present, otherwise it will install a local copy.
This package requires that Python 3.6+ be installed and available. It expects to find Python at the command python3, or at python if the former is not available.
This package does not currently support Windows!
macOS: we recommend using Homebrew to install Python via brew install python.
Linux: please follow your distro's recommendations for installing Python.
Windows: not yet supported with this package. This documentation will be updated when it is supported.
Run npm install --save-dev @godaddy/tartufo-node to install it in your local project.
You can use tartufo like any other npm-provided bin. For example, to run tartufo as a pre-commit hook you could combine it with Husky:
Add the following to your package.json:
{
"scripts": {
"tartufo:pre-commit": "tartufo pre-commit"
}
}
Then tell Husky to run the command on pre-commit:
npx husky add .husky/pre-commit "npm run tartufo:pre-commit"
git add .husky/pre-commit
Alternatively you could work with tartufo directly via npx, for example you could run npx tartufo --help in your project to see command line tools available to you.
This package provides a tartufo-helper tool to help diagnose issues locally. To do so, run npx tartufo-helper doctor to see debugging output. If necessary, it may recommend you run npx tartufo-helper reset to reset your local installation.
This package takes advantage of preinstall and postinstall npm lifecycle hooks. When installing into your package, two things will happen:
First, the preinstall script will validate your local environment and fail if it cannot find Python 3.6+.
Second, the postinstall script will check whether you have tartufo available globally. If so, the postinstall script exits, as there is nothing to do!
However, if no tartufo is available, it creates a venv locally (in the node_modules folder) and uses pip to install tartufo.
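As an added illustration (not the package's own scripts), the following POSIX sh sketch implements the preinstall and postinstall decisions described above: pick python3 or python, require 3.6+, skip work when a global tartufo exists, otherwise install one into a venv under node_modules. The venv path node_modules/.tartufo-venv is an assumed location.

```shell
#!/bin/sh
# Added example of the lifecycle-hook logic described above; not the
# package's own script. VENV_DIR is an assumed location inside node_modules.

# Print the first available interpreter name, preferring python3.
find_python() {
  for cand in python3 python; do
    if command -v "$cand" >/dev/null 2>&1; then
      printf '%s\n' "$cand"
      return 0
    fi
  done
  return 1
}

# Succeed only for versions >= 3.6. The argument is "X.Y.Z" as printed by
# "python --version"; comparing numerically keeps 3.10+ from sorting below 3.6.
version_ok() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  if [ "$major" -gt 3 ]; then return 0; fi
  if [ "$major" -eq 3 ] && [ "$minor" -ge 6 ]; then return 0; fi
  return 1
}

# preinstall: fail the npm install when no suitable Python is present.
# Python 2 prints its version on stderr, hence the 2>&1.
preinstall() {
  py=$(find_python) || { echo "preinstall: python3/python not found" >&2; return 1; }
  ver=$("$py" --version 2>&1 | awk '{print $2}')
  version_ok "$ver" || { echo "preinstall: need Python 3.6+, found $ver" >&2; return 1; }
}

# postinstall: prefer a global tartufo; otherwise create a local venv and pip install.
postinstall() {
  VENV_DIR="${VENV_DIR:-node_modules/.tartufo-venv}"
  if command -v tartufo >/dev/null 2>&1; then
    echo "postinstall: global tartufo found, nothing to do"
    return 0
  fi
  py=$(find_python) || return 1
  "$py" -m venv "$VENV_DIR" && "$VENV_DIR/bin/pip" install tartufo
}
```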