TruffleHog

Scan Git repositories and filesystems for leaked secrets, credentials, and API keys

Cloud & Assets12 commands

#secrets#credentials#git#leaks#scanning

Installation

1Install using Go

2Install using pip

3Download binary

4Verify installation

# Using Go
go install github.com/trufflesecurity/trufflehog/v3@latest

# Using pip
pip install trufflehog

# Using Docker
docker run --rm -it trufflesecurity/trufflehog:latest

# Verify
trufflehog --version

Basic Usage

Detect exposed secrets in Git repos, filesystems, and S3 buckets

# Scan a GitHub repo
trufflehog git https://github.com/user/repo

# Scan a GitLab repo
trufflehog git https://gitlab.com/user/repo --since-commit HEAD~10

# Scan filesystem recursively
trufflehog filesystem /path/to/directory

# Scan S3 bucket
trufflehog s3 --bucket=my-bucket

# Scan with JSON output
trufflehog git https://github.com/user/repo --json

# Scan for specific entropy level
trufflehog git https://github.com/user/repo --only-verified

Command Reference

12 commands

1Scan a Git repository

git

2Scan local filesystem

filesystem

3Scan AWS S3 buckets

s3

4Scan GitHub repos and orgs

github

5Scan GitLab repos

gitlab

6JSON output format

--json

7Show only verified secrets

--only-verified

8Number of concurrent workers

--concurrency

9Scan from specific commit

--since-commit

10Scan specific branch

--branch

11File with paths to exclude

--exclude-paths

12Skip secret verification

--no-verification

When to Use

Scanning organization repos for leaked credentials

CI/CD pipeline integration for secret detection

Post-compromise assessment of exposed secrets

Third-party vendor security review

Bug bounty recon for leaked API keys

Notes & Tips

Uses entropy detection and pattern matching for finding secrets

Can verify discovered secrets by attempting API calls

Integrates with GitHub Actions, GitLab CI, and Jenkins

Scans all commit history, not just the latest version

Common Errors & Solutions

Too many false positives

Use --only-verified to show only confirmed secrets

Rate limited by GitHub

Reduce concurrency with --concurrency flag or use a token

# Using Go go install github.com/trufflesecurity/trufflehog/v3@latest # Using pip pip install trufflehog # Using Docker docker run --rm -it trufflesecurity/trufflehog:latest # Verify trufflehog --version

# Scan a GitHub repo trufflehog git https://github.com/user/repo # Scan a GitLab repo trufflehog git https://gitlab.com/user/repo --since-commit HEAD~10 # Scan filesystem recursively trufflehog filesystem /path/to/directory # Scan S3 bucket trufflehog s3 --bucket=my-bucket # Scan with JSON output trufflehog git https://github.com/user/repo --json # Scan for specific entropy level trufflehog git https://github.com/user/repo --only-verified