---
title: Customizing detection
slug: customizing-detection
docTags: 
createdAt: 2024-05-13T23:01:14.103Z
---

# Detector identifiers

The lists accepted by `--verify-detectors` , `--no-verify-detectors` , `--include-detectors`, and `--exclude-detectors` consist of detector identifiers, each of which consists of a case-insensitive detector type name or number and an optional version indicator. Detector type names and numbers are defined in [this canonical list](https://github.com/trufflesecurity/trufflehog/blob/main/proto/detectors.proto#L14). For example, the following identifiers all specify version 2 of the NPM token detector:

```text
npmtoken.v2
NpmToken.v2
49.v2
```

An omitted detector version, or a detector version of 0, means "all versions." For example, the following detector identifiers all specify "all versions of the Gitlab detector":

```text
gitlab
Gitlab
Gitlab.v0
9
9.v0
```

# Include / exclude detectors

TruffleHog scanners running locally can optionally enable or disable specific detectors.

## Configuration on the command line.

### Allow-listing specific detectors

You can manually specify which detectors to use with the `--include-detectors` flag. The value is a comma-separated list of detector names.

```none
./trufflehog scan --config=config.yaml --include-detectors=AWS,GitHub
```

### Deny-listing specific detectors

You can manually specify which detectors NOT to use with the `--exclude-detectors` flag. The value is a comma-separated list of detector names.

```none
./trufflehog scan --config=config.yaml --exclude-detectors=AWS,GitHub
```

# Enable / disable verification

TruffleHog scanners running locally can optionally enable or disable verification for individual detectors. Any detectors configured this way will override source verification settings within the config.yaml file.

## Configuration on the command line

When running the `scan` subcommand, the `--verify-detectors` and `--no-verify-detectors` CLI flags can be used to configure detector-specific verification override settings. Each flag takes as an argument a comma-separated list of detector identifiers. For example, this trufflehog invocation will force verification for AWS and Buildkite secrets, irrespective of whether the configured sources have their `verify` flag set:

```bash
./scanner scan --config=config.yaml --verify-detectors=AWS,Buildkite
```

Both `--verify-detectors` and `--no-verify-detectors` can be specified in the same invocation:

```bash
./scanner scan --config=config.yaml --verify-detectors=AWS --no-verify-detectors=Buildkite
```

The special detector identifier `all` means "all detectors". For example, this invocation will enable verification for all secrets, irrespective of source configuration:

```bash
./scanner scan --config=config.yaml --verify-detectors=all
```

`--no-verify-detectors` has precedence over `--verify-detectors` if there is a conflict. This can be combined with `all` to specify "all-except" logic. For example, this invocation will force verification for all secrets *except* AWS secrets:

```bash
./scanner scan --config=config.yaml --verify-detectors=all --no-verify-detectors=AWS
```