Getting started
Running the scanner

Secrets management

7min

There are three ways to provide the required credentials to TruffleHog:

  1. Config flag with a URI to a secret manager (recommended)
  2. Config flag with a file
  3. Environment variables

Config with URI to a secret manager

You can provide URIs to the scanner to indicate that it should retrieve the local configuration from different sources.

For example,

$ trufflehog scan --config="gsm://my-gcp-project/secret-name"...

AWS Secrets Manager

AWS Secrets Manager secrets are expected to contain the Plaintext yaml config file, and are specified with this schema to the --config flag:

asm://REGION/SECRET_NAME

Check out the AWS Secret Manager documentation for more information on using that product.

GCP Secrets Manager

Google Secrets Manager secrets are expected to contain the yaml config file, and are specified with this schema to the --config flag:

gsm://GCP_PROJECT_NAME/SECRET_NAME

Check out the GCP Secret Manager documentation for more information on using that product.

Azure Key Vault

Azure Key Vault secrets are expected to contain the YAML config file, and are specified with this schema to the --config flag:

akv://AZURE_VAULT_NAME/SECRET_NAME

Check out the Azure Key Vault documentation for more information on using that product.

Config flag with a file

You can specify your configuration directly in a file. Environment variables in the form $VARIABLE and ${VARIABLE} found in the file will be expanded at runtime.

Shell


Environment variables

Using environment variables can provide the bare-minimum configuration so that TruffleHog can connect to the API. If you’d like to use environment variables within a config file, see the above Config flag with a file section

Shell












Updated 14 May 2024
Doc contributor
Doc contributor
Did this page help you?
PREVIOUS
Resource Requirements
NEXT
Terminology
Docs powered by Archbee