
TruffleHog

Category: SAST
License: Free (Open-Source, AGPL-3.0) + Commercial Plans
Suphi Cankurt
AppSec Enthusiast
Updated February 12, 2026

TruffleHog is an open-source secret scanning engine developed by Truffle Security. With 24,500 GitHub stars and over 250,000 daily scans, it’s used by security teams to find and verify leaked credentials across their entire technology stack.

TruffleHog’s secret verification capability sets it apart from other SAST tools. The scanner doesn’t just find potential secrets—it logs in to confirm whether credentials are still active.

What is TruffleHog?

TruffleHog discovers secrets in git repositories, Slack workspaces, wikis, S3 buckets, Docker images, filesystems, and dozens of other data sources. The tool classifies over 800 credential types including AWS keys, GitHub tokens, database passwords, API keys, and service account credentials.

For every secret TruffleHog identifies, it attempts verification by logging into the associated service. This distinguishes between active threats (credentials that still work) and historical leaks (revoked credentials). Security teams can prioritize remediation based on which secrets pose immediate risk.

TruffleHog maps each discovered secret to the specific identity or account it belongs to. This context helps you understand the scope of exposure and determine if an attacker could access sensitive resources.

Multi-Source Scanning: scan Git repos, GitHub orgs, GitLab, S3, GCS, Docker images, Slack, wikis, Circle CI, Travis CI, and filesystem directories.
Live Verification: automatically test discovered secrets by logging in to verify whether credentials are still active and pose immediate risk.
800+ Secret Types: detect and classify credentials for AWS, GitHub, Google Cloud, databases, SaaS platforms, and hundreds of other services.

Key features

Feature | Details
Secret types | 800+ credential detectors with classification
Verification | Live credential testing for 20+ common credential types
Scan sources | Git, GitHub, GitLab, S3, GCS, Docker, Jenkins, Elasticsearch, Postman, filesystem
Output | JSON structured output, human-readable text
CI integration | --results=verified filter, --fail exit code (183), --since-commit for incremental scans
Installation | Homebrew, Docker, binary releases, from source (Go)
License | AGPL-3.0 (open-source), commercial plans available
Binary verification | cosign signature verification for releases

GitHub organization scanning

TruffleHog scans entire GitHub organizations including member repositories, GitHub Wikis, issue comments, gist comments, and pull request comments. Use the --issue-comments and --pr-comments flags to include these often-overlooked sources.

The tool handles GitHub API rate limits automatically and scans both public and private repositories with appropriate authentication. For AWS-hosted infrastructure, pass --role-arn to authenticate via IAM roles.

Active credential verification

After finding potential secrets, TruffleHog attempts authentication using those credentials. If it finds an AWS access key, it makes an API call to AWS to verify the key works. For 20+ common credential types, the tool goes further with deep analysis that maps permissions and access scope.

Filter output to only verified (active) credentials with --results=verified. This separates active security incidents from historical artifacts that have already been revoked.

Multi-source scanning

TruffleHog goes well beyond Git. It scans S3 buckets, Google Cloud Storage, Docker images, Jenkins servers, Elasticsearch clusters, and Postman workspaces. Docker scanning extracts image layers and analyzes filesystem contents, catching secrets baked into container builds.

Identity mapping

Each discovered secret gets mapped to a specific user account, service account, or API key. This context shows who owns the credential, what permissions it has, and which systems it can access. Security teams use this to assess blast radius and contact credential owners.

Getting started

1. Install — Run brew install trufflehog on macOS, or pull the Docker image. Binary releases with cosign signature verification are available on GitHub.
2. Scan a repository — Run trufflehog git https://github.com/your-org/your-repo to scan git history. Add --results=verified to see only live credentials.
3. Scan a GitHub organization — Run trufflehog github --org=your-org --token=$GITHUB_TOKEN to scan all repositories, wikis, issues, and gists in your org.
4. Integrate with CI — Use --fail to exit with code 183 when credentials are found. Combine with --since-commit to scan only new commits in pull requests.
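A CI gate around the incremental scan from step 4, written here as an added example rather than TruffleHog's own tooling. It assumes trufflehog is on PATH when the gate runs and that the pull request base commit is passed in (or derived from origin/main); the two helper functions need nothing installed.

```shell
#!/usr/bin/env sh
# Added example, not TruffleHog's own code: a CI gate around the incremental
# scan from step 4. Assumes `trufflehog` is on PATH when the gate runs; the two
# helper functions need nothing installed.

# Map trufflehog's exit status to a verdict. With --fail, 183 means secrets were
# found; any other non-zero status is a scanner failure and must not be read as
# "clean".
classify_exit() {
  case "$1" in
    0)   echo "clean" ;;
    183) echo "secrets-found" ;;
    *)   echo "scanner-error" ;;
  esac
}

# Arguments for an incremental scan of the current checkout: only commits after
# $1 (the PR base), only verified credentials, JSON output, --fail for the gate.
build_scan_args() {
  printf 'git file://. --since-commit=%s --results=verified --fail --json' "$1"
}

# Run the gate. $1 is the base commit (defaults to the merge base with
# origin/main). Returns 0 when clean, 1 when live secrets were found in the new
# commits, 2 when the scanner itself did not complete.
trufflehog_ci_gate() {
  base="${1:-$(git merge-base HEAD origin/main 2>/dev/null || echo HEAD~1)}"
  command -v trufflehog >/dev/null 2>&1 || { echo "trufflehog not on PATH" >&2; return 2; }
  # shellcheck disable=SC2046  (intentional word splitting of the argument list)
  if trufflehog $(build_scan_args "$base") > trufflehog-results.json; then
    rc=0
  else
    rc=$?
  fi
  verdict=$(classify_exit "$rc")
  echo "trufflehog exit=$rc verdict=$verdict"
  case "$verdict" in
    clean)         return 0 ;;
    secrets-found) echo "Verified live credentials in new commits; see trufflehog-results.json" >&2; return 1 ;;
    *)             echo "Scanner did not complete; failing the check rather than passing it" >&2; return 2 ;;
  esac
}

# When executed directly with a base commit, run the gate; otherwise the file
# can be sourced for its helpers.
if [ -n "${1:-}" ]; then
  trufflehog_ci_gate "$1"
fi
```

The three-way verdict matters in CI: a scanner crash (network failure, bad token) must fail the check instead of silently passing as "no secrets found".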

When to use TruffleHog

TruffleHog is the right tool when you need to scan beyond git repositories. If your secrets could be in Slack, S3 buckets, Docker images, or CI/CD logs, TruffleHog covers those sources.

The verification feature is what sets it apart. Instead of a list of potential secrets, you get a list of confirmed active credentials ranked by risk. This saves significant triage time on large scans.

For git-only scanning where speed matters most, Gitleaks is lighter and faster. For enterprise environments with legacy codebases, detect-secrets offers a baseline approach that lets you adopt scanning without fixing everything upfront.

Best for
Security teams managing complex infrastructure who need to scan multiple platforms beyond Git and verify whether discovered secrets pose active risk.

Frequently Asked Questions

What is TruffleHog?
TruffleHog is an open-source secret scanning engine developed by Truffle Security with 24.5k GitHub stars. It detects, classifies, and verifies over 800 types of credentials across Git, Slack, S3, Docker, and other platforms. Its key differentiator is live credential verification — it tests whether discovered secrets are still active.
What makes TruffleHog different from Gitleaks?
TruffleHog scans far beyond Git repositories—it covers Slack, wikis, S3 buckets, Docker images, and other platforms. Its key differentiator is live credential verification: it actively tests discovered secrets to confirm if they’re still valid. Gitleaks is faster for Git-only scanning but doesn’t verify credentials.
Does TruffleHog slow down CI pipelines?
TruffleHog runs 250,000+ scans daily across production environments, demonstrating its performance at scale. Scan times vary based on repository size and verification settings. You can disable verification or scan only changed files in pull requests to optimize CI performance.
Is TruffleHog free for commercial use?
The open-source version is available under AGPL-3.0 and can be used in commercial environments. Truffle Security also offers commercial plans with additional features like centralized dashboards, team management, and priority support.
