tartufo¶
tartufo searches through git repositories for secrets, digging deep into commit history and branches. This is effective at finding secrets accidentally committed. tartufo also can be used by git pre-commit scripts to screen changes for secrets before they are committed to the repository.
This tool will go through the entire commit history of each branch, and check each diff from each commit, and check for secrets. This is both by regex and by entropy. For entropy checks, tartufo will evaluate the shannon entropy for both the base64 char set and hexidecimal char set for every blob of text greater than 20 characters comprised of those character sets in each diff. If at any point a high entropy string > 20 characters is detected, it will print to the screen.
Example¶
Quick start¶
Getting started is easy!
Install tartufo from the tartufo page on the Python Package Index, by using
pip
or usingdocker
to pull thetartufo
image from Docker Hub.Install using
pip
:$ pip install tartufo
Install using
docker
:$ docker pull godaddy/tartufo
For more detail, see Installation.
Use
tartufo
to scan your repository and find any secrets in its history!# You can scan a remote git repo $ tartufo scan-remote-repo git@github.com:my_user/my_repo.git # Or, scan a local clone of a repo! $ tartufo scan-local-repo /path/to/your/git/repo
# Scan a remote repo using docker $ docker run --rm godaddy/tartufo scan-remote-repo https://github.com/my_user/my_repo.git # Mount a local clone of a repo and scan it using docker! $ docker run --rm -v "/path/to/your/git/repo:/git" godaddy/tartufo scan-local-repo /git
For more detail on usage and options, see Usage and Features.
Attributions¶
This project was inspired by and built off of the work done by Dylan Ayrey on the truffleHog project.