TruffleHog Now Scans CircleCI Build Logs
Dylan Ayrey
January 6, 2023
We’re excited to announce a new feature in TruffleHog: the ability to scan CircleCI log outputs for passwords and API keys.
The log scanning brings all the features and the scanning philosophy you’ve come to expect from TruffleHog’s Git scanning to CI build output.
As you may know, CircleCI recently suffered a data breach and requested that their customers rotate any secrets in environment variables. While rotating these secrets is an important step in securing your data, it’s also important to ensure that any previous versions of these secrets are not still present in your log outputs.

With the new log scanning feature in TruffleHog, you can easily search your CircleCI log outputs for any passwords or API keys that may have been accidentally logged. This can help you identify any potential security vulnerabilities and take the necessary steps to secure your data.
To use the log scanning feature, simply run TruffleHog with the following flags:
trufflehog circleci --token
TruffleHog will then enumerate all of your CircleCI projects, every build in each project and every log for those builds, search those logs for passwords or API keys, and report any findings.
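To illustrate the kind of detection a log scanner performs over build output, here is a small scanner run over a constructed CircleCI-style log excerpt. This is added example code, not TruffleHog’s implementation: the two fixed-format detectors, the keyword rule for environment dumps and the sample log are all assumptions made for the example (TruffleHog ships far more detectors and verifies its matches).

```python
import re

# Two fixed-format credential detectors (a constructed subset for this example).
DETECTORS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "slack_token": re.compile(r"\b(xox[baprs]-[A-Za-z0-9-]{10,})\b"),
}
# `NAME=value` lines, as printed when a build step dumps its environment.
ENV_ASSIGNMENT = re.compile(r"^([A-Z][A-Z0-9_]*)=(\S{8,})$")
SECRET_NAME = re.compile(r"SECRET|PASSWORD|TOKEN|KEY")
# Commands (echoed under `set -x`) that print every environment variable.
ENV_DUMP = re.compile(r"^\+ (env|printenv)\b")


def redact(value: str) -> str:
    """Keep only a short prefix so the report itself does not re-leak the value."""
    return value[:4] + "****"


def scan_log(text: str) -> list[dict]:
    """Return one finding per (line, value); a value is never reported twice."""
    findings, seen = [], set()

    def add(lineno, detector, value):
        if (lineno, value) not in seen:
            seen.add((lineno, value))
            findings.append({"line": lineno, "detector": detector, "redacted": redact(value)})

    for lineno, line in enumerate(text.splitlines(), start=1):
        if ENV_DUMP.match(line):
            add(lineno, "env_dump", line)
        for name, pattern in DETECTORS.items():
            for m in pattern.finditer(line):
                add(lineno, name, m.group(1))
        m = ENV_ASSIGNMENT.match(line)
        if m and SECRET_NAME.search(m.group(1)):
            add(lineno, "secret_named_env_var", m.group(2))
    return findings


# Constructed log excerpt in the style of a step that echoes its commands.
# The AWS key is Amazon's documented example key, not a live credential.
SAMPLE_LOG = """\
#!/bin/bash -eo pipefail
+ ./deploy.sh --api-key AKIAIOSFODNN7EXAMPLE --region us-east-1
+ env
HOME=/home/circleci
DB_PASSWORD=correct-horse-battery-staple
SLACK_TOKEN=xoxb-000000000000-000000000000-constructedexample
+ echo 'deploy finished'
"""

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

The sample shows both leak paths the post describes: a key passed on a command line and a step that prints its whole environment.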

We hope this new feature will be a valuable addition to TruffleHog and help our users keep their sensitive information secure. As always, we welcome your feedback and pull requests for future improvements.
There are several ways in which passwords and API keys can be inadvertently logged to stdout in a CI build system. For example, they might be passed as command line arguments to a script that is run as part of the build process, or they might be stored in a configuration file that is printed to the terminal for debugging purposes.
To prevent sensitive information from being logged to stdout in a CI build system and being exposed, it’s important to follow a few best practices:
Restrict build logs to least privilege
No overly permissive log statements, i.e. logging all environment variables
Remove excessive log statements locally prior to pushing
Rotate any secrets that made their way into logs


© 2025 Truffle Security Co.