# 
[](https://github.com/godaddy/tartufo/actions?query=workflow%3Aci)
[](https://codecov.io/gh/godaddy/tartufo)
[](https://pypi.org/project/tartufo/)
[](https://pypi.org/project/tartufo/)
[](https://pypi.org/project/tartufo/)
[](https://pypi.org/project/tartufo/)
[](https://tartufo.readthedocs.io/en/latest/?badge=latest)
[](https://github.com/godaddy/tartufo/blob/main/LICENSE)
`tartufo` searches through git repositories for secrets, digging deep into
commit history and branches. This is effective at finding secrets accidentally
committed. `tartufo` also can be used by git pre-commit scripts to screen
changes for secrets before they are committed to the repository.
This tool will go through the entire commit history of each branch, and check
each diff from each commit, and check for secrets. This is both by regex and by
entropy. For entropy checks, tartufo will evaluate the shannon entropy for both
the base64 char set and hexidecimal char set for every blob of text greater
than 20 characters comprised of those character sets in each diff. If at any
point a high entropy string > 20 characters is detected, it will print to the
screen.
## Example
## Documentation
Our main documentation site is hosted by Read The Docs, at
<https://tartufo.readthedocs.io>.
## Usage
```bash
Usage: tartufo [OPTIONS] COMMAND [ARGS]...
Find secrets hidden in the depths of git.
Tartufo will, by default, scan the entire history of a git repository for
any text which looks like a secret, password, credential, etc. It can also
be made to work in pre-commit mode, for scanning blobs of text as a pre-
commit hook.
Options:
--default-regexes / --no-default-regexes
Whether to include the default regex list
when configuring search patterns. Only
applicable if --rules is also specified.
[default: default-regexes]
--entropy / --no-entropy Enable entropy checks. [default: entropy]
--regex / --no-regex Enable high signal regexes checks.
[default: regex]
--scan-filenames / --no-scan-filenames
Check the names of files being scanned as
well as their contents. [default: scan-
filenames]
-of, --output-format [json|compact|text|report]
Specify the format in which the output needs
to be generated `--output-format
json/compact/text/report`. Either `json`,
`compact`, `text` or `report` can be
specified. If not provided (default) the
output will be generated in `text` format.
-od, --output-dir DIRECTORY If specified, all issues will be written out
as individual JSON files to a uniquely named
directory under this one. This will help
with keeping the results of individual runs
of tartufo separated.
-td, --temp-dir DIRECTORY If specified, temporary files will be
written to the specified path
--buffer-size INTEGER Maximum number of issue to buffer in memory
before shifting to temporary file buffering
[default: 10000]
--git-rules-repo TEXT A file path, or git URL, pointing to a git
repository containing regex rules to be used
for scanning. By default, all .json files
will be loaded from the root of that
repository. --git-rules-files can be used to
override this behavior and load specific
files.
--git-rules-files TEXT Used in conjunction with --git-rules-repo,
specify glob-style patterns for files from
which to load the regex rules. Can be
specified multiple times.
--config FILE Read configuration from specified file.
[default: tartufo.toml]
--target-config/--no-target-config
Enable or Disable processing of the config file in the
repository or folder being scanned
i.e. config files like tartufo.toml or pyproject.toml
[default: target-config]
-q, --quiet / --no-quiet Quiet mode. No outputs are reported if the
scan is successful and doesn't find any
issues
-v, --verbose Display more verbose output. Specifying this
option multiple times will incrementally
increase the amount of output.
--log-timestamps / --no-log-timestamps
Enable or disable timestamps in logging
messages. [default: log-timestamps]
--entropy-sensitivity INTEGER RANGE
Modify entropy detection sensitivity. This
is expressed as on a scale of 0 to 100,
where 0 means "totally nonrandom" and 100
means "totally random". Decreasing the
scanner's sensitivity increases the
likelihood that a given string will be
identified as suspicious. [default: 75;
0<=x<=100]
--color / --no-color Enable or disable terminal color. If not
provided (default), enabled if output is a
terminal (TTY).
-V, --version Show the version and exit.
-h, --help Show this message and exit.
Commands:
pre-commit Scan staged changes in a pre-commit hook.
scan-remote-repo Automatically clone and scan a remote git repository.
scan-folder Scan a folder.
scan-local-repo Scan a repository already cloned to your local system.
```
## Contributing
All contributors and contributions are welcome! Please see [our contributing
docs] for more information.
## Attributions
This project was inspired by and built off of the work done by Dylan Ayrey on
the [truffleHog] project.
[our contributing docs]: https://tartufo.readthedocs.io/en/latest/CONTRIBUTING.html
[pre-commit]: https://pre-commit.com/
[truffleHog]: https://github.com/dxa4481/truffleHog
Raw data
{
"_id": null,
"home_page": "https://github.com/godaddy/tartufo/",
"name": "tartufo",
"maintainer": "GoDaddy",
"docs_url": null,
"requires_python": "<3.14,>=3.8",
"maintainer_email": "oss@godaddy.com",
"keywords": "git, security, secrets, entropy, scanner",
"author": "GoDaddy",
"author_email": "oss@godaddy.com",
"download_url": "https://files.pythonhosted.org/packages/52/70/2e1422e84b1f817cb4f626337a783e44c60d9c4c1ada8c9f1a671afadb33/tartufo-5.0.2.tar.gz",
"platform": null,
"description": "# \n\n[](https://github.com/godaddy/tartufo/actions?query=workflow%3Aci)\n[](https://codecov.io/gh/godaddy/tartufo)\n[](https://pypi.org/project/tartufo/)\n[](https://pypi.org/project/tartufo/)\n[](https://pypi.org/project/tartufo/)\n[](https://pypi.org/project/tartufo/)\n[](https://tartufo.readthedocs.io/en/latest/?badge=latest)\n[](https://github.com/godaddy/tartufo/blob/main/LICENSE)\n\n`tartufo` searches through git repositories for secrets, digging deep into\ncommit history and branches. This is effective at finding secrets accidentally\ncommitted. `tartufo` also can be used by git pre-commit scripts to screen\nchanges for secrets before they are committed to the repository.\n\nThis tool will go through the entire commit history of each branch, and check\neach diff from each commit, and check for secrets. This is both by regex and by\nentropy. For entropy checks, tartufo will evaluate the shannon entropy for both\nthe base64 char set and hexidecimal char set for every blob of text greater\nthan 20 characters comprised of those character sets in each diff. If at any\npoint a high entropy string > 20 characters is detected, it will print to the\nscreen.\n\n## Example\n\n\n\n## Documentation\n\nOur main documentation site is hosted by Read The Docs, at\n<https://tartufo.readthedocs.io>.\n\n## Usage\n\n```bash\nUsage: tartufo [OPTIONS] COMMAND [ARGS]...\n\n Find secrets hidden in the depths of git.\n\n Tartufo will, by default, scan the entire history of a git repository for\n any text which looks like a secret, password, credential, etc. It can also\n be made to work in pre-commit mode, for scanning blobs of text as a pre-\n commit hook.\n\nOptions:\n --default-regexes / --no-default-regexes\n Whether to include the default regex list\n when configuring search patterns. Only\n applicable if --rules is also specified.\n [default: default-regexes]\n --entropy / --no-entropy Enable entropy checks. [default: entropy]\n --regex / --no-regex Enable high signal regexes checks.\n [default: regex]\n --scan-filenames / --no-scan-filenames\n Check the names of files being scanned as\n well as their contents. [default: scan-\n filenames]\n -of, --output-format [json|compact|text|report]\n Specify the format in which the output needs\n to be generated `--output-format\n json/compact/text/report`. Either `json`,\n `compact`, `text` or `report` can be\n specified. If not provided (default) the\n output will be generated in `text` format.\n -od, --output-dir DIRECTORY If specified, all issues will be written out\n as individual JSON files to a uniquely named\n directory under this one. This will help\n with keeping the results of individual runs\n of tartufo separated.\n -td, --temp-dir DIRECTORY If specified, temporary files will be\n written to the specified path\n --buffer-size INTEGER Maximum number of issue to buffer in memory\n before shifting to temporary file buffering\n [default: 10000]\n --git-rules-repo TEXT A file path, or git URL, pointing to a git\n repository containing regex rules to be used\n for scanning. By default, all .json files\n will be loaded from the root of that\n repository. --git-rules-files can be used to\n override this behavior and load specific\n files.\n --git-rules-files TEXT Used in conjunction with --git-rules-repo,\n specify glob-style patterns for files from\n which to load the regex rules. Can be\n specified multiple times.\n --config FILE Read configuration from specified file.\n [default: tartufo.toml]\n --target-config/--no-target-config\n Enable or Disable processing of the config file in the\n repository or folder being scanned\n i.e. config files like tartufo.toml or pyproject.toml\n [default: target-config]\n -q, --quiet / --no-quiet Quiet mode. No outputs are reported if the\n scan is successful and doesn't find any\n issues\n -v, --verbose Display more verbose output. Specifying this\n option multiple times will incrementally\n increase the amount of output.\n --log-timestamps / --no-log-timestamps\n Enable or disable timestamps in logging\n messages. [default: log-timestamps]\n --entropy-sensitivity INTEGER RANGE\n Modify entropy detection sensitivity. This\n is expressed as on a scale of 0 to 100,\n where 0 means \"totally nonrandom\" and 100\n means \"totally random\". Decreasing the\n scanner's sensitivity increases the\n likelihood that a given string will be\n identified as suspicious. [default: 75;\n 0<=x<=100]\n --color / --no-color Enable or disable terminal color. If not\n provided (default), enabled if output is a\n terminal (TTY).\n -V, --version Show the version and exit.\n -h, --help Show this message and exit.\n\nCommands:\n pre-commit Scan staged changes in a pre-commit hook.\n scan-remote-repo Automatically clone and scan a remote git repository.\n scan-folder Scan a folder.\n scan-local-repo Scan a repository already cloned to your local system.\n```\n\n## Contributing\n\nAll contributors and contributions are welcome! Please see [our contributing\ndocs] for more information.\n\n## Attributions\n\nThis project was inspired by and built off of the work done by Dylan Ayrey on\nthe [truffleHog] project.\n\n[our contributing docs]: https://tartufo.readthedocs.io/en/latest/CONTRIBUTING.html\n[pre-commit]: https://pre-commit.com/\n[truffleHog]: https://github.com/dxa4481/truffleHog\n",
"bugtrack_url": null,
"license": "GPL-2.0-only",
"summary": "tartufo is a tool for scanning git repositories for secrets/passwords/high-entropy data",
"version": "5.0.2",
"project_urls": {
"Documentation": "https://tartufo.readthedocs.io/",
"Homepage": "https://github.com/godaddy/tartufo/",
"Repository": "https://github.com/godaddy/tartufo/"
},
"split_keywords": [
"git",
" security",
" secrets",
" entropy",
" scanner"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "b488799d0049a29e719d5039c07722866035dc422504ff31ade4bf8c9123e2ed",
"md5": "fb3b8e0471eaa65b89f262bfc4139b30",
"sha256": "affe16e3c6830ee7c6693580b88f00acee0f22c82bf1c291fb83435f476f7d0a"
},
"downloads": -1,
"filename": "tartufo-5.0.2-py3-none-any.whl",
"has_sig": false,
"md5_digest": "fb3b8e0471eaa65b89f262bfc4139b30",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": "<3.14,>=3.8",
"size": 55380,
"upload_time": "2024-10-17T23:16:35",
"upload_time_iso_8601": "2024-10-17T23:16:35.547898Z",
"url": "https://files.pythonhosted.org/packages/b4/88/799d0049a29e719d5039c07722866035dc422504ff31ade4bf8c9123e2ed/tartufo-5.0.2-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "52702e1422e84b1f817cb4f626337a783e44c60d9c4c1ada8c9f1a671afadb33",
"md5": "944ba881880075c6ad2a22f7f6682d89",
"sha256": "d7f680da7aadc91840d2bde2605a9e71fa635ac1c6ee39490fb11e9a1494ff58"
},
"downloads": -1,
"filename": "tartufo-5.0.2.tar.gz",
"has_sig": false,
"md5_digest": "944ba881880075c6ad2a22f7f6682d89",
"packagetype": "sdist",
"python_version": "source",
"requires_python": "<3.14,>=3.8",
"size": 51538,
"upload_time": "2024-10-17T23:16:37",
"upload_time_iso_8601": "2024-10-17T23:16:37.360664Z",
"url": "https://files.pythonhosted.org/packages/52/70/2e1422e84b1f817cb4f626337a783e44c60d9c4c1ada8c9f1a671afadb33/tartufo-5.0.2.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-10-17 23:16:37",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "godaddy",
"github_project": "tartufo",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"tox": true,
"lcname": "tartufo"
}
JSON
