Customizing TruffleHog
Customizing detection

8min
Detector identifiers
The lists accepted by --verify-detectors , --no-verify-detectors , --include-detectors, and --exclude-detectors consist of detector identifiers, each of which consists of a case-insensitive detector type name or number and an optional version indicator. Detector type names and numbers are defined in this canonical list. For example, the following identifiers all specify version 2 of the NPM token detector:
Text
npmtoken.v2
NpmToken.v2
49.v2
npmtoken.v2
NpmToken.v2
49.v2
﻿
An omitted detector version, or a detector version of 0, means "all versions." For example, the following detector identifiers all specify "all versions of the Gitlab detector":
Text
gitlab
Gitlab
Gitlab.v0
9
9.v0
gitlab
Gitlab
Gitlab.v0
9
9.v0
﻿
Include / exclude detectors
TruffleHog scanners running locally can optionally enable or disable specific detectors.
Configuration on the command line.
Allow-listing specific detectors
You can manually specify which detectors to use with the --include-detectors flag. The value is a comma-separated list of detector names.
Text
./trufflehog scan --config=config.yaml --include-detectors=AWS,GitHub
./trufflehog scan --config=config.yaml --include-detectors=AWS,GitHub
﻿
Deny-listing specific detectors
You can manually specify which detectors NOT to use with the --exclude-detectors flag. The value is a comma-separated list of detector names.
Text
./trufflehog scan --config=config.yaml --exclude-detectors=AWS,GitHub
./trufflehog scan --config=config.yaml --exclude-detectors=AWS,GitHub
﻿
Enable / disable verification
TruffleHog scanners running locally can optionally enable or disable verification for individual detectors. Any detectors configured this way will override source verification settings within the config.yaml file.
Configuration on the command line
When running the scan subcommand, the --verify-detectors and --no-verify-detectors CLI flags can be used to configure detector-specific verification override settings. Each flag takes as an argument a comma-separated list of detector identifiers. For example, this trufflehog invocation will force verification for AWS and Buildkite secrets, irrespective of whether the configured sources have their verify flag set:
Text
./scanner scan --config=config.yaml --verify-detectors=AWS,Buildkite
./scanner scan --config=config.yaml --verify-detectors=AWS,Buildkite
﻿
Both --verify-detectors and --no-verify-detectors can be specified in the same invocation:
Text
./scanner scan --config=config.yaml --verify-detectors=AWS --no-verify-detectors=Buildkite
./scanner scan --config=config.yaml --verify-detectors=AWS --no-verify-detectors=Buildkite
﻿
The special detector identifier all means "all detectors". For example, this invocation will enable verification for all secrets, irrespective of source configuration:
Text
./scanner scan --config=config.yaml --verify-detectors=all
./scanner scan --config=config.yaml --verify-detectors=all
﻿
--no-verify-detectors has precedence over --verify-detectors if there is a conflict. This can be combined with all to specify "all-except" logic. For example, this invocation will force verification for all secrets except AWS secrets:
Text
./scanner scan --config=config.yaml --verify-detectors=all --no-verify-detectors=AWS
./scanner scan --config=config.yaml --verify-detectors=all --no-verify-detectors=AWS
﻿
﻿
Updated 12 Jun 2024
Did this page help you?
Custom detectors
On-premise verification