Added how to scan a local git repo (#3593)

za · web-flow · commit c033f2295500 · 2024-12-02T13:43:41.000-06:00
Issue #1864 because it's not written in README yet.
diff --git a/README.md b/README.md
@@ -257,43 +257,55 @@ docker run --rm -v "$HOME/.ssh:/root/.ssh:ro" trufflesecurity/trufflehog:latest
 trufflehog filesystem path/to/file1.txt path/to/file2.txt path/to/dir
 ```
 
-## 9: Scan GCS buckets for verified secrets
+## 9: Scan a local git repo
+
+Clone the git repo. For example [test keys](git@github.com:trufflesecurity/test_keys.git) repo.
+```bash
+$ git clone git@github.com:trufflesecurity/test_keys.git
+```
+
+Run trufflehog from the parent directory (outside the git repo).
+```bash
+$ trufflehog git file://test_keys --only-verified
+```
+
+## 10: Scan GCS buckets for verified secrets
 
 ```bash
 trufflehog gcs --project-id=<project-ID> --cloud-environment --only-verified
 ```
 
-## 10: Scan a Docker image for verified secrets
+## 11: Scan a Docker image for verified secrets
 
 Use the `--image` flag multiple times to scan multiple images.
 
 ```bash
 trufflehog docker --image trufflesecurity/secrets --only-verified
 ```
 
-## 11: Scan in CI
+## 12: Scan in CI
 
 Set the `--since-commit` flag to your default branch that people merge into (ex: "main"). Set the `--branch` flag to your PR's branch name (ex: "feature-1"). Depending on the CI/CD platform you use, this value can be pulled in dynamically (ex: [CIRCLE_BRANCH in Circle CI](https://circleci.com/docs/variables/) and [TRAVIS_PULL_REQUEST_BRANCH in Travis CI](https://docs.travis-ci.com/user/environment-variables/)). If the repo is cloned and the target branch is already checked out during the CI/CD workflow, then `--branch HEAD` should be sufficient. The `--fail` flag will return an 183 error code if valid credentials are found.
 
 ```bash
 trufflehog git file://. --since-commit main --branch feature-1 --only-verified --fail
 ```
 
-## 12: Scan a Postman workspace
+## 13: Scan a Postman workspace
 
 Use the `--workspace-id`, `--collection-id`, `--environment` flags multiple times to scan multiple targets.
 
 ```bash
 trufflehog postman --token=<postman api token> --workspace-id=<workspace id>
 ```
 
-## 13: Scan a Jenkins server
+## 14: Scan a Jenkins server
 
 ```bash
 trufflehog jenkins --url https://jenkins.example.com --username admin --password admin
 ```
 
-## 14: Scan an Elasticsearch server
+## 15: Scan an Elasticsearch server
 
 ### Scan a Local Cluster
 
@@ -321,7 +333,7 @@ trufflehog elasticsearch \
   --api-key 'MlVtVjBZ...ZSYlduYnF1djh3NG5FQQ=='
 ```
 
-## 15. Scan a GitHub Repository for Cross Fork Object References and Deleted Commits
+## 16. Scan a GitHub Repository for Cross Fork Object References and Deleted Commits
 
 The following command will enumerate deleted and hidden commits on a GitHub repository and then scan them for secrets. This is an alpha release feature.
 
@@ -335,7 +347,7 @@ In addition to the normal TruffleHog output, the `--object-discovery` flag creat
 
 For more information on Cross Fork Object References, please [read our blog post](https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github).
 
-## 16. Scan Hugging Face
+## 17. Scan Hugging Face
 
 ### Scan a Hugging Face Model, Dataset or Space
 
