Secrets Management

There are three ways to provide the required credentials to TruffleHog:

  1. Config flag with a URI to a secret manager (recommended)
  2. Config flag with a file
  3. Environment variables

Config with URI to a secret manager #

Instead of a file path, you can pass the scanner a URI that tells it to fetch its configuration from an external secret manager rather than from the local filesystem, so the config (and any credentials it holds) never has to be written to disk on the scanning host.

For example,

$ trufflehog scan --config="gsm://my-gcp-project/secret-name"

GCP Secrets Manager #

Google Secret Manager secrets are expected to contain the YAML config file itself, and are referenced with a gsm:// URI that names the GCP project and the secret, as in the example above.


The identity TruffleHog runs as needs read access to that secret (in GCP terms, the Secret Manager Secret Accessor role on the secret or its project). Check out the GCP Secret Manager documentation for more information on using that product.

Config with a file #

You can specify your configuration directly in a file. Environment variables in the form $VARIABLE and ${VARIABLE} found in the file are expanded at runtime, so the file itself never needs to hold the credential: keep the placeholder in the file and set the variable in the scanner's environment.

$ trufflehog scan --config="/path/to/config.yaml"
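As an added example, not TruffleHog's own code, the following Go program shows the two mechanics described in this section and the previous one: how a --config value in the gsm://<project>/<secret> form from the example above can be split into its project and secret parts, and how $VARIABLE / ${VARIABLE} expansion behaves over a config file, including the case the page does not spell out, a referenced variable that is unset. The gsm:// layout (project as host, secret as path), the ConfigSource type, the SCANNER_* variable names and the YAML keys are assumptions made for illustration; the page does not say what the scanner does when a variable is unset, so the fail-closed behaviour here is a design choice of the example, not a description of TruffleHog.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"strings"
)

// ConfigSource is the classified value of the --config flag: either a
// gsm:// URI naming a GCP project and secret, or a path to a local file.
// The field layout is an assumption of this example, not TruffleHog's.
type ConfigSource struct {
	Kind    string // "gsm" or "file"
	Project string // gsm only: GCP project taken from the URI host
	Secret  string // gsm only: secret name taken from the URI path
	Path    string // file only
}

// ParseConfigFlag classifies a --config value using the two forms shown on
// the page. It is an illustration, not TruffleHog's own flag parser.
func ParseConfigFlag(v string) (ConfigSource, error) {
	if v == "" {
		return ConfigSource{}, errors.New("empty --config value")
	}
	if !strings.Contains(v, "://") {
		// No scheme: treat the value as a local file path.
		return ConfigSource{Kind: "file", Path: v}, nil
	}
	u, err := url.Parse(v)
	if err != nil {
		return ConfigSource{}, err
	}
	switch u.Scheme {
	case "gsm":
		secret := strings.Trim(u.Path, "/")
		// Require exactly gsm://<project>/<secret>; anything else is
		// rejected rather than guessed at.
		if u.Host == "" || secret == "" || strings.Contains(secret, "/") {
			return ConfigSource{}, fmt.Errorf("expected gsm://<project>/<secret>, got %q", v)
		}
		return ConfigSource{Kind: "gsm", Project: u.Host, Secret: secret}, nil
	default:
		return ConfigSource{}, fmt.Errorf("unsupported config scheme %q", u.Scheme)
	}
}

// ExpandStrict expands $VARIABLE and ${VARIABLE} references in text using
// lookup. Unlike os.ExpandEnv, which silently substitutes "" for an unset
// variable, it reports every unset name so a missing credential fails
// loudly instead of producing a config with an empty key.
func ExpandStrict(text string, lookup func(string) (string, bool)) (string, error) {
	var missing []string
	out := os.Expand(text, func(name string) string {
		v, ok := lookup(name)
		if !ok {
			missing = append(missing, name)
		}
		return v
	})
	if len(missing) > 0 {
		return "", fmt.Errorf("unset environment variables: %s", strings.Join(missing, ", "))
	}
	return out, nil
}

// lookupFromMap adapts a map to the lookup signature so the example runs
// without touching the real process environment; use os.LookupEnv for real use.
func lookupFromMap(env map[string]string) func(string) (string, bool) {
	return func(name string) (string, bool) {
		v, ok := env[name]
		return v, ok
	}
}

func main() {
	for _, flag := range []string{"gsm://my-gcp-project/secret-name", "/path/to/config.yaml", "s3://bucket/config"} {
		src, err := ParseConfigFlag(flag)
		fmt.Printf("%-36s -> %+v err=%v\n", flag, src, err)
	}

	// Constructed config text; the keys are placeholders, not TruffleHog's schema.
	const configText = "api_key: ${SCANNER_API_KEY}\nendpoint: $SCANNER_ENDPOINT\n"

	env := map[string]string{"SCANNER_API_KEY": "redacted-token", "SCANNER_ENDPOINT": "https://example.invalid"}
	expanded, err := ExpandStrict(configText, lookupFromMap(env))
	fmt.Printf("expanded:\n%serr=%v\n", expanded, err)

	// Drop one variable to show the fail-closed behaviour.
	delete(env, "SCANNER_API_KEY")
	_, err = ExpandStrict(configText, lookupFromMap(env))
	fmt.Println("missing variable:", err)
}
```

The point of ExpandStrict is the edge case: with plain os.ExpandEnv an unset $SCANNER_API_KEY becomes an empty string and the scanner would start with a blank credential, which is harder to diagnose than an immediate error naming the variable. The same check is worth running yourself before invoking the scanner if you are unsure how it treats unset placeholders.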

Environment variables #

Environment variables alone can provide the bare-minimum configuration TruffleHog needs to connect to the API. If you'd like to reference environment variables from within a config file instead, see Config with a file.