Secrets management

There are three ways to provide the required credentials to TruffleHog:

  1. Config flag with a URI to a secret manager (recommended)
  2. Config flag with a file
  3. Environment variables

Config with URI to a secret manager

You can pass the scanner a URI instead of a file path to tell it to retrieve its configuration from one of several supported secret managers.

For example,

$ trufflehog scan --config="gsm://my-gcp-project/secret-name"
...

AWS Secrets Manager

AWS Secrets Manager secrets are expected to contain the plaintext YAML config file and are passed to the --config flag using this URI scheme:

asm://REGION/SECRET_NAME

Check out the AWS Secrets Manager documentation for more information on using that product.

GCP Secrets Manager

Google Secrets Manager secrets are expected to contain the plaintext YAML config file and are passed to the --config flag using this URI scheme:

gsm://GCP_PROJECT_NAME/SECRET_NAME

Check out the GCP Secret Manager documentation for more information on using that product.

Azure Key Vault

Azure Key Vault secrets are expected to contain the plaintext YAML config file and are passed to the --config flag using this URI scheme:

akv://AZURE_VAULT_NAME/SECRET_NAME

Check out the Azure Key Vault documentation for more information on using that product.

Config with a file

You can specify your configuration directly in a file. Environment variable references written as $VARIABLE or ${VARIABLE} anywhere in the file are expanded at runtime, so the file itself need not contain the credential values.

$ trufflehog scan --config="/path/to/config.yaml"
...
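The two mechanisms above (a --config value that is either a secret-manager URI or a local file path, and $VARIABLE / ${VARIABLE} expansion inside a config file) can be illustrated with the following added example. It is not TruffleHog's own code: the asm://, gsm:// and akv:// URI shapes are taken from this page, while the function names, the sample config text, the decision to reject unknown URI schemes and the decision to fail on undefined variables are assumptions made here for illustration.

```python
"""Added example (not TruffleHog's code): classify a --config value and
expand environment-variable references in a config file.

URI shapes (asm://REGION/SECRET_NAME, gsm://GCP_PROJECT_NAME/SECRET_NAME,
akv://AZURE_VAULT_NAME/SECRET_NAME) come from the page; everything else
here is an assumption made for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Scheme -> meaning of the first path component, as documented on the page.
SECRET_SCHEMES = {
    "asm": "region",   # AWS Secrets Manager
    "gsm": "project",  # GCP Secrets Manager
    "akv": "vault",    # Azure Key Vault
}

# Matches <scheme>://<location>/<secret name>; the secret name keeps any
# further slashes, since some secret managers allow them in names.
_URI_RE = re.compile(r"([a-z]+)://([^/]+)/(.+)")

# Matches $NAME or ${NAME}; group 1 is the braced form, group 2 the bare form.
_VAR_RE = re.compile(r"\$(?:\{([A-Za-z_][A-Za-z0-9_]*)\}|([A-Za-z_][A-Za-z0-9_]*))")


@dataclass(frozen=True)
class ConfigSource:
    kind: str                    # "asm", "gsm", "akv" or "file"
    location: str                # region / project / vault, or the file path
    secret_name: Optional[str] = None


def parse_config_ref(value: str) -> ConfigSource:
    """Decide where a --config value points.

    Assumption: anything that is not one of the three secret-manager URIs is
    a local file path, and a URI with an unrecognised scheme is an error
    rather than a file literally named "xyz://...".
    """
    m = _URI_RE.fullmatch(value)
    if m and m.group(1) in SECRET_SCHEMES:
        scheme, location, secret = m.groups()
        return ConfigSource(kind=scheme, location=location, secret_name=secret)
    if "://" in value:
        raise ValueError(f"unsupported config URI scheme in {value!r}")
    return ConfigSource(kind="file", location=value)


def expand_env(text: str, env: Dict[str, str]) -> str:
    """Replace $VAR and ${VAR} in `text` with values from `env`.

    Assumption: an undefined variable raises instead of expanding to "", so a
    missing secret cannot silently yield a config with an empty token.
    """
    def repl(m: "re.Match[str]") -> str:
        name = m.group(1) or m.group(2)
        if name not in env:
            raise KeyError(f"config references undefined variable ${name}")
        return env[name]
    return _VAR_RE.sub(repl, text)


# Constructed sample config text; the keys are illustrative, not the real schema.
SAMPLE_CONFIG = """\
# constructed sample, not the real TruffleHog config schema
api_address: ${TRUFFLEHOG_API_ADDRESS}
scanner_group: $TRUFFLEHOG_SCANNER_GROUP
scanner_token: ${TRUFFLEHOG_SCANNER_TOKEN}
"""


if __name__ == "__main__":
    for ref in ("gsm://my-gcp-project/secret-name", "/path/to/config.yaml"):
        print(ref, "->", parse_config_ref(ref))
    # Constructed values standing in for the real environment.
    env = {
        "TRUFFLEHOG_API_ADDRESS": "example.api.invalid:8443",
        "TRUFFLEHOG_SCANNER_GROUP": "Some scanner group",
        "TRUFFLEHOG_SCANNER_TOKEN": "thog-agent-PLACEHOLDER",
    }
    print(expand_env(SAMPLE_CONFIG, env))
```

Running the module prints the classified sources and the expanded config. The point of failing on an undefined variable is that the expanded file is what the scanner actually trusts; an empty token is harder to notice than an immediate error.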

Environment variables

Environment variables alone can provide the bare-minimum configuration TruffleHog needs to connect to the API. If you’d like to use environment variables within a config file instead, see Config with a file.

TRUFFLEHOG_API_ADDRESS=real-big-chipmunk.api.c1.prod.trufflehog.org:8443
TRUFFLEHOG_SCANNER_GROUP=Some scanner group
TRUFFLEHOG_SCANNER_TOKEN=thog-agent-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX