tartufo是一个用于扫描git存储库的机密/密码/高熵数据的工具
tartufo的Python项目详细描述
tartufo
在git存储库中搜索秘密,深入挖掘
提交历史和分支。这对偶然发现秘密很有效
坚信的。tartufo
也可以由git将脚本预提交到屏幕
在将机密提交到存储库之前对其进行更改。在
此工具将遍历每个分支的整个提交历史记录,并检查 从每个不同的地方提交秘密。这是通过正则表达式和 熵。对于熵检查,塔图福将评估两者的香农熵 每一个较大的文本块的base64字符集和十六进制字符集 超过20个字符组成的这些字符集在每个差异。如果有的话 点一个高熵字符串>;20个字符,它将打印到 屏幕。在
示例
文件
我们的主要文档站点由Read The Docs托管,网址为 https://tartufo.readthedocs.io。在
使用
Usage: tartufo [OPTIONS] COMMAND [ARGS]... Find secrets hidden in the depths of git. Tartufo will, by default, scan the entire history of a git repository for any text which looks like a secret, password, credential, etc. It can also be made to work in pre-commit mode, for scanning blobs of text as a pre- commit hook. Options: --json / --no-json Output in JSON format. --rules FILENAME Path(s) to regex rules json list file(s). --default-regexes / --no-default-regexes Whether to include the default regex list when configuring search patterns. Only applicable if --rules is also specified. [default: True] --entropy / --no-entropy Enable entropy checks. [default: True] --regex / --no-regex Enable high signal regexes checks. [default: False] -i, --include-paths FILENAME File with regular expressions (one per line), at least one of which must match a Git object path in order for it to be scanned; lines starting with '#' are treated as comments and are ignored. If empty or not provided (default), all Git object paths are included unless otherwise excluded via the --exclude-paths option. -x, --exclude-paths FILENAME File with regular expressions (one per line), none of which may match a Git object path in order for it to be scanned; lines starting with '#' are treated as comments and are ignored. If empty or not provided (default), no Git object paths are excluded unless effectively excluded via the --include-paths option. -e, --exclude-signatures TEXT Specify signatures of matches that you explicitly want to exclude from the scan, and mark as okay. These signatures are generated during the scan process, and reported out with each individual match. This option can be specified multiple times, to exclude as many signatures as you would like. -od, --output-dir DIRECTORY If specified, all issues will be written out as individual JSON files to a uniquely named directory under this one. This will help with keeping the results of individual runs of tartufo separated. --git-rules-repo TEXT A file path, or git URL, pointing to a git repository containing regex rules to be used for scanning. By default, all .json files will be loaded from the root of that repository. --git-rules-files can be used to override this behavior and load specific files. --git-rules-files TEXT Used in conjunction with --git-rules-repo, specify glob-style patterns for files from which to load the regex rules. Can be specified multiple times. --config FILE Read configuration from specified file. [default: pyproject.toml] -V, --version Show the version and exit. -h, --help Show this message and exit. Commands: pre-commit Scan staged changes in a pre-commit hook. scan-remote-repo Automatically clone and scan a remote git repository. scan-local-repo Scan a repository already cloned to your local system.
贡献
欢迎所有投稿人和投稿人!有关详细信息,请参见our contributing docs。在
归属
这个项目的灵感来源于迪伦·艾瑞·安所做的工作 truffleHog项目。在
- 项目
标签: