Scripts · Apr 13, 2026 · 3 min read

TruffleHog — Find and Verify Leaked Credentials

TruffleHog finds, verifies, and analyzes leaked credentials across Git repos, filesystems, S3 buckets, and more. Unlike basic secret scanners, TruffleHog checks if detected credentials are actually active — reducing false positives dramatically.

TL;DR
Secret scanner that finds and verifies leaked credentials across Git repos, filesystems, and S3 buckets. Checks if secrets are active.
§01

What it is

TruffleHog is a credentials scanner that finds, verifies, and analyzes leaked secrets across Git repositories, filesystems, S3 buckets, and more. Unlike basic pattern-matching scanners, TruffleHog checks whether a detected credential is actually active by making a safe verification request to the service that issued it. This dramatically reduces false positives: instead of alerting on every string that looks like an API key, it tells you which ones are live and therefore usable by an attacker.

TruffleHog targets security engineers, DevOps teams, and developers who need to audit codebases for exposed secrets. It runs in CI/CD pipelines, pre-commit hooks, or as a one-off audit tool.

§02

How it saves time or tokens

TruffleHog's verification feature eliminates false-positive triage. Traditional secret scanners produce hundreds of alerts, most of which are test keys, revoked tokens, or false matches. TruffleHog verifies each finding, reducing actionable alerts from hundreds to the handful that actually matter. For security teams, this means spending time on remediation rather than investigation.

§03

How to use

  1. Install TruffleHog:
brew install trufflehog
  2. Scan a remote repository, a local checkout, or a directory:
# Scan a remote repo
trufflehog git https://github.com/example/repo.git

# Scan a local repo
trufflehog git file://./my-repo

# Scan a filesystem
trufflehog filesystem /path/to/code
  3. Review verified findings and rotate any active credentials immediately. Rotation is the fix: rewriting Git history does not revoke a key that has already been pushed.
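The three steps above as one script, added here as an example rather than TruffleHog's own tooling. It runs a scan with JSON output and then triages the result file so only verified findings, each with its commit, file location and TruffleHog's already-redacted value, reach the reviewer. The trufflehog flags used (git, --since-commit, --only-verified, --json, --fail) and the output field names (DetectorName, Verified, Redacted, SourceMetadata.Data.Git) are TruffleHog's; the two findings written by write_sample_results are constructed so the triage half runs without a scan, and the script name and paths are assumptions.

```bash
#!/usr/bin/env bash
# Scan-and-triage helper for TruffleHog (added example, not TruffleHog's own tooling).
set -eu

# Run TruffleHog over a local Git repository, writing JSON-lines results to $3.
# $2 is an optional commit to scan from (for a pull request, the merge base);
# omit it to scan the whole history. --fail makes trufflehog exit 183 when it
# has results, so that status is captured and returned instead of aborting here.
scan_repo() {
  repo_path=$1; since=${2:-}; out=$3
  set -- git "file://$(cd "$repo_path" && pwd)" --json --only-verified --fail
  if [ -n "$since" ]; then set -- "$@" --since-commit "$since"; fi
  status=0
  trufflehog "$@" > "$out" || status=$?
  return "$status"
}

# Count findings TruffleHog flagged as verified in a JSON-lines results file.
count_verified() {
  grep -c '"Verified":true' "$1" || true
}

# Pull one scalar field out of a single finding line. Good enough for
# TruffleHog's output, which is one JSON object per line; use jq in production.
field() {
  printf '%s\n' "$2" | sed -n "s/.*\"$1\":\"\{0,1\}\([^\",}]*\).*/\1/p"
}

# One triage line per verified finding: detector, short commit, file:line and
# TruffleHog's Redacted value. Raw is never printed, so this is safe for a ticket.
summarize_verified() {
  grep '"Verified":true' "$1" | while IFS= read -r finding; do
    printf '%s\t%s\t%s:%s\t%s\n' \
      "$(field DetectorName "$finding")" \
      "$(field commit "$finding" | cut -c1-12)" \
      "$(field file "$finding")" \
      "$(field line "$finding")" \
      "$(field Redacted "$finding")"
  done
}

# Two constructed findings in the shape of TruffleHog's --json output (the field
# names are TruffleHog's; commits, paths and values are made up). Written to $1.
write_sample_results() {
  cat > "$1" <<'EOF'
{"SourceMetadata":{"Data":{"Git":{"commit":"0123456789abcdef0123456789abcdef01234567","file":"config/settings.py","email":"dev <dev@example.com>","repository":"file:///srv/my-repo","timestamp":"2026-04-01 09:00:00 +0000","line":12}}},"SourceID":0,"SourceType":16,"SourceName":"trufflehog - git","DetectorType":2,"DetectorName":"AWS","DecoderName":"PLAIN","Verified":true,"Raw":"AKIAIOSFODNN7EXAMPLE","Redacted":"AKIAIOSFODNN7EXAMPLE","ExtraData":null,"StructuredData":null}
{"SourceMetadata":{"Data":{"Git":{"commit":"89abcdef0123456789abcdef0123456789abcdef","file":"scripts/deploy.sh","email":"dev <dev@example.com>","repository":"file:///srv/my-repo","timestamp":"2026-03-28 15:30:00 +0000","line":3}}},"SourceID":0,"SourceType":16,"SourceName":"trufflehog - git","DetectorType":8,"DetectorName":"Github","DecoderName":"PLAIN","Verified":false,"Raw":"ghp_000000000000000000000000000000000000","Redacted":"ghp_0000...","ExtraData":null,"StructuredData":null}
EOF
}

# Usage: scan_triage.sh RESULTS.jsonl [REPO [SINCE_COMMIT]]
# With a repo, scan first; otherwise triage an existing results file (or the sample).
main() {
  results=$1; repo=${2:-}; since=${3:-}
  if [ -n "$repo" ]; then
    scan_repo "$repo" "$since" "$results" || true
  elif [ ! -s "$results" ]; then
    echo "no results at $results; writing the constructed sample" >&2
    write_sample_results "$results"
  fi
  summarize_verified "$results"
  n=$(count_verified "$results")
  echo "verified findings: $n"
  [ "$n" -eq 0 ]   # non-zero exit (for CI) when live credentials were found
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as `scan_triage.sh results.jsonl /path/to/repo $(git merge-base origin/main HEAD)` in a pull-request job, or with only the results path to re-triage an earlier run. The summary deliberately prints the Redacted field and never Raw, because the raw value in --json output is the secret itself.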
§04

Example

CI/CD integration for pre-merge scanning:

# GitHub Actions workflow
name: Secret Scan
on: [pull_request]
jobs:
  trufflehog:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: TruffleHog Scan
        uses: trufflesecurity/trufflehog@main
        with:
          extra_args: --only-verified

The --only-verified flag reports only credentials confirmed as active, keeping CI noise to a minimum; current TruffleHog releases accept --results=verified for the same filter. fetch-depth: 0 is not optional: the action scans the commits between the pull request's base and head, and a shallow checkout does not contain them.

§06

Common pitfalls

  • Verification makes safe API calls to check if credentials are active, which means each candidate secret is sent to the provider that issued it. Ensure your network allows outbound requests from the scanning environment; where it does not, run with --no-verification and accept that every match then needs manual triage.
  • Scanning the full Git history (all commits) catches secrets that were committed and later deleted. Use --since-commit to limit scope for regular CI scans (a pre-commit hook uses --since-commit HEAD), and keep a periodic full-history scan alongside them.
  • TruffleHog reports the location of each secret in its output, and --json output carries the credential itself in the Raw field. Ensure scan results are stored securely and not logged to public CI outputs.
  • Pin the CLI version and the GitHub Action to a release tag or commit SHA rather than @main, and check the official documentation for version-specific changes and migration guides before upgrading in production environments.
  • For team deployments, check a shared configuration into the repository (detector definitions via --config, path exclusions via --exclude-paths) so every developer and pipeline runs the same scan.
  • When integrating TruffleHog with Slack or PagerDuty notifications, filter to verified-only findings to avoid alert fatigue from false positives.

Frequently Asked Questions

What does 'verified' mean in TruffleHog?

Verified means TruffleHog made a safe API call to the issuing service and the service accepted the credential. This distinguishes real, exploitable secrets from revoked tokens, test keys, or false pattern matches. A verification attempt can also fail for reasons unrelated to the secret (network errors, rate limits); --results=verified,unknown includes those findings as unknown, and they deserve a look before being discarded.

What sources can TruffleHog scan?

TruffleHog scans Git repositories (local and remote), filesystems, S3 buckets, GCS buckets, Docker images, and other sources. Each source type has a dedicated scanner that handles the specific data format.

How do I use TruffleHog in CI/CD?

Add TruffleHog as a step in your CI pipeline that runs on pull requests. Use --only-verified to reduce noise and --since-commit to scope the scan to the new commits. Pass --fail so that TruffleHog exits with code 183 when results are found; without it the exit code is 0 even when verified secrets are present, and the build would not fail.

Does TruffleHog support custom detectors?

Yes. TruffleHog supports custom regex detectors for internal secret patterns that are not covered by built-in detectors. In a YAML configuration file passed with --config you define the detector's name, its keywords (the regexes only run on chunks that contain one of them, so choose a string that always appears near the secret), one or more named regexes, and an optional verification endpoint.
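A custom detector for an invented internal token format, added here as an example that is not part of TruffleHog. The config layout (detectors, name, keywords, regex, verify with endpoint, unsafe and headers) and the --config, filesystem and --no-verification flags follow TruffleHog's documented custom-detector format; the ACMETOK token format, the validation service, and the {acmeToken} placeholder in the header are assumptions for this example, the last of which should be checked against the custom detector docs for the version you run.

```bash
#!/usr/bin/env bash
# Custom detector for an internal token format (added example, not part of TruffleHog).
set -eu

# Write the detector config to $1. Token format assumed: "ACMETOK-" + 32 hex chars.
write_detector_config() {
  cat > "$1" <<'EOF'
# TruffleHog custom detector for internal Acme API tokens (example config)
detectors:
  - name: AcmeInternalToken
    # keywords pre-filter: the regexes run only on chunks containing one of these,
    # so use a string that always appears alongside the secret
    keywords:
      - ACMETOK
    regex:
      acmeToken: '\bACMETOK-[0-9a-f]{32}\b'
    # optional: have TruffleHog confirm each match against a service that accepts it
    verify:
      - endpoint: https://tokens.acme.internal/v1/validate
        # unsafe: true is only required when the endpoint is plain http
        unsafe: false
        headers:
          # assumption: matched regex names are substituted as {name}; confirm in the docs
          - "Authorization: Bearer {acmeToken}"
EOF
}

# Constructed sample tree: one file with a fake token, one without.
write_sample_tree() {
  mkdir -p "$1/app"
  printf 'ACME_API_TOKEN = "ACMETOK-%s"\n' "0123456789abcdef0123456789abcdef" > "$1/app/settings.py"
  printf 'unrelated = "not-a-secret"\n' > "$1/app/other.py"
}

# Local sanity check of the regex against the tree, without TruffleHog:
# number of files containing a match (same pattern, in grep -E form).
count_matching_files() {
  grep -rlE 'ACMETOK-[0-9a-f]{32}' "$1" | wc -l | tr -d ' '
}

# Scan a directory with the custom detector; built-in detectors still run too.
# --no-verification keeps the run offline; drop it once the endpoint above exists.
scan_with_custom_detector() {
  trufflehog filesystem "$1" --config "$2" --no-verification --json
}

# Usage: custom_detector.sh OUT_DIR   (writes config + sample tree, then scans)
if [ "$#" -gt 0 ]; then
  write_detector_config "$1/trufflehog-config.yaml"
  write_sample_tree "$1/sample"
  echo "files matching the regex locally: $(count_matching_files "$1/sample")"
  scan_with_custom_detector "$1/sample" "$1/trufflehog-config.yaml"
fi
```

The local grep check is there so the regex can be tuned before a scan: if it matches zero files in a tree that you know contains a token, the pattern or the keyword is wrong, and TruffleHog would report nothing for the same reason.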

How many secret types does TruffleHog detect?

TruffleHog detects 700+ secret types including AWS keys, GitHub tokens, Slack tokens, database passwords, API keys, and many more. Most detectors include a verification mechanism specific to that credential type; findings from detectors that cannot verify stay unverified and need manual review.
