Usage

tartufo

Find secrets hidden in the depths of git.

Tartufo will, by default, scan the entire history of a git repository for any text which looks like a secret, password, credential, etc. It can also be made to work in pre-commit mode, for scanning blobs of text as a pre-commit hook.

tartufo [OPTIONS] COMMAND [ARGS]...

Options

--default-regexes, --no-default-regexes

Whether to include the default regex list when configuring search patterns. Only applicable if --rules is also specified.

Default

True

--entropy, --no-entropy

Enable entropy checks.

Default

True

--regex, --no-regex

Enable high signal regexes checks.

Default

True

--scan-filenames, --no-scan-filenames

Check the names of files being scanned as well as their contents.

Default

True

-of, --output-format <output_format>

Specify the format in which the output is generated (--output-format json/compact/text). Either json, compact or text can be specified. If not provided, the output is generated in text format (the default).

Options

json | compact | text | report

-od, --output-dir <output_dir>

If specified, all issues will be written out as individual JSON files to a uniquely named directory under this one. This will help with keeping the results of individual runs of tartufo separated.

-td, --temp-dir <temp_dir>

If specified, temporary files will be written to the specified path.

--buffer-size <buffer_size>

Maximum number of issues to buffer in memory before shifting to temporary file buffering.

Default

10000

--git-rules-repo <git_rules_repo>

A file path, or git URL, pointing to a git repository containing regex rules to be used for scanning. By default, all .json files will be loaded from the root of that repository. --git-rules-files can be used to override this behavior and load specific files.

--git-rules-files <git_rules_files>

Used in conjunction with --git-rules-repo, specify glob-style patterns for files from which to load the regex rules. Can be specified multiple times.

--config <config>

Read configuration from specified file. [default: tartufo.toml]

-q, --quiet, --no-quiet

Quiet mode. No output is reported if the scan is successful and doesn't find any issues.

-v, --verbose

Display more verbose output. Specifying this option multiple times will incrementally increase the amount of output.

--log-timestamps, --no-log-timestamps

Enable or disable timestamps in logging messages.

Default

True

--entropy-sensitivity <entropy_sensitivity>

Modify entropy detection sensitivity. This is expressed on a scale of 0 to 100, where 0 means "totally nonrandom" and 100 means "totally random". Decreasing the scanner's sensitivity increases the likelihood that a given string will be identified as suspicious.

Default

75
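To make the sensitivity scale concrete, here is an added example (not tartufo's own code) of how a high-entropy string check of this kind works. It assumes, as a simplification, that the 0 to 100 scale maps linearly onto the maximum Shannon entropy of the token's alphabet (6 bits per character for base64, 4 bits for hex), that tokens shorter than 20 characters are ignored, and it uses constructed sample lines; the exact mapping, alphabets and minimum length used by tartufo may differ.

```python
import math
import re

# Assumed alphabets and limits for this example. A uniformly random string over
# N symbols has at most log2(N) bits of entropy per character: 6 bits for the
# 64-symbol base64 alphabet and 4 bits for the 16-symbol hex alphabet.
MIN_TOKEN_LEN = 20  # assumed: shorter runs cannot reach a high-entropy threshold
BASE64_RE = re.compile(r"[A-Za-z0-9+/=]{%d,}" % MIN_TOKEN_LEN)
HEX_RE = re.compile(r"[0-9A-Fa-f]{%d,}" % MIN_TOKEN_LEN)
BASE64_MAX_BITS = 6.0
HEX_MAX_BITS = 4.0


def shannon_entropy(token: str) -> float:
    """Shannon entropy of `token` in bits per character."""
    if not token:
        return 0.0
    n = len(token)
    counts = {}
    for ch in token:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def thresholds(sensitivity: int) -> tuple:
    """Map the 0..100 sensitivity to (base64_limit, hex_limit) in bits per char.

    Assumption for this example: the scale is linear in the alphabet's maximum
    entropy, so 100 demands a perfectly random string and 0 flags anything that
    merely has the right shape. Lowering the number lowers the bar, which is why
    a lower sensitivity produces more findings (and more false positives).
    """
    if not 0 <= sensitivity <= 100:
        raise ValueError("sensitivity must be between 0 and 100")
    return BASE64_MAX_BITS * sensitivity / 100, HEX_MAX_BITS * sensitivity / 100


def find_high_entropy_strings(line: str, sensitivity: int = 75) -> list:
    """Return (token, bits) for every token in `line` at or above the threshold."""
    b64_limit, hex_limit = thresholds(sensitivity)
    findings = []
    seen = set()
    for match in HEX_RE.finditer(line):
        token = match.group(0)
        seen.add(token)
        # Hex is case-insensitive, so fold case before measuring entropy.
        bits = shannon_entropy(token.lower())
        if bits >= hex_limit:
            findings.append((token, bits))
    for match in BASE64_RE.finditer(line):
        token = match.group(0)
        if token in seen:
            continue  # hex is a subset of base64; don't report the same run twice
        bits = shannon_entropy(token)
        if bits >= b64_limit:
            findings.append((token, bits))
    return findings


if __name__ == "__main__":
    # Constructed sample lines: a hex-looking secret, a repetitive filler value,
    # and a low-variety token that only trips the check at a lower sensitivity.
    samples = [
        'password = "0123456789abcdef0123456789abcdef"',
        'filler = "aaaaaaaaaaaaaaaaaaaaaaaa"',
        'token = "GGGGHHHHIIIIJJJJKKKKLLLL"',
    ]
    for sensitivity in (75, 40):
        print(f"sensitivity={sensitivity}")
        for line in samples:
            for token, bits in find_high_entropy_strings(line, sensitivity):
                print(f"  {bits:.2f} bits/char  {token}")
```

Running the block shows the trade-off the option controls: at the default of 75 only the 32-character hex string (exactly 4 bits per character, the maximum for hex) is reported, while at 40 the repetitive "GGGG..." token (about 2.58 bits per character) is reported as well. When tuning the value on a real codebase, lower it until known test secrets are caught, then raise it until the remaining findings are dominated by real credentials rather than build artefacts and hashes.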

-V, --version

Show the version and exit.

pre-commit

Scan staged changes in a pre-commit hook.

tartufo pre-commit [OPTIONS]

Options

--include-submodules, --exclude-submodules

Controls whether the contents of git submodules are scanned.

Default

False

scan-folder

Scan a folder.

tartufo scan-folder [OPTIONS] TARGET

Options

--recurse, --no-recurse

Recurse and scan the entire folder.

Default

True

--git-check, --no-git-check

Skip check if the folder is a git repo.

Default

True

Arguments

TARGET

Required argument

scan-local-repo

Scan a repository already cloned to your local system.

tartufo scan-local-repo [OPTIONS] REPO_PATH

Options

--branch <branch>

Specify a branch name to scan only that branch.

--include-submodules, --exclude-submodules

Controls whether the contents of git submodules are scanned.

Default

False

-p, --progress

Controls whether to display a progress bar.

Default

False

Arguments

REPO_PATH

Required argument

scan-remote-repo

Automatically clone and scan a remote git repository.

tartufo scan-remote-repo [OPTIONS] GIT_URL

Options

--branch <branch>

Specify a branch name to scan only that branch.

-wd, --work-dir <work_dir>

Specify a working directory; this is where the repository will be cloned to before scanning.

--include-submodules, --exclude-submodules

Controls whether the contents of git submodules are scanned.

Default

False

-p, --progress

Controls whether to display a progress bar.

Default

False

Arguments

GIT_URL

Required argument

update-signatures

Update deprecated signatures for a local repository.

tartufo update-signatures [OPTIONS] REPO_PATH

Options

--branch <branch>

Specify a branch name to scan only that branch.

--include-submodules, --exclude-submodules

Controls whether the contents of git submodules are scanned.

Default

False

--update-configuration, --no-update-configuration

Whether or not to overwrite the tartufo config file.

Default

True

--remove-duplicates, --no-remove-duplicates

Whether or not to remove duplicated signatures.

Default

True

Arguments

REPO_PATH

Required argument