Tartufo will, by default, scan the entire history of a git repository for any text which looks like a secret, password, credential, etc. It can also be made to work in pre-commit mode, for scanning blobs of text as a pre-commit hook.
tartufo [OPTIONS] COMMAND [ARGS]...Options–default-regexes, –no-default-regexes
Whether to include the default regex list when configuring search patterns. Only applicable if –rules is also specified.Default
True–entropy, –no-entropy
Enable entropy checks.Default
True–regex, –no-regex
Enable high signal regexes checks.Default
True–scan-filenames, –no-scan-filenames
Check the names of files being scanned as well as their contents.Default
True-of, –output-format <output_format>
Specify the format in which the output needs to be generated –output-format json/compact/text. Either json, compact or text can be specified. If not provided (default) the output will be generated in text format.Options
json | compact | text | report-od, –output-dir <output_dir>
If specified, all issues will be written out as individual JSON files to a uniquely named directory under this one. This will help with keeping the results of individual runs of tartufo separated.-td, –temp-dir <temp_dir>
If specified, temporary files will be written to the specified path–buffer-size <buffer_size>
Maximum number of issue to buffer in memory before shifting to temporary file bufferingDefault
10000–git-rules-repo <git_rules_repo>
A file path, or git URL, pointing to a git repository containing regex rules to be used for scanning.
By default, all .json files will be loaded from the root of that repository. –git-rules-files can be used to override this behavior and load specific files.–git-rules-files <git_rules_files>
Used in conjunction with –git-rules-repo, specify glob-style patterns for files from which to load the regex rules. Can be specified multiple times.–config <config>
Read configuration from specified file. [default: tartufo.toml]-q, –quiet, –no-quiet
Quiet mode. No outputs are reported if the scan is successful and doesn’t find any issues-v, –verbose¶
Display more verbose output. Specifying this option multiple times will incrementally increase the amount of output.–log-timestamps, –no-log-timestamps
Enable or disable timestamps in logging messages.Default
True–entropy-sensitivity <entropy_sensitivity>
Modify entropy detection sensitivity. This is expressed as on a scale of 0 to 100, where 0 means “totally nonrandom” and 100 means “totally random”.
Decreasing the scanner’s sensitivity increases the likelihood that a given string will be identified as suspicious.Default
75
For more information click here.
What Are Bash Comments? In Bash scripting, comments are notes in your code that the…
When you write a Bash script in Linux, you want it to run correctly every…
Introduction If you’re new to Bash scripting, one of the first skills you’ll need is…
What is Bash Scripting? Bash scripting allows you to save multiple Linux commands in a file and…
When it comes to automating tasks on Linux, Bash scripting is an essential skill for both beginners…
Learn how to create and use Bash functions with this complete tutorial. Includes syntax, arguments,…