allowVerificationOverlap=cli.Flag("allow-verification-overlap","Allow verification of similar credentials across detectors").Bool()
filterUnverified=cli.Flag("filter-unverified","Only output first unverified result per chunk per detector if there are more than one results.").Bool()
filterEntropy=cli.Flag("filter-entropy","Filter unverified results with Shannon entropy. Start with 3.0.").Float64()
scanEntireChunk=cli.Flag("scan-entire-chunk","Scan the entire chunk for secrets.").Hidden().Default("false").Bool()
compareDetectionStrategies=cli.Flag("compare-detection-strategies","Compare different detection strategies for matching spans").Hidden().Default("false").Bool()
configFilename=cli.Flag("config","Path to configuration file.").ExistingFile()
includeDetectors=cli.Flag("include-detectors","Comma separated list of detector types to include. Protobuf name or IDs may be used, as well as ranges.").Default("all").String()
excludeDetectors=cli.Flag("exclude-detectors","Comma separated list of detector types to exclude. Protobuf name or IDs may be used, as well as ranges. IDs defined here take precedence over the include list.").String()
gitScanExcludeGlobs=gitScan.Flag("exclude-globs","Comma separated list of globs to exclude in scan. This option filters at the `git log` level, resulting in faster scans.").String()
githubScanRepos=githubScan.Flag("repo",`GitHub repository to scan. You can repeat this flag. Example: "https://github.com/dustin-decker/secretsandstuff"`).Strings()
githubScanOrgs=githubScan.Flag("org",`GitHub organization to scan. You can repeat this flag. Example: "trufflesecurity"`).Strings()
githubScanToken=githubScan.Flag("token","GitHub token. Can be provided with environment variable GITHUB_TOKEN.").Envar("GITHUB_TOKEN").String()
githubIncludeForks=githubScan.Flag("include-forks","Include forks in scan.").Bool()
githubIncludeMembers=githubScan.Flag("include-members","Include organization member repositories in scan.").Bool()
githubIncludeRepos=githubScan.Flag("include-repos",`Repositories to include in an org scan. This can also be a glob pattern. You can repeat this flag. Must use Github repo full name. Example: "trufflesecurity/trufflehog", "trufflesecurity/t*"`).Strings()
githubExcludeRepos=githubScan.Flag("exclude-repos",`Repositories to exclude in an org scan. This can also be a glob pattern. You can repeat this flag. Must use Github repo full name. Example: "trufflesecurity/driftwood", "trufflesecurity/d*"`).Strings()
githubScanIncludePaths=githubScan.Flag("include-paths","Path to file with newline separated regexes for files to include in scan.").Short('i').String()
githubScanExcludePaths=githubScan.Flag("exclude-paths","Path to file with newline separated regexes for files to exclude in scan.").Short('x').String()
githubExperimentalScan=cli.Command("github-experimental","Run an experimental GitHub scan. Must specify at least one experimental sub-module to run: object-discovery.")
// GitHub Experimental SubModules
githubExperimentalObjectDiscovery=githubExperimentalScan.Flag("object-discovery","Discover hidden data objects in GitHub repositories.").Bool()
// GitHub Experimental Options
githubExperimentalToken=githubExperimentalScan.Flag("token","GitHub token. Can be provided with environment variable GITHUB_TOKEN.").Envar("GITHUB_TOKEN").String()
githubExperimentalRepo=githubExperimentalScan.Flag("repo","GitHub repository to scan. Example: https://github.com/<user>/<repo>.git").Required().String()
githubExperimentalCollisionThreshold=githubExperimentalScan.Flag("collision-threshold","Threshold for short-sha collisions in object-discovery submodule. Default is 1.").Default("1").Int()
githubExperimentalDeleteCache=githubExperimentalScan.Flag("delete-cached-data","Delete cached data after object-discovery secret scanning.").Bool()
gitlabScanRepos=gitlabScan.Flag("repo","GitLab repo url. You can repeat this flag. Leave empty to scan all repos accessible with provided credential. Example: https://gitlab.com/org/repo.git").Strings()
gitlabScanToken=gitlabScan.Flag("token","GitLab token. Can be provided with environment variable GITLAB_TOKEN.").Envar("GITLAB_TOKEN").Required().String()
gitlabScanIncludePaths=gitlabScan.Flag("include-paths","Path to file with newline separated regexes for files to include in scan.").Short('i').String()
gitlabScanExcludePaths=gitlabScan.Flag("exclude-paths","Path to file with newline separated regexes for files to exclude in scan.").Short('x').String()
filesystemScanIncludePaths=filesystemScan.Flag("include-paths","Path to file with newline separated regexes for files to include in scan.").Short('i').String()
filesystemScanExcludePaths=filesystemScan.Flag("exclude-paths","Path to file with newline separated regexes for files to exclude in scan.").Short('x').String()
s3Scan=cli.Command("s3","Find credentials in S3 buckets.")
s3ScanKey=s3Scan.Flag("key","S3 key used to authenticate. Can be provided with environment variable AWS_ACCESS_KEY_ID.").Envar("AWS_ACCESS_KEY_ID").String()
s3ScanRoleArns=s3Scan.Flag("role-arn","Specify the ARN of an IAM role to assume for scanning. You can repeat this flag.").Strings()
s3ScanSecret=s3Scan.Flag("secret","S3 secret used to authenticate. Can be provided with environment variable AWS_SECRET_ACCESS_KEY.").Envar("AWS_SECRET_ACCESS_KEY").String()
s3ScanSessionToken=s3Scan.Flag("session-token","S3 session token used to authenticate temporary credentials. Can be provided with environment variable AWS_SESSION_TOKEN.").Envar("AWS_SESSION_TOKEN").String()
s3ScanMaxObjectSize=s3Scan.Flag("max-object-size","Maximum size of objects to scan. Objects larger than this will be skipped. (Byte units eg. 512B, 2KB, 4MB)").Default("250MB").Bytes()
gcsProjectID=gcsScan.Flag("project-id","GCS project ID used to authenticate. Can NOT be used with unauth scan. Can be provided with environment variable GOOGLE_CLOUD_PROJECT.").Envar("GOOGLE_CLOUD_PROJECT").String()
gcsCloudEnv=gcsScan.Flag("cloud-environment","Use Application Default Credentials, IAM credentials to authenticate.").Bool()
gcsServiceAccount=gcsScan.Flag("service-account","Path to GCS service account JSON file.").ExistingFile()
gcsWithoutAuth=gcsScan.Flag("without-auth","Scan GCS buckets without authentication. This will only work for public buckets").Bool()
gcsAPIKey=gcsScan.Flag("api-key","GCS API key used to authenticate. Can be provided with environment variable GOOGLE_API_KEY.").Envar("GOOGLE_API_KEY").String()
gcsIncludeBuckets=gcsScan.Flag("include-buckets","Buckets to scan. Comma separated list of buckets. You can repeat this flag. Globs are supported").Short('I').Strings()
gcsExcludeBuckets=gcsScan.Flag("exclude-buckets","Buckets to exclude from scan. Comma separated list of buckets. Globs are supported").Short('X').Strings()
gcsIncludeObjects=gcsScan.Flag("include-objects","Objects to scan. Comma separated list of objects. you can repeat this flag. Globs are supported").Short('i').Strings()
gcsExcludeObjects=gcsScan.Flag("exclude-objects","Objects to exclude from scan. Comma separated list of objects. You can repeat this flag. Globs are supported").Short('x').Strings()
gcsMaxObjectSize=gcsScan.Flag("max-object-size","Maximum size of objects to scan. Objects larger than this will be skipped. (Byte units eg. 512B, 2KB, 4MB)").Default("10MB").Bytes()
circleCiScanToken=circleCiScan.Flag("token","CircleCI token. Can also be provided with environment variable").Envar("CIRCLECI_TOKEN").Required().String()
dockerScanImages=dockerScan.Flag("image","Docker image to scan. Use the file:// prefix to point to a local tarball, otherwise a image registry is assumed.").Required().Strings()
travisCiScanToken=travisCiScan.Flag("token","TravisCI token. Can also be provided with environment variable").Envar("TRAVISCI_TOKEN").Required().String()
postmanToken=postmanScan.Flag("token","Postman token. Can also be provided with environment variable").Envar("POSTMAN_TOKEN").String()
postmanWorkspaces=postmanScan.Flag("workspace","Postman workspace to scan. You can repeat this flag. Deprecated flag.").Hidden().Strings()
postmanWorkspaceIDs=postmanScan.Flag("workspace-id","Postman workspace ID to scan. You can repeat this flag.").Strings()
postmanCollections=postmanScan.Flag("collection","Postman collection to scan. You can repeat this flag. Deprecated flag.").Hidden().Strings()
postmanCollectionIDs=postmanScan.Flag("collection-id","Postman collection ID to scan. You can repeat this flag.").Strings()
postmanEnvironments=postmanScan.Flag("environment","Postman environment to scan. You can repeat this flag.").Strings()
postmanIncludeCollections=postmanScan.Flag("include-collections","Collections to include in scan. You can repeat this flag. Deprecated flag.").Hidden().Strings()
postmanIncludeCollectionIDs=postmanScan.Flag("include-collection-id","Collection ID to include in scan. You can repeat this flag.").Strings()
postmanExcludeCollections=postmanScan.Flag("exclude-collections","Collections to exclude from scan. You can repeat this flag. Deprecated flag.").Hidden().Strings()
postmanExcludeCollectionIDs=postmanScan.Flag("exclude-collection-id","Collection ID to exclude from scan. You can repeat this flag.").Strings()
elasticsearchServiceToken=elasticsearchScan.Flag("service-token","Elasticsearch service token").Envar("ELASTICSEARCH_SERVICE_TOKEN").String()
elasticsearchCloudId=elasticsearchScan.Flag("cloud-id","Elasticsearch cloud ID. Can also be provided with environment variable").Envar("ELASTICSEARCH_CLOUD_ID").String()
elasticsearchAPIKey=elasticsearchScan.Flag("api-key","Elasticsearch API key. Can also be provided with environment variable").Envar("ELASTICSEARCH_API_KEY").String()
elasticsearchIndexPattern=elasticsearchScan.Flag("index-pattern","Filters the indices to search").Default("*").Envar("ELASTICSEARCH_INDEX_PATTERN").String()
elasticsearchQueryJSON=elasticsearchScan.Flag("query-json","Filters the documents to search").Envar("ELASTICSEARCH_QUERY_JSON").String()
elasticsearchSinceTimestamp=elasticsearchScan.Flag("since-timestamp","Filters the documents to search to those created since this timestamp; overrides any timestamp from --query-json").Envar("ELASTICSEARCH_SINCE_TIMESTAMP").String()
elasticsearchBestEffortScan=elasticsearchScan.Flag("best-effort-scan","Attempts to continuously scan a cluster").Envar("ELASTICSEARCH_BEST_EFFORT_SCAN").Bool()
huggingfaceModels=huggingfaceScan.Flag("model","HuggingFace model to scan. You can repeat this flag. Example: 'username/model'").Strings()
huggingfaceSpaces=huggingfaceScan.Flag("space","HuggingFace space to scan. You can repeat this flag. Example: 'username/space'").Strings()
huggingfaceDatasets=huggingfaceScan.Flag("dataset","HuggingFace dataset to scan. You can repeat this flag. Example: 'username/dataset'").Strings()
huggingfaceOrgs=huggingfaceScan.Flag("org",`HuggingFace organization to scan. You can repeat this flag. Example: "trufflesecurity"`).Strings()
huggingfaceUsers=huggingfaceScan.Flag("user",`HuggingFace user to scan. You can repeat this flag. Example: "trufflesecurity"`).Strings()
huggingfaceToken=huggingfaceScan.Flag("token","HuggingFace token. Can be provided with environment variable HUGGINGFACE_TOKEN.").Envar("HUGGINGFACE_TOKEN").String()
huggingfaceIncludeModels=huggingfaceScan.Flag("include-models","Models to include in scan. You can repeat this flag. Must use HuggingFace model full name. Example: 'username/model' (Only used with --user or --org)").Strings()
huggingfaceIncludeSpaces=huggingfaceScan.Flag("include-spaces","Spaces to include in scan. You can repeat this flag. Must use HuggingFace space full name. Example: 'username/space' (Only used with --user or --org)").Strings()
huggingfaceIncludeDatasets=huggingfaceScan.Flag("include-datasets","Datasets to include in scan. You can repeat this flag. Must use HuggingFace dataset full name. Example: 'username/dataset' (Only used with --user or --org)").Strings()
huggingfaceIgnoreModels=huggingfaceScan.Flag("ignore-models","Models to ignore in scan. You can repeat this flag. Must use HuggingFace model full name. Example: 'username/model' (Only used with --user or --org)").Strings()
huggingfaceIgnoreSpaces=huggingfaceScan.Flag("ignore-spaces","Spaces to ignore in scan. You can repeat this flag. Must use HuggingFace space full name. Example: 'username/space' (Only used with --user or --org)").Strings()
huggingfaceIgnoreDatasets=huggingfaceScan.Flag("ignore-datasets","Datasets to ignore in scan. You can repeat this flag. Must use HuggingFace dataset full name. Example: 'username/dataset' (Only used with --user or --org)").Strings()
huggingfaceSkipAllModels=huggingfaceScan.Flag("skip-all-models","Skip all model scans. (Only used with --user or --org)").Bool()
huggingfaceSkipAllSpaces=huggingfaceScan.Flag("skip-all-spaces","Skip all space scans. (Only used with --user or --org)").Bool()
huggingfaceSkipAllDatasets=huggingfaceScan.Flag("skip-all-datasets","Skip all dataset scans. (Only used with --user or --org)").Bool()
huggingfaceIncludeDiscussions=huggingfaceScan.Flag("include-discussions","Include discussions in scan.").Bool()
huggingfaceIncludePrs=huggingfaceScan.Flag("include-prs","Include pull requests in scan.").Bool()
