Linux command
trufflehog command
Network
After copying, replace file names, directories, or parameters as needed.
Common examples
Scan git repository
trufflehog git [https://github.com/user/repo]
Scan local git repository
trufflehog git file://[/path/to/repo]
Scan filesystem
trufflehog filesystem [/path/to/scan]
Scan GitHub organization
trufflehog github --org [organization]
Scan S3 bucket
trufflehog s3 --bucket [bucket-name]
Only verified secrets
trufflehog git --only-verified [https://github.com/user/repo]
Output as JSON
trufflehog git --json [https://github.com/user/repo]
Scan specific branch
trufflehog git --branch [main] [https://github.com/user/repo]
Description
trufflehog finds secrets and credentials in code repositories, filesystems, and cloud storage. It uses hundreds of detectors for API keys, passwords, and tokens. The tool scans git history, catching secrets that were committed and later deleted. Each commit is checked against detector patterns. High entropy strings are flagged as potential secrets. Verification mode (--only-verified) actively tests found credentials against their services. This confirms whether secrets are still valid, prioritizing real exposures over false positives. Detectors cover major services: AWS, GCP, Azure, GitHub, Slack, Stripe, Twilio, and many more. Custom regex patterns can extend detection. Multiple source types enable comprehensive scanning: repositories, organizations, cloud storage, Docker images, and local filesystems. JSON output integrates with security tools and CI/CD pipelines. Exit codes indicate whether secrets were found, enabling automated gates.
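The description above mentions JSON output and exit codes as the hooks for automated CI/CD gates. The following is an added example, not part of the page or of trufflehog itself: a small Python gate that reads `trufflehog --json` output from stdin, fails the build when verified findings are present, and prints a report that never echoes the raw secret. The sample lines and their field names (DetectorName, Verified, Raw, Redacted, SourceMetadata.Data.Git) are constructed to mirror trufflehog's JSON-lines shape and are an assumption, not captured tool output.

```python
"""CI gate over trufflehog --json output (added example; not trufflehog's own code)."""
import json
import sys
from collections import Counter

# Constructed sample in the shape of `trufflehog git --json ...` output (one JSON object per line).
# Field names are an assumption; the secret values are fake and only illustrate de-duplication.
SAMPLE_OUTPUT = """\
{"SourceMetadata":{"Data":{"Git":{"commit":"a1b2c3d","file":"config/prod.env","line":12}}},"DetectorName":"AWS","Verified":true,"Raw":"AKIAEXAMPLEEXAMPLE01","Redacted":"AKIA****"}
{"SourceMetadata":{"Data":{"Git":{"commit":"a1b2c3d","file":"src/app.py","line":40}}},"DetectorName":"Slack","Verified":false,"Raw":"xoxb-not-a-real-token","Redacted":"xoxb-****"}
{"SourceMetadata":{"Data":{"Git":{"commit":"ffee001","file":"README.md","line":3}}},"DetectorName":"AWS","Verified":true,"Raw":"AKIAEXAMPLEEXAMPLE01","Redacted":"AKIA****"}
"""


def parse_findings(text):
    """Parse JSON-lines output, tolerating blank or non-JSON lines (e.g. stray log text)."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and "DetectorName" in obj:
            findings.append(obj)
    return findings


def gate(text, require_verified=True):
    """Decide pass/fail. With require_verified=True only live (verified) credentials block the build."""
    gated = [f for f in parse_findings(text) if f.get("Verified") or not require_verified]
    # The same secret re-committed in several places is one exposure to rotate, not several.
    unique_secrets = {(f["DetectorName"], f.get("Raw")) for f in gated}
    report = []
    for f in gated:
        git = f.get("SourceMetadata", {}).get("Data", {}).get("Git", {})
        # Print the Redacted field, never Raw: CI logs are themselves a common leak channel.
        report.append(f"{f['DetectorName']} verified={f.get('Verified')} "
                      f"{git.get('file')}:{git.get('line')} commit={git.get('commit')} value={f.get('Redacted')}")
    return {
        "fail": bool(gated),
        "findings": len(gated),
        "unique_secrets": len(unique_secrets),
        "by_detector": dict(Counter(f["DetectorName"] for f in gated)),
        "report": report,
    }


if __name__ == "__main__":
    # Usage: trufflehog git --json <url> | python gate.py   (add --all to also block on unverified hits)
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    result = gate(text, require_verified="--all" not in sys.argv)
    print("\n".join(result["report"]))
    print(f"{result['findings']} finding(s), {result['unique_secrets']} unique secret(s), by detector: {result['by_detector']}")
    sys.exit(1 if result["fail"] else 0)
```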
Parameters
- git _URL_
- Scan git repository.
- github
- Scan GitHub (org, user, or repo).
- gitlab
- Scan GitLab.
- filesystem _PATH_
- Scan local filesystem.
- s3
- Scan S3 bucket.
- gcs
- Scan Google Cloud Storage.
- docker
- Scan Docker image.
- --only-verified
- Only report verified credentials.
- --json
- Output as JSON.
- --no-update
- Don't check for updates.
- --concurrency _NUM_
- Scanner concurrency.
- --include-paths _FILE_
- Only scan matching paths.
- --exclude-paths _FILE_
- Skip matching paths.
- --include-detectors _LIST_
- Only use specified detectors.
- --exclude-detectors _LIST_
- Skip specified detectors.
- --branch _NAME_
- Scan specific branch.
- --since-commit _HASH_
- Start from commit.
- --max-depth _NUM_
- Maximum commit history depth.
- --no-verification
- Skip credential verification against services.
FAQ
What is the trufflehog command used for?
trufflehog finds secrets and credentials in code repositories, filesystems, and cloud storage. It uses hundreds of detectors for API keys, passwords, and tokens. The tool scans git history, catching secrets that were committed and later deleted. Each commit is checked against detector patterns. High entropy strings are flagged as potential secrets. Verification mode (--only-verified) actively tests found credentials against their services. This confirms whether secrets are still valid, prioritizing real exposures over false positives. Detectors cover major services: AWS, GCP, Azure, GitHub, Slack, Stripe, Twilio, and many more. Custom regex patterns can extend detection. Multiple source types enable comprehensive scanning: repositories, organizations, cloud storage, Docker images, and local filesystems. JSON output integrates with security tools and CI/CD pipelines. Exit codes indicate whether secrets were found, enabling automated gates.
How do I run a basic trufflehog example?
Run `trufflehog git [https://github.com/user/repo]` in a terminal, then adjust file names, paths, flags, or remote targets for your system.
What does git _URL_ do in trufflehog?
Scan git repository.