Trufflehog
Find, verify, and analyze leaked credentials
:mag_right: Now Scanning
(assets/scanning_logos.svg: logos of the supported data sources) ...and more
To learn more about TruffleHog and its features and capabilities, visit our product page.
:globe_with_meridians: TruffleHog Enterprise
Are you interested in continuously monitoring Git, Jira, Slack, Confluence, Microsoft Teams, Sharepoint (and more) for credentials? We have an enterprise product that can help! Learn more at https://trufflesecurity.com/trufflehog-enterprise.
We take the revenue from the enterprise product to fund more awesome open source projects that the whole community can benefit from.
What is TruffleHog 🐽
TruffleHog is the most powerful secrets Discovery, Classification, Validation, and Analysis tool. In this context, secret refers to a credential a machine uses to authenticate itself to another machine. This includes API keys, database passwords, private encryption keys, and more.
Discovery 🔍
TruffleHog can look for secrets in many places including Git, chats, wikis, logs, API testing platforms, object stores, filesystems and more.
Classification 📁
TruffleHog classifies over 800 secret types, mapping them back to the specific identity they belong to. Is it an AWS secret? Stripe secret? Cloudflare secret? Postgres password? SSL Private key? Sometimes it's hard to tell looking at it, so TruffleHog classifies everything it finds.
Validation ✅
For every secret TruffleHog can classify, it can also attempt to authenticate with it against the issuing service to confirm whether the secret is live. This step is what separates an active exposure from a stale, already-revoked credential. Keep in mind that verification sends real authentication requests using the found credential; if you need to scan without contacting any provider, pass --no-verification.
Analysis 🔬
For around 20 of the most commonly leaked credential types, instead of sending one request to check whether the secret can log in, TruffleHog can send many requests to learn everything there is to know about it: who created it, what resources it can access, and what permissions it has on those resources.
:loudspeaker: Join Our Community
Have questions? Feedback? Jump into Slack or Discord and hang out with us.
Join our Slack Community
Join the Secret Scanning Discord
:tv: Demo
docker run --rm -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=trufflesecurity
:floppy_disk: Installation
Several options are available for you:
macOS users
brew install trufflehog
Docker:
Ensure the Docker engine is running before executing the following commands:
Unix
docker run --rm -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys
Windows Command Prompt
docker run --rm -it -v "%cd:/=\%:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys
Windows PowerShell
docker run --rm -it -v "${PWD}:/pwd" trufflesecurity/trufflehog github --repo https://github.com/trufflesecurity/test_keys
M1 and M2 Mac
docker run --platform linux/arm64 --rm -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys
Binary releases
Download and unpack from https://github.com/trufflesecurity/trufflehog/releases
Compile from source
git clone https://github.com/trufflesecurity/trufflehog.git
cd trufflehog; go install
Using installation script
curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
Using installation script, verify checksum signature (requires cosign to be installed)
curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -v -b /usr/local/bin
Using installation script to install a specific version
curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin <ReleaseTag like v3.56.0>
:closed_lock_with_key: Verifying the artifacts
Checksums are applied to all artifacts, and the resulting checksum file is signed using cosign.
You need cosign installed to verify the signature.
Verification steps are as follows:
- Download the artifact files you want, and the following files from the releases page:
  - trufflehog_{version}_checksums.txt
  - trufflehog_{version}_checksums.txt.pem
  - trufflehog_{version}_checksums.txt.sig
- Verify the signature:
cosign verify-blob <path to trufflehog_{version}_checksums.txt> \
  --certificate <path to trufflehog_{version}_checksums.txt.pem> \
  --signature <path to trufflehog_{version}_checksums.txt.sig> \
  --certificate-identity-regexp 'https://github\.com/trufflesecurity/trufflehog/\.github/workflows/.+' \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
The last two flags pin the signer to a GitHub Actions workflow in the trufflesecurity/trufflehog repository; they are the check that ties the signature to this project rather than to an arbitrary Sigstore identity.
- Once the signature is confirmed as valid, you can proceed to validate that the SHA256 sums align with the downloaded artifact:
sha256sum --ignore-missing -c trufflehog_{version}_checksums.txt
Replace {version} with the version of the downloaded files.
Alternatively, if you are using the installation script, pass the -v option to perform signature verification. This requires the cosign binary to be installed before running the installation script.
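The two verification steps above as one fail-closed script, added here as an example; it is not part of the TruffleHog project. It runs the README's cosign command unchanged and then checks the one artifact you downloaded against its entry in the signed checksums file, treating an artifact that is not listed at all (for example, one renamed on download) as a failure rather than something to skip. The --demo mode writes a constructed artifact and checksums file to a temporary directory and exercises only the checksum step, so it runs without cosign or network access.

```python
"""Verify a downloaded TruffleHog release: cosign signature on the checksums
file first, then the artifact's SHA-256 against that file.

Added example for this README; not part of the TruffleHog project.
"""
import hashlib
import os
import subprocess
import sys
import tempfile

# Signer identity pinned by the README's cosign command: a workflow in the
# trufflesecurity/trufflehog repository, issued by GitHub Actions.
CERT_IDENTITY_RE = r"https://github\.com/trufflesecurity/trufflehog/\.github/workflows/.+"
OIDC_ISSUER = "https://token.actions.githubusercontent.com"


def cosign_verify(checksums_path):
    """Run the README's cosign verify-blob command; raises on failure."""
    subprocess.run(
        ["cosign", "verify-blob", checksums_path,
         "--certificate", checksums_path + ".pem",
         "--signature", checksums_path + ".sig",
         "--certificate-identity-regexp", CERT_IDENTITY_RE,
         "--certificate-oidc-issuer", OIDC_ISSUER],
        check=True,
    )


def parse_checksums(text):
    """Map file name -> hex digest from '<hex>  <name>' lines (sha256sum
    format; a leading '*' on the name marks binary mode and is dropped)."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 64:
            table[parts[1].lstrip("*")] = parts[0].lower()
    return table


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_artifact(checksums_path, artifact_path):
    """Return 'ok', 'unlisted' (name absent from the checksums file) or
    'mismatch'. Only 'ok' means the artifact is the one that was signed."""
    with open(checksums_path) as f:
        table = parse_checksums(f.read())
    name = os.path.basename(artifact_path)
    if name not in table:
        return "unlisted"
    return "ok" if sha256_file(artifact_path) == table[name] else "mismatch"


def make_demo_release():
    """Constructed fixture (not real release data): a fake artifact plus a
    checksums file listing it and one other file. Returns both paths."""
    d = tempfile.mkdtemp(prefix="trufflehog-demo-")
    artifact = os.path.join(d, "trufflehog_3.56.0_linux_amd64.tar.gz")
    with open(artifact, "wb") as f:
        f.write(b"constructed demo bytes, not a real tarball\n")
    checksums = os.path.join(d, "trufflehog_3.56.0_checksums.txt")
    with open(checksums, "w") as f:
        f.write(f"{sha256_file(artifact)}  {os.path.basename(artifact)}\n")
        f.write(f"{'0' * 64}  trufflehog_3.56.0_darwin_arm64.tar.gz\n")
    return checksums, artifact


def main(argv):
    if argv[1:] == ["--demo"]:
        checksums, artifact = make_demo_release()
        print("demo (checksum step only):", check_artifact(checksums, artifact))
        return 0
    if len(argv) != 3:
        print("usage: verify_release.py <checksums.txt> <artifact> | --demo", file=sys.stderr)
        return 2
    checksums, artifact = argv[1], argv[2]
    cosign_verify(checksums)  # fail closed: an unsigned checksums file proves nothing
    status = check_artifact(checksums, artifact)
    print(f"{status}: {artifact}")
    return 0 if status == "ok" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 verify_release.py trufflehog_3.56.0_checksums.txt trufflehog_3.56.0_linux_amd64.tar.gz` from the directory holding the four downloaded files; the .pem and .sig are located by appending their suffixes to the checksums path, exactly as the README's command names them.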
:rocket: Quick Start
1: Scan a repo for only verified secrets
Command:
trufflehog git https://github.com/trufflesecurity/test_keys --results=verified
Expected output:
🐷🔑🐷 TruffleHog. Unearth your secrets. 🐷🔑🐷
Found verified result 🐷🔑
Detector Type: AWS
Decoder Type: PLAIN
Raw result: AKIAYVP4CIPPERUVIFXG
Line: 4
Commit: fbc14303ffbf8fb1c2c1914e8dda7d0121633aca
File: keys
Email: counter <counter@counters-MacBook-Air.local>
Repository: https://github.com/trufflesecurity/test_keys
Timestamp: 2022-06-16 10:17:40 -0700 PDT
...
2: Scan a GitHub Org for only verified secrets
trufflehog github --org=trufflesecurity --results=verified
3: Scan a GitHub Repo for only verified secrets and get JSON output
Command:
trufflehog git https://github.com/trufflesecurity/test_keys --results=verified --json
Expected output:
{"SourceMetadata":{"Data":{"Git":{"commit":"fbc14303ffbf8fb1c2c1914e8dda7d0121633aca","file":"keys","email":"counter \u003ccounter@counters-MacBook-Air.local\u003e","repository":"https://github.com/trufflesecurity/test_keys","timestamp":"2022-06-16 10:17:40 -0700 PDT","line":4}}},"SourceID":0,"SourceType":16,"SourceName":"trufflehog - git","DetectorType":2,"DetectorName":"AWS","DecoderName":"PLAIN","Verified":true,"Raw":"AKIAYVP4CIPPERUVIFXG","Redacted":"AKIAYVP4CIPPERUVIFXG","ExtraData":{"account":"595918472158","arn":"arn:aws:iam::595918472158:user/canarytokens.com@@mirux23ppyky6hx3l6vclmhnj","user_id":"AIDAYVP4CIPPJ5M54LRCY"},"StructuredData":null}
...
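A small triage script for the --json output shown above, added here as an example; it is not part of the TruffleHog project. It reads one JSON object per line, buckets records into the states used by --results, collapses repeated sightings of the same verified secret into one entry (one credential to rotate, however many commits it appears in), pulls the identity hints out of ExtraData, and returns a non-zero exit code for use as a CI gate. The first sample record is the one printed in this README; the other three are constructed in the same shape, and the VerificationError field used to mark "unknown" results is an assumption of this example, not something the README shows.

```python
"""Triage TruffleHog --json output (one JSON object per finding per line)
and gate a CI job on it.

Added example for this README; not part of the TruffleHog project.
"""
import io
import json
import sys
from collections import Counter

# Constructed sample. Record 1 is the AWS finding shown in this README (a
# canary key in trufflesecurity/test_keys). Records 2-4 are made up in the
# same shape: an unverified Slack token, a Stripe key whose verification
# request errored, and the README key seen again in a later commit.
# VerificationError as the marker for 'unknown' is an assumption here.
SAMPLE_NDJSON = r'''
{"SourceMetadata":{"Data":{"Git":{"commit":"fbc14303ffbf8fb1c2c1914e8dda7d0121633aca","file":"keys","email":"counter \u003ccounter@counters-MacBook-Air.local\u003e","repository":"https://github.com/trufflesecurity/test_keys","timestamp":"2022-06-16 10:17:40 -0700 PDT","line":4}}},"SourceID":0,"SourceType":16,"SourceName":"trufflehog - git","DetectorType":2,"DetectorName":"AWS","DecoderName":"PLAIN","Verified":true,"Raw":"AKIAYVP4CIPPERUVIFXG","Redacted":"AKIAYVP4CIPPERUVIFXG","ExtraData":{"account":"595918472158","arn":"arn:aws:iam::595918472158:user/canarytokens.com@@mirux23ppyky6hx3l6vclmhnj","user_id":"AIDAYVP4CIPPJ5M54LRCY"},"StructuredData":null}
{"SourceMetadata":{"Data":{"Git":{"commit":"0000000000000000000000000000000000000001","file":"config/dev.env","repository":"https://github.com/trufflesecurity/test_keys","line":12}}},"DetectorName":"Slack","DecoderName":"PLAIN","Verified":false,"Raw":"xoxb-EXAMPLE-NOT-A-REAL-TOKEN","Redacted":"xoxb-EX...","ExtraData":null}
{"SourceMetadata":{"Data":{"Git":{"commit":"0000000000000000000000000000000000000002","file":"scripts/deploy.sh","repository":"https://github.com/trufflesecurity/test_keys","line":3}}},"DetectorName":"Stripe","DecoderName":"BASE64","Verified":false,"VerificationError":"context deadline exceeded","Raw":"sk_live_EXAMPLEEXAMPLEEXAMPLE","Redacted":"sk_live_EX...","ExtraData":null}
{"SourceMetadata":{"Data":{"Git":{"commit":"0000000000000000000000000000000000000003","file":"keys","repository":"https://github.com/trufflesecurity/test_keys","line":4}}},"DetectorName":"AWS","DecoderName":"PLAIN","Verified":true,"Raw":"AKIAYVP4CIPPERUVIFXG","Redacted":"AKIAYVP4CIPPERUVIFXG","ExtraData":{"account":"595918472158","arn":"arn:aws:iam::595918472158:user/canarytokens.com@@mirux23ppyky6hx3l6vclmhnj","user_id":"AIDAYVP4CIPPJ5M54LRCY"}}
'''


def parse_results(text):
    """Parse newline-delimited JSON, ignoring blank lines and anything that
    is not a JSON object (such as the banner, if stderr was captured too)."""
    return [json.loads(line) for line in text.splitlines()
            if line.strip().startswith("{")]


def state(rec):
    """Map one record onto the states used by --results."""
    if rec.get("Verified"):
        return "verified"
    if rec.get("VerificationError"):  # assumed marker for 'unknown'
        return "unknown"
    return "unverified"


def location(rec):
    git = rec.get("SourceMetadata", {}).get("Data", {}).get("Git", {})
    return (f'{git.get("repository")}@{str(git.get("commit", ""))[:12]}'
            f':{git.get("file")}:{git.get("line")}')


def summarize(results):
    """Count results per state and collapse verified findings onto one entry
    per (detector, redacted secret), keeping every place it was seen."""
    counts = Counter(state(r) for r in results)
    unique = {}
    for r in results:
        if state(r) != "verified":
            continue
        key = (r["DetectorName"], r["Redacted"])
        entry = unique.setdefault(key, {
            "detector": r["DetectorName"],
            "redacted": r["Redacted"],
            "identity": r.get("ExtraData") or {},  # e.g. AWS account / arn
            "locations": [],
        })
        entry["locations"].append(location(r))
    return {"counts": dict(counts), "verified_unique": list(unique.values())}


def ci_exit_code(summary, fail_on=("verified",)):
    """1 if any finding is in a failing state. Add 'unknown' to fail_on to
    also fail when verification could not reach the provider."""
    return 1 if any(summary["counts"].get(s, 0) for s in fail_on) else 0


def main(stream):
    summary = summarize(parse_results(stream.read()))
    print("result counts:", summary["counts"])
    for f in summary["verified_unique"]:
        who = f["identity"].get("arn") or f["identity"].get("account") or "?"
        print(f'VERIFIED {f["detector"]} {f["redacted"]} -> {who}')
        for loc in f["locations"]:
            print("    at", loc)
    return ci_exit_code(summary)


if __name__ == "__main__":
    src = io.StringIO(SAMPLE_NDJSON) if "--sample" in sys.argv else sys.stdin
    sys.exit(main(src))
```

Pipe a real scan into it with `trufflehog git https://github.com/trufflesecurity/test_keys --json | python3 triage.py`, or run `python3 triage.py --sample` to see the constructed records processed. Note that the dedupe key is Redacted, not Raw, so the report never has to hold or print the full secret.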
4: Scan a GitHub Repo + its Issues and Pull Requests
trufflehog github --repo=https://github.com/trufflesecurity/test_keys --issue-comments --pr-comments
5: Scan an S3 bucket for high-confidence results (verified, plus unknown: results whose verification request failed, so the secret could not be ruled out)
trufflehog s3 --bucket=<bucket name> --results=verified,unknown
6: Scan S3 buckets using IAM Roles
trufflehog s3 --role-arn=<iam role arn>
7: Scan a GitHub Repo using SSH authentication in Docker
docker run --rm -v "$HOME/.ssh:/root/.ssh:ro" trufflesecurity/trufflehog:latest git ssh://github.com/trufflesecurity/test_keys
8: Scan individual files or directories
trufflehog filesystem path/to/file1.txt path/to/file2.txt path/to/dir
9: Scan a local git repo
Clone the git repo, for example the test keys repo.
git clone git@github.com:trufflesecurity/test_keys.git
Run trufflehog from the parent directory (outside the git repo).
trufflehog git file://test_keys --results=verified,unknown
To guard against malicious git configs in local scanning (see CVE-2025-41390), TruffleHog clones local git repositories to a temporary directory before scanning, following Git's own security guidance. To clone to a custom path instead of the system temporary directory, use the --clone-path flag. To skip the local clone and scan the repository in place, use the --trust-local-git-config flag; only do this for repositories whose git config you trust, since that config is exactly what the clone step isolates you from.
10: Scan GCS buckets for only verified secrets
trufflehog gcs --project-id=<project-ID> --cloud-environment --results=verified
