trufflehog
Find credentials all over the place
Details
Category: Static Code Analysis
Publisher: trickest
Created Date: 6/23/2021
Container: quay.io/trickest/trufflehog:v3.61.0
Source URL: https://github.com/trufflesecurity/trufflehog
Parameters

Each parameter is listed with its name, type, whether it is required, the command-line flag it maps to (where the tool exposes one), and its description.

key (string)
  Command: --key
  S3 key used to authenticate.

org (string, required)
  Command: --org
  GitHub/GitLab organization to scan.

bare (boolean)
  Command: --bare
  Scan a bare repository (e.g. useful when running in pre-receive hooks).

file (file, required)
  Path to the file to scan (must use the `filesystem` mode).

json (boolean)
  Command: --json
  Output in JSON format.

mode (string, required)
  Scan mode (available options: git, github, gitlab, filesystem, s3, gcs, circleci, and docker).

repo (string, required)
  Command: --repo
  GitHub/GitLab repository to scan.

debug (boolean)
  Command: --debug
  Run in debug mode.

image (string, required)
  Command: --image
  Docker image to scan. The image registry is assumed.

token (string, required)
  Command: --token
  GitHub/GitLab/CircleCI token.

trace (boolean)
  Command: --trace
  Run in trace mode.

branch (string)
  Command: --branch
  Branch to scan.

bucket (string)
  Command: --bucket
  Name of the S3 bucket to scan.

config (file)
  Command: --config
  Path to the configuration file.

secret (string)
  Command: --secret
  S3 secret used to authenticate.

api-key (string)
  Command: --api-key
  GCS API key used to authenticate.

git-url (string, required)
  Git repository URL. An https://, file://, or ssh:// scheme is expected (must use the `git` mode).

endpoint (string)
  Command: --endpoint
  GitHub/GitLab endpoint.

role-arn (string)
  Command: --role-arn
  ARN of an IAM role to assume for scanning.

verifier (string)
  Command: --verifier
  Set custom verification endpoints.

directory (folder, required)
  Path to the directory to scan (must use the `filesystem` mode).

max-depth (string)
  Command: --max-depth
  Maximum depth of commits to scan.

no-update (boolean)
  Command: --no-update
  Don't check for updates.

project-id (boolean)
  Command: --project-id
  GCS project ID used to authenticate. Cannot be used with an unauthenticated scan.

concurrency (string)
  Command: --concurrency
  Number of concurrent workers (default: 1).

json-legacy (boolean)
  Command: --json-legacy
  Use the pre-v3.0 JSON format. Only works with the git, gitlab, and github sources.

pr-comments (boolean)
  Command: --pr-comments
  Include pull request descriptions and comments in the scan.

since-commit (string)
  Command: --since-commit
  Commit to start the scan from.

without-auth (boolean)
  Command: --without-auth
  Scan GCS buckets without authentication. This only works for public buckets.

exclude-globs (string)
  Command: --exclude-globs
  Comma-separated list of globs to exclude from the scan. This option filters at the `git log` level, resulting in faster scans.

exclude-paths (file)
  Command: --exclude-paths
  Path to a file with newline-separated regexes for files to exclude from the scan.

exclude-repos (string)
  Command: --exclude-repos
  Repositories to exclude from an org scan. This can also be a glob pattern. Must use the GitHub repo full name. Example: trufflesecurity/trufflehog, trufflesecurity/t*

gist-comments (boolean)
  Command: --gist-comments
  Include gist comments in the scan.

include-forks (boolean)
  Command: --include-forks
  Include forks in the scan.

include-paths (file)
  Command: --include-paths
  Path to a file with newline-separated regexes for files to include in the scan.

include-repos (string)
  Command: --include-repos
  Repositories to include in an org scan. This can also be a glob pattern. Must use the GitHub repo full name. Example: trufflesecurity/trufflehog, trufflesecurity/t*

only-verified (boolean)
  Command: --only-verified
  Only output verified results.

session-token (string)
  Command: --session-token
  S3 session token used to authenticate with temporary credentials.

filter-entropy (string)
  Command: --filter-entropy
  Filter unverified results by Shannon entropy. Start with 3.0.

github-actions (boolean)
  Command: --github-actions
  Output in GitHub Actions format.

issue-comments (boolean)
  Command: --issue-comments
  Include issue descriptions and comments in the scan.

archive-timeout (string)
  Command: --archive-timeout
  Maximum time to spend extracting an archive.

exclude-buckets (string)
  Command: --exclude-buckets
  Buckets to exclude from the scan. Comma-separated list of buckets. Globs are supported.

exclude-objects (string)
  Command: --exclude-objects
  Objects to exclude from the scan. Comma-separated list of objects. Globs are supported.

include-buckets (string)
  Command: --include-buckets
  Buckets to scan. Comma-separated list of buckets. Globs are supported.

include-members (boolean)
  Command: --include-members
  Include organization member repositories in the scan.

include-objects (string)
  Command: --include-objects
  Objects to scan. Comma-separated list of objects. Globs are supported.

max-object-size (string)
  Command: --max-object-size
  Maximum size of objects to scan. Objects larger than this are skipped. (Byte units, e.g. 512B, 2KB, 4MB.)

no-verification (boolean)
  Command: --no-verification
  Don't verify the results.

service-account (file)
  Command: --service-account
  Path to the GCS service account JSON file.

archive-max-size (string)
  Command: --archive-max-size
  Maximum size of archive to scan. (Byte units, e.g. 512B, 2KB, 4MB.)

archive-max-depth (string)
  Command: --archive-max-depth
  Maximum depth of archive to scan.

cloud-environment (boolean)
  Command: --cloud-environment
  Use the default IAM credentials of the cloud environment.

exclude-detectors (string)
  Command: --exclude-detectors
  Comma-separated list of detector types to exclude. Protobuf names or IDs may be used, as well as ranges. IDs defined here take precedence over the include list.

filter-unverified (boolean)
  Command: --filter-unverified
  Only output the first unverified result per chunk per detector when there is more than one result.

include-detectors (string)
  Command: --include-detectors
  Comma-separated list of detector types to include. Protobuf names or IDs may be used, as well as ranges.

print-avg-detector-time (boolean)
  Command: --print-avg-detector-time
  Print the average time spent on each detector.