
does trufflehog verify the detected secrets by sending them to API endpoints for local filesystem run?

Open yang0369 opened this issue 4 months ago • 0 comments

Hi, I am exploring TruffleHog's secret detection and verification process for local filesystem scans. After reading about TruffleHog's ability to verify secrets via API calls referring to how-trufflehog-verifies-secrets , I conducted an experiment:

  1. Ran TruffleHog on a local file:
trufflehog --no-update --local-dev --json --config trufflehog_generic.yaml filesystem test.py

  2. The output I received (partially shown) indicated a detection based on a custom regex rule, but it wasn't verified, e.g. one of the detected outputs: {"SourceMetadata":{"Data":{"Filesystem":{"file":"secret.py","line":5}}},"SourceID":1,"SourceType":15,"SourceName":"trufflehog - filesystem","DetectorType":904,"DetectorName":"CustomRegex","DecoderName":"PLAIN","Verified":false,"Raw":"secret is identified as positive.\"\n","RawV2":"","Redacted":"","ExtraData":{"name":"generic-api-key"},"StructuredData":null}

  3. I also noticed that TruffleHog's detections were based solely on the regex rules in the trufflehog_generic.yaml file. When I removed all regexes from this file, no secrets were detected anymore.

Given these observations, I am wondering:

  1. How can I enable TruffleHog to verify the detected secrets?
  2. How can I enable the live API verification feature in my scans?


Thanks.

yang0369 · Oct 17 '24 05:10
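For reference, a custom detector config with verification turned on, written as an added example (not from the issue or the TruffleHog project): TruffleHog's custom detectors accept a `verify` block with `endpoint`, `unsafe` and `headers` keys, as documented in the project README. The detector name, keyword, regex pattern, endpoint host and token are constructed; the endpoint stands for a service you run yourself that decides whether a candidate is live.

```yaml
# trufflehog_custom_verify.yaml (added example)
# A CustomRegex detector without a `verify` block can only ever report
# "Verified": false, which matches the JSON output shown in the issue.
detectors:
  - name: generic-api-key          # surfaces as ExtraData.name in --json output
    keywords:
      - api_key                    # cheap prefilter; the regex runs only near a keyword hit
    regex:
      # Constructed pattern: a 32-char alphanumeric value assigned to api_key.
      api_key: 'api_key\s*=\s*["'']([A-Za-z0-9]{32})["'']'
    verify:
      # Hypothetical verification service under your control. Assumption:
      # TruffleHog POSTs the matched values here and marks the finding
      # Verified on a 2xx response; any other response leaves it unverified.
      - endpoint: https://verify.example.internal/check
        # `unsafe: true` is only required when the endpoint is plain http://
        unsafe: false
        headers:
          - "Authorization: Bearer REPLACE_WITH_SERVICE_TOKEN"   # placeholder
# Run with the same source as in the issue:
#   trufflehog --json --config trufflehog_custom_verify.yaml filesystem test.py
```

Keep the verification endpoint in an environment you control, since every candidate match is sent to it; the `Verified` field in the output is the same one the issue shows as false.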