tartufo searches through git repositories for secrets, digging deep into commit history and branches. This is effective at finding secrets accidentally committed. tartufo also can be used by git pre-commit scripts to screen changes for secrets before they are committed to the repository.
This tool will go through the entire commit history of each branch, and check each diff from each commit, and check for secrets. This is both by regex and by entropy. For entropy checks, tartufo will evaluate the shannon entropy for both the base64 char set and hexidecimal char set for every blob of text greater than 20 characters comprised of those character sets in each diff. If at any point a high entropy string > 20 characters is detected, it will print to the screen.
Getting started is easy!
Install tartufo from the tartufo page on the Python Package Index, by using
dockerto pull the
tartufoimage from Docker Hub.
$ pip install tartufo
$ docker pull godaddy/tartufo
For more detail, see Installation.
tartufoto scan your repository and find any secrets in its history!
# You can scan a remote git repo $ tartufo scan-remote-repo email@example.com:my_user/my_repo.git # Or, scan a local clone of a repo! $ tartufo scan-local-repo /path/to/your/git/repo
# Scan a remote repo using docker $ docker run --rm godaddy/tartufo scan-remote-repo https://github.com/my_user/my_repo.git # Mount a local clone of a repo and scan it using docker! $ docker run --rm -v "/path/to/your/git/repo:/git" godaddy/tartufo scan-local-repo /git