Usage

tartufo

Find secrets hidden in the depths of git.

Tartufo will, by default, scan the entire history of a git repository for any text which looks like a secret, password, credential, etc. It can also run in pre-commit mode, scanning the staged changes as a pre-commit hook.

tartufo [OPTIONS] COMMAND [ARGS]...
Options

--rules <rules>
    Path(s) to regex rules JSON list file(s).

--default-regexes, --no-default-regexes
    Whether to include the default regex list when configuring search patterns. Only applicable if --rules is also specified.
    Default: True

--entropy, --no-entropy
    Enable entropy checks.
    Default: True

--regex, --no-regex
    Enable high-signal regex checks.
    Default: True

--scan-filenames, --no-scan-filenames
    Check the names of files being scanned as well as their contents.
    Default: True

-ip, --include-path-patterns <include_path_patterns>
    A regular expression matching Git object paths to include in the scan. May be given multiple times to include multiple patterns. If not provided (default), all Git object paths are included unless excluded via --exclude-path-patterns.

-xp, --exclude-path-patterns <exclude_path_patterns>
    A regular expression matching Git object paths to exclude from the scan. May be given multiple times to exclude multiple patterns. If not provided (default), no Git object paths are excluded unless they are effectively excluded by not matching any --include-path-patterns.

-of, --output-format <output_format>
    Format in which output is generated. If not provided (default), output is generated in text format.
    Options: json | compact | text

-xe, --exclude-entropy-patterns <exclude_entropy_patterns>
    A regular expression matching entropy strings to exclude from the scan, written as {path regex}::{pattern regex}. May be given multiple times to exclude multiple patterns. If not provided (default), no entropy strings are excluded.

-e, --exclude-signatures <exclude_signatures>
    Signatures of matches that you explicitly want to exclude from the scan and mark as okay. Signatures are generated during the scan process and reported with each individual match. May be given multiple times to exclude as many signatures as you like.

-od, --output-dir <output_dir>
    If specified, every issue is written out as an individual JSON file to a uniquely named directory under this one. This keeps the results of separate tartufo runs apart.

--git-rules-repo <git_rules_repo>
    A file path or git URL pointing to a git repository containing regex rules to be used for scanning. By default, all .json files are loaded from the root of that repository. --git-rules-files can be used to override this behavior and load specific files.

--git-rules-files <git_rules_files>
    Used in conjunction with --git-rules-repo: glob-style patterns for the files from which to load the regex rules. May be given multiple times.

--config <config>
    Read configuration from the specified file.
    Default: tartufo.toml

-q, --quiet, --no-quiet
    Quiet mode. Nothing is reported if the scan succeeds and finds no issues.

-v, --verbose
    Display more verbose output. Specifying this option multiple times incrementally increases the amount of output.

--log-timestamps, --no-log-timestamps
    Enable or disable timestamps in logging messages.
    Default: True

-b64, --b64-entropy-score <b64_entropy_score>
    Entropy threshold for base64 strings. A value above the default reports only higher-entropy base64 strings (longer or more random); a lower value also reports lower-entropy base64 strings (shorter or less random).
    Default: 4.5

-hex, --hex-entropy-score <hex_entropy_score>
    Entropy threshold for hexadecimal strings. A value above the default reports only higher-entropy hexadecimal strings (longer or more random); a lower value also reports lower-entropy hexadecimal strings (shorter or less random).
    Default: 3.0

-V, --version
    Show the version and exit.
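The entropy thresholds, the include/exclude path patterns, the {path regex}::{pattern regex} entropy exclusions and the signature exclusions described above are easiest to understand when you can run them against known input. The following Python scanner is an added example written for this page; it is not tartufo's own implementation. It mirrors the documented defaults (4.5 for base64, 3.0 for hex), but the minimum run length (MIN_LENGTH), the signature scheme (a BLAKE2s hash of the matched string and its path), the use of re.search for every pattern, and the SAMPLE_FILES input are assumptions constructed for illustration.

```python
# Added example modelled on the tartufo options documented above; not tartufo's code.
import hashlib
import math
import re
from typing import Dict, Iterator, List, NamedTuple, Sequence

BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
HEX_CHARS = "0123456789abcdefABCDEF"
MIN_LENGTH = 20           # assumption: shorter character runs are ignored
B64_ENTROPY_SCORE = 4.5   # documented --b64-entropy-score default
HEX_ENTROPY_SCORE = 3.0   # documented --hex-entropy-score default


class Finding(NamedTuple):
    path: str
    kind: str          # "base64" or "hex"
    matched: str
    entropy: float
    signature: str


def shannon_entropy(data: str) -> float:
    """Bits per character; equals log2(N) when all N characters are equally frequent."""
    n = len(data)
    counts = (data.count(ch) for ch in set(data))
    return -sum((c / n) * math.log2(c / n) for c in counts) if n else 0.0


def candidate_runs(text: str, charset: str) -> Iterator[str]:
    """Maximal runs of `charset` characters that are at least MIN_LENGTH long."""
    run: List[str] = []
    for ch in text + "\n":             # trailing sentinel flushes the final run
        if ch in charset:
            run.append(ch)
            continue
        if len(run) >= MIN_LENGTH:
            yield "".join(run)
        run = []


def signature(matched: str, path: str) -> str:
    """Stable identifier for a match. Assumption: a hash over the string and its path."""
    return hashlib.blake2s(f"{matched}$${path}".encode()).hexdigest()


def path_selected(path: str, include: Sequence[str], exclude: Sequence[str]) -> bool:
    """--include-path-patterns / --exclude-path-patterns: a path is scanned when it
    matches some include pattern (or none are given) and matches no exclude pattern."""
    included = not include or any(re.search(p, path) for p in include)
    return included and not any(re.search(p, path) for p in exclude)


class EntropyExclusion:
    """One --exclude-entropy-patterns entry: '{path regex}::{pattern regex}'."""

    def __init__(self, spec: str) -> None:
        path_re, sep, pattern_re = spec.partition("::")
        if not sep:
            raise ValueError(f"expected '{{path regex}}::{{pattern regex}}', got {spec!r}")
        self.path_re, self.pattern_re = re.compile(path_re), re.compile(pattern_re)

    def excludes(self, path: str, matched: str) -> bool:
        # assumption: both halves are applied with re.search
        return bool(self.path_re.search(path) and self.pattern_re.search(matched))


def scan_files(files: Dict[str, str], *, b64_score: float = B64_ENTROPY_SCORE,
               hex_score: float = HEX_ENTROPY_SCORE, include_paths: Sequence[str] = (),
               exclude_paths: Sequence[str] = (), exclude_entropy_patterns: Sequence[str] = (),
               exclude_signatures: Sequence[str] = ()) -> List[Finding]:
    """Scan {path: text} and return the findings that survive every exclusion."""
    rules = [EntropyExclusion(s) for s in exclude_entropy_patterns]
    skip = set(exclude_signatures)
    findings: List[Finding] = []
    for path, text in files.items():
        if not path_selected(path, include_paths, exclude_paths):
            continue
        for kind, charset, threshold in (("base64", BASE64_CHARS, b64_score),
                                         ("hex", HEX_CHARS, hex_score)):
            for run in candidate_runs(text, charset):
                score = shannon_entropy(run)
                if score <= threshold:
                    continue
                sig = signature(run, path)
                if sig in skip or any(r.excludes(path, run) for r in rules):
                    continue
                findings.append(Finding(path, kind, run, score, sig))
    return findings


# Constructed sample input; none of these values are real credentials.
SAMPLE_FILES = {
    "src/config.py": (
        'api_secret = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef"\n'   # 32 distinct chars: entropy 5.0
        'session_id = "0123456789abcdef0123"\n'               # hex run, entropy about 3.92
        'placeholder = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"\n'   # long but entropy 0, never reported
    ),
    "tests/fixtures.py": 'token = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef"\n',
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES, exclude_paths=[r"^tests/"]):
        print(f"{f.path}: {f.kind} entropy={f.entropy:.2f} signature={f.signature}")
```

Two behaviours worth noticing when tuning a real scan: the same string in two files gets two different signatures, so --exclude-signatures silences one occurrence only, whereas an --exclude-entropy-patterns rule like `^src/.*::^0123` silences every match of the pattern under the paths it names; and a placeholder such as 32 repeated characters is long but has zero entropy, so lowering --hex-entropy-score only matters for strings whose entropy lies between the new and old thresholds.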
pre-commit

Scan staged changes in a pre-commit hook.

tartufo pre-commit [OPTIONS]

Options

--include-submodules, --exclude-submodules
    Controls whether the contents of git submodules are scanned.
    Default: False (submodules are not scanned)
scan-folder

Scan a folder.

tartufo scan-folder [OPTIONS] TARGET

Arguments

TARGET
    Required argument: the folder to scan.
scan-local-repo

Scan a repository already cloned to your local system.

tartufo scan-local-repo [OPTIONS] REPO_PATH

Options

--since-commit <since_commit>
    Only scan from the given commit hash onward.

--max-depth <max_depth>
    The maximum commit depth to go back when searching for secrets.
    Default: 1000000

--branch <branch>
    Specify a branch name to scan only that branch.

--include-submodules, --exclude-submodules
    Controls whether the contents of git submodules are scanned.
    Default: False (submodules are not scanned)

Arguments

REPO_PATH
    Required argument: path to the local repository.
scan-remote-repo

Automatically clone and scan a remote git repository.

tartufo scan-remote-repo [OPTIONS] GIT_URL

Options

--since-commit <since_commit>
    Only scan from the given commit hash onward.

--max-depth <max_depth>
    The maximum commit depth to go back when searching for secrets.
    Default: 1000000

--branch <branch>
    Specify a branch name to scan only that branch.

-wd, --work-dir <work_dir>
    Specify a working directory; this is where the repository will be cloned before scanning.

--include-submodules, --exclude-submodules
    Controls whether the contents of git submodules are scanned.
    Default: False (submodules are not scanned)

Arguments

GIT_URL
    Required argument: URL of the remote repository to clone and scan.