Introducing TruffleHog v3

5 years ago I wrote the original TruffleHog tool to detect API keys, passwords and secrets that were committed to Git. This was a great research tool, but fell short in many ways.

We’ve since raised millions of dollars to build open source security tooling, starting with the next generation of TruffleHog, which is faster, detects 10x more secrets, and automatically validates 100% of the secrets it supports with dynamic checks.

Key Verification

The most critical piece of our new detection engine is the verification step, which consists of API calls to the providers of the keys identified. For example, if we find an AWS key, we reach out to the GetCallerIdentity API endpoint to validate the AWS key found.

You can see this in action here:

We get creative with some of the checks we do, like with Driftwood for private encryption keys.


We also made some significant improvements to the scanner’s runtime speed. Notably, all secret detectors are now preflighted with string comparisons which run quite a bit faster than regular expressions. You can see one example of the string comparisons here:

We also made some git improvements that were heavily inspired by Gitleaks.
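The keyword preflight described above, sketched as an added example (not TruffleHog's own code): each detector's regular expression runs only if a cheap substring check finds one of its keywords in the chunk. The Detector and Finding types, the Scan and hasKeyword functions, and the simplified patterns are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Detector is a hypothetical type for this example, not TruffleHog's interface.
type Detector struct {
	Name     string
	Keywords []string       // lowercase substrings checked before the regex
	Pattern  *regexp.Regexp // only run when a keyword is present
}

// Constructed detectors; the patterns are simplified for illustration.
var detectors = []Detector{
	{"aws-access-key-id", []string{"akia"}, regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"github-pat", []string{"ghp_"}, regexp.MustCompile(`\bghp_[0-9A-Za-z]{36}\b`)},
}

type Finding struct{ Detector, Match string }

// Scan returns the findings and how many regexes actually ran on the chunk.
func Scan(chunk string) (findings []Finding, regexRuns int) {
	lower := strings.ToLower(chunk) // lowercase once, reuse for every detector
	for _, d := range detectors {
		if !hasKeyword(lower, d.Keywords) {
			continue // cheap rejection: this detector's regex never runs
		}
		regexRuns++
		for _, m := range d.Pattern.FindAllString(chunk, -1) {
			findings = append(findings, Finding{d.Name, m})
		}
	}
	return findings, regexRuns
}

func hasKeyword(lower string, keywords []string) bool {
	for _, k := range keywords {
		if strings.Contains(lower, k) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed input using AWS's published documentation example key ID.
	fmt.Println(Scan("aws_access_key_id = AKIAIOSFODNN7EXAMPLE\nregion = us-east-1\n"))
}
```

The regexRuns counter exists only to make the saving visible: a chunk with no keywords costs one substring search per keyword and zero regex executions.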

Volume of keys

You can browse the 639 key types we now support, and check out how we do verification for all of them here:

We do not know of another secrets scanning engine that supports this many key types, let alone the verification, and the fact they’re all now open source.


If you see a detector we’re missing, or see a way to improve an existing one, one of the most exciting things about open sourcing this engine is we can now all work on it together. Please check out our collaboration docs to see how you can contribute to detectors:

Try it out

Try the new engine out yourself with the following docker command:

docker run --rm -it -v "/tmp:/tmp" -v "$PWD:/pwd" trufflesecurity/trufflehog git

And check it out on GitHub for more details about how to run it and how to contribute.


© 2022 Truffle Security. All Rights Reserved.