Locally-configured detectors
Adding a Detector configuration
Locally-configured detectors are configured in your config.yaml file under the detectors field.
Example config
concurrency: "8"
detectors:
  - keywords:
      - keyword1
      - keyword2
    name: custom regex detector
    regex:
      id: id-[a-zA-Z0-9]{16}
      secret: '[a-zA-Z0-9]{32}'
    verify:
      - endpoint: http://localhost:8000
        headers:
          - 'Authorization: Bearer token'
        unsafe: true
logLevel: info
numWorkers: 16
trufflehogAddress: https://gnarly-flying-pancake.c1.prod.trufflehog.org
trufflehogScannerGroup: account 1 - us-west-2
trufflehogScannerToken: thog-agent-XXXXXXXXXXXXXXXXXXXXXXXXXX
Custom Regex
Beta detector
The custom regex detector allows you to define your own detector using regular expressions with optional verification using a webhook.
detectors:
  - keywords:
      - hog
    name: hog detector
    regex:
      adjective: hogs are (\S+)
    verify:
      - endpoint: http://localhost:8000/
        headers:
          - 'Authorization: Bearer token'
        unsafe: true
keywords are fixed string literals that appear around or in the regular expression you would like to use. They are required and allow us to apply the regular expression to only relevant chunks of data, speeding up scan time. If any one of the provided keywords is found in a chunk of data, the detector will search for the regular expressions.
The regex section is where you’ll define one or more named regular expressions. A match is one of each of the named regular expressions. The total number of matches is the Cartesian product of the regular expressions up to a maximum of 100. For example, if RegexA has 2 matches: A, B and RegexB has 3 matches: 1, 2, 3, the total number of matches will be 6: (A, 1), (A, 2), (A, 3), (B, 1), (B, 2), (B, 3).
Verification
Verification is done via a webhook POST request to the provided endpoint. unsafe must be set to true if the endpoint is HTTP. Provided headers will be sent as is to the verification server.
Payload and Response
An example payload is provided for the above configuration.
{
  "hog detector": {
    "adjective": ["hogs are cool", "cool"]
  }
}
The first index in the array is the full match and subsequent indices are any sub-matches (delineated by surrounding parentheses in the regular expression).
A response status code of 200 OK will mark the secret as verified. Any other response status code will mark the secret as unverified.
An example verification server in Python can be found here.
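A minimal verification server for the hog detector configuration above, added here as an illustration and not the TruffleHog example referenced in the previous sentence. The names check, VerifyHandler and LIVE_VALUES, and the choice of 400/401/403 for the non-200 cases, are assumptions of this example; the page only specifies that 200 means verified and anything else means unverified.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumptions for this example: the header value matches the
# 'Authorization: Bearer token' entry in the config above, and "cool" stands in
# for whatever lookup decides that a captured value is a live secret.
EXPECTED_AUTH = "Bearer token"
DETECTOR_NAME = "hog detector"
LIVE_VALUES = {"cool"}


def check(auth_header, raw_body):
    """Return the HTTP status code for one verification request."""
    # Compare the shared header value in constant time.
    if not hmac.compare_digest((auth_header or "").encode(), EXPECTED_AUTH.encode()):
        return 401
    try:
        matches = json.loads(raw_body)[DETECTOR_NAME]["adjective"]
        candidate = matches[1]  # index 0 is the full match, 1 the first sub-match
    except (ValueError, KeyError, IndexError, TypeError):
        return 400
    if not isinstance(candidate, str):
        return 400
    # Only 200 marks the secret as verified; any other status leaves it unverified.
    return 200 if candidate in LIVE_VALUES else 403


class VerifyHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            length = max(0, int(self.headers.get("Content-Length", "0")))
        except ValueError:
            length = 0
        status = check(self.headers.get("Authorization"), self.rfile.read(length))
        self.send_response(status)
        self.end_headers()


if __name__ == "__main__":
    # Loopback only: the config above posts to http://localhost:8000/ without TLS.
    HTTPServer(("127.0.0.1", 8000), VerifyHandler).serve_forever()
```

With unsafe set to true the matched values and the Authorization header travel over plain HTTP, which is why this server binds to 127.0.0.1 rather than all interfaces.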