Details

Category: Static Code Analysis

Publisher: trickest

Created Date: 6/23/2021

Container: quay.io/trickest/trufflehog:v3.61.0

Source URL: https://github.com/trufflesecurity/trufflehog

Parameters

Format: name (type, required if so): flag - description. Entries marked "positional" are passed without a flag.

key (string): --key - S3 key used to authenticate.
org (string, required): --org - GitHub/GitLab organization to scan.
bare (boolean): --bare - Scan a bare repository (e.g. useful in pre-receive hooks).
file (file, required): positional - Path to the file to scan (must use the `filesystem` mode).
json (boolean): --json - Output in JSON format.
mode (string, required): positional - Scan mode (available options: git, github, gitlab, filesystem, s3, gcs, circleci, and docker).
repo (string, required): --repo - GitHub/GitLab repository to scan.
debug (boolean): --debug - Run in debug mode.
image (string, required): --image - Docker image to scan. Image registry is assumed.
token (string, required): --token - GitHub/GitLab/CircleCI token.
trace (boolean): --trace - Run in trace mode.
branch (string): --branch - Branch to scan.
bucket (string): --bucket - Name of the S3 bucket to scan.
config (file): --config - Path to configuration file.
secret (string): --secret - S3 secret used to authenticate.
api-key (string): --api-key - GCS API key used to authenticate.
git-url (string, required): positional - Git repository URL. https://, file://, or ssh:// scheme expected (must use the `git` mode).
endpoint (string): --endpoint - GitHub/GitLab endpoint.
role-arn (string): --role-arn - ARN of an IAM role to assume for scanning.
verifier (string): --verifier - Set custom verification endpoints.
directory (folder, required): positional - Path to the directory to scan (must use the `filesystem` mode).
max-depth (string): --max-depth - Maximum depth of commits to scan.
no-update (boolean): --no-update - Don't check for updates.
project-id (boolean): --project-id - GCS project ID used to authenticate. Cannot be used with an unauthenticated scan.
concurrency (string): --concurrency - Number of concurrent workers (default: 1).
json-legacy (boolean): --json-legacy - Use the pre-v3.0 JSON format. Only works with the git, gitlab, and github sources.
pr-comments (boolean): --pr-comments - Include pull request descriptions and comments in the scan.
since-commit (string): --since-commit - Commit to start the scan from.
without-auth (boolean): --without-auth - Scan GCS buckets without authentication. This only works for public buckets.
exclude-globs (string): --exclude-globs - Comma-separated list of globs to exclude from the scan. This option filters at the `git log` level, resulting in faster scans.
exclude-paths (file): --exclude-paths - Path to a file with newline-separated regexes for files to exclude from the scan.
exclude-repos (string): --exclude-repos - Repositories to exclude from an org scan. This can also be a glob pattern. Must use the GitHub repo full name. Example: trufflesecurity/trufflehog, trufflesecurity/t*
gist-comments (boolean): --gist-comments - Include gist comments in the scan.
include-forks (boolean): --include-forks - Include forks in the scan.
include-paths (file): --include-paths - Path to a file with newline-separated regexes for files to include in the scan.
include-repos (string): --include-repos - Repositories to include in an org scan. This can also be a glob pattern. Must use the GitHub repo full name. Example: trufflesecurity/trufflehog, trufflesecurity/t*
only-verified (boolean): --only-verified - Only output verified results.
session-token (string): --session-token - S3 session token used to authenticate temporary credentials.
filter-entropy (string): --filter-entropy - Filter unverified results by Shannon entropy. Start with 3.0.
github-actions (boolean): --github-actions - Output in GitHub Actions format.
issue-comments (boolean): --issue-comments - Include issue descriptions and comments in the scan.
archive-timeout (string): --archive-timeout - Maximum time to spend extracting an archive.
exclude-buckets (string): --exclude-buckets - Buckets to exclude from the scan. Comma-separated list of buckets. Globs are supported.
exclude-objects (string): --exclude-objects - Objects to exclude from the scan. Comma-separated list of objects. Globs are supported.
include-buckets (string): --include-buckets - Buckets to scan. Comma-separated list of buckets. Globs are supported.
include-members (boolean): --include-members - Include organization member repositories in the scan.
include-objects (string): --include-objects - Objects to scan. Comma-separated list of objects. Globs are supported.
max-object-size (string): --max-object-size - Maximum size of objects to scan. Objects larger than this are skipped. (Byte units, e.g. 512B, 2KB, 4MB.)
no-verification (boolean): --no-verification - Don't verify the results.
service-account (file): --service-account - Path to GCS service account JSON file.
archive-max-size (string): --archive-max-size - Maximum size of archive to scan. (Byte units, e.g. 512B, 2KB, 4MB.)
archive-max-depth (string): --archive-max-depth - Maximum depth of archive to scan.
cloud-environment (boolean): --cloud-environment - Use default IAM credentials in a cloud environment.
exclude-detectors (string): --exclude-detectors - Comma-separated list of detector types to exclude. Protobuf names or IDs may be used, as well as ranges. IDs defined here take precedence over the include list.
filter-unverified (boolean): --filter-unverified - Only output the first unverified result per chunk per detector when there is more than one result.
include-detectors (string): --include-detectors - Comma-separated list of detector types to include. Protobuf names or IDs may be used, as well as ranges.
print-avg-detector-time (boolean): --print-avg-detector-time - Print the average time spent on each detector.