Trufflehog is a secrets scanner that searches for leaked credentials, API keys, tokens, and other sensitive strings. It scans Git repositories, filesystems, S3 buckets, container images, CI/CD systems, and more. It uses both pattern matching and entropy analysis to detect secrets, and includes verified detection against live APIs where possible.

• Scans Git repos, filesystems, S3, GCS, container images, and CI systems
• Detects 800+ credential types including AWS, GCP, Azure, GitHub, Slack, and more
• Verifies secrets against live APIs to reduce false positives
• Outputs to table and JSON

No setup required. Run from the shell.

trufflehog filesystem <path>
trufflehog filesystem . --json > /output/trufflehog-results.json

trufflehog git file:///<path-to-repo>
trufflehog git file:///. --since-commit HEAD~10   # last 10 commits only

trufflehog git https://github.com/<org>/<repo>

trufflehog github --org <org-name> --token <github-token>

trufflehog docker --image <image-name>:<tag>

trufflehog s3 --bucket <bucket-name>

trufflehog filesystem . --only-verified

TBC

• GitHub Repo