trufflehog

--keyS3 key used to authenticate.

--orgGitHub/GitLab organization to scan.

--bareScan bare repository (e.g. useful while using in pre-receive hooks)

Path to file to scan (must use the `filesystem` mode)

--jsonOutput in JSON format.

Scan mode (available options: git, github, gitlab, filesystem, s3, gcs, circleci, docker, travisci, postman, elasticsearch, jenkins)

--repoGitHub/GitLab repository to scan.

--debugRun in debug mode.

--imageDocker image to scan. Image registry is assumed.

--nodesElasticsearch nodes

--tokenAuthentication token

--traceRun in trace mode.

--branchBranch to scan.

--bucketName of S3 bucket to scan.

--configPath to configuration file.

--secretS3 secret used to authenticate.

--api-keyElasticsearch API key.

Git repository URL. https://, file://, or ssh:// schema expected (must use the `git` mode)

--cloud-idElasticsearch cloud ID.

--endpointGitHub/GitLab endpoint

--passwordAuthentication password

--role-arnSpecify the ARN of an IAM role to assume for scanning.

--usernameAuthentication username

--verifierSet custom verification endpoints.

Path to directory to scan (must use the `filesystem` mode)

--max-depthMaximum depth of commits to scan.

--no-updateDon't check for updates.

--project-idGCS project ID used to authenticate. Can NOT be used with unauth scan.

--query-jsonFilters the documents to search

--concurrencyNumber of concurrent workers (default: 1).

--environmentPostman environment to scan. You can repeat this flag.

--json-legacyUse the pre-v3.0 JSON format. Only works with git, gitlab, and github sources.

--pr-commentsInclude pull request descriptions and comments in scan.

--since-commitCommit to start scan from.

--without-authScan GCS buckets without authentication. This will only work for public buckets

--workspace-idPostman workspace ID to scan. You can repeat this flag.

--collection-idPostman collection ID to scan. You can repeat this flag.

--exclude-globsComma separated list of globs to exclude in scan. This option filters at the `git log` level, resulting in faster scans.

--exclude-pathsPath to file with newline separated regexes for files to exclude in scan.

--exclude-reposRepositories to include in an org scan. This can also be a glob pattern. Must use Github repo full name. Example: trufflesecurity/trufflehog, trufflesecurity/t*

--gist-commentsInclude gist comments in scan.

--include-forksInclude forks in scan.

--include-pathsPath to file with newline separated regexes for files to include in scan.

--include-reposRepositories to include in an org scan. This can also be a glob pattern. Must use Github repo full name. Example: trufflesecurity/trufflehog, trufflesecurity/t*

--index-patternFilters the indices to search

--only-verifiedOnly output verified results.

--service-tokenElasticsearch service token.

--session-tokenS3 session token used to authenticate temporary credentials.

--filter-entropyFilter unverified results with Shannon entropy. Start with 3.0.

--github-actionsOutput in GitHub Actions format.

--issue-commentsInclude issue descriptions and comments in scan.

--archive-timeoutMaximum time to spend extracting an archive.

--exclude-bucketsBuckets to exclude from scan. Comma separated list of buckets. Globs are supported

--exclude-objectsObjects to exclude from scan. Comma separated list of buckets. Globs are supported

--include-bucketsBuckets to scan. Comma separated list of buckets. Globs are supported

--include-membersInclude organization member repositories in scan.

--include-objectsObjects to scan. Comma separated list of buckets. Globs are supported

--max-object-sizeMaximum size of objects to scan. Objects larger than this will be skipped. (Byte units eg. 512B, 2KB, 4MB)

--no-verificationDon't verify the results

--service-accountPath to GCS service account JSON file.

--since-timestamp--since-timestamp

--workspace-pathsPath to Postman workspaces.

--archive-max-sizeMaximum size of archive to scan. (Byte units eg. 512B, 2KB, 4MB)

--best-effort-scanAttempts to continuously scan a cluster

--collection-pathsPath to Postman collections.

--archive-max-depthMaximum depth of archive to scan.

--cloud-environmentUse default IAM credentials in cloud environment.

--environment-pathsPath to Postman environments.

--exclude-detectorsComma separated list of detector types to exclude. Protobuf name or IDs may be used, as well as ranges. IDs defined here take precedence over the include list.

--filter-unverifiedOnly output first unverified result per chunk per detector if there are more than one results.

--include-detectorsComma separated list of detector types to include. Protobuf name or IDs may be used, as well as ranges.

--exclude-environmentsEnvironment to exclude from scan. You can repeat this flag.

--include-environmentsEnvironment to include in scan. You can repeat this flag.

--exclude-collection-idCollection ID to exclude from scan. You can repeat this flag.

--include-collection-idCollection ID to include in scan. You can repeat this flag.

--print-avg-detector-timePrint the average time spent on each detector.