tartufo

tartufo searches through git repositories for secrets, digging deep into commit history and branches. This is effective at finding secrets accidentally committed. tartufo also can be used by git pre-commit scripts to screen changes for secrets before they are committed to the repository.

This tool will go through the entire commit history of each branch, and check each diff from each commit, and check for secrets. This is both by regex and by entropy. For entropy checks, tartufo will evaluate the shannon entropy for both the base64 char set and hexidecimal char set for every blob of text greater than 20 characters comprised of those character sets in each diff. If at any point a high entropy string > 20 characters is detected, it will print to the screen.

Example

_images/example_issue.png

Quick start

Getting started is easy!

  1. Install tartufo from the tartufo page on the Python Package Index, by using pip or using docker to pull the tartufo image from Docker Hub.

    Install using pip:

    $ pip install tartufo
    

    Install using docker:

    $ docker pull godaddy/tartufo
    

    For more detail, see Installation.

  2. Use tartufo to scan your repository and find any secrets in its history!

    # You can scan a remote git repo
    $ tartufo scan-remote-repo git@github.com:my_user/my_repo.git
    
    # Or, scan a local clone of a repo!
    $ tartufo scan-local-repo /path/to/your/git/repo
    
    # Scan a remote repo using docker
    $ docker run --rm godaddy/tartufo scan-remote-repo https://github.com/my_user/my_repo.git
    
    # Mount a local clone of a repo and scan it using docker!
    $ docker run --rm -v "/path/to/your/git/repo:/git" godaddy/tartufo scan-local-repo /git
    

    For more detail on usage and options, see Usage and Features.

Attributions

This project was inspired by and built off of the work done by Dylan Ayrey on the truffleHog project.