Usage Of Tartufo – A Comprehensive Guide To Securing Your Git Repositories

Tartufo will, by default, scan the entire history of a git repository for any text which looks like a secret, password, credential, etc. It can also be made to work in pre-commit mode, for scanning blobs of text as a pre-commit hook.

tartufo [OPTIONS] COMMAND [ARGS]...

Options–default-regexes, –no-default-regexes

Whether to include the default regex list when configuring search patterns. Only applicable if –rules is also specified.Default

True–entropy, –no-entropy

Enable entropy checks.Default

True–regex, –no-regex

Enable high signal regexes checks.Default

True–scan-filenames, –no-scan-filenames

Check the names of files being scanned as well as their contents.Default

True-of, –output-format <output_format>

Specify the format in which the output needs to be generated –output-format json/compact/text. Either json, compact or text can be specified. If not provided (default) the output will be generated in text format.Options

json | compact | text | report-od, –output-dir <output_dir>

If specified, all issues will be written out as individual JSON files to a uniquely named directory under this one. This will help with keeping the results of individual runs of tartufo separated.-td, –temp-dir <temp_dir>

If specified, temporary files will be written to the specified path–buffer-size <buffer_size>

Maximum number of issue to buffer in memory before shifting to temporary file bufferingDefault

10000–git-rules-repo <git_rules_repo>

A file path, or git URL, pointing to a git repository containing regex rules to be used for scanning.

By default, all .json files will be loaded from the root of that repository. –git-rules-files can be used to override this behavior and load specific files.–git-rules-files <git_rules_files>

Used in conjunction with –git-rules-repo, specify glob-style patterns for files from which to load the regex rules. Can be specified multiple times.–config <config>

Read configuration from specified file. [default: tartufo.toml]-q, –quiet, –no-quiet

Quiet mode. No outputs are reported if the scan is successful and doesn’t find any issues-v, –verbose¶

Display more verbose output. Specifying this option multiple times will incrementally increase the amount of output.–log-timestamps, –no-log-timestamps

Enable or disable timestamps in logging messages.Default

True–entropy-sensitivity <entropy_sensitivity>

Modify entropy detection sensitivity. This is expressed as on a scale of 0 to 100, where 0 means “totally nonrandom” and 100 means “totally random”.

Decreasing the scanner’s sensitivity increases the likelihood that a given string will be identified as suspicious.Default

75

For more information click here.