When a Google Cloud Platform Secret Leaks - What is Really at Risk? Register for the webinar and find out.

TRUFFLEHOG

CUSTOMERS

COMPANY

RESOURCES

LOG IN

Contact Us

When a Google Cloud Platform Secret Leaks - What is Really at Risk? Register for the webinar and find out.

Dylan Ayrey

The Dig

January 6, 2023

TruffleHog Now Scans CircleCI Build Logs

TruffleHog Now Scans CircleCI Build Logs

Dylan Ayrey

January 6, 2023

We’re excited to announce a new feature in TruffleHog: the ability to scan CircleCI log outputs for passwords and API keys.

The scanning capabilities are all the features and scanning philosophy you’ve come to expect from TruffleHog Git scanning.

As you may know, CircleCI recently suffered a data breach and requested that their customers rotate any secrets in environment variables. While rotating these secrets is an important step in securing your data, it’s also important to ensure that any previous versions of these secrets are not still present in your log outputs.



With the new log scanning feature in TruffleHog, you can easily search your CircleCI log outputs for any passwords or API keys that may have been accidentally logged. This can help you identify any potential security vulnerabilities and take the necessary steps to secure your data.

To use the log scanning feature, simply run TruffleHog with the following flags:


trufflehog circleci –token


TruffleHog will then enumerate all your CircleCI projects, builds, all your logs for all those builds, search the logs for any passwords or API keys and provide a report of any findings.



We hope this new feature will be a valuable addition to TruffleHog and help our users keep their sensitive information secure. As always, we welcome your feedback and pull requests for future improvements.

There are several ways in which passwords and API keys can be inadvertently logged to STDout in a CI build system. For example, they might be passed as command line arguments to a script that is run as part of the build process, or they might be stored in a configuration file that is printed to the terminal for debugging purposes.

To prevent sensitive information from being logged to STDout in a CI build system and being exposed, it’s important to follow a few best practices:

  • Restrict build logs to least privilege

  • No overly permissive log statements, ie logging all environment variables

  • Remove excessive log statements locally prior to pushing

  • Rotate any secrets that made their way into logs


We’re excited to announce a new feature in TruffleHog: the ability to scan CircleCI log outputs for passwords and API keys.

The scanning capabilities are all the features and scanning philosophy you’ve come to expect from TruffleHog Git scanning.

As you may know, CircleCI recently suffered a data breach and requested that their customers rotate any secrets in environment variables. While rotating these secrets is an important step in securing your data, it’s also important to ensure that any previous versions of these secrets are not still present in your log outputs.



With the new log scanning feature in TruffleHog, you can easily search your CircleCI log outputs for any passwords or API keys that may have been accidentally logged. This can help you identify any potential security vulnerabilities and take the necessary steps to secure your data.

To use the log scanning feature, simply run TruffleHog with the following flags:


trufflehog circleci –token


TruffleHog will then enumerate all your CircleCI projects, builds, all your logs for all those builds, search the logs for any passwords or API keys and provide a report of any findings.



We hope this new feature will be a valuable addition to TruffleHog and help our users keep their sensitive information secure. As always, we welcome your feedback and pull requests for future improvements.

There are several ways in which passwords and API keys can be inadvertently logged to STDout in a CI build system. For example, they might be passed as command line arguments to a script that is run as part of the build process, or they might be stored in a configuration file that is printed to the terminal for debugging purposes.

To prevent sensitive information from being logged to STDout in a CI build system and being exposed, it’s important to follow a few best practices:

  • Restrict build logs to least privilege

  • No overly permissive log statements, ie logging all environment variables

  • Remove excessive log statements locally prior to pushing

  • Rotate any secrets that made their way into logs


More from THE DIG

Thoughts, research findings, reports, and more from Truffle Security Co.

Oct 17, 2025

Contributor Spotlight: Adam Reiser of Cisco Talos

Sep 17, 2025

TruffleHog in Your Logs?

Sep 10, 2025

Detecting Exposed Secrets in Salesforce with TruffleHog

The Dig

Thoughts, research findings, reports, and more from Truffle Security Co.

Oct 17, 2025

Contributor Spotlight: Adam Reiser of Cisco Talos

Sep 17, 2025

TruffleHog in Your Logs?

STAY STRONG

DIG DEEP

TRUFFLEHOG

Open-source

Enterprise

Analyze

NEW!

Forager

Security

Integrations

Pricing

CUSTOMERS

COMPANY

About

Careers

Press

FAQ

Contact us

RESOURCES

Blog

Newsletter

Library

Events

Videos

GitHub

Enterprise docs

Open-source docs

How to rotate

Brand assets

NEW!

DOING IT THE RIGHT WAY

SINCE 2021

#trufflehog-community

#Secret Scanning

© 2025 Truffle Security Co.

Privacy policy

Terms and conditions

Data processing agreement

Acceptable use policy

STAY STRONG

DIG DEEP

#trufflehog-community

#Secret Scanning

© 2025 Truffle Security Co.

Privacy policy

Terms and conditions

Data processing agreement

Acceptable use policy