Customizing TruffleHog
Customizing detection
Detector identifiers

The lists accepted by --verify-detectors, --no-verify-detectors, --include-detectors, and --exclude-detectors consist of detector identifiers. Each identifier consists of a case-insensitive detector type name or number and an optional version indicator. Detector type names and numbers are defined in this canonical list: https://github.com/trufflesecurity/trufflehog/blob/main/proto/detectors.proto#L14

For example, the following identifiers all specify version 2 of the NPM token detector:

    NpmToken.v2
    npmtoken.v2
    49.v2

An omitted detector version, or a detector version of 0, means "all versions". For example, the following detector identifiers all specify "all versions of the GitLab detector":

    Gitlab
    gitlab
    gitlab.v0
    9
    9.v0

Include / exclude detectors

TruffleHog scanners running locally can optionally enable or disable specific detectors.

Configuration on the command line

Allow-listing specific detectors: you can manually specify which detectors to use with the --include-detectors flag. The value is a comma-separated list of detector identifiers.

    ./trufflehog scan --config=config.yaml --include-detectors=aws,github

Deny-listing specific detectors: you can manually specify which detectors not to use with the --exclude-detectors flag. The value is a comma-separated list of detector identifiers.

    ./trufflehog scan --config=config.yaml --exclude-detectors=aws,github

Enable / disable verification

TruffleHog scanners running locally can optionally enable or disable verification for individual detectors. Any detectors configured this way override the source verification settings in the config.yaml file.

Configuration on the command line

When running the scan subcommand, the --verify-detectors and --no-verify-detectors CLI flags configure detector-specific verification overrides. Each flag takes as its argument a comma-separated list of detector identifiers.

For example, this TruffleHog invocation forces verification for AWS and Buildkite secrets, irrespective of whether the configured sources have their verify flag set:

    ./scanner scan --config=config.yaml --verify-detectors=aws,buildkite

Both --verify-detectors and --no-verify-detectors can be specified in the same invocation:

    ./scanner scan --config=config.yaml --verify-detectors=aws --no-verify-detectors=buildkite

The special detector identifier all means "all detectors". For example, this invocation enables verification for all secrets, irrespective of source configuration:

    ./scanner scan --config=config.yaml --verify-detectors=all

If there is a conflict, --no-verify-detectors takes precedence over --verify-detectors. This can be combined with all to express "all except" logic. For example, this invocation forces verification for all secrets except AWS secrets:

    ./scanner scan --config=config.yaml --verify-detectors=all --no-verify-detectors=aws