Usage

tartufo

Find secrets hidden in the depths of git.

Tartufo will, by default, scan the entire history of a git repository for any text which looks like a secret, password, credential, etc. It can also run as a pre-commit hook, in which case it scans only the staged changes rather than the repository history.

tartufo [OPTIONS] COMMAND [ARGS]...

Options

--json, --no-json

Output in JSON format.

--rules <rules>

Path(s) to regex rules json list file(s).

--default-regexes, --no-default-regexes

Whether to include the default regex list when configuring search patterns. Only applicable if --rules is also specified.

Default

True

--entropy, --no-entropy

Enable entropy checks.

Default

True

--regex, --no-regex

Enable the high-signal regex checks.

Default

False
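The options above name two detectors, regex rules and entropy checks, without showing what either flags. The following is an added illustration (not tartufo's own code) of both: a rules document in the shape assumed here for a --rules file (a JSON object mapping rule name to regular expression), a Shannon-entropy scan over base64- and hex-looking tokens, and a constructed sample blob containing the AWS documentation placeholder key, a 48-character random-looking string and a 40-character git SHA. The thresholds (4.5 bits for base64, 3.0 bits for hex, 20-character minimum run) and the exact rules-file shape are assumptions of this example.

```python
import json
import math
import re
from typing import Dict, Iterator, List, Pattern, Tuple

# Constructed rules document in the shape this illustration assumes for a
# --rules file: a JSON object mapping a rule name to a regex string.
RULES_JSON = r"""
{
    "RSA private key": "-----BEGIN RSA PRIVATE KEY-----",
    "AWS access key id": "AKIA[0-9A-Z]{16}"
}
"""

# Constructed sample blob; nothing in it is a live credential.
SAMPLE_BLOB = """
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
db_password = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuv"
commit_sha = 0123456789abcdef0123456789abcdef01234567
greeting = "hello world this is ordinary text"
"""

BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
HEX_CHARS = "0123456789abcdefABCDEF"


def load_rules(raw_json: str) -> Dict[str, Pattern[str]]:
    """Compile the name -> regex mapping of a rules document."""
    return {name: re.compile(rx) for name, rx in json.loads(raw_json).items()}


def shannon_entropy(data: str, alphabet: str) -> float:
    """Bits of entropy per character, over the symbols of `alphabet` present in `data`."""
    if not data:
        return 0.0
    entropy = 0.0
    for symbol in set(alphabet):
        p = data.count(symbol) / len(data)
        if p > 0:
            entropy -= p * math.log2(p)
    return entropy


def alphabet_runs(word: str, alphabet: str, min_len: int) -> Iterator[str]:
    """Yield maximal runs of `alphabet` characters in `word` of at least `min_len`."""
    run = ""
    for ch in word + "\0":  # sentinel flushes the trailing run
        if ch in alphabet:
            run += ch
            continue
        if len(run) >= min_len:
            yield run
        run = ""


def regex_findings(blob: str, rules: Dict[str, Pattern[str]]) -> List[Tuple[str, str]]:
    """(rule name, matched text) for every rule hit; this is what --regex enables."""
    return [(name, m.group(0)) for name, rx in rules.items() for m in rx.finditer(blob)]


def entropy_findings(blob: str, b64_threshold: float = 4.5,
                     hex_threshold: float = 3.0, min_len: int = 20) -> List[Tuple[str, float]]:
    """(token, entropy) for long base64- or hex-looking runs above a threshold;
    this is the kind of string an entropy check (--entropy) reports.
    Thresholds are assumptions of this illustration."""
    found: List[Tuple[str, float]] = []
    for word in blob.split():
        for run in alphabet_runs(word, BASE64_CHARS, min_len):
            e = shannon_entropy(run, BASE64_CHARS)
            if e > b64_threshold:
                found.append((run, e))
        for run in alphabet_runs(word, HEX_CHARS, min_len):
            e = shannon_entropy(run, HEX_CHARS)
            if e > hex_threshold:
                found.append((run, e))
    return found


if __name__ == "__main__":
    for name, hit in regex_findings(SAMPLE_BLOB, load_rules(RULES_JSON)):
        print(f"regex   {name}: {hit}")
    for token, e in entropy_findings(SAMPLE_BLOB):
        print(f"entropy {e:.2f} bits: {token}")
```

Running it shows the two detectors disagreeing in a useful way: the placeholder AWS key is caught only by the regex rule (its entropy is about 3.7 bits, below the base64 threshold), while the 48-character password is caught only by the entropy check. The git SHA is also flagged by the hex entropy check at about 3.97 bits, which is exactly the class of true-but-uninteresting finding that --exclude-signatures exists to silence once a human has reviewed it.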

-i, --include-paths <include_paths>

File with regular expressions (one per line), at least one of which must match a Git object path for that path to be scanned; lines starting with ‘#’ are treated as comments and are ignored. If empty or not provided (the default), all Git object paths are included unless excluded via the --exclude-paths option.

-x, --exclude-paths <exclude_paths>

File with regular expressions (one per line), none of which may match a Git object path for that path to be scanned; lines starting with ‘#’ are treated as comments and are ignored. If empty or not provided (the default), no Git object paths are excluded unless effectively excluded via the --include-paths option.
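Before committing an include or exclude file it is worth dry-running it against the repository's paths, since a pattern that is too broad silently removes files from the scan. The following added example (not tartufo's own code) applies the rules stated for --include-paths and --exclude-paths above to a constructed list of paths of the kind `git ls-files` prints: comment and blank lines are skipped, an absent file behaves like an empty one, and a path is scanned only if it matches at least one include pattern (when any are given) and no exclude pattern. Whether patterns are anchored to the start of the path is not stated on this page; this example searches anywhere in the path and anchors explicitly with ^ and $, which is an assumption.

```python
import re
from typing import List, Optional, Pattern, Sequence

# Constructed contents of an --include-paths file (not taken from the page).
INCLUDE_FILE = r"""
# only application source and deployment manifests are worth scanning
^src/
^deploy/.*\.ya?ml$
"""

# Constructed contents of an --exclude-paths file.
EXCLUDE_FILE = r"""
# vendored code and fixtures produce noise that is not ours to fix
^src/vendor/
fixtures/
\.min\.js$
"""

# Constructed Git object paths, as `git ls-files` would print them.
SAMPLE_PATHS = [
    "src/app/settings.py",
    "src/vendor/lib/crypto.py",
    "deploy/prod/values.yaml",
    "deploy/README.md",
    "tests/fixtures/keys.pem",
    "src/static/app.min.js",
]


def load_path_patterns(contents: Optional[str]) -> List[Pattern[str]]:
    """One regex per line; blank lines and lines starting with '#' are ignored.
    A missing file (None) is treated exactly like an empty one."""
    patterns: List[Pattern[str]] = []
    for raw in (contents or "").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        patterns.append(re.compile(line))
    return patterns


def path_is_scanned(path: str, includes: Sequence[Pattern[str]],
                    excludes: Sequence[Pattern[str]]) -> bool:
    """Documented rule: when include patterns exist at least one must match,
    and no exclude pattern may match. Assumption of this illustration: patterns
    are searched anywhere in the path, so anchor with ^ or $ where that matters."""
    if includes and not any(p.search(path) for p in includes):
        return False
    if any(p.search(path) for p in excludes):
        return False
    return True


def filter_paths(paths: Sequence[str], include_contents: Optional[str] = None,
                 exclude_contents: Optional[str] = None) -> List[str]:
    """Dry-run the two pattern files against a list of paths."""
    includes = load_path_patterns(include_contents)
    excludes = load_path_patterns(exclude_contents)
    return [p for p in paths if path_is_scanned(p, includes, excludes)]


if __name__ == "__main__":
    for p in filter_paths(SAMPLE_PATHS, INCLUDE_FILE, EXCLUDE_FILE):
        print("would scan:", p)
```

With both files applied only `src/app/settings.py` and `deploy/prod/values.yaml` survive; dropping the include file lets `deploy/README.md` back in, and with neither file every path is scanned. Note that `fixtures/` is unanchored on purpose so it also removes `tests/fixtures/keys.pem`; the two anchored patterns show the opposite choice.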

-e, --exclude-signatures <exclude_signatures>

Specify signatures of matches that you explicitly want to exclude from the scan, and mark as okay. These signatures are generated during the scan process, and reported out with each individual match. This option can be specified multiple times, to exclude as many signatures as you would like.

-od, --output-dir <output_dir>

If specified, all issues will be written out as individual JSON files to a uniquely named directory under this one. This will help with keeping the results of individual runs of tartufo separated.

--git-rules-repo <git_rules_repo>

A file path, or git URL, pointing to a git repository containing regex rules to be used for scanning. By default, all .json files will be loaded from the root of that repository. --git-rules-files can be used to override this behavior and load specific files.

--git-rules-files <git_rules_files>

Used in conjunction with --git-rules-repo, specify glob-style patterns for files from which to load the regex rules. Can be specified multiple times.

--config <config>

Read configuration from specified file. [default: tartufo.toml]
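Since the regex checks are off by default while entropy checks are on, a team that wants both detectors, JSON output and a reviewed allow-list on every run usually puts that in the configuration file rather than repeating flags in CI. The following is an added example of such a tartufo.toml (not taken from the page or the project); the `[tool.tartufo]` table name and the assumption that keys mirror the long option names without the leading dashes are assumptions of this example, and the signature string is a placeholder to be replaced with a value reported by an actual scan.

```toml
# tartufo.toml (added example; table name and key names assumed to mirror the CLI options)
[tool.tartufo]
# the CLI default leaves regex checks off; turn both detectors on
regex = true
entropy = true
# machine-readable output for CI and for diffing between runs
json = true
# path filters, assumed to correspond to --include-paths / --exclude-paths
include-paths = "tartufo-includes.txt"
exclude-paths = "tartufo-excludes.txt"
# signatures reported by earlier scans that a human has reviewed and accepted
exclude-signatures = [
    "<signature string copied from a previous scan report>",
]
```

Keeping the signature list in a committed file rather than on the command line gives the allow-list a review trail in git, which matters more than convenience: every entry here is a finding someone decided not to rotate.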

-q, --quiet, --no-quiet

Quiet mode. No output is reported if the scan succeeds and finds no issues.

-v, --verbose

Display more verbose output. Specifying this option multiple times will incrementally increase the amount of output.

-V, --version

Show the version and exit.

pre-commit

Scan staged changes in a pre-commit hook.

tartufo pre-commit [OPTIONS]

scan-local-repo

Scan a repository already cloned to your local system.

tartufo scan-local-repo [OPTIONS] REPO_PATH

Options

--since-commit <since_commit>

Only scan from a given commit hash.

--max-depth <max_depth>

The max commit depth to go back when searching for secrets.

Default

1000000

--branch <branch>

Specify a branch name to scan only that branch.

--fetch, --no-fetch

Controls whether or not the remote repo is fetched prior to local scanning.

Default

True

Arguments

REPO_PATH

Required argument

scan-remote-repo

Automatically clone and scan a remote git repository.

tartufo scan-remote-repo [OPTIONS] GIT_URL

Options

--since-commit <since_commit>

Only scan from a given commit hash.

--max-depth <max_depth>

The max commit depth to go back when searching for secrets.

Default

1000000

--branch <branch>

Specify a branch name to scan only that branch.

-wd, --work-dir <work_dir>

Specify a working directory; this is where the repository will be cloned to before scanning.

Arguments

GIT_URL

Required argument