Dylan Ayrey

The Dig

January 6, 2023

TruffleHog Now Scans CircleCI Build Logs

TruffleHog Now Scans CircleCI Build Logs

Dylan Ayrey

January 6, 2023

We’re excited to announce a new feature in TruffleHog: the ability to scan CircleCI log outputs for passwords and API keys.

The scanning capabilities are all the features and scanning philosophy you’ve come to expect from TruffleHog Git scanning.

As you may know, CircleCI recently suffered a data breach and requested that their customers rotate any secrets in environment variables. While rotating these secrets is an important step in securing your data, it’s also important to ensure that any previous versions of these secrets are not still present in your log outputs.



With the new log scanning feature in TruffleHog, you can easily search your CircleCI log outputs for any passwords or API keys that may have been accidentally logged. This can help you identify any potential security vulnerabilities and take the necessary steps to secure your data.

To use the log scanning feature, simply run TruffleHog with the following flags:


trufflehog circleci –token


TruffleHog will then enumerate all your CircleCI projects, builds, all your logs for all those builds, search the logs for any passwords or API keys and provide a report of any findings.



We hope this new feature will be a valuable addition to TruffleHog and help our users keep their sensitive information secure. As always, we welcome your feedback and pull requests for future improvements.

There are several ways in which passwords and API keys can be inadvertently logged to STDout in a CI build system. For example, they might be passed as command line arguments to a script that is run as part of the build process, or they might be stored in a configuration file that is printed to the terminal for debugging purposes.

To prevent sensitive information from being logged to STDout in a CI build system and being exposed, it’s important to follow a few best practices:

  • Restrict build logs to least privilege

  • No overly permissive log statements, ie logging all environment variables

  • Remove excessive log statements locally prior to pushing

  • Rotate any secrets that made their way into logs