Secrets management
There are three ways to provide the required credentials to TruffleHog:
- Config flag with a URI to a secret manager (recommended)
- Config flag with a file
- Environment variables
Config with URI to a secret manager
You can provide URIs to the scanner to indicate that it should retrieve the local configuration from different sources.
For example,
$ trufflehog scan --config="gsm://my-gcp-project/secret-name"
...
AWS Secrets Manager
AWS Secrets Manager secrets are expected to contain the plaintext YAML config file, and are passed to the --config flag using this URI scheme:
asm://REGION/SECRET_NAME
Check out the AWS Secrets Manager documentation for more information on using that product.
GCP Secrets Manager
Google Secret Manager secrets are expected to contain the YAML config file, and are passed to the --config flag using this URI scheme:
gsm://GCP_PROJECT_NAME/SECRET_NAME
Check out the GCP Secret Manager documentation for more information on using that product.
Azure Key Vault
Azure Key Vault secrets are expected to contain the YAML config file, and are passed to the --config flag using this URI scheme:
akv://AZURE_VAULT_NAME/SECRET_NAME
Check out the Azure Key Vault documentation for more information on using that product.
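As an added example (not TruffleHog's own code), the following POSIX shell script splits the three secret-manager URI forms above into their parts and prints the vendor CLI command that reads the same secret, so you can confirm the stored YAML is what you expect before pointing the scanner at it. It assumes the aws, gcloud and az CLIs are installed and authenticated; the URIs in the demo are constructed values.

```shell
#!/bin/sh
# Added example, not part of TruffleHog: inspect --config secret-manager URIs.

# Print "SCHEME PART1 PART2" for asm://, gsm:// and akv:// URIs; fail otherwise.
# PART1 is the region, project or vault name; PART2 is the secret name
# (everything after the first slash, since AWS secret names may contain '/').
parse_config_uri() {
  uri=$1
  case $uri in
    asm://*|gsm://*|akv://*) ;;
    *) echo "unsupported config URI: $uri" >&2; return 1 ;;
  esac
  scheme=${uri%%://*}
  rest=${uri#*://}
  first=${rest%%/*}
  second=${rest#*/}
  # "$first" = "$rest" means there was no slash at all
  if [ -z "$first" ] || [ -z "$second" ] || [ "$first" = "$rest" ]; then
    echo "malformed config URI: $uri" >&2; return 1
  fi
  echo "$scheme $first $second"
}

# Print the CLI command that reads the secret value the URI refers to.
secret_fetch_cmd() {
  parts=$(parse_config_uri "$1") || return 1
  set -- $parts
  case $1 in
    asm) echo "aws secretsmanager get-secret-value --region $2 --secret-id $3 --query SecretString --output text" ;;
    gsm) echo "gcloud secrets versions access latest --project $2 --secret $3" ;;
    akv) echo "az keyvault secret show --vault-name $2 --name $3 --query value --output tsv" ;;
  esac
}

# Demo over constructed URIs (placeholder names, not real resources).
for u in "asm://us-east-1/prod/trufflehog/config" \
         "gsm://my-gcp-project/secret-name" \
         "akv://my-vault/trufflehog-config" \
         "file:///etc/trufflehog.yaml"; do
  secret_fetch_cmd "$u" 2>/dev/null || echo "skipped (not a secret-manager URI): $u"
done
```

Run the printed command and check that its output is the YAML config you intended to store; TruffleHog itself performs the fetch when you pass the URI to --config.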
Config with a file
You can specify your configuration directly in a file. Environment variables in the form $VARIABLE and ${VARIABLE} found in the file are expanded at runtime.
$ trufflehog scan --config="/path/to/config.yaml"
...
Environment variables
Using environment variables can provide the bare-minimum configuration so that TruffleHog can connect to the API. If you’d like to use environment variables within a config file, see Config with a file.
TRUFFLEHOG_API_ADDRESS=real-big-chipmunk.api.c1.prod.trufflehog.org:8443
TRUFFLEHOG_SCANNER_GROUP=Some scanner group
TRUFFLEHOG_SCANNER_TOKEN=thog-agent-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX