Detector-specific verification
Detector-specific verification
TruffleHog scanners running locally can optionally enable or disable verification for individual detectors. Any detectors configured this way will override source verification settings within the config.yaml file.
Configuration on the command line
When running the scan subcommand, the --verify-detectors and --no-verify-detectors CLI flags can be used to configure detector-specific verification override settings. Each flag takes as an argument a comma-separated list of detector identifiers. For example, this trufflehog invocation will force verification for AWS and Buildkite secrets, irrespective of whether the configured sources have their verify flag set:
./scanner scan --config=config.yaml --verify-detectors=AWS,Buildkite
Both --verify-detectors and --no-verify-detectors can be specified in the same invocation:
./scanner scan --config=config.yaml --verify-detectors=AWS --no-verify-detectors=Buildkite
The special detector identifier all means “all detectors”. For example, this invocation will enable verification for all secrets, irrespective of source configuration:
./scanner scan --config=config.yaml --verify-detectors=all
--no-verify-detectors has precedence over --verify-detectors if there is a conflict. This can be combined with all to specify “all-except” logic. For example, this invocation will force verification for all secrets except AWS secrets:
./scanner scan --config=config.yaml --verify-detectors=all --no-verify-detectors=AWS
Detector identifiers
The lists accepted by --verify-detectors and --no-verify-detectors consist of detector identifiers, each of which consists of a case-insensitive detector type name or number and an optional version indicator. Detector type names and numbers are defined in this canonical list. For example, the following identifiers all specify version 2 of the NPM token detector:
npmtoken.v2
NpmToken.v2
49.v2
An omitted detector version, or a detector version of 0, means “all versions.” For example, the following detector identifiers all specify “all versions of the Gitlab detector”:
gitlab
Gitlab
Gitlab.v0
9
9.v0