This is an enhanced version of the truffleHog scanner

Package is available on PyPI

pip install trufflehog3

Full API documentation is available at feeltheajf.github.io/trufflehog3.

You can always check available options by running

trufflehog3 --help

Here are some basic examples to get you started

# clone remote Git repository, scan 10 latest commits and output to stdout
$ trufflehog3 --max-depth 10 https://github.com/feeltheajf/trufflehog3

# disable Git history search, scan current directory and save report as JSON
$ trufflehog3 --no-history --format json --output report.json

# render HTML report from JSON
$ trufflehog3 -R report.json --output report.html

v3 was heavily updated both under the hood and from API perspective. See below for more details on new features.

.trufflehog3.yml is automatically detected in the root of the scanned directory. However, you can still specify custom path using -c/--config CLI argument. Do not forget to check out the updated .trufflehog3.yml config file format.

HTML reports are now much prettier and more useful than ever. You can filter out specific rules or paths on the fly without fiddling with raw data. Have a look at a sample HTML report and try it on your own.

Inline nosecret comments are now supported for excluding false positives

# skip all rules
password = ""  # nosecret

# only skip rule with specific id
password = ""  # nosecret: generic.password

If for some reason you would like to avoid such behavior, there is a new --ignore-nosecret CLI flag which will tell trufflehog3 to ignore all inline comments.

You can now run an incremental scan by specifying the path to the baseline JSON report as -i/--incremental CLI argument. In this case, only the new issues compared to the baseline will be reported.

Multiprocessing support allows for much faster scans. You can alter the number of processes using -p/--processes CLI argument.

Special thanks to Dylan Ayrey (@dxa4481), developer of the original truffleHog scanner