TruffleHog detects secrets, credentials, API keys, tokens, and sensitive strings hidden anywhere in a codebase, including commit history, branches, tags, and even improper encodings. It identifies both high-entropy values and verified secrets through provider-specific detectors. TruffleHog is a powerful defensive tool for preventing credential leaks, securing repositories, and enforcing strict secrets hygiene.

Why TruffleHog Matters

Secrets often leak through:

• Git commits
• PRs and merges
• Config files
• Logs
• Debug statements
• Test data
• Hardcoded values
• Old commit history

Attackers frequently scan GitHub for leaked secrets to compromise systems. TruffleHog detects exposed secrets instantly, even those buried deep in git history. With provider verification (AWS, GitHub, GCP, Azure, Stripe, Slack, etc.), it distinguishes real secrets from false positives, improving accuracy.

TruffleHog becomes an essential tool for secret hygiene across development, CI/CD, and operational workflows.

How TruffleHog Works

High Entropy Scanning

Detects random-looking strings (API keys, tokens, private keys).

Regex-Based Scanning

Matches known secret patterns (AWS keys, JWTs, OAuth tokens).

Verified Secrets

Validates exposed secrets against provider APIs to confirm if they are real.

Git History Scanning

Inspects all commits, branches, tags, and deleted files.

API Key Detection

Supports dozens of providers.

File System Scanning

Scans directories for secrets in plain files.

Container and Image Scanning

Scans Docker images for secrets.

Installing TruffleHog

Install via pip:

pip install trufflehog

Or use Docker:

docker run --rm -v $(pwd):/src trufflesecurity/trufflehog filesystem /src

Or Go binary:

go install github.com/trufflesecurity/trufflehog@latest

Basic Commands

Scan local folder:

trufflehog filesystem .

Scan a git repository:

trufflehog git .

Scan remote repo:

trufflehog git https://github.com/user/repo.git

Scan with provider verification:

trufflehog git --verify .

Output formats:

--json
--no-update
--only-verified

What TruffleHog Detects

Confirmed Provider Secrets

• AWS Access Keys
• GitHub Tokens
• Slack Tokens
• Google Cloud Keys
• Azure Keys
• Stripe Secrets
• Twilio Tokens
• Firebase Keys
• Discord Tokens

High Entropy Secrets

• JWT tokens
• OAuth secrets
• SSH private keys
• Database URLs
• Encryption keys
• Random tokens
• Certificates

Config Leaks

• .env files
• Credentials in code
• Hardcoded DB credentials
• API keys in frontend JS files

Commit-Level Leaks

• Secrets committed accidentally
• Secrets deleted later (still in history)
• Secrets in patches, diffs, or merges

TruffleHog covers both static and historic attack surface.

Deep Scanning Modes

1. Filesystem Mode

Scans current local directory for secrets.

trufflehog filesystem .

2. Git Mode

Scans entire commit history.

trufflehog git .

3. Verified Mode

Verifies if found secrets are valid.

trufflehog git --verify .

4. GitHub Repo Scanning

Scan public repo:

trufflehog git https://github.com/user/repo

Managing False Positives

Use:

--only-verified

Or suppression file:

• Ignore folder paths
• Ignore patterns
• Ignore entropy ranges

Example:

trufflehog filesystem . --exclude-path secrets/testdata

Best Practices With TruffleHog

• Run TruffleHog before committing code
• Scan full repo before adding CI/CD
• Scan all branches, not only main
• Scan PRs automatically
• Use verify mode for accuracy
• Rotate all found secrets immediately
• Add secrets scanning to CI pipelines
• Treat exposed secrets as compromised

Full-Length Practical Section

Deep, hands-on practicals for mastering TruffleHog.

Practical 1: Install TruffleHog and Scan Local Code

Install:

pip install trufflehog

Run first scan:

trufflehog filesystem .

Observe:

• entropy findings
• regex-based matches
• suspected secrets

Practical 2: Scan Git History for Hidden Secrets

Run:

trufflehog git .

Inspect:

• file path
• commit hash
• timestamp
• redacted secret

This reveals secrets buried years deep.

Practical 3: Scan a Public GitHub Repository

trufflehog git https://github.com/some/project.git

Find:

• AWS tokens
• Slack credentials
• DB connection strings

Practical 4: Verified Secrets Scanning

Run:

trufflehog git --verify .

Look for:

• Verified: true
• Provider: AWS/Github/etc

Treat these as real-world compromises.

Practical 5: Scan Docker Images

trufflehog docker --image myapp:latest

Detect secrets stored inside:

• build layers
• ENV variables
• leftover config files

Practical 6: Scan CI/CD Configurations

trufflehog filesystem .github/workflows

Detect accidental token commits.

Practical 7: Scan Kubernetes Manifests

trufflehog filesystem k8s/

Look for plaintext secrets.

Practical 8: Add TruffleHog to Pre-Commit Hooks

Install pre-commit:

pip install pre-commit

Config:

repos:
  - repo: https://github.com/trufflesecurity/trufflehog
    rev: v3.0.0
    hooks:
      - id: trufflehog

Run:

pre-commit install

Try committing a secret and watch hook block it.

Practical 9: Integrate TruffleHog Into GitHub Actions

Create:

.github/workflows/secret-scan.yml

Add:

- name: Scan for secrets
  uses: trufflesecurity/trufflehog-actions-scan@v1

Push commit.
GitHub Action detects leaks automatically.

Practical 10: Integrate Into GitLab CI

secret_scan:
  script:
    - trufflehog git .

Pipeline fails if secrets found.

Practical 11: Scan Entire Organization Repositories

GitHub CLI:

gh repo list ORG --limit 300 | awk '{print $1}' | xargs -I{} trufflehog git https://github.com/{}

Scan all org repos at once.

Practical 12: Export Results as JSON

trufflehog git . --json > report.json

Integrate into dashboards.

Practical 13: Detect Secrets Inside Archived Files

Extract zip/tar files and scan:

trufflehog filesystem archive/

Secrets often get hidden inside legacy backups.

Practical 14: Build a Suppression List

Create file exclude.txt listing ignored paths:

testdata/
mock/
samples/

Run:

trufflehog filesystem . --exclude-path exclude.txt

Remove noise from results.

Practical 15: Detect Base64-Encoded Secrets

TruffleHog flags encoded secrets like:

dG9rZW49YWRtaW4xMjM=

Decode manually to verify.
Rotate if sensitive.

Practical 16: Scan for PEM Keys

TruffleHog flags:

• RSA PRIVATE KEY
• EC PRIVATE KEY
• SSH PRIVATE KEY

Test by adding a dummy key and scanning.

Practical 17: Trigger PR Scan

Open pull request with hidden credential.
TruffleHog GitHub Action comments findings.

Practical 18: Rotate All Compromised Secrets

Identify:

• AWS keys
• Slack tokens
• GitHub PATs
• Firebase credentials

Rotate in providers.
Remove hardcoded values from code.

Practical 19: Build Full Secrets Governance Workflow

Steps:

Scan pre-commit
Scan on PR
Scan main branch nightly
Rotate secrets
Maintain suppression lists
Produce weekly reports

Practical 20: Complete TruffleHog Security Architecture

Architecture includes:

• CLI
• Pre-commit hooks
• GitHub Action workflows
• Verified scanning
• Docker scanning
• IaC scanning
• Organization-wide scanning
• Automated rotation workflows

This provides full protection across entire code lifecycle.

Intel Dump

• TruffleHog detects secrets via entropy, regex, and provider verification
• Scans filesystem, git history, remote repos, containers, and IaC
• Verified mode identifies truly active leaked credentials
• Integrates with pre-commit, GitHub Actions, GitLab CI, and full DevSecOps pipelines
• Practicals include installation, git scans, Docker scans, CI integration, suppression rules, org-wide scanning, key rotation, and complete secrets governance architecture