TruffleHog

TruffleHog™ is a secrets scanning tool that digs deep into your code repositories to find secrets, passwords, and sensitive keys.

$ brew install trufflehog

$ trufflehog github --only-verified --repo https://github.com/trufflesecurity/test_keys
🐷🔑🐷 TruffleHog. Unearth your secrets. 🐷🔑🐷

2024-02-11T09:42:21-08:00 info-0 trufflehog running source {"source_manager_worker_id": "zbZ7o", "with_units": false, "target_count": 0, "source_manager_units_configurable": true}
2024-02-11T09:42:21-08:00 info-0 trufflehog Completed enumeration {"num_repos": 1, "num_orgs": 0, "num_members": 0}

✅ Found verified result 🐷🔑
Detector Type: AWS
Decoder Type: PLAIN
Raw result: AKIAQYLPMN5HHHFPZAM2
Account: 052310077262
User_id: AIDAQYLPMN5HCQD6W5U5W
Arn: arn:aws:iam::052310077262:user/canarytokens.com@@c20nnjzlioibnaxvt392i9ope
Commit: 0416560b1330d8ac42045813251d85c688717eaf
Email: counter <[email protected]>
File: new_key
Line: 2
Link: https://github.com/trufflesecurity/test_keys/blob/0416560b1330d8ac42045813251d85c688717eaf/new_key#L2
Repository: https://github.com/trufflesecurity/test_keys.git
Timestamp: 2023-10-19 02:56:37 +0000

Raw result: AKIAYVP4CIPPERUVIFXG
Resource_type: Access key
User_id: AIDAYVP4CIPPJ5M54LRCY
Arn: arn:aws:iam::595918472158:user/canarytokens.com@@mirux23ppyky6hx3l6vclmhnj
Rotation_guide: https://howtorotate.com/docs/tutorials/aws/
Account: 595918472158
Commit: fbc14303ffbf8fb1c2c1914e8dda7d0121633aca
Email: counter <[email protected]>
File: keys
Line: 4
Link: https://github.com/trufflesecurity/test_keys/blob/fbc14303ffbf8fb1c2c1914e8dda7d0121633aca/keys#L4
Timestamp: 2022-06-16 17:17:40 +0000

Detector Type: URI
Decoder Type: BASE64
Raw result: https://admin:[email protected]
Commit: 77b2a3e56973785a52ba4ae4b8dac61d4bac016f
Line: 3
Link: https://github.com/trufflesecurity/test_keys/blob/77b2a3e56973785a52ba4ae4b8dac61d4bac016f/keys#L3
Timestamp: 2022-06-16 17:27:56 +0000

2024-02-11T09:42:23-08:00 info-0 trufflehog finished scanning {"chunks": 6, "bytes": 3537, "verified_secrets": 3, "unverified_secrets": 0, "scan_duration": "2.36574375s"}

Secrets in unexpected places

Secrets scattered across your SDLC — from Git repos to ticket systems — pose serious risks. A single leak can trigger security breaches, legal trouble, and reputation damage.

Millions of secrets, including API keys, passwords, and tokens, leak from sources such as source code, npm packages, and container images, underscoring the need for robust secret leak detection.

How TruffleHog works

Detect

Scan the full version history, not just the current state of the tree, so a secret that was committed and later deleted is still found. TruffleHog also scans beyond code repositories, picking up secrets hidden in comments, Docker image layers, and more.

Analyze

TruffleHog Analyze identifies the resources and permissions attached to a detected API key or other secret by querying the provider's API with the credential itself, so you learn what a leak exposes without logging in to the provider's console.

Prevent

Use pre-commit and pre-receive hooks so that developers keep keys out of history in the first place. Run the scan automatically before each commit (and, server-side, before each push is accepted) to block accidental inclusion of sensitive data.
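A git pre-commit hook of the kind described here, added as an example. It is not TruffleHog's own hook script: the project documents the scan command for use with the pre-commit framework, while the shell wrapper, the TRUFFLEHOG_BIN variable and the fail-closed policy are choices made for this example. It assumes trufflehog is installed, that --since-commit HEAD limits the scan to changes relative to HEAD (the project's documented pre-commit usage), and that --fail makes TruffleHog exit with status 183 when it reports results.

```shell
#!/bin/sh
# Added example (not TruffleHog's own hook): git pre-commit hook that scans
# what is about to be committed and blocks the commit on a verified secret.
# Install: cp to .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit
# Assumptions: trufflehog is on PATH (or named by TRUFFLEHOG_BIN, a variable
# chosen for this script, not a TruffleHog option); --since-commit HEAD limits
# the scan to changes relative to HEAD, as in the project's documented
# pre-commit usage; --fail makes TruffleHog exit 183 when it reports results.

TRUFFLEHOG_BIN="${TRUFFLEHOG_BIN:-trufflehog}"
TRUFFLEHOG_FOUND=183   # exit status TruffleHog uses with --fail on findings

# scan_for_secrets REPO_DIR: return 0 to allow the commit, 1 to block it.
scan_for_secrets() {
    repo_dir="${1:-.}"

    if ! command -v "$TRUFFLEHOG_BIN" >/dev/null 2>&1; then
        echo "pre-commit: $TRUFFLEHOG_BIN not found; blocking commit (fail closed)" >&2
        return 1
    fi

    # --only-verified: report only credentials that verified live against the
    # provider, so the hook does not block on pattern-only matches.
    "$TRUFFLEHOG_BIN" git "file://$repo_dir" --since-commit HEAD --only-verified --fail
    status=$?

    case "$status" in
        0)
            return 0 ;;
        "$TRUFFLEHOG_FOUND")
            echo "pre-commit: verified secret(s) found in this change; commit blocked." >&2
            echo "Rotate the credential, remove it from the change, then commit again." >&2
            return 1 ;;
        *)
            # Any other status is a scanner error: block rather than commit unscanned.
            echo "pre-commit: trufflehog exited with status $status; commit blocked." >&2
            return 1 ;;
    esac
}

# Run the scan only when git invokes this file as the hook (argv[0] ends in
# pre-commit), so the function can also be sourced and exercised on its own.
case "$0" in
    */pre-commit|pre-commit) scan_for_secrets "$(git rev-parse --show-toplevel)" ;;
esac
```

Two caveats a practitioner should weigh. Because the hook gates on --only-verified, a developer working offline, or a credential for a service the hook cannot reach, gets no block; drop the flag if you would rather accept unverified noise than miss those. And `git commit --no-verify` skips client-side hooks entirely, so a client hook is a convenience for developers, not a control: enforcement belongs in a pre-receive hook on the server, where the same command can run against the pushed commits.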

Remediate

TruffleHog re-verifies each detected key over time to confirm it has actually been rotated or revoked, rather than treating a finding as fixed once it is acknowledged. You can set up alert reminders on your preferred platform with links to guides on how to rotate and secure each key type.

Why TruffleHog?

Comprehensive multi-branch analysis

By scanning all branches, not just the main or primary branch, TruffleHog™ ensures a consistent level of security across your entire project. This is particularly useful for larger projects with multiple branches being worked on concurrently.

Credential verification

For every credential type it detects, TruffleHog programmatically verifies the candidate using that credential's own protocol or API (the AWS results above carry the account and ARN returned during verification). Verification removes false positives: a verified result is a live credential, not just a string that matched a pattern. Candidates that do not verify are still reported as unverified unless you pass --only-verified, as in the command above.

Open-source community

Open-source software is transparent and available for inspection. Many developers volunteer their time to audit and improve it. This community verifies and checks each other’s work, so there’s never a need to blindly trust one developer. You can check it out yourself!

Developer spotlight

We are excited to shine the spotlight on Richard Gomez -  a dedicated supporter (and truffle hunter) who has made significant contributions to the TruffleHog Community.

@rgmz

Richard Gomez

CONTRIBUTIONS

200+ contributions over the last year including TruffleHog, Gitleaks, and 29 other repos

WHAT DRIVES YOU?

“While my primary motivation is to help projects enhance their security posture, I can’t deny the thrill of discovering secrets — I truly feel like a pig hunting for truffles. Of course, when I run it for my own code or code that I’m reviewing, I’m hoping not to find any secrets!”