---
title: Configuring a scanner
slug: configuring-a-scanner
docTags: 
createdAt: 2024-04-18T14:39:04.999Z
---

## Configuring a scanner

Before a scanner can find secrets, it needs to know *where* to look. 

TruffleHog Enterprise supports two deployment options, and the configuration approach differs slightly between them:

### Hosted scanner

Runs in Truffle Security's infrastructure, in an isolated environment dedicated to your tenant. Configure it entirely from the web UI: connect sources and route notifications without managing any infrastructure. Every tenant starts with a default hosted scanner group, so you can be scanning within minutes.

Best for getting started quickly.

### Self-hosted scanner

Runs on hardware you operate (Kubernetes, VM, etc). Configure it through a local configuration file, and place it in its own scanner group. You manage the compute; Truffle Security manages the detection logic and updates.

Best for sources that aren't reachable from the public internet, or when data residency or network isolation requires scanning inside your environment.



:::BlockQuote
**Note:** Deployment support [Scan for secrets](docId:91JgobvG-nkxpHML0ko7k). Many sources can be scanned by either a hosted or self-hosted scanner, but a few are limited to one option. Check the individual source documentation for the deployment options supported by each.
:::











###

::::WorkflowBlock
:::WorkflowBlockItem
![](https://api.archbee.com/api/optimize/S23bFlGfp3a-8_a9YY_cE/eJqzb5a36qDT9lR7Vj-DO_image.png)
:::
::::