Secrets management
There are three ways to provide the required credentials to TruffleHog:

- --config flag with a URI to a secret manager (recommended)
- --config flag with a file
- Environment variables

--config with URI to a secret manager

You can provide URIs to the scanner to indicate that it should retrieve the local configuration from different sources. For example:

    $ trufflehog scan --config="gsm://my-gcp-project/secret-name"

AWS Secrets Manager

AWS Secrets Manager secrets are expected to contain the plaintext YAML config file, and are specified with this schema to the --config flag:

    asm://region/secret-name

Check out the AWS Secrets Manager documentation for more information on using that product.

GCP Secrets Manager

Google Secrets Manager secrets are expected to contain the YAML config file, and are specified with this schema to the --config flag:

    gsm://gcp-project-name/secret-name

Check out the GCP Secret Manager documentation for more information on using that product.

Azure Key Vault

Azure Key Vault secrets are expected to contain the YAML config file, and are specified with this schema to the --config flag:

    akv://azure-vault-name/secret-name

Check out the Azure Key Vault documentation for more information on using that product.

--config flag with a file

You can specify your configuration directly in a file. Environment variables in the form $variable and ${variable} found in the file will be expanded at runtime.

    $ trufflehog scan --config="/path/to/config.yaml"

Environment variables

Using environment variables can provide the bare minimum configuration so that TruffleHog can connect to the API. If you'd like to use environment variables within a config file, see the above "--config flag with a file" section.

    TRUFFLEHOG_API_ADDRESS=real-big-chipmunk.api.c1.prod.trufflehog.org:8443
    TRUFFLEHOG_SCANNER_GROUP=some scanner group
    TRUFFLEHOG_SCANNER_TOKEN=thog-agent-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
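A pre-flight check for the config sources described above, as an added example that is not TruffleHog's own code: it classifies a config flag value as one of the page's three secret-manager URI schemes or a file path, then audits file text for $variable / ${variable} references that are unset and for a scanner token written in plaintext. The function names, the sample file and its key names are assumptions made for illustration; the sample does not reproduce the scanner's real config schema.

```python
import re

# URI schemes listed on this page, mapped to the names of their two path parts.
SCHEMES = {"asm": ("region", "secret"), "gsm": ("project", "secret"), "akv": ("vault", "secret")}
# Matches the two reference forms the page names: ${variable} and $variable.
VAR_REF = re.compile(r"\$(?:\{([A-Za-z_][A-Za-z0-9_]*)\}|([A-Za-z_][A-Za-z0-9_]*))")
# Token prefix as shown in the page's environment variable example.
LITERAL_TOKEN = re.compile(r"thog-agent-[A-Za-z0-9]+")


def classify_config(value):
    """Return (kind, parts) for a config flag value: secret-manager URI or file path."""
    scheme, sep, rest = value.partition("://")
    if not sep:
        return "file", {"path": value}
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme {scheme!r}")
    first, slash, secret = rest.partition("/")
    if not (first and slash and secret):
        raise ValueError(f"expected {scheme}://{SCHEMES[scheme][0]}/secret-name")
    return scheme, dict(zip(SCHEMES[scheme], (first, secret)))


def audit_config_text(text, env):
    """Report referenced variables that are unset or empty, and lines with a literal token."""
    refs = {braced or bare for braced, bare in VAR_REF.findall(text)}
    missing = sorted(name for name in refs if not env.get(name))
    literal_lines = [n for n, line in enumerate(text.splitlines(), 1)
                     if LITERAL_TOKEN.search(line)]
    return {"missing": missing, "literal_token_lines": literal_lines}


# Constructed sample file: key names are placeholders, not the scanner's real schema.
SAMPLE = """\
address: ${TRUFFLEHOG_API_ADDRESS}
group: $TRUFFLEHOG_SCANNER_GROUP
token: thog-agent-0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    print(classify_config("gsm://my-gcp-project/secret-name"))
    print(audit_config_text(SAMPLE, {"TRUFFLEHOG_API_ADDRESS": "host.example:8443"}))
```

A non-empty `literal_token_lines` result means the file itself holds the credential, so it needs the same access controls as the token; replacing the literal with a variable reference or moving the file into a secret manager avoids that.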