This is an enhanced version of the Python-based truffleHog scanner
Package is available on PyPI
pip install trufflehog3
Full API documentation is available at feeltheajf.github.io/trufflehog3.
You can always check available options by running
trufflehog3 --help
Here are some basic examples to get you started
# clone remote Git repository, scan 10 latest commits and output to stdout
$ trufflehog3 --depth 10 https://github.com/feeltheajf/trufflehog3
# disable Git history search, scan current directory and save report as JSON
$ trufflehog3 --no-history --format json --output report.json
# render HTML report from JSON
$ trufflehog3 -R report.json --output report.html
v3 was heavily updated both under the hood and from API perspective. See below for more details on new features.
.trufflehog3.yml is automatically detected in the root of the scanned directory. However, you can still specify custom path using -c/--config CLI argument. Do not forget to check out the updated .trufflehog3.yml config file format.
HTML reports are now much prettier and more useful than ever. You can filter out specific rules or paths on the fly without fiddling with raw data. Have a look at a sample HTML report and try it on your own.
Inline nosecret comments are now supported for excluding false positives
# skip all rules
password = "" # nosecret
# only skip rule with specific id
password = "" # nosecret: generic.password
If for some reason you would like to avoid such behavior, there is a new --ignore-nosecret CLI flag which will tell trufflehog3 to ignore all inline comments.
You can now run an incremental scan by specifying the path to the baseline JSON report as -i/--incremental CLI argument. In this case, only the new issues compared to the baseline will be reported.
Multiprocessing support allows for much faster scans. You can alter the number of processes using -p/--processes CLI argument.
Special thanks to Dylan Ayrey (@dxa4481), developer of the original truffleHog scanner
FAQs
Find secrets in your codebase
We found that trufflehog3 demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
PyPI confirms no security flaws were exploited in the Ultralytics supply chain attack and highlights improvements for safer package publishing.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.