
Trufflehog scanner

🤖 AI-Generated Content

This documentation was generated with AI assistance and is still being audited. Some, or potentially a lot, of this information may be inaccurate.

provide.testkit.quality.security.trufflehog_scanner

TruffleHog deep secret detection scanner implementation.

Classes

TruffleHogScanner

TruffleHogScanner(config: dict[str, Any] | None = None)

Deep secret detection scanner using TruffleHog.

Scans codebases for secrets using entropy analysis and pattern matching. Can optionally verify if discovered credentials are still active.

Note: TruffleHog is a Go binary and must be installed separately. Install via: brew install trufflehog (macOS) or download from GitHub releases.
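The class description names two detection techniques, entropy analysis and pattern matching, without showing either. The following is an added, self-contained illustration of both (it is not the testkit's code and not TruffleHog's detector set): a few constructed source lines are scanned with a small set of illustrative credential regexes, and any remaining long token is scored with Shannon entropy against an assumed threshold of 4.0 bits per character. Findings carry only a redacted form of the token, and the summary mirrors the `tool` / `passed` / `details` shape of the page's `QualityResult` (assumed from the `report()` source).

```python
"""Added example: entropy + pattern secret detection over constructed lines.
Not the testkit's own code; patterns and threshold are illustrative choices."""
from __future__ import annotations

import json
import math
import re
from dataclasses import dataclass

# Illustrative credential-format patterns (assumed for this example, not TruffleHog's detectors).
PATTERNS: dict[str, re.Pattern[str]] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Candidate tokens for the entropy check: long runs of base64/hex-like characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed threshold for this example

# Constructed sample input. The AKIA value is AWS's documented placeholder key.
SAMPLE_LINES = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    "DEBUG = True",
    'token = "aaaaaaaaaaaaaaaaaaaaaaaa"',           # long but low entropy: not flagged
    'api_key = "x9Qm3LpZ7vTk2Rb8HnWy4JcE6sDfG1uA"',  # no pattern, but high entropy
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Finding:
    line_no: int
    kind: str      # pattern name, or "high_entropy"
    redacted: str  # the full token is never carried into reports


def redact(token: str) -> str:
    """Keep just enough of the token to locate it, never the whole value."""
    return token[:4] + "..." + token[-2:] if len(token) > 8 else "***"


def scan_lines(lines: list[str]) -> list[Finding]:
    """Pattern matches first; entropy only for tokens no pattern already claimed."""
    findings: list[Finding] = []
    for i, line in enumerate(lines, 1):
        claimed: list[tuple[int, int]] = []
        for name, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append(Finding(i, name, redact(m.group(0))))
                claimed.append(m.span())
        for m in TOKEN_RE.finditer(line):
            if any(a <= m.start() < b for a, b in claimed):
                continue
            tok = m.group(0)
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                findings.append(Finding(i, "high_entropy", redact(tok)))
    return findings


def to_quality_result(findings: list[Finding]) -> dict:
    """Summarise in the page's QualityResult shape: any finding fails the scan."""
    return {
        "tool": "trufflehog-like-example",
        "passed": not findings,
        "details": {"count": len(findings), "findings": [f.__dict__ for f in findings]},
    }


if __name__ == "__main__":
    print(json.dumps(to_quality_result(scan_lines(SAMPLE_LINES)), indent=2))
```

Running the block reports line 1 via the AWS pattern and line 4 via entropy only, while the 24-character run of `a` on line 3 scores 0 bits and is ignored; that separation is why real scanners combine both techniques rather than relying on either alone.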

Initialize TruffleHog scanner.

Parameters:

| Name | Type | Description | Default |
|------|------|-------------|---------|
| config | dict[str, Any] \| None | Scanner configuration options. If "config_file" is not specified, will auto-detect .provide/security/trufflehog.yml if it exists. | None |
Source code in provide/testkit/quality/security/trufflehog_scanner.py
def __init__(self, config: dict[str, Any] | None = None) -> None:
    """Initialize TruffleHog scanner.

    Args:
        config: Scanner configuration options. If "config_file" is not specified,
                will auto-detect .provide/security/trufflehog.yml if it exists.
    """
    if not TRUFFLEHOG_AVAILABLE:
        raise QualityToolError(
            "TruffleHog not available. Install with: brew install trufflehog (macOS) "
            "or download from https://github.com/trufflesecurity/trufflehog/releases",
            tool="trufflehog",
        )

    self.config = config or {}
    self.artifact_dir: Path | None = None

    # Auto-detect config file if not explicitly specified
    if "config_file" not in self.config:
        default_config = self._get_default_config_path()
        if default_config:
            self.config["config_file"] = default_config

Functions

analyze

analyze(path: Path, **kwargs: Any) -> QualityResult

Run TruffleHog analysis on the given path.

Parameters:

| Name | Type | Description | Default |
|------|------|-------------|---------|
| path | Path | Path to scan for secrets | required |
| **kwargs | Any | Additional options including artifact_dir | {} |

Returns:

| Type | Description |
|------|-------------|
| QualityResult | QualityResult with secret detection data |

Source code in provide/testkit/quality/security/trufflehog_scanner.py
def analyze(self, path: Path, **kwargs: Any) -> QualityResult:
    """Run TruffleHog analysis on the given path.

    Args:
        path: Path to scan for secrets
        **kwargs: Additional options including artifact_dir

    Returns:
        QualityResult with secret detection data
    """
    self.artifact_dir = kwargs.get("artifact_dir", Path(".provide/output/security"))
    start_time = time.time()

    try:
        result = self._run_trufflehog_scan(path)
        result.execution_time = time.time() - start_time
        self._generate_artifacts(result)
        return result

    except Exception as e:
        return QualityResult(
            tool="trufflehog",
            passed=False,
            details={"error": str(e), "error_type": type(e).__name__},
            execution_time=time.time() - start_time,
        )
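The `analyze` source delegates to `_run_trufflehog_scan`, which the page does not show. As an added example (not the testkit's implementation) here is one way such a step can be built: invoke the `trufflehog` binary with `--json` and parse its one-object-per-line output into a `QualityResult`-like summary. The field names used (`DetectorName`, `Verified`, `Redacted`, `SourceMetadata`, `Raw`) and the flags (`filesystem`, `--json`, `--no-update`, `--only-verified`) are assumed to match TruffleHog v3; the sample output is constructed inline so the parser runs without the binary, and the `Raw` secret text is deliberately never copied into the result. The `fail_on_unverified` switch reflects the page's note that verification of discovered credentials is optional.

```python
"""Added example, not the testkit's _run_trufflehog_scan: parse TruffleHog NDJSON
into a QualityResult-like summary. Field names/flags assumed from TruffleHog v3."""
from __future__ import annotations

import json
import shutil
import subprocess
from dataclasses import dataclass, field
from pathlib import Path
from typing import Any


@dataclass
class ScanSummary:
    """Stand-in for the page's QualityResult (assumed shape: tool / passed / details)."""
    tool: str = "trufflehog"
    passed: bool = True
    details: dict[str, Any] = field(default_factory=dict)


# Constructed sample of what `trufflehog filesystem <path> --json` emits on stdout
# (one JSON object per finding); "Raw" values are placeholders, never real secrets.
SAMPLE_OUTPUT = "\n".join([
    json.dumps({"DetectorName": "AWS", "Verified": True, "Redacted": "AKIA************",
                "Raw": "[omitted]",
                "SourceMetadata": {"Data": {"Filesystem": {"file": "config/settings.py", "line": 12}}}}),
    json.dumps({"DetectorName": "Github", "Verified": False, "Redacted": "ghp_****",
                "Raw": "[omitted]",
                "SourceMetadata": {"Data": {"Filesystem": {"file": "README.md", "line": 40}}}}),
    "not json at all",  # stray non-JSON line, to show the parser tolerates it
])


def parse_trufflehog_ndjson(output: str, fail_on_unverified: bool = False) -> ScanSummary:
    """Turn NDJSON findings into a summary; verified secrets always fail the scan,
    unverified ones only when fail_on_unverified is set."""
    verified: list[dict[str, Any]] = []
    unverified: list[dict[str, Any]] = []
    malformed = 0
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        if not isinstance(obj, dict) or "DetectorName" not in obj:
            continue
        finding = {
            "detector": obj.get("DetectorName"),
            "verified": bool(obj.get("Verified")),
            "redacted": obj.get("Redacted", ""),   # "Raw" is intentionally not copied
            "source": obj.get("SourceMetadata", {}),
        }
        (verified if finding["verified"] else unverified).append(finding)
    failed = bool(verified) or (fail_on_unverified and bool(unverified))
    return ScanSummary(
        passed=not failed,
        details={
            "verified_count": len(verified),
            "unverified_count": len(unverified),
            "malformed_lines": malformed,
            "findings": verified + unverified,
        },
    )


def run_trufflehog(path: Path, only_verified: bool = False) -> ScanSummary:
    """Run the binary (must be on PATH) and parse its stdout; not exercised offline."""
    exe = shutil.which("trufflehog")
    if exe is None:
        raise RuntimeError("trufflehog binary not found on PATH")
    cmd = [exe, "filesystem", str(path), "--json", "--no-update"]
    if only_verified:
        cmd.append("--only-verified")
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return parse_trufflehog_ndjson(proc.stdout)


if __name__ == "__main__":
    summary = parse_trufflehog_ndjson(SAMPLE_OUTPUT)
    print(json.dumps({"passed": summary.passed, **summary.details}, indent=2))
```

Because `analyze` turns any exception into a failed `QualityResult`, a missing binary or malformed output surfaces as a failure rather than a silent pass; the parser above keeps the same bias by counting malformed lines in `details` instead of discarding them unnoticed.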

report

report(result: QualityResult, format: str = "terminal") -> str

Generate report from QualityResult.

Source code in provide/testkit/quality/security/trufflehog_scanner.py
def report(self, result: QualityResult, format: str = "terminal") -> str:
    """Generate report from QualityResult."""
    if format == "terminal":
        return self._generate_text_report(result)
    elif format == "json":
        return json.dumps(
            {
                "tool": result.tool,
                "passed": result.passed,
                "score": result.score,
                "details": result.details,
            },
            indent=2,
        )
    else:
        return str(result.details)
