Detector-specific verification

Detector-specific verification

Trufflehog scanners running locally can optionally enable or disable verification for individual detectors. Any detectors configured this way will override source verification settings within the config.yaml file.

Configuration on the command line

When running the scan subcommand, the --verify-detectors and --no-verify-detectors CLI flags can be used to configure detector-specific verification override settings. Each flag takes as an argument a comma-separated list of detector identifiers. For example, this trufflehog invocation will force verification for AWS and Buildkite secrets, irrespective of whether the configured sources have their verify flag set:

./scanner scan --config=config.yaml --verify-detectors=AWS,Buildkite

Both --verify-detectors and --no-verify-detectors can be specified in the same invocation:

./scanner scan --config=config.yaml --verify-detectors=AWS --no-verify-detectors=Buildkite

The special detector identifier all means “all detectors”. For example, this invocation will enable verification for all secrets, irrespective of source configuration:

./scanner scan --config=config.yaml --verify-detectors=all

--no-verify-detectors has precedence over --verify-detectors if there is a conflict. This can be combined with all to specify “all-except” logic. For example, this invocation will force verification for all secrets except AWS secrets:

./scanner scan --config=config.yaml --verify-detectors=all --no-verify-detectors=AWS

Detector identifiers

The lists accepted by --verify-detectors and --no-verify-detectors consist of detector identifiers, each of which consists of a case-insensitive detector type name or number and an optional version indicator. Detector type names and numbers are defined in this canonical list. For example, the following identifiers all specify version 2 of the NPM token detector:


An omitted detector version, or a detector version of 0, means “all versions.” For example, the following detector identifiers all specify “all versions of the Gitlab detector”:


Last updated on 11-08-2023