Secrets Management

There are three ways to provide the required credentials to TruffleHog:

  1. Config flag with a URI to a secret manager (recommended)
  2. Config flag with a file
  3. Environment variables

Config with URI to a secret manager

You can pass the scanner a URI in its config flag to indicate that it should retrieve its local configuration from an external source.

For example,

$ trufflehog scan --config="gsm://my-gcp-project/secret-name"
...

GCP Secrets Manager

Google Secrets Manager secrets are expected to contain the YAML config file and are specified with this schema:

gsm://GCP_PROJECT_NAME/SECRET_NAME

Check out the GCP Secret Manager documentation for more information on using that product.

Config with a file

You can specify your configuration directly in a file. Environment variables in the form $VARIABLE and ${VARIABLE} found in the file will be expanded at runtime.

$ trufflehog scan --config="/path/to/config.yaml"
...

Environment variables

Environment variables provide the bare-minimum configuration TruffleHog needs to connect to the API. If you'd like to use environment variables within a config file, see Config with a file.

TRUFFLEHOG_API_ADDRESS=real-big-chipmunk.api.c1.prod.trufflehog.org:8443
TRUFFLEHOG_SCANNER_GROUP=Some scanner group
TRUFFLEHOG_SCANNER_TOKEN=thog-agent-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX