Markdown output format

dasmfm · dasmfm · commit 550fbc2fe517 · 2026-01-08T17:19:29.000+03:00
diff --git a/README.md b/README.md
@@ -212,14 +212,20 @@ Timestamp: 2022-06-16 10:17:40 -0700 PDT
 trufflehog github --org=trufflesecurity --results=verified
 ```
 
-## 3: Scan a GitHub Repo for only verified secrets and get JSON output
+## 3: Scan a GitHub Repo for only verified secrets and get structured output
 
-Command:
+JSON:
 
 ```bash
 trufflehog git https://github.com/trufflesecurity/test_keys --results=verified --json
 ```
 
+Or Markdown report that you can drop into documentation or ticketing system:
+
+```bash
+trufflehog git https://github.com/trufflesecurity/test_keys --results=verified --markdown > findings.md
+```
+
 Expected output:
 
 ```
@@ -448,6 +454,7 @@ Flags:
       --log-level=0         Logging verbosity on a scale of 0 (info) to 5 (trace). Can be disabled with "-1".
       --profile             Enables profiling and sets a pprof and fgprof server on :18066.
   -j, --json                Output in JSON format.
+      --markdown            Output in Markdown format.
       --json-legacy         Use the pre-v3.0 JSON format. Only works with git, gitlab, and github sources.
       --github-actions      Output in GitHub Actions format.
       --concurrency=20           Number of concurrent workers.
diff --git a/examples/README.md b/examples/README.md
@@ -11,4 +11,7 @@ trufflehog filesystem --config=$PWD/generic.yml $PWD
 
 # to filter so that _only_ generic credentials are logged:
 trufflehog filesystem --config=$PWD/generic.yml --json --no-verification $PWD | awk '/generic-api-key/{print $0}'
+
+# capture a Markdown report:
+trufflehog filesystem --config=$PWD/generic.yml --markdown --no-verification $PWD > findings.md
 ```
diff --git a/main.go b/main.go
@@ -53,6 +53,7 @@ var (
 	profile             = cli.Flag("profile", "Enables profiling and sets a pprof and fgprof server on :18066.").Bool()
 	localDev            = cli.Flag("local-dev", "Hidden feature to disable overseer for local dev.").Hidden().Bool()
 	jsonOut             = cli.Flag("json", "Output in JSON format.").Short('j').Bool()
+	markdownOut         = cli.Flag("markdown", "Output in Markdown format.").Bool()
 	jsonLegacy          = cli.Flag("json-legacy", "Use the pre-v3.0 JSON format. Only works with git, gitlab, and github sources.").Bool()
 	gitHubActionsFormat = cli.Flag("github-actions", "Output in GitHub Actions format.").Bool()
 	concurrency         = cli.Flag("concurrency", "Number of concurrent workers.").Default(strconv.Itoa(runtime.NumCPU())).Int()
@@ -508,13 +509,15 @@ func run(state overseer.State) {
 		printer = new(output.LegacyJSONPrinter)
 	case *jsonOut:
 		printer = new(output.JSONPrinter)
+	case *markdownOut:
+		printer = output.NewMarkdownPrinter(nil)
 	case *gitHubActionsFormat:
 		printer = new(output.GitHubActionsPrinter)
 	default:
 		printer = new(output.PlainPrinter)
 	}
 
-	if !*jsonLegacy && !*jsonOut {
+	if !*jsonLegacy && !*jsonOut && !*markdownOut {
 		fmt.Fprintf(os.Stderr, "🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷\n\n")
 	}
 
@@ -571,13 +574,19 @@ func run(state overseer.State) {
 		if err := compareScans(ctx, cmd, engConf); err != nil {
 			logFatal(err, "error comparing detection strategies")
 		}
+		if err := closePrinter(printer); err != nil {
+			logFatal(err, "failed to close printer")
+		}
 		return
 	}
 
 	metrics, err := runSingleScan(ctx, cmd, engConf)
 	if err != nil {
 		logFatal(err, "error running scan")
 	}
+	if err := closePrinter(printer); err != nil {
+		logFatal(err, "failed to close printer")
+	}
 
 	verificationCacheMetricsSnapshot := struct {
 		Hits                    int32
@@ -1172,6 +1181,13 @@ func commaSeparatedToSlice(s []string) []string {
 	return result
 }
 
+func closePrinter(printer engine.Printer) error {
+	if closer, ok := printer.(interface{ Close() error }); ok {
+		return closer.Close()
+	}
+	return nil
+}
+
 func printAverageDetectorTime(e *engine.Engine) {
 	fmt.Fprintln(
 		os.Stderr,
diff --git a/pkg/output/markdown.go b/pkg/output/markdown.go
@@ -0,0 +1,143 @@
+package output
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"os"
+	"sort"
+	"strings"
+	"sync"
+
+	"github.com/trufflesecurity/trufflehog/v3/pkg/context"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
+)
+
+// MarkdownPrinter renders TruffleHog findings into a Markdown document with
+// dedicated tables for verified and unverified secrets. It buffers the rows
+// while scanning and flushes the final report when Close is invoked.
+type MarkdownPrinter struct {
+	mu         sync.Mutex
+	out        io.Writer
+	verified   []markdownRow
+	unverified []markdownRow
+}
+
+// markdownRow represents a single table entry in the Markdown report.
+type markdownRow struct {
+	Detector string
+	File     string
+	Line     string
+	Redacted string
+}
+
+// NewMarkdownPrinter builds a MarkdownPrinter that writes to out. When out is
+// nil, stdout is used.
+func NewMarkdownPrinter(out io.Writer) *MarkdownPrinter {
+	if out == nil {
+		out = os.Stdout
+	}
+	return &MarkdownPrinter{out: out}
+}
+
+// Print collects each result so the final Markdown doc can include per-section
+// counts and tables before the buffered results are rendered in Close.
+func (p *MarkdownPrinter) Print(_ context.Context, r *detectors.ResultWithMetadata) error {
+	file := "n/a"
+	line := "n/a"
+
+	meta, err := structToMap(r.SourceMetadata.Data)
+	if err != nil {
+		return fmt.Errorf("could not marshal result: %w", err)
+	}
+
+	for _, data := range meta {
+		for k, v := range data {
+			if k == "line" {
+				if l, ok := v.(float64); ok {
+					line = fmt.Sprintf("%d", int64(l))
+				}
+			}
+			if k == "file" {
+				if filename, ok := v.(string); ok {
+					file = filename
+				}
+			}
+		}
+	}
+
+	row := markdownRow{
+		Detector: r.DetectorType.String(),
+		File:     file,
+		Line:     line,
+		Redacted: sanitize(r.Redacted),
+	}
+
+	p.mu.Lock()
+	defer p.mu.Unlock()
+
+	if r.Verified {
+		p.verified = append(p.verified, row)
+	} else {
+		p.unverified = append(p.unverified, row)
+	}
+	return nil
+}
+
+// Close renders the buffered findings to Markdown. Close should be invoked by
+// the output manager once scanning finishes.
+func (p *MarkdownPrinter) Close() error {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+
+	doc := renderMarkdown(p.verified, p.unverified)
+	if doc == "" {
+		return nil
+	}
+	if _, err := fmt.Fprint(p.out, doc); err != nil {
+		return fmt.Errorf("write markdown: %w", err)
+	}
+	return nil
+}
+
+// renderMarkdown mirrors templates/trufflehog_report.py by emitting a title,
+// optional sections for verified/unverified findings, and per-section counts.
+func renderMarkdown(verified, unverified []markdownRow) string {
+	if len(verified) == 0 && len(unverified) == 0 {
+		return ""
+	}
+
+	var buf bytes.Buffer
+	buf.WriteString("# TruffleHog Findings\n\n")
+	writeSection := func(title string, rows []markdownRow) {
+		if len(rows) == 0 {
+			return
+		}
+		sort.SliceStable(rows, func(i, j int) bool {
+			if rows[i].Detector != rows[j].Detector {
+				return rows[i].Detector < rows[j].Detector
+			}
+			if rows[i].File != rows[j].File {
+				return rows[i].File < rows[j].File
+			}
+			return rows[i].Line < rows[j].Line
+		})
+
+		fmt.Fprintf(&buf, "## %s (%d)\n", title, len(rows))
+		buf.WriteString("| Detector | File | Line | Redacted |\n")
+		buf.WriteString("| --- | --- | --- | --- |\n")
+		for _, row := range rows {
+			fmt.Fprintf(&buf, "| %s | %s | %s | %s |\n", row.Detector, row.File, row.Line, row.Redacted)
+		}
+		buf.WriteString("\n")
+	}
+
+	writeSection("Verified Findings", append([]markdownRow(nil), verified...))
+	writeSection("Unverified Findings", append([]markdownRow(nil), unverified...))
+
+	return strings.TrimRight(buf.String(), "\n") + "\n"
+}
+
+var sanitizer = strings.NewReplacer("\r", " ", "\n", " ", "|", "\\|")
+
+func sanitize(value string) string { return sanitizer.Replace(value) }
diff --git a/pkg/tui/pages/source_configure/trufflehog_configure.go b/pkg/tui/pages/source_configure/trufflehog_configure.go
@@ -37,6 +37,14 @@ func GetTrufflehogConfiguration() truffleCmdModel {
 		Placeholder: "false",
 	}
 
+	markdownOutput := textinputs.InputConfig{
+		Label:       "Markdown output",
+		Key:         "markdown",
+		Required:    false,
+		Help:        "Output results to Markdown",
+		Placeholder: "false",
+	}
+
 	excludeDetectors := textinputs.InputConfig{
 		Label:       "Exclude detectors",
 		Key:         "exclude_detectors",
@@ -53,13 +61,17 @@ func GetTrufflehogConfiguration() truffleCmdModel {
 		Placeholder: strconv.Itoa(runtime.NumCPU()),
 	}
 
-	return truffleCmdModel{textinputs.New([]textinputs.InputConfig{jsonOutput, verification, verifiedResults, excludeDetectors, concurrency}).SetSkip(true)}
+	return truffleCmdModel{textinputs.New([]textinputs.InputConfig{jsonOutput, markdownOutput, verification, verifiedResults, excludeDetectors, concurrency}).SetSkip(true)}
 }
 
 func (m truffleCmdModel) Cmd() string {
 	var command []string
 	inputs := m.GetInputs()
 
+	if isTrue(inputs["markdown"].Value) {
+		command = append(command, "--markdown")
+	} 
+	
 	if isTrue(inputs["json"].Value) {
 		command = append(command, "--json")
 	}
@@ -86,7 +98,7 @@ func (m truffleCmdModel) Cmd() string {
 
 func (m truffleCmdModel) Summary() string {
 	summary := strings.Builder{}
-	keys := []string{"no-verification", "only-verified", "json", "exclude_detectors", "concurrency"}
+	keys := []string{"no-verification", "only-verified", "json", "markdown", "exclude_detectors", "concurrency"}
 
 	inputs := m.GetInputs()
 	labels := m.GetLabels()
