Bug fixes:
- #360 - Fix ANSI escape sequences being written to files on redirection
Bug fixes:
- #352 - Fix tartufo ignoring new files added to a Git repo
- #351 - Make pre-commit check staged changes instead of entire working directory
Misc:
Bug fixes:
- #329 - Entropy exclusions(exclude-entropy-patterns) ignored when using scan-local-repo
- #343 - Entropy exclusions(exclude-entropy-patterns) ignored when using scan-remote-repo
Bug fixes:
- #339 - Fix
clickcompatibility issues. Specifically:- Pin to < 8.1.0 for Python 3.6, as support for that version was dropped
- Pin to >= 8.1.0 for Python 3.7+, and change
resultcallbackusage toresult_callback - Upgraded to the latest version of
black
Bug fixes:
- #336 -
_issue_filewas not defined by default, causing all scans to fail
Features:
- #328 - Buffer issues beyond --buffer-size to a temporary file
Bug fixes:
- #330 - Allow newer versions of pygit2 for newer versions of Python
Version 3.0.0. Stable Release.
Bug fixes:
- #301 - Parse new-style option values correctly, avoid duplicate processing of global options, and don't generate spurious deprecation warnings for these options.
- #303 - Include or exclude git submodules only if we're not working with a mirror clone.
Bug fixes:
- #296, #297 - Fix our Docker image so that it actually builds, and the tartufo command works
- #298 - Fix how we determine whether we are scanning a shallow clone, so that it is more bulletproof.
Bug fixes:
- #284 - Fix handling of first commit during local scans; an exception was raised instead of processing the commit.
Misc:
- #282 - Remove old style config for
exclude-entropy-patterns - #292 - Use the latest
clickto provide better output on boolean flag defaults
Features:
- #270 - When no refs/branches are found locally, tartufo will now scan the repo HEAD as a single commit, effectively scanning the entire codebase at once.
- #265 - Adds new
--entropy-sensitivityoption which provides a friendlier way to adjust entropy detection sensitivity. This replaces--b64-entropy-scoreand--hex-entropy-score, which now are marked as deprecated. - #273 - Entropy checking support routines have been rewritten to utilize library abstractions and operate more efficiently while returning identical results.
- #177 - base64url encodings are now recognized and scanned for entropy.
- #268 - Adds a new
--recurse / --no-recurseflag which allows users to recursively scan the entire directory or just the root directory - #256 - Deprecated
--rulesin favor of a newrule-patternsconfig option. This is the final piece of config that was still stored in an external file. - #202 - Supports new format of exclusions in config file with the ability to specify the reason along with exclusion
- #257 - Supports new format of include-path-patterns and exclude-path-patterns in config file with the ability to specify the reason along with the path-patterns.
Bug fixes:
- #247 - The
--branchqualifier now works again when usingscan-remote-repo.
Features:
- #227 - Report findings incrementally as scan progresses instead of holding all of them until it has completed. This is a re-implementation of #108; thanks to @dclayton-godaddy for showing the way.
- #244 - Drops support for
--fetch/--no-fetchoption for local scans - #253 - Drops support for
--jsonand--compactand consolidates the two options into one---output-format json/compact/text - #259 - Adds a new
--scan-filenames/--no-scan-filenamesflag which allows users to enable or disable file name scanning. - #254 - Changes the default value of
--regex/--no-regexto True.
Misc:
- #255 - Removed deprecated flags --include-paths and --exclude-paths
Bug fixes:
- #309 Fixes an issue where verbose output display would error out if the new-style entropy exclusion pattern was used
Bug fixes:
- #247 All versions of tartufo from
v2.2.0 through v2.9.0 inclusive mishandle
scan-remote-repo. Only the repository's default branch was scanned, and secrets present in other branches would not be discovered. Additionally, the--branch branch-nameoption did not operate correctly for remote repositories. Some versions would scan nothing and report no errors, and other versions aborted immediately, claiming the branch did not exist (even if it did). v2.10.0 corrects these problems and may detect secrets that were not reported by previous versions.
Features:
- #231 Change toml parsing library to use tomlkit
Other changes:
- #251 Document update to use --no-fetch flag to all scan-local-repo
Bug fixes:
- Reverted #222 -- users had been relying on the previously implemented behavior, causing this change to break their pipelines.
Features:
- Behavior introduced in #222 is
now opt-in via an updated config specification for
exclude-entropy-patterns. This is now done via a TOML table, rather than a specifically patterned string. Users who have the old style configuration will now receive aDeprecationWarningstating that the old behavior will go away with v3.0. - Fixed up warning handling so that we can display
DeprecationWarningsto users more easily. - #223 New flags
(
-b64/--b64-entropy-scoreand-hex/--hex-entropy-score) allow for user tuning of the entropy reporting sensitivity. They default to 4.5 and 3.0, respectively.
Bug fixes:
- #222 - Allow exclude-entropy-patterns to match lines containing partial matches -- thanks to @kbartholomew-godaddy for the work on this one!
Features:
- #83 - New
scan-foldercommand to scan files without viewing as a git repository.
Bug fixes:
- #220 - Display an explicit error message when a requested branch is not found, as opposed to failing silently.
Misc:
- #219 - Incremental optimizations;
using
__slots__for theIssueclass to improve memory consumption, and a small logic speed-up in when we generate the diff between commits. Both of these should help at least some when it comes to scanning very large repositories.
Bug fixes:
- #211 - Attempt to fix a case where output encoding could be set to cp1252 on Windows, which would cause a crash if unicode characters were printed. Now issues are output as utf-8 encoded bytestreams instead.
Features:
- #96 - Explicitly handle
submodules. Basically, always ignore them by default. There is also a new
option to toggle this functionality:
--include-submodules - Add
exclude_entropy_patternsto output
Features:
- #194 - Half bugfix, half feature. Now when an excluded signature in your config file is found as an entropy match, tartufo will realize that and no longer report it as an issue.
- #5 - Remove the dependency on
truffleHogRegexes. This enables us to take full control of the default set of regex checks.
Bug fixes:
- #179 - Iterate over commits in topological order, instead of date order.
Features:
- #145 - Adds
--exclude-path-patternsand--include-path-patternsto simplify config in a single .toml file - #87 - Adds
--exclude-entropy-patternsto allow for regex-based exclusions
Bug fixes:
- Write debug log entries when binary files are encountered
- Pinned all linting tools to specific versions and set all tox envs to use poetry
- Disabled codecov due to security breach
Features:
- #76 - Added logging! You can now use the
-v/--verboseoption to increase the amount of output from tartufo. Specifying multiple times will incrementally increase what is output. - Added a
--log-timestamps/--no-log-timestampsoption (default: True) so that timestamps can be hidden in log messages. This could be helpful when, for example, comparing the output from multiple runs. - #107 - Added a
--compact/--no-compactoption for abbreviated output on found issues, to avoid unintentionally spamming yourself. (Thanks to @dclayton-godaddy for his work on this one)
Bug fixes:
- #158 - The
--branchoption was broken and would not actually scan anything
Bug fixes:
- Added rust toolchain to allow for building of latest cryptography
Other changes:
- Added no-fetch to code snippets and note about what it does
Features:
- #42 - Report output on clean or successful scan. Add new
-q/--quietoption to suppress output - #43 - Report out of the list of exclusions. Add new
-v/--verboseoption to print exclusions - #159 - Switched our primary development branch from
master->main - Updated BFG refs from 1.13.0 to 1.13.2
Bugfixes:
- Rev build and release versions to match
Features:
- #119 - Added a new
--fetch/--no-fetchoption for local scans, controlling whether the local clone is refreshed before scan. (Thanks @jgowdy!) - #125 - Implement CODEOWNERS and auto-assignment to maintainers on PRs
Bugfixes:
- #115 - Strange behavior can manifest with invalid sub-commands
- #117 - Ignore whitespace-only lines in exclusion files
- #118 - Local scans fetch remote origin
- #121 - Match rules specified with --git-rules-repo were not included in scans
- #140 - Ensure a valid output folder name in Windows
Other changes:
- #95 - Run CI across Linux, Windows, and MacOS
- #130 - Added references to Tartufo GoogleGroups mailing list to docs
- Fixed testing in Pypy3 and explicitly added Python 3.9 support
- #134 - Documented the release process
- #143 - Updated GitHub Action hashes to newest rev to address https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/ where possible
- Fix the Docker build & deploy
- #74, #75 - Rewrote and refreshed the documentation for the new 2.0 usage (via #111)
This bugfix release is to take care of a handful of issues discovered during the initial alpha release for 2.0.
- #68 - Added consistent documentation through the codebase for classes, methods, and all other API elements (via #92)
- #90 - Presenting a friendlier error message when there is an error interacting with git (via #93)
- #94 - Fix tests that were failing on MacOS (via #97)
- #86 - Treat
tartufo.tomlpreferentially overpyproject.tomlwhen loading config (via #101) - #91 - Load config from scanned repositories. This functionality previously existed in 1.x, but was missed during the rebuild for v2.0. This also resulted in a bit of an overall rewrite of config file discovery to eliminate some duplicated logic. (via #103)
This is a whole brand new tartufo! It's been entirely restructured, rewritten, retested, rebuilt, and remade! It's now more extensible, readable, testable, and usable.
New features include:
- #2 - Verified/approved exclusions are now handled by way of hash signatures.
- These hashes are created on a combination of the matched string and filename
where the match was found. They are generated using the
BLAKE2hashing algorithm. (via #61)
- These hashes are created on a combination of the matched string and filename
where the match was found. They are generated using the
- #7 - A working directory can now be specified to clone to when scanning a remote repository. (via #81)
- #11 - Removed the
--cleanupoption and added a--output-dirin its place. Issues are now written to disk only when specifically requested by providing an output directory. (via #82) - #39 - The functionality is now split into sub-commands (via #78) Available
sub-commands are, for now:
- pre-commit
- scan-local-repo
- scan-remote-repo
- The entire library has been refactored and nearly all logic has been put into its most appropriate place. It should now be possible to use this whole tool as a library, and not just a CLI application. (via #29, #65, #67, #70)
Bug fixes include:
- #55 - The tests no longer iterate over this repository's history; everything has been sufficiently split out to make it more testable without needing to look at an actual git history. (via #70)
- #72 - Specifying a non-git path no longer causes an error (via #80)
Other changes:
- Issues found during the scan are now represented by a class, instead of some
amorphous dictionary (via #29)
- Further, since a single
Issueis instantiated per match, the output key for the matches has changed fromstrings_foundtomatched_string.
- Further, since a single
- #25 - Set up full documentation on Read The Docs (via #38)
- #30 - Support for Python 2 has been dropped (via #31)
- #58 - CI is now handled by GitHub Actions (via #59)
- #48 (Backport of #45 & #46)
- Documented Docker usage
- Small fixes to Docker to allow SSH clones and avoid scanning tartufo itself
- Docs have been backported from the
masterbranch.
- Fix the docs and pre-commit hook to use hyphens in CLI arguments, as opposed to underscores.
- Support reading config from
tartufo.tomlfor non-Python projects - #17 - A separate repository can be used for storing rules files
- #18 - Read the
pyproject.tomlortartufo.tomlfrom the repo being scanned
This release is essentially the same as the v1.0.0 release, but with a new number. Unfortunately, we had historical releases versioned as v1.0.0 and v1.0.1. Due to limitations in PyPI (https://pypi.org/help/#file-name-reuse), even if a previous release has been deleted, the version number may not be reused.
Version 1.0.0! Initial stable release!
- Finished the "hard fork" process, so that our project is now independent of
truffleHog. - #13 - Tests are now split into multiple files/classes
- #14 -
tartufois now configurable viapyproject.toml - #15 - Code is fully type annotated
- #16 - Fully fleshed out "Community Health" files
- #20 - Code is now fully formatted by
black
Automated Docker builds!
- Docker images are built and pushed automatically to https://hub.docker.com/r/godaddy/tartufo
- The version of these images has been synchronized with the Python version via the VERSION file
- Gave the Python package a more verbose long description for PyPi, straight from the README.
This is the first public release of tartufo, which has been forked off from truffleHog.
The primary new features/bugfixes include:
- Renamed everything to
tartufo - #1 - Additive whitelist/blacklist support
- #4 -
--pre_commitsupport - #6 - Documented the
--cleanupswitch which cleans up files in/tmp - #10 - Running
tartufowith no arguments would produce an error - Added support for https://pre-commit.com/ style hooks