Automic VaultAutomic Vault

brew

Install tartufo with Homebrew, Nix

Searches through git repositories for high entropy strings and secrets. Version 6.0.0 via Homebrew; verified 2026-05-09.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install tartufo

local Homebrew formula metadata

Linux

Nixverified · 92%
nix profile install nixpkgs#tartufo

nixpkgs package indexes · pkgs/by-name/ta/tartufo/package.nix · source: api.github.com

overview

Package summary

Searches through git repositories for high entropy strings and secrets

Commands and aliases

  • tartufo

history

Project history and usage

tartufo is a Git secret-scanning CLI from GoDaddy. Its documentation describes scanning repository history and branches for likely secrets using regular expressions and entropy checks, with both local/remote repository scans and pre-commit use.

Project history

The official documentation says tartufo was inspired by and built from Dylan Ayrey's truffleHog project. The public changelog begins with v0.0.1 and v0.0.2 on 2019-10-23, followed by v1.0.x releases in November 2019.

The project was substantially reworked for the 2.x line: the changelog describes v2.0.0-era work as a documentation refresh and v2.0.0 alpha as a full restructuring, retesting, rebuilding, and remake that split functionality into subcommands such as pre-commit, scan-local-repo, and scan-remote-repo.

Adoption history

The source facts list tartufo in Homebrew and Nix, while the official quick start documents pip and Docker installation. That combination places it in the common security-tool path of Python package, container image, and package-manager install surfaces.

How it is used

The core CLI use is scanning Git repositories for secrets across history and branches. Official examples show scan-remote-repo, scan-local-repo, and Docker-based scans, and the README notes pre-commit usage for screening changes before commit.

Configuration is TOML-based. Official docs show settings under [tool.tartufo], exclusion signatures, include/exclude path patterns, and custom rule patterns.

Why package nerds care

Package maintainers care about tartufo because it operationalizes a common repository hygiene task: finding accidentally committed credentials before publishing or while auditing history. Its truffleHog lineage and pre-commit mode make it part of the broader CLI culture around secret scanning in development workflows.

Timeline

  • 2019-10-23: v0.0.1 and v0.0.2 appear in the official project history.
  • 2019-11-19: v1.0.0/v1.0.2 releases appear in the official project history.
  • 2020-10-09: v2.0.0 documents a refreshed 2.0 usage model.
  • 2021-02-04: v2.3.0 switches the primary development branch from master to main.
  • 2022-01-05: v3.0.0 stable release.
  • 2023-01-17: v4.0.0 drops deprecated flags and Python 3.6 support while adding Python 3.11 support.

Related projects

  • truffleHog is named by the official documentation as the project that inspired tartufo.
  • BFG appears in tartufo's changelog as a referenced secret-cleanup tool.

security posture

No protected-tool coverage found yet

No matching local secret-handling manifest was found for tartufo. Nucleus package metadata is still published here so future coverage has a stable package URL.

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 1 platform targets.
  • Installs with 2 runtime dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

local files

Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.

Configuration files

Config paths the tool may read or write during local use.

Unix
tartufo.tomlpyproject.tomlfiles specified with --config

executables

Installed executables

CommandKindExposureNote
tartufocliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version6.0.0
manager updated2026-05-09
local dataok
upstreamcurrent
latest detectedv6.0.0

https://github.com/godaddy/tartufo

  • okNo freshness warnings were generated.

install metadata

Package metadata

Package keybrew:tartufo
Version6.0.0
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/tartufo
Homepagehttps://tartufo.readthedocs.io/en/stable/
Repositoryhttps://github.com/godaddy/tartufo
Upstream docshttps://tartufo.readthedocs.io/en/stable
LicenseGPL-2.0-only
Source archivehttps://github.com/godaddy/tartufo/archive/refs/tags/v6.0.0.tar.gz
Last updated2026-05-09T11:00:31Z
Pulseupdated
Dependenciespygit2, python@3.14
Uses from macOSlibffi
Bottleavailable (on all)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Nametartufo
Version Scheme0
Revision2
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

tartufo

nix profile install nixpkgs#tartufo
  • normalized package name match
  • Matched by: Tartufo
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/ta/tartufo/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated configuration and credential file locations
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment