loading
loading
Static Code Analysis
Find credentials all over the place.
overview
trufflehog hunts for leaked credentials across the places they hide: git history, GitHub and GitLab orgs, filesystems, Docker images, S3 and GCS buckets, Postman collections, CI logs, and Elasticsearch. It carries hundreds of detectors, each one tuned to a specific provider's key format, so a scan returns AWS keys, API tokens, database passwords, and private keys rather than a wall of high-entropy noise.
Its defining feature is verification. With only-verified set, trufflehog takes each candidate secret and tests it against the issuing service's API, so the output is the set of credentials that still work, not every string that resembles one. That single distinction is what makes its findings worth paging someone over instead of triaging by hand.
On Trickest, trufflehog is a Static Code Analysis node that takes a source (a git URL, a repo, an org, a directory, or a bucket) and writes a file and a folder of findings. Set the mode to pick the source type, emit JSON for structured results, and chain it after a repo or filesystem collector so every place your code lives gets swept for secrets.
use cases
Point trufflehog at a git URL or repo in git mode so it walks every commit, not only the current tree, and recovers secrets that were committed and later deleted.
Pass an org and a token to scan every repository at once, with include and exclude globs to focus the run and include-members to reach member repos.
Enable only-verified so trufflehog tests each candidate against its provider and returns the secrets that still authenticate, cutting false positives to near zero.
Switch the mode to s3, gcs, or docker to scan object storage and container images for embedded keys without cloning anything to disk first.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| mode | STRING | · | Scan mode that sets the source type: git, github, gitlab, filesystem, s3, gcs, docker, postman, elasticsearch, and more. |
| git-url | STRING | · | Git repository URL to scan in git mode (https://, file://, or ssh://). |
| repo | STRING | --repo | GitHub or GitLab repository to scan. |
| org | STRING | --org | GitHub or GitLab organization to scan in bulk. |
| token | STRING | --token | Authentication token for the source being scanned. |
| only-verified | BOOLEAN | --only-verified | Only report secrets that were verified against the live service. |
| json | BOOLEAN | --json | Output findings in JSON format for downstream parsing. |
| exclude-paths | FILE | --exclude-paths | Path to a file of newline-separated regexes for files to skip in the scan. |
Showing key inputs. trufflehog exposes 76 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| key | STRING | --key | S3 key used to authenticate. |
| org | STRING | --org | GitHub/GitLab organization to scan. |
| bare | BOOLEAN | --bare | Scan bare repository (e.g. useful while using in pre-receive hooks) |
| file | FILE | · | Path to file to scan (must use the `filesystem` mode) |
| json | BOOLEAN | --json | Output in JSON format. |
| mode | STRING | · | Scan mode (available options: git, github, gitlab, filesystem, s3, gcs, circleci, docker, travisci, postman, elasticsearch, jenkins) |
| repo | STRING | --repo | GitHub/GitLab repository to scan. |
| debug | BOOLEAN | --debug | Run in debug mode. |
| image | STRING | --image | Docker image to scan. Image registry is assumed. |
| nodes | STRING | --nodes | Elasticsearch nodes |
| token | STRING | --token | Authentication token |
| trace | BOOLEAN | --trace | Run in trace mode. |
| branch | STRING | --branch | Branch to scan. |
| bucket | STRING | --bucket | Name of S3 bucket to scan. |
| config | FILE | --config | Path to configuration file. |
| secret | STRING | --secret | S3 secret used to authenticate. |
| api-key | BOOLEAN | --api-key | Elasticsearch API key. |
| git-url | STRING | · | Git repository URL. https://, file://, or ssh:// schema expected (must use the `git` mode) |
| cloud-id | BOOLEAN | --cloud-id | Elasticsearch cloud ID. |
| endpoint | STRING | --endpoint | GitHub/GitLab endpoint |
| password | BOOLEAN | --password | Authentication password |
| role-arn | STRING | --role-arn | Specify the ARN of an IAM role to assume for scanning. |
| username | BOOLEAN | --username | Authentication username |
| verifier | STRING | --verifier | Set custom verification endpoints. |
| directory | FOLDER | · | Path to directory to scan (must use the `filesystem` mode) |
| max-depth | STRING | --max-depth | Maximum depth of commits to scan. |
| no-update | BOOLEAN | --no-update | Don't check for updates. |
| project-id | BOOLEAN | --project-id | GCS project ID used to authenticate. Can NOT be used with unauth scan. |
| query-json | BOOLEAN | --query-json | Filters the documents to search |
| concurrency | STRING | --concurrency | Number of concurrent workers (default: 1). |
| environment | STRING | --environment | Postman environment to scan. You can repeat this flag. |
| json-legacy | BOOLEAN | --json-legacy | Use the pre-v3.0 JSON format. Only works with git, gitlab, and github sources. |
| pr-comments | BOOLEAN | --pr-comments | Include pull request descriptions and comments in scan. |
| since-commit | STRING | --since-commit | Commit to start scan from. |
| without-auth | BOOLEAN | --without-auth | Scan GCS buckets without authentication. This will only work for public buckets |
| workspace-id | STRING | --workspace-id | Postman workspace ID to scan. You can repeat this flag. |
| collection-id | STRING | --collection-id | Postman collection ID to scan. You can repeat this flag. |
| exclude-globs | STRING | --exclude-globs | Comma separated list of globs to exclude in scan. This option filters at the `git log` level, resulting in faster scans. |
| exclude-paths | FILE | --exclude-paths | Path to file with newline separated regexes for files to exclude in scan. |
| exclude-repos | STRING | --exclude-repos | Repositories to include in an org scan. This can also be a glob pattern. Must use Github repo full name. Example: "trufflesecurity/trufflehog", "trufflesecurity/t*" |
| gist-comments | BOOLEAN | --gist-comments | Include gist comments in scan. |
| include-forks | BOOLEAN | --include-forks | Include forks in scan. |
| include-paths | FILE | --include-paths | Path to file with newline separated regexes for files to include in scan. |
| include-repos | STRING | --include-repos | Repositories to include in an org scan. This can also be a glob pattern. Must use Github repo full name. Example: "trufflesecurity/trufflehog", "trufflesecurity/t*" |
| index-pattern | BOOLEAN | --index-pattern | Filters the indices to search |
| only-verified | BOOLEAN | --only-verified | Only output verified results. |
| service-token | BOOLEAN | --service-token | Elasticsearch service token. |
| session-token | STRING | --session-token | S3 session token used to authenticate temporary credentials. |
| filter-entropy | STRING | --filter-entropy | Filter unverified results with Shannon entropy. Start with 3.0. |
| github-actions | BOOLEAN | --github-actions | Output in GitHub Actions format. |
| issue-comments | BOOLEAN | --issue-comments | Include issue descriptions and comments in scan. |
| archive-timeout | STRING | --archive-timeout | Maximum time to spend extracting an archive. |
| exclude-buckets | STRING | --exclude-buckets | Buckets to exclude from scan. Comma separated list of buckets. Globs are supported |
| exclude-objects | STRING | --exclude-objects | Objects to exclude from scan. Comma separated list of buckets. Globs are supported |
| include-buckets | STRING | --include-buckets | Buckets to scan. Comma separated list of buckets. Globs are supported |
| include-members | BOOLEAN | --include-members | Include organization member repositories in scan. |
| include-objects | STRING | --include-objects | Objects to scan. Comma separated list of buckets. Globs are supported |
| max-object-size | STRING | --max-object-size | Maximum size of objects to scan. Objects larger than this will be skipped. (Byte units eg. 512B, 2KB, 4MB) |
| no-verification | BOOLEAN | --no-verification | Don't verify the results |
| service-account | FILE | --service-account | Path to GCS service account JSON file. |
| since-timestamp | BOOLEAN | --since-timestamp | Scan git commits more recent than the given timestamp. |
| workspace-paths | FILE | --workspace-paths | Path to Postman workspaces. |
| archive-max-size | STRING | --archive-max-size | Maximum size of archive to scan. (Byte units eg. 512B, 2KB, 4MB) |
| best-effort-scan | BOOLEAN | --best-effort-scan | Attempts to continuously scan a cluster |
| collection-paths | FILE | --collection-paths | Path to Postman collections. |
| archive-max-depth | STRING | --archive-max-depth | Maximum depth of archive to scan. |
| cloud-environment | BOOLEAN | --cloud-environment | Use default IAM credentials in cloud environment. |
| environment-paths | FILE | --environment-paths | Path to Postman environments. |
| exclude-detectors | STRING | --exclude-detectors | Comma separated list of detector types to exclude. Protobuf name or IDs may be used, as well as ranges. IDs defined here take precedence over the include list. |
| filter-unverified | BOOLEAN | --filter-unverified | Only output first unverified result per chunk per detector if there are more than one results. |
| include-detectors | STRING | --include-detectors | Comma separated list of detector types to include. Protobuf name or IDs may be used, as well as ranges. |
| exclude-environments | STRING | --exclude-environments | Environment to exclude from scan. You can repeat this flag. |
| include-environments | STRING | --include-environments | Environment to include in scan. You can repeat this flag. |
| exclude-collection-id | STRING | --exclude-collection-id | Collection ID to exclude from scan. You can repeat this flag. |
| include-collection-id | STRING | --include-collection-id | Collection ID to include in scan. You can repeat this flag. |
| print-avg-detector-time | BOOLEAN | --print-avg-detector-time | Print the average time spent on each detector. |
example
# scan a repo's full history, verify secrets, skip vendored pathstrufflehog git https://github.com/example-org/example-repo --exclude-paths exclude.txt --only-verified --json🐷🔑🐷 TruffleHog. Unearth your secrets. 🐷🔑🐷Found verified result 🐷🔑Detector Type: AWSDecoder Type: PLAINRaw result: AKIAIOSFODNN7EXAMPLELine: 42File: config/deploy.ymlCommit: 3f8c9a1e2b7d4c6f0a1b2c3d4e5f6a7b8c9d0e1fRepository: https://github.com/example-org/example-repoguidance
Reach for trufflehog when you need to know whether real, working secrets are exposed in your code, history, or storage. Its verification step sets it apart: it tells you which leaked keys still authenticate. For a faster git-only diff scan use gitleaks; for broad multi-source coverage with verification, trufflehog is the deeper tool.
Fast regex-based git scanner. No verification, so expect more false positives than trufflehog.
High-speed scanner built for huge codebases. trufflehog covers more source types and verifies findings.
Finds keys in JavaScript files specifically. trufflehog scans repos, history, and storage far more broadly.
faq
related
Find common security issues in Python code.
A source code scanner that reviews Ruby code for security issues.
Analyze big volumes of data in search of hardcoded secrets like keys and passwords.
Git ripper that can rip repositories even when directory browsing is turned off.
Check whether a Git repository pulls in Log4J, and list the files that use it.
Detect hardcoded secrets like passwords, API keys, and tokens in git repos.
A repository URL feeds trufflehog, which scans its full git history, verifies each candidate against the issuing service, and writes the working secrets as a queryable output.
Facts on this page come from the live Trickest tool library.