Running the scanner
If you've provided the configuration as a file, run the scanner with the file path provided.
The TruffleHog scanner supports concurrency. By default, it uses a concurrency value equal to the number of CPU cores that you have. The detection engine will fully utilize this concurrency, but only some source integrations support concurrency. Some source integrations that fetch data via APIs, such as Slack, Jira, and Confluence, may have their throughput limited on the API server side and may not saturate your CPU.
CPU: 4 cores or more
Memory: 16GB or more
Storage: 10GB or more in the system's temporary directory
See Resource Requirements for more details.
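A preflight check against the minimums above, as an added example (not part of the TruffleHog documentation or tooling). It assumes a Linux host, `$TMPDIR` or `/tmp` as the temporary directory, and decimal gigabytes; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare this host with the minimums listed on this page.
# Assumptions (not from the page): Linux host with /proc/meminfo, the temporary
# directory is $TMPDIR or /tmp, and "GB" means 10^9 bytes.

MIN_CORES=4
MIN_MEM_KIB=15625000   # 16 GB expressed in KiB, the unit /proc/meminfo uses
MIN_TMP_KIB=9765625    # 10 GB expressed in KiB, the unit `df -k` uses

host_cores() { getconf _NPROCESSORS_ONLN 2>/dev/null || echo 0; }

host_mem_kib() {
    if [ -r /proc/meminfo ]; then
        awk '/^MemTotal:/ {print $2}' /proc/meminfo
    else
        echo 0
    fi
}

host_tmp_kib() {
    # Column 4 of POSIX-format df output is the space available to the caller.
    df -Pk "${TMPDIR:-/tmp}" 2>/dev/null | awk 'NR==2 {print $4}'
}

# preflight CORES MEM_KIB TMP_KIB: prints one line per unmet minimum and
# returns the number of unmet minimums (0 means the host qualifies).
preflight() {
    failures=0
    [ "${1:-0}" -ge "$MIN_CORES" ] || {
        echo "CPU: ${1:-0} cores, need $MIN_CORES or more"; failures=$((failures + 1)); }
    [ "${2:-0}" -ge "$MIN_MEM_KIB" ] || {
        echo "Memory: ${2:-0} KiB, need $MIN_MEM_KIB or more"; failures=$((failures + 1)); }
    [ "${3:-0}" -ge "$MIN_TMP_KIB" ] || {
        echo "Temp storage: ${3:-0} KiB free, need $MIN_TMP_KIB or more"; failures=$((failures + 1)); }
    return "$failures"
}

if preflight "$(host_cores)" "$(host_mem_kib)" "$(host_tmp_kib)"; then
    echo "Host meets the listed minimums."
else
    echo "Host is below the listed minimums."
fi
```

MemTotal reports slightly less than the installed RAM because the kernel reserves some at boot, which is why the thresholds use decimal gigabytes.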
--debug, -v: Enables debug mode, increasing verbosity of logs for detailed output useful in debugging. Activates a pprof server for application profiling during execution.
--json: Formats the output as JSON.
--run-once: Executes the scan only once, making the program exit after a single scan instead of running and scanning periodically. WARNING: Using this flag will prevent notifications being sent from local scanners.
--fail-verified: Returns a non-zero exit code when verified secrets are found.
--archive-max-size: Sets a limit on the size of archives to scan, taking a value representing the maximum size in bytes.
--archive-max-depth: Limits how deeply nested archives are inspected. Accepts a value representing the maximum depth to scan.
--archive-timeout: Sets a limit on the time to spend extracting an archive. Accepts a duration value (e.g., "5m" for 5 minutes).
Note: Obtain a full list of commands and flags by running the scanner with the "--help" flag.
- If you've uploaded the configuration to a secrets management solution (recommended), run the scanner with the secret provided as a
See Secrets management for more information on loading configuration from your secret manager.