Secrets in unexpected places
Detect
Scan the version history of all platforms for hidden secrets. TruffleHog scans beyond code repositories to identify secrets hidden in comments, Docker images, and more.
Analyze
TruffleHog Analyze automatically identifies the resources and permissions associated with API keys and other secrets, without requiring access to the provider's UI.
Prevent
Use pre-commit and pre-receive hooks so that developers can stop keys from leaking in the first place. Security scans run automatically before each commit, and sensitive data is blocked before it is accidentally committed.
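An added example (not code from this page or from the TruffleHog project itself): a `.pre-commit-config.yaml` that runs TruffleHog over the uncommitted changes before every commit and push and blocks the commit when a verified secret is found. It assumes the `trufflehog` v3 CLI is on the developer's PATH and uses the `--since-commit`, `--only-verified` and `--fail` flags as documented in the project README; flag names are version-dependent, so check `trufflehog git --help` for the installed release.

```yaml
# .pre-commit-config.yaml (added example, assumes trufflehog v3 is installed)
repos:
  - repo: local
    hooks:
      - id: trufflehog
        name: TruffleHog
        description: Block commits that introduce verified secrets
        # --since-commit HEAD : scan only changes that are not yet committed
        # --only-verified     : report credentials TruffleHog could verify live,
        #                       so the hook does not fail on false positives
        # --fail              : exit non-zero when a secret is found, which makes
        #                       pre-commit abort the commit
        entry: bash -c 'trufflehog git file://. --since-commit HEAD --only-verified --fail'
        language: system
        stages: ["pre-commit", "pre-push"]
```

Enable the hook with `pre-commit install` (and `pre-commit install --hook-type pre-push` for the push stage); a server-side pre-receive hook would run the same command with `--since-commit` set to the old ref of the pushed range.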
Remediate
TruffleHog constantly tracks the status of different key types to verify their remediation. You can set up alert reminders on your preferred platform with links to guides on how to rotate and secure keys effectively.
Comprehensive multi-branch analysis
By scanning all branches, not just the main or primary branch, TruffleHog™ ensures a consistent level of security across your entire project. This is particularly useful for larger projects with multiple branches being worked on concurrently.
Credential verification
For every potential credential that is detected, we've painstakingly implemented programmatic verification against its own protocol or API. This verification removes false positives.
Open-source community
Open-source software is transparent and available for inspection. Many developers volunteer their time to audit and improve it. This community verifies and checks each other’s work, so there’s never a need to blindly trust one developer. You can check it out yourself!
Developer spotlight
We are excited to shine the spotlight on Richard Gomez, a dedicated supporter (and truffle hunter) who has made significant contributions to the TruffleHog community.
@rgmz
Richard Gomez
CONTRIBUTIONS
200+ contributions over the last year including TruffleHog, Gitleaks, and 29 other repos
WHAT DRIVES YOU?
“While my primary motivation is to help projects enhance their security posture, I can’t deny the thrill of discovering secrets — I truly feel like a pig hunting for truffles. Of course, when I run it for my own code or code that I’m reviewing, I’m hoping not to find any secrets!”