Tartufo will, by default, scan the entire history of a git repository for any text which looks like a secret, password, credential, etc. It can also be made to work in pre-commit mode, for scanning blobs of text as a pre-commit hook.
tartufo [OPTIONS] COMMAND [ARGS]...Options–default-regexes, –no-default-regexes
Whether to include the default regex list when configuring search patterns. Only applicable if –rules is also specified.Default
True–entropy, –no-entropy
Enable entropy checks.Default
True–regex, –no-regex
Enable high signal regexes checks.Default
True–scan-filenames, –no-scan-filenames
Check the names of files being scanned as well as their contents.Default
True-of, –output-format <output_format>
Specify the format in which the output needs to be generated –output-format json/compact/text. Either json, compact or text can be specified. If not provided (default) the output will be generated in text format.Options
json | compact | text | report-od, –output-dir <output_dir>
If specified, all issues will be written out as individual JSON files to a uniquely named directory under this one. This will help with keeping the results of individual runs of tartufo separated.-td, –temp-dir <temp_dir>
If specified, temporary files will be written to the specified path–buffer-size <buffer_size>
Maximum number of issue to buffer in memory before shifting to temporary file bufferingDefault
10000–git-rules-repo <git_rules_repo>
A file path, or git URL, pointing to a git repository containing regex rules to be used for scanning.
By default, all .json files will be loaded from the root of that repository. –git-rules-files can be used to override this behavior and load specific files.–git-rules-files <git_rules_files>
Used in conjunction with –git-rules-repo, specify glob-style patterns for files from which to load the regex rules. Can be specified multiple times.–config <config>
Read configuration from specified file. [default: tartufo.toml]-q, –quiet, –no-quiet
Quiet mode. No outputs are reported if the scan is successful and doesn’t find any issues-v, –verbose¶
Display more verbose output. Specifying this option multiple times will incrementally increase the amount of output.–log-timestamps, –no-log-timestamps
Enable or disable timestamps in logging messages.Default
True–entropy-sensitivity <entropy_sensitivity>
Modify entropy detection sensitivity. This is expressed as on a scale of 0 to 100, where 0 means “totally nonrandom” and 100 means “totally random”.
Decreasing the scanner’s sensitivity increases the likelihood that a given string will be identified as suspicious.Default
75
For more information click here.
Webmin is an open-source web-based control panel for Linux servers. It gives you a browser interface…
MariaDB is an open-source relational database management system. It was created by the original MySQL developers…
Corruption investigations need accuracy, patience, and strong evidence. In 2026, OSINT tools can help researchers,…
Private investigators use OSINT to collect public information, verify identities, review business connections, check public…
Journalists use OSINT to verify public information before publishing. In 2026, misinformation, AI-generated images, fake…
Docker is an open-source platform that lets you package and run applications inside containers. Each container…