Skip to main content
Version: 2.25 (dev)

trufflehog


Trufflehog secrets scanning

Backend: pants.backend.experimental.tools.trufflehog

Config section: [trufflehog]

Basic options

args

--trufflehog-args="[<shell_str>, <shell_str>, ...]"
PANTS_TRUFFLEHOG_ARGS
pants.toml
[trufflehog]
args = [
<shell_str>,
<shell_str>,
...,
]
default:
[
  "--json"
]

Arguments to pass directly to Trufflehog, e.g. --trufflehog-args='--no-json --exclude-detectors detector'.

This includes --json by default to reduce the volume of output.

exclude

--trufflehog-exclude="['<str>', '<str>', ...]"
PANTS_TRUFFLEHOG_EXCLUDE
pants.toml
[trufflehog]
exclude = [
'<str>',
'<str>',
...,
]
default:
[
  "README.md"
]

Exclude paths matching these globs from trufflehog scans.

skip

--[no-]trufflehog-skip
PANTS_TRUFFLEHOG_SKIP
pants.toml
[trufflehog]
skip = <bool>
default: False

If true, don't use Trufflehog when running pants lint.

Advanced options

config_discovery

--[no-]trufflehog-config-discovery
PANTS_TRUFFLEHOG_CONFIG_DISCOVERY
pants.toml
[trufflehog]
config_discovery = <bool>
default: True

If a trufflehog-config.yaml file is found, pass it to the trufflehog --config argument.

known_versions

--trufflehog-known-versions="['<str>', '<str>', ...]"
PANTS_TRUFFLEHOG_KNOWN_VERSIONS
pants.toml
[trufflehog]
known_versions = [
'<str>',
'<str>',
...,
]
default:
[
  "v3.34.0|macos_arm64|19e10e34e95d797cbb924b342b873caa9e71296f9bead28b390d96981f47fbb0|26743363",
  "v3.34.0|macos_x86_64|6a0a425be18ef1b3c0bf5ff88a895e01c1de70892ee48026b9a9ed89ad0398d4|27466237",
  "v3.34.0|linux_arm64|6aeb5a91dbd981a5446312946072b470dc3a706711c85966394f62717cd71111|26021125",
  "v3.34.0|linux_x86_64|2fda581fb26ed5c866045a4532ce73511f873b70f20eaaae01a7279c3b1c2993|27805118"
]

Known versions to verify downloads against.

Each element is a pipe-separated string of version|platform|sha256|length or version|platform|sha256|length|url_override, where:

  • version is the version string
  • platform is one of [linux_arm64,linux_x86_64,macos_arm64,macos_x86_64]
  • sha256 is the 64-character hex representation of the expected sha256 digest of the download file, as emitted by shasum -a 256
  • length is the expected length of the download file in bytes, as emitted by wc -c
  • (Optional) url_override is a specific url to use instead of the normally generated url for this version

E.g., 3.1.2|macos_x86_64|6d0f18cd84b918c7b3edd0203e75569e0c7caecb1367bbbe409b44e28514f5be|42813. and 3.1.2|macos_arm64 |aca5c1da0192e2fd46b7b55ab290a92c5f07309e7b0ebf4e45ba95731ae98291|50926|https://example.mac.org/bin/v3.1.2/mac-aarch64-v3.1.2.tgz.

Values are space-stripped, so pipes can be indented for readability if necessary.

use_unsupported_version

--trufflehog-use-unsupported-version=<UnsupportedVersionUsage>
PANTS_TRUFFLEHOG_USE_UNSUPPORTED_VERSION
pants.toml
[trufflehog]
use_unsupported_version = <UnsupportedVersionUsage>
one of: error, warning
default: error

What action to take in case the requested version of Trufflehog is not supported.

Supported Trufflehog versions: unspecified

version

--trufflehog-version=<str>
PANTS_TRUFFLEHOG_VERSION
pants.toml
[trufflehog]
version = <str>
default: v3.34.0

Use this version of Trufflehog.

Deprecated options

None

None