Tartufo will, by default, scan the entire history of a git repository for any text which looks like a secret, password, credential, etc. It can also be made to work in pre-commit mode, for scanning blobs of text as a pre-commit hook.
tartufo [OPTIONS] COMMAND [ARGS]...Options–default-regexes, –no-default-regexes
Whether to include the default regex list when configuring search patterns. Only applicable if –rules is also specified.Default
True–entropy, –no-entropy
Enable entropy checks.Default
True–regex, –no-regex
Enable high signal regexes checks.Default
True–scan-filenames, –no-scan-filenames
Check the names of files being scanned as well as their contents.Default
True-of, –output-format <output_format>
Specify the format in which the output needs to be generated –output-format json/compact/text. Either json, compact or text can be specified. If not provided (default) the output will be generated in text format.Options
json | compact | text | report-od, –output-dir <output_dir>
If specified, all issues will be written out as individual JSON files to a uniquely named directory under this one. This will help with keeping the results of individual runs of tartufo separated.-td, –temp-dir <temp_dir>
If specified, temporary files will be written to the specified path–buffer-size <buffer_size>
Maximum number of issue to buffer in memory before shifting to temporary file bufferingDefault
10000–git-rules-repo <git_rules_repo>
A file path, or git URL, pointing to a git repository containing regex rules to be used for scanning.
By default, all .json files will be loaded from the root of that repository. –git-rules-files can be used to override this behavior and load specific files.–git-rules-files <git_rules_files>
Used in conjunction with –git-rules-repo, specify glob-style patterns for files from which to load the regex rules. Can be specified multiple times.–config <config>
Read configuration from specified file. [default: tartufo.toml]-q, –quiet, –no-quiet
Quiet mode. No outputs are reported if the scan is successful and doesn’t find any issues-v, –verbose¶
Display more verbose output. Specifying this option multiple times will incrementally increase the amount of output.–log-timestamps, –no-log-timestamps
Enable or disable timestamps in logging messages.Default
True–entropy-sensitivity <entropy_sensitivity>
Modify entropy detection sensitivity. This is expressed as on a scale of 0 to 100, where 0 means “totally nonrandom” and 100 means “totally random”.
Decreasing the scanner’s sensitivity increases the likelihood that a given string will be identified as suspicious.Default
75
For more information click here.
Introduction to the Model Context Protocol (MCP) The Model Context Protocol (MCP) is an open…
While file extensions in Linux are optional and often misleading, the file command helps decode what a…
The touch command is one of the quickest ways to create new empty files or update timestamps…
Handling large numbers of files is routine for Linux users, and that’s where the find command shines.…
Managing files and directories is foundational for Linux workflows, and the mv (“move”) command makes it easy…
Creating directories is one of the earliest skills you'll use on a Linux system. The mkdir (make…