Usage
tartufo
Find secrets hidden in the depths of git.
Tartufo will, by default, scan the entire history of a git repository for any text which looks like a secret, password, credential, etc. It can also be made to work in pre-commit mode, for scanning blobs of text as a pre-commit hook.
tartufo [OPTIONS] COMMAND [ARGS]...
Options
- --default-regexes, --no-default-regexes
Whether to include the default regex list when configuring search patterns. Only applicable if --rules is also specified.
- Default
True
- --entropy, --no-entropy
Enable entropy checks.
- Default
True
- --regex, --no-regex
Enable high-signal regex checks.
- Default
True
- --scan-filenames, --no-scan-filenames
Check the names of files being scanned as well as their contents.
- Default
True
- -of, --output-format <output_format>
Specify the format in which the output needs to be generated: --output-format json/compact/text. Either json, compact or text can be specified. If not provided (default), the output will be generated in text format.
- Options
json | compact | text | report
- -od, --output-dir <output_dir>
If specified, all issues will be written out as individual JSON files to a uniquely named directory under this one. This will help with keeping the results of individual runs of tartufo separated.
- -td, --temp-dir <temp_dir>
If specified, temporary files will be written to the specified path.
- --buffer-size <buffer_size>
Maximum number of issues to buffer in memory before shifting to temporary file buffering.
- Default
10000
- --git-rules-repo <git_rules_repo>
A file path, or git URL, pointing to a git repository containing regex rules to be used for scanning. By default, all .json files will be loaded from the root of that repository. --git-rules-files can be used to override this behavior and load specific files.
- --git-rules-files <git_rules_files>
Used in conjunction with --git-rules-repo, specify glob-style patterns for files from which to load the regex rules. Can be specified multiple times.
- --config <config>
Read configuration from specified file. [default: tartufo.toml]
- -q, --quiet, --no-quiet
Quiet mode. No outputs are reported if the scan is successful and doesn’t find any issues.
- -v, --verbose
Display more verbose output. Specifying this option multiple times will incrementally increase the amount of output.
- --log-timestamps, --no-log-timestamps
Enable or disable timestamps in logging messages.
- Default
True
- --entropy-sensitivity <entropy_sensitivity>
Modify entropy detection sensitivity. This is expressed on a scale of 0 to 100, where 0 means “totally nonrandom” and 100 means “totally random”. Decreasing the scanner’s sensitivity increases the likelihood that a given string will be identified as suspicious.
- Default
75
- -V, --version
Show the version and exit.
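To make the 0 to 100 scale of --entropy-sensitivity concrete, the following added example (not tartufo's own code) scores a string's Shannon entropy as a percentage of the maximum for its alphabet and flags it when the score exceeds the threshold. The function names, the alphabet sizes, the normalization and the strict comparison are assumptions of this sketch.

```python
import math
from collections import Counter

# Assumed alphabet sizes for this illustration (not stated on the page):
# hexadecimal strings draw from 16 symbols, base64 strings from 64.
HEX_SYMBOLS = 16
BASE64_SYMBOLS = 64


def randomness_score(text: str, symbols: int) -> float:
    """Return the Shannon entropy of `text` as a percentage of the maximum
    possible for an alphabet of `symbols` characters (0 = one repeated
    character, 100 = every symbol used equally often)."""
    if not text:
        return 0.0
    total = len(text)
    # Entropy in bits per character: sum of p * log2(1/p) over observed chars.
    bits = sum(
        (n / total) * math.log2(total / n) for n in Counter(text).values()
    )
    return 100.0 * bits / math.log2(symbols)


def is_suspicious(text: str, symbols: int, sensitivity: int = 75) -> bool:
    """Flag `text` when its score exceeds the threshold. The strict `>`
    comparison is an assumption of this sketch."""
    return randomness_score(text, symbols) > sensitivity


if __name__ == "__main__":
    # Constructed sample strings, not real credentials.
    samples = ["aaaaaaaaaaaaaaaa", "deadbeefdeadbeef", "0123456789abcdef"]
    for value in samples:
        score = randomness_score(value, HEX_SYMBOLS)
        print(f"{value}  score={score:5.1f}  "
              f"flag@75={is_suspicious(value, HEX_SYMBOLS, 75)}  "
              f"flag@50={is_suspicious(value, HEX_SYMBOLS, 50)}")
```

The middle sample scores about 54, so it passes at the default of 75 but is flagged once the value is lowered to 50, which is the trade-off the option description states.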
pre-commit
Scan staged changes in a pre-commit hook.
tartufo pre-commit [OPTIONS]
Options
- --include-submodules, --exclude-submodules
Controls whether the contents of git submodules are scanned.
- Default
False
scan-folder
Scan a folder.
tartufo scan-folder [OPTIONS] TARGET
Options
- --recurse, --no-recurse
Recurse and scan the entire folder.
- Default
True
- --git-check, --no-git-check
Skip check if the folder is a git repo
- Default
True
Arguments
- TARGET
Required argument
scan-local-repo
Scan a repository already cloned to your local system.
tartufo scan-local-repo [OPTIONS] REPO_PATH
Options
- --branch <branch>
Specify a branch name to scan only that branch.
- --include-submodules, --exclude-submodules
Controls whether the contents of git submodules are scanned.
- Default
False
- -p, --progress
Controls whether to display a progress bar.
- Default
False
Arguments
- REPO_PATH
Required argument
scan-remote-repo
Automatically clone and scan a remote git repository.
tartufo scan-remote-repo [OPTIONS] GIT_URL
Options
- --branch <branch>
Specify a branch name to scan only that branch.
- -wd, --work-dir <work_dir>
Specify a working directory; this is where the repository will be cloned to before scanning.
- --include-submodules, --exclude-submodules
Controls whether the contents of git submodules are scanned.
- Default
False
- -p, --progress
Controls whether to display a progress bar.
- Default
False
Arguments
- GIT_URL
Required argument
update-signatures
Update deprecated signatures for a local repository.
tartufo update-signatures [OPTIONS] REPO_PATH
Options
- --branch <branch>
Specify a branch name to scan only that branch.
- --include-submodules, --exclude-submodules
Controls whether the contents of git submodules are scanned.
- Default
False
- --update-configuration, --no-update-configuration
Whether or not to overwrite the tartufo config file.
- Default
True
- --remove-duplicates, --no-remove-duplicates
Whether or not to remove duplicated signatures.
- Default
True
Arguments
- REPO_PATH
Required argument