{"id":14983,"library":"trufflehog","title":"TruffleHog (Python Library)","description":"TruffleHog is an older Python library, version 2.2.1, designed to scan git repositories for sensitive information like high entropy strings and secrets by analyzing commit history. It was last released on PyPI in 2017 (with a re-upload of the same version in 2021) and is largely unmaintained, primarily supporting Python 2 environments. The project's active development shifted to a separate Go-based implementation (TruffleHog v3.x by Truffle Security), which is not this Python library.","status":"abandoned","version":"2.2.1","language":"en","source_language":"en","source_url":"https://github.com/dxa4481/truffleHog","tags":["security","git","secrets","static analysis","deprecated"],"install":[{"cmd":"pip install trufflehog","lang":"bash","label":"Install with pip"}],"dependencies":[{"reason":"Core dependency for interacting with Git repositories.","package":"GitPython","optional":false},{"reason":"Used for GPG key related checks, if enabled.","package":"python-gnupg","optional":true},{"reason":"Potentially used for configuration or output, if enabled.","package":"PyYAML","optional":true}],"imports":[{"note":"The main module itself contains the primary scanning functions.","symbol":"truffleHog","correct":"from truffleHog import truffleHog"}],"quickstart":{"code":"import json\nimport os\nimport sys\nfrom truffleHog import truffleHog\n\n# NOTE: This Python library (v2.2.1) is largely unmaintained.\n# For active development and modern features, consider the Go-based TruffleHog CLI.\n# This quickstart demonstrates the API for the Python 2.2.1 version.\n\n# Path to an existing local clone. TruffleHog needs a real git repo.\nrepo_path = os.environ.get('TRUFFLEHOG_REPO_PATH', '/tmp/trufflehog_test_repo')\n\nif not os.path.isdir(os.path.join(repo_path, '.git')):\n    # GitPython raises InvalidGitRepositoryError on a directory that is not a repo, so stop here.\n    # A real repo would be cloned like:\n    # import git\n    # git.Repo.clone_from('https://github.com/dxa4481/truffleHog.git', repo_path)\n    sys.exit(\"'{}' is not a git repository. Set TRUFFLEHOG_REPO_PATH to a cloned repo.\".format(repo_path))\n\nprint(\"Scanning repository: {}\".format(repo_path))\n\n# The main `find_strings` function initiates the scan.\n# `git_url` is a required positional argument. When `repo_path` is given, the\n# existing clone is scanned and `git_url` is only recorded in the result.\noutput = truffleHog.find_strings(\n    repo_path,             # git_url\n    since_commit=None,\n    max_depth=1000000,     # Scan all history by default\n    printJson=False,       # Only used when output is not suppressed\n    do_regex=True,         # High-signal regex checks\n    do_entropy=True,       # High-entropy string checks\n    surpress_output=True,  # (sic) collect findings without printing them\n    repo_path=repo_path\n)\n\n# The result is a dict. output['foundIssues'] lists temporary JSON files, one per finding.\n# Those files contain the matched strings, so delete them when you are done.\nif output['foundIssues']:\n    print(\"\\nFound potential secrets:\")\n    for issue_file in output['foundIssues']:\n        with open(issue_file) as fh:\n            print(json.load(fh))\nelse:\n    print(\"\\nNo secrets found.\")","lang":"python","description":"This quickstart demonstrates how to programmatically use the `truffleHog` Python library to scan a local or remote Git repository for secrets. It calls the `find_strings` function, which is the primary entry point for initiating a scan with various configurable parameters for entropy and regex checks. The provided `repo_path` should be a path to an actual Git repository for meaningful results."},"warnings":[{"fix":"Use a Python 2 environment if strict compatibility is needed, or be prepared to debug Python 3 compatibility issues. For active secret scanning, consider migrating to the actively maintained Go-based TruffleHog CLI tool.","message":"This Python library version (2.2.1) is primarily designed for Python 2, which reached End-of-Life in 2020. While it has some Python 3 compatibility, users may encounter `UnicodeDecodeError` or other compatibility issues in modern Python 3 environments.","severity":"breaking","affected_versions":"2.x.x"},{"fix":"If seeking the modern, actively developed secret scanning tool, refer to the Go-based TruffleHog CLI tool (available via `brew`, `apt`, Docker, or binary releases) rather than this Python package.","message":"This PyPI package `trufflehog` (version 2.2.1, `dxa4481/truffleHog`) is an older, distinct, and largely unmaintained Python library. It should not be confused with the actively developed, Go-based `TruffleHog` (v3.x by `trufflesecurity/trufflehog`), which offers significantly more features, better performance, and ongoing updates.","severity":"gotcha","affected_versions":"2.x.x"},{"fix":"For comprehensive and up-to-date secret detection, including active verification and a wider range of integrated sources and detectors, use the Go-based TruffleHog.","message":"Due to its age and lack of updates, the Python `truffleHog` library has limited functionality compared to the modern Go version. It lacks many current detectors for various secret types, active verification capabilities, and integrations with cloud services or CI/CD pipelines.","severity":"gotcha","affected_versions":"2.x.x"}],"env_vars":null,"last_verified":"2026-04-16T00:00:00.000Z","next_check":"2026-07-15T00:00:00.000Z","problems":[{"fix":"Install the package using pip: `pip install trufflehog`. Ensure your Python environment's PATH is correctly configured if running scripts directly.","cause":"The `trufflehog` Python package is not installed in the current environment or the Python interpreter cannot locate it.","error":"ModuleNotFoundError: No module named 'truffleHog'"},{"fix":"Ensure your system's locale is set to UTF-8 (e.g., `export LC_ALL=en_US.UTF-8`). For robust handling of diverse character sets, consider using a more modern Python version or the Go-based TruffleHog.","cause":"This error typically occurs in Python 2 environments when `truffleHog` encounters non-ASCII characters in git commit messages, file paths, or content, due to Python 2's default ASCII encoding.","error":"UnicodeDecodeError: 'ascii' codec can't decode byte 0xe2 in position X: ordinal not in range(128)"},{"fix":"Install Git on your operating system and ensure its executable path is included in your system's environment variables. (e.g., `sudo apt-get install git` on Debian/Ubuntu, `brew install git` on macOS).","cause":"TruffleHog (via `GitPython`) relies on the `git` command-line executable being installed and accessible in the system's PATH.","error":"Error: No such file or directory: 'git'"}],"ecosystem":"pypi"}