trufflehog
Find credentials all over the place
Name:trufflehog
Category:Static Code Analysis
Publisher:trickest
Created:6/23/2021
Container:
quay.io/trickest/trufflehog:v3.61.0Output Type:
License:Unknown
Source:View Source
Parameters
--keyS3 key used to authenticate.--orgGitHub/GitLab organization to scan.--bareScan bare repository (e.g. useful while using in pre-receive hooks)--jsonOutput in JSON format.--repoGitHub/GitLab repository to scan.--debugRun in debug mode.--imageDocker image to scan. Image registry is assumed.--tokenGitHub/GitLab/CircleCI token--traceRun in trace mode.--branchBranch to scan.--bucketName of S3 bucket to scan.--configPath to configuration file.--secretS3 secret used to authenticate.--api-keyGCS API key used to authenticate.--endpointGitHub/GitLab endpoint--role-arnSpecify the ARN of an IAM role to assume for scanning.--verifierSet custom verification endpoints.--max-depthMaximum depth of commits to scan.--no-updateDon't check for updates.--project-idGCS project ID used to authenticate. Can NOT be used with unauth scan.--concurrencyNumber of concurrent workers (default: 1).--json-legacyUse the pre-v3.0 JSON format. Only works with git, gitlab, and github sources.--pr-commentsInclude pull request descriptions and comments in scan.--since-commitCommit to start scan from.--without-authScan GCS buckets without authentication. This will only work for public buckets--exclude-globsComma separated list of globs to exclude in scan. This option filters at the `git log` level, resulting in faster scans.--exclude-pathsPath to file with newline separated regexes for files to exclude in scan.--exclude-reposRepositories to include in an org scan. This can also be a glob pattern. Must use Github repo full name. Example: trufflesecurity/trufflehog, trufflesecurity/t*--gist-commentsInclude gist comments in scan.--include-forksInclude forks in scan.--include-pathsPath to file with newline separated regexes for files to include in scan.--include-reposRepositories to include in an org scan. This can also be a glob pattern. Must use Github repo full name. Example: trufflesecurity/trufflehog, trufflesecurity/t*--only-verifiedOnly output verified results.--session-tokenS3 session token used to authenticate temporary credentials.--filter-entropyFilter unverified results with Shannon entropy. Start with 3.0.--github-actionsOutput in GitHub Actions format.--issue-commentsInclude issue descriptions and comments in scan.--archive-timeoutMaximum time to spend extracting an archive.--exclude-bucketsBuckets to exclude from scan. Comma separated list of buckets. Globs are supported--exclude-objectsObjects to exclude from scan. Comma separated list of buckets. Globs are supported--include-bucketsBuckets to scan. Comma separated list of buckets. Globs are supported--include-membersInclude organization member repositories in scan.--include-objectsObjects to scan. Comma separated list of buckets. Globs are supported--max-object-sizeMaximum size of objects to scan. Objects larger than this will be skipped. (Byte units eg. 512B, 2KB, 4MB)--no-verificationDon't verify the results--service-accountPath to GCS service account JSON file.--archive-max-sizeMaximum size of archive to scan. (Byte units eg. 512B, 2KB, 4MB)--archive-max-depthMaximum depth of archive to scan.--cloud-environmentUse default IAM credentials in cloud environment.--exclude-detectorsComma separated list of detector types to exclude. Protobuf name or IDs may be used, as well as ranges. IDs defined here take precedence over the include list.--filter-unverifiedOnly output first unverified result per chunk per detector if there are more than one results.--include-detectorsComma separated list of detector types to include. Protobuf name or IDs may be used, as well as ranges.--print-avg-detector-timePrint the average time spent on each detector.