Customizing TruffleHog

Customizing detection


Detector identifiers

The lists accepted by --verify-detectors , --no-verify-detectors , --include-detectors, and --exclude-detectors consist of detector identifiers, each of which consists of a case-insensitive detector type name or number and an optional version indicator. Detector type names and numbers are defined in this canonical list. For example, the following identifiers all specify version 2 of the NPM token detector:

Text


An omitted detector version, or a detector version of 0, means "all versions." For example, the following detector identifiers all specify "all versions of the Gitlab detector":

Text


Include / exclude detectors

TruffleHog scanners running locally can optionally enable or disable specific detectors.

Configuration on the command line

Allow-listing specific detectors

You can manually specify which detectors to use with the --include-detectors flag. The value is a comma-separated list of detector names.

Text


Deny-listing specific detectors

You can manually specify which detectors NOT to use with the --exclude-detectors flag. The value is a comma-separated list of detector names.

Text


Enable / disable verification

TruffleHog scanners running locally can optionally enable or disable verification for individual detectors. Any detectors configured this way will override source verification settings within the config.yaml file.

Configuration on the command line

When running the scan subcommand, the --verify-detectors and --no-verify-detectors CLI flags can be used to configure detector-specific verification override settings. Each flag takes as an argument a comma-separated list of detector identifiers. For example, this trufflehog invocation will force verification for AWS and Buildkite secrets, irrespective of whether the configured sources have their verify flag set:

Bash


Both --verify-detectors and --no-verify-detectors can be specified in the same invocation:

Bash


The special detector identifier all means "all detectors". For example, this invocation will enable verification for all secrets, irrespective of source configuration:

Bash


--no-verify-detectors has precedence over --verify-detectors if there is a conflict. This can be combined with all to specify "all-except" logic. For example, this invocation will force verification for all secrets except AWS secrets:

Bash
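The identifier and precedence rules described above (case-insensitive name or number, optional version where omitted or 0 means all versions, the special `all` identifier, and `--no-verify-detectors` winning over `--verify-detectors`) can be modelled to predict what a given invocation will do. The following is an added example, not TruffleHog's own code: it assumes a `name.vN` version syntax and uses a small constructed registry in place of the canonical detector list.

```python
import re
from dataclasses import dataclass

# Constructed subset of the detector registry (type name -> type number).
# The real canonical list is maintained by TruffleHog; these values are placeholders.
DETECTOR_TYPES = {"aws": 1, "buildkite": 2, "gitlab": 3, "npm": 4}


@dataclass(frozen=True)
class DetectorID:
    name: str      # canonical lower-case type name, or "all"
    version: int   # 0 means "all versions"


def parse_identifier(raw):
    """Parse one identifier: case-insensitive name or number plus an optional
    version suffix. The '.vN' / '.N' suffix form is an assumption of this example."""
    m = re.fullmatch(r"\s*([A-Za-z0-9_]+)(?:\.v?(\d+))?\s*", raw)
    if not m:
        raise ValueError(f"malformed detector identifier: {raw!r}")
    key, version = m.group(1).lower(), int(m.group(2) or 0)
    if key == "all":
        return DetectorID("all", 0)
    if key.isdigit():  # numeric form: look the type number up in the registry
        by_number = {num: name for name, num in DETECTOR_TYPES.items()}
        if int(key) not in by_number:
            raise ValueError(f"unknown detector number: {key}")
        key = by_number[int(key)]
    elif key not in DETECTOR_TYPES:
        raise ValueError(f"unknown detector name: {key}")
    return DetectorID(key, version)


def parse_list(flag_value):
    """Parse a comma-separated flag value into DetectorIDs (empty value -> no overrides)."""
    return [parse_identifier(p) for p in flag_value.split(",")] if flag_value else []


def matches(ids, name, version):
    """True if any identifier covers this detector: 'all', or same name with version 0 / equal."""
    return any(d.name == "all" or (d.name == name and d.version in (0, version)) for d in ids)


def effective_verification(verify_flag, no_verify_flag, name, version, source_verify):
    """Decide whether findings from detector (name, version) are verified.
    --no-verify-detectors takes precedence over --verify-detectors on conflict;
    if neither flag covers the detector, the source's own verify setting applies."""
    if matches(parse_list(no_verify_flag), name, version):
        return False
    if matches(parse_list(verify_flag), name, version):
        return True
    return source_verify
```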