• Stars
    star
    457
  • Rank 95,775 (Top 2 %)
  • Language
    Python
  • License
    GNU General Publi...
  • Created about 5 years ago
  • Updated 4 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Searches through git repositories for high entropy strings and secrets, digging deep into commit history

tartufo logo

ci Codecov PyPI PyPI - Status PyPI - Python Version PyPI - Downloads Documentation Status License

tartufo searches through git repositories for secrets, digging deep into commit history and branches. This is effective at finding secrets accidentally committed. tartufo also can be used by git pre-commit scripts to screen changes for secrets before they are committed to the repository.

This tool will go through the entire commit history of each branch, and check each diff from each commit, and check for secrets. This is both by regex and by entropy. For entropy checks, tartufo will evaluate the shannon entropy for both the base64 char set and hexidecimal char set for every blob of text greater than 20 characters comprised of those character sets in each diff. If at any point a high entropy string > 20 characters is detected, it will print to the screen.

Example

Example Issue

Documentation

Our main documentation site is hosted by Read The Docs, at https://tartufo.readthedocs.io.

Usage

Usage: tartufo [OPTIONS] COMMAND [ARGS]...

  Find secrets hidden in the depths of git.

  Tartufo will, by default, scan the entire history of a git repository for
  any text which looks like a secret, password, credential, etc. It can also
  be made to work in pre-commit mode, for scanning blobs of text as a pre-
  commit hook.

Options:
  --default-regexes / --no-default-regexes
                                  Whether to include the default regex list
                                  when configuring search patterns. Only
                                  applicable if --rules is also specified.
                                  [default: default-regexes]
  --entropy / --no-entropy        Enable entropy checks.  [default: entropy]
  --regex / --no-regex            Enable high signal regexes checks.
                                  [default: regex]
  --scan-filenames / --no-scan-filenames
                                  Check the names of files being scanned as
                                  well as their contents.  [default: scan-
                                  filenames]
  -of, --output-format [json|compact|text|report]
                                  Specify the format in which the output needs
                                  to be generated `--output-format
                                  json/compact/text/report`. Either `json`,
                                  `compact`, `text` or `report` can be
                                  specified. If not provided (default) the
                                  output will be generated in `text` format.
  -od, --output-dir DIRECTORY     If specified, all issues will be written out
                                  as individual JSON files to a uniquely named
                                  directory under this one. This will help
                                  with keeping the results of individual runs
                                  of tartufo separated.
  -td, --temp-dir DIRECTORY       If specified, temporary files will be
                                  written to the specified path
  --buffer-size INTEGER           Maximum number of issue to buffer in memory
                                  before shifting to temporary file buffering
                                  [default: 10000]
  --git-rules-repo TEXT           A file path, or git URL, pointing to a git
                                  repository containing regex rules to be used
                                  for scanning. By default, all .json files
                                  will be loaded from the root of that
                                  repository. --git-rules-files can be used to
                                  override this behavior and load specific
                                  files.
  --git-rules-files TEXT          Used in conjunction with --git-rules-repo,
                                  specify glob-style patterns for files from
                                  which to load the regex rules. Can be
                                  specified multiple times.
  --config FILE                   Read configuration from specified file.
                                  [default: tartufo.toml]
  --target-config/--no-target-config
                                  Enable or Disable processing of the config file in the
                                  repository or folder being scanned
                                  i.e. config files like tartufo.toml or pyproject.toml
                                  [default: target-config]
  -q, --quiet / --no-quiet        Quiet mode. No outputs are reported if the
                                  scan is successful and doesn't find any
                                  issues
  -v, --verbose                   Display more verbose output. Specifying this
                                  option multiple times will incrementally
                                  increase the amount of output.
  --log-timestamps / --no-log-timestamps
                                  Enable or disable timestamps in logging
                                  messages.  [default: log-timestamps]
  --entropy-sensitivity INTEGER RANGE
                                  Modify entropy detection sensitivity. This
                                  is expressed as on a scale of 0 to 100,
                                  where 0 means "totally nonrandom" and 100
                                  means "totally random". Decreasing the
                                  scanner's sensitivity increases the
                                  likelihood that a given string will be
                                  identified as suspicious.  [default: 75;
                                  0<=x<=100]
  --color / --no-color            Enable or disable terminal color. If not
                                  provided (default), enabled if output is a
                                  terminal (TTY).
  -V, --version                   Show the version and exit.
  -h, --help                      Show this message and exit.

Commands:
  pre-commit        Scan staged changes in a pre-commit hook.
  scan-remote-repo  Automatically clone and scan a remote git repository.
  scan-folder       Scan a folder.
  scan-local-repo   Scan a repository already cloned to your local system.

Contributing

All contributors and contributions are welcome! Please see our contributing docs for more information.

Attributions

This project was inspired by and built off of the work done by Dylan Ayrey on the truffleHog project.

More Repositories

1

terminus

Graceful shutdown and Kubernetes readiness / liveness checks for any Node.js HTTP applications
JavaScript
1,831
star
2

kubernetes-client

Simplified Kubernetes API client for Node.js.
JavaScript
961
star
3

procfilter

A YARA-integrated process denial framework for Windows
C++
397
star
4

compose-color-picker

Jetpack Compose Android Color Picker 🎨
Kotlin
375
star
5

svgs

svgs is a compatiblity layer between svg and react-native-svg
JavaScript
191
star
6

eslint-plugin-i18n-json

Fully extendable eslint plugin for JSON i18n translation files.
JavaScript
177
star
7

node-cluster-service

Turn your single process code into a fault-resilient, multi-process service with built-in REST & CLI support. Restart or hot upgrade your web servers with zero downtime or impact to clients.
JavaScript
166
star
8

godaddy.github.io

Deprecated version of GoDaddy blog. See https://github.com/godaddy/engineering.
HTML
163
star
9

smart-private-npm

An intelligent routing proxy for npm with support for: private, whitelisted, and blacklisted packaged
JavaScript
139
star
10

ekke

Ekke is a test runner for React-Native, it allows you to execute your test code directly on the device enabling you to test in the same environment as your production users.
JavaScript
133
star
11

gasket

Framework Maker for JavaScript Applications
JavaScript
130
star
12

kubernetes-gated-deployments

Kubernetes Gated Deployments
JavaScript
123
star
13

activerecord-delay_touching

Batch up your ActiveRecord "touch" operations for better performance. ActiveRecord::Base.delay_touching do ... end. When "end" is reached, all accumulated "touch" calls will be consolidated into as few database round trips as possible.
Ruby
111
star
14

engineering

Jekyll website and blog showcasing open source projects by GoDaddy employees
HTML
84
star
15

yara-rules

YARA rules for use with ProcFilter
83
star
16

aws-okta-processor

Okta credential processor for AWS CLI
Python
82
star
17

warehouse.ai

A storage and developer workflow engine for enforcing arbitrary checks on ontologies of npm packages.
JavaScript
82
star
18

javascript

The official GoDaddy JavaScript styleguide.
JavaScript
76
star
19

asherah

Asherah is a multi-language, cross-platform application encryption SDK
C#
75
star
20

wp-reseller-store

Resell hosting, domains, and more right from your WordPress site.
PHP
62
star
21

react-img-carousel

A flexible image carousel built with React.js
JavaScript
60
star
22

jiractl

A command-line tool for managing Jira
JavaScript
56
star
23

lighthouse4u

LH4U provides Google Lighthouse as a service, surfaced by both a friendly UI+API, and backed by various storage clients (S3, ElasticSearch, etc) for all your query and visualization needs
EJS
56
star
24

slay

Rock-solid structured application layout for building APIs and web apps in Node.js.
JavaScript
49
star
25

next-rum

RUM Component for Next.js
JavaScript
48
star
26

timings

NodeJS/Express API to assert performance results during functional testing
JavaScript
45
star
27

addhoc

Handy little helper to create proper React HOC functions complete with hoisted statics and forwarded refs
JavaScript
41
star
28

datastar

A robust and feature rich ODM for Cassandra.
JavaScript
40
star
29

openstack-logstash

Logstash and Kibana configs for OpenStack Havana
JavaScript
37
star
30

node-openstack-wrapper

An OpenStack client for Node.js
JavaScript
33
star
31

gdapi-php

A PHP client for Go Daddy® REST APIs
PHP
31
star
32

opa-lambda-extension-plugin

A plugin for running Open Policy Agent (OPA) in AWS Lambda as a Lambda Extension.
Go
28
star
33

reduxful

Manage request data in Redux state by generating actions, reducers, and selectors automatically.
JavaScript
27
star
34

lazy-social-buttons

A JavaScript plugin to place social buttons on a page on user interaction (mouseover) to spare the initial page load from the 300kb+ download requests for social APIs.
JavaScript
25
star
35

serverless-aws-servicecatalog

An AWS Service Catalog enabling plugin for the popular Serverless project
JavaScript
24
star
36

react-safe-src-doc-iframe

A component which applies guards to srcdoc iframes in order to provide a predictable and safe experience to the user. Complements the sandbox native iframe attribute.
JavaScript
23
star
37

react-markdown-github

React component that renders Markdown similarly to Github's formatting
JavaScript
22
star
38

node-flipr

Feature flipping and configuration using yaml files.
JavaScript
21
star
39

domain-search

React-based domain search widget used for designing and building custom GoDaddy reseller storefronts
JavaScript
21
star
40

pullie

A GitHub bot that makes your PRs better
JavaScript
20
star
41

asset-system

asset-system is a cross platform SVG based asset system for React and React-Native. This mono-repo is the home for all asset-* packages.
JavaScript
20
star
42

docker-machine-godaddy

A Docker Machine driver plugin for GoDaddy Cloud Servers.
Go
19
star
43

carpenterd

Build and compile npm packages to run in the browser.
JavaScript
19
star
44

node-priam

A simple Cassandra driver for NodeJS. It wraps node-cassandra-cql with additional error/retry handling, external .cql file support, and connection option resolution from an external source.
JavaScript
19
star
45

external

Fitting for load React components from an external BigPipe server.
JavaScript
18
star
46

kibana4-backup

JavaScript
17
star
47

django-snow

ServiceNow Ticket Management App for Django based projects
Python
16
star
48

node-redis-ha

Redis high-availability client library for node
JavaScript
15
star
49

sample-size

This python project is a helper package that uses power analysis to calculate required sample size for any experiment
Python
14
star
50

node-config-shield

Safe and easy way for storing and retrieving sensitive data
JavaScript
13
star
51

bucket-service

A service to tag your tests to enable/disable without a code change
JavaScript
10
star
52

breakdancer

A breakpoint tracking utility
JavaScript
10
star
53

centos7-upgrade-scripts

Ansible playbook and supporting scripts for upgrading OpenStack compute/hypervisor hosts from CentOS 6 to 7
Shell
10
star
54

openstack-traffic-shaping

Python
9
star
55

tartufo-action

Searches through git repositories for high entropy strings and secrets, digging deep into commit history
Python
9
star
56

radpack

JavaScript
8
star
57

appetizer-bundle

Creates an uploadable bundle of your React-Native application so it can run on the appetize.io platform.
JavaScript
8
star
58

docker-node

Debian Docker images for Node.js with best practices in mind
Dockerfile
8
star
59

GDRouting

Objective-C
8
star
60

gdapi-python

A Python client for Go Daddy® REST APIs
Python
8
star
61

netmet

NetMet is networking tool that allows you to track and analyze network uptime of multi data centers installations
Python
7
star
62

godaddy-test-tools

gulp tools for testing node libraries with mocha and istanbul as well as linting using godaddy-style.
JavaScript
7
star
63

react-validation-context

Components for providing validation via React context.
JavaScript
7
star
64

openstack-ansible

Ansible playbooks for managing OpenStack infrastructure
7
star
65

out-of-band-cache

A generic cache for API clients with out-of-band refreshing
JavaScript
7
star
66

node-redirect-rules

JavaScript
7
star
67

exemplar

Deprecated: storybook rocket fuel to launch structured examples of React & React Native components
JavaScript
7
star
68

asherah-cobhan

Cobhan bindings for Asherah
Go
7
star
69

vault-cert-finder

Finds, parse and output X509 certificates stored in Hashicorp Vault
TypeScript
7
star
70

eslint-plugin-react-intl

Validation of locale ids used with react-intl functions/components like <FormattedMessage />, formatMessage and defineMessages.
JavaScript
7
star
71

gdapi-csharp

A C# client for Go Daddy® REST APIs
C#
6
star
72

tartufo-node

npm package shim for https://github.com/godaddy/tartufo
JavaScript
6
star
73

aws-liveness

AWS Liveness tools.
JavaScript
6
star
74

cobhan-go

Cobhan FFI is a system for enabling shared code to be written in Rust or Go and consumed from all major languages/platforms in a safe and effective way.
Go
6
star
75

cijtemplate

A template for continuous integration with Jenkins
Shell
6
star
76

lighthouse4u-lambda

Running Lighthouse4u in AWS Lambda
JavaScript
6
star
77

asherah-ruby

Application-layer encryption SDK
Ruby
6
star
78

node-http-cache

An extensible caching interface for HTTP traffic.
JavaScript
6
star
79

abstract-npm-registry

An test suite and interface for you can use to test various functional areas of an npm registry
JavaScript
6
star
80

asherah-python

Python
5
star
81

appetizer

A Node.js REST based API client for Appetize.io.
JavaScript
5
star
82

transform-url

Build URLs by transforming a template with params.
JavaScript
5
star
83

cobhan-python

Python wrapper library for the Cobhan FFI system
Python
5
star
84

node-connect-qos

Connect middleware that helps maintain a high quality of service during heavy traffic
TypeScript
5
star
85

timings-client-py

Python client for the timings API
Python
5
star
86

http-interception

Dumps requests and responses as newline delimited JSON that a browser performs when visiting a web page.
JavaScript
4
star
87

feedsme

Triggers appropriate rebuilds in the warehouse.ai system
JavaScript
4
star
88

mssql-pool-party

Extension of node mssql client providing failover, retry, stats, and more
JavaScript
4
star
89

cobhan-rust

Cobhan FFI is a system for enabling shared code to be written in Rust and consumed from all major languages/platforms in a safe and effective way.
Rust
4
star
90

short-css-vars

Optimize CSS variable names
JavaScript
4
star
91

spree_weight_based_shipping_calculator

Spree extension for weight-based shipping calculation
Ruby
4
star
92

joi-of-cql

Create cql type definitions from joi schema validations
JavaScript
4
star
93

hostwriter

API and CLI for querying and manipulating host files.
JavaScript
4
star
94

orglinter

A GitHub organization linting tool
JavaScript
3
star
95

gdapi-ui

An in-browser client for Go Daddy® REST APIs
JavaScript
3
star
96

carpenterd-worker

the worker process for carpenterd
JavaScript
3
star
97

node-gd-assets

CSS, JS, and Handlebars combiner, compressor, and server
JavaScript
3
star
98

node-http-cache-cassandra

A Cassandra provider for the extensible HTTP caching library http-cache.
JavaScript
3
star
99

cobhan-ruby

Ruby wrapper library for the Cobhan FFI system
Ruby
3
star
100

.github

Default community health files for GoDaddy Open Source
3
star