项目作者: godaddy

项目描述 :
Searches through git repositories for high entropy strings and secrets, digging deep into commit history
高级语言: Python
项目地址: git://github.com/godaddy/tartufo.git
创建时间: 2019-11-07T18:38:21Z
项目社区:https://github.com/godaddy/tartufo

开源协议:GNU General Public License v2.0

下载


" class="reference-link">tartufo logo

ci
Codecov
PyPI
PyPI - Status
PyPI - Python Version
PyPI - Downloads
Documentation Status
License

tartufo searches through git repositories for secrets, digging deep into
commit history and branches. This is effective at finding secrets accidentally
committed. tartufo also can be used by git pre-commit scripts to screen
changes for secrets before they are committed to the repository.

This tool will go through the entire commit history of each branch, and check
each diff from each commit, and check for secrets. This is both by regex and by
entropy. For entropy checks, tartufo will evaluate the shannon entropy for both
the base64 char set and hexidecimal char set for every blob of text greater
than 20 characters comprised of those character sets in each diff. If at any
point a high entropy string > 20 characters is detected, it will print to the
screen.

Example

Example Issue

Documentation

Our main documentation site is hosted by Read The Docs, at
https://tartufo.readthedocs.io.

Usage

  1. Usage: tartufo [OPTIONS] COMMAND [ARGS]...
  2. Find secrets hidden in the depths of git.
  3. Tartufo will, by default, scan the entire history of a git repository for
  4. any text which looks like a secret, password, credential, etc. It can also
  5. be made to work in pre-commit mode, for scanning blobs of text as a pre-
  6. commit hook.
  7. Options:
  8. --default-regexes / --no-default-regexes
  9. Whether to include the default regex list
  10. when configuring search patterns. Only
  11. applicable if --rules is also specified.
  12. [default: default-regexes]
  13. --entropy / --no-entropy Enable entropy checks. [default: entropy]
  14. --regex / --no-regex Enable high signal regexes checks.
  15. [default: regex]
  16. --scan-filenames / --no-scan-filenames
  17. Check the names of files being scanned as
  18. well as their contents. [default: scan-
  19. filenames]
  20. -of, --output-format [json|compact|text|report]
  21. Specify the format in which the output needs
  22. to be generated `--output-format
  23. json/compact/text/report`. Either `json`,
  24. `compact`, `text` or `report` can be
  25. specified. If not provided (default) the
  26. output will be generated in `text` format.
  27. -od, --output-dir DIRECTORY If specified, all issues will be written out
  28. as individual JSON files to a uniquely named
  29. directory under this one. This will help
  30. with keeping the results of individual runs
  31. of tartufo separated.
  32. -td, --temp-dir DIRECTORY If specified, temporary files will be
  33. written to the specified path
  34. --buffer-size INTEGER Maximum number of issue to buffer in memory
  35. before shifting to temporary file buffering
  36. [default: 10000]
  37. --git-rules-repo TEXT A file path, or git URL, pointing to a git
  38. repository containing regex rules to be used
  39. for scanning. By default, all .json files
  40. will be loaded from the root of that
  41. repository. --git-rules-files can be used to
  42. override this behavior and load specific
  43. files.
  44. --git-rules-files TEXT Used in conjunction with --git-rules-repo,
  45. specify glob-style patterns for files from
  46. which to load the regex rules. Can be
  47. specified multiple times.
  48. --config FILE Read configuration from specified file.
  49. [default: tartufo.toml]
  50. --target-config/--no-target-config
  51. Enable or Disable processing of the config file in the
  52. repository or folder being scanned
  53. i.e. config files like tartufo.toml or pyproject.toml
  54. [default: target-config]
  55. -q, --quiet / --no-quiet Quiet mode. No outputs are reported if the
  56. scan is successful and doesn't find any
  57. issues
  58. -v, --verbose Display more verbose output. Specifying this
  59. option multiple times will incrementally
  60. increase the amount of output.
  61. --log-timestamps / --no-log-timestamps
  62. Enable or disable timestamps in logging
  63. messages. [default: log-timestamps]
  64. --entropy-sensitivity INTEGER RANGE
  65. Modify entropy detection sensitivity. This
  66. is expressed as on a scale of 0 to 100,
  67. where 0 means "totally nonrandom" and 100
  68. means "totally random". Decreasing the
  69. scanner's sensitivity increases the
  70. likelihood that a given string will be
  71. identified as suspicious. [default: 75;
  72. 0<=x<=100]
  73. --color / --no-color Enable or disable terminal color. If not
  74. provided (default), enabled if output is a
  75. terminal (TTY).
  76. -V, --version Show the version and exit.
  77. -h, --help Show this message and exit.
  78. Commands:
  79. pre-commit Scan staged changes in a pre-commit hook.
  80. scan-remote-repo Automatically clone and scan a remote git repository.
  81. scan-folder Scan a folder.
  82. scan-local-repo Scan a repository already cloned to your local system.

Contributing

All contributors and contributions are welcome! Please see our contributing
docs
for more information.

Attributions

This project was inspired by and built off of the work done by Dylan Ayrey on
the truffleHog project.