
trufflesecurity/trufflehog

Analysis updated 2026-06-21

Stars · 26,064 · Language · Go · Audience · developer · Complexity · 2/5 · Setup · easy

TLDR

TruffleHog is a free security tool that scans your code and Git history for accidentally exposed API keys and credentials, and verifies whether each one is still active so you know which leaks are real emergencies.

Mindmap

mindmap
  root((repo))
    What it does
      Find leaked secrets
      Verify active creds
      Show permissions
    Sources scanned
      Git commit history
      Slack and Jira
      Logs and wikis
    Secret types
      AWS keys
      Stripe tokens
      Database passwords
    Use Cases
      Pre-deploy audit
      CI pipeline check
      Incident response


What do people build with it?

USE CASE 1

Scan a Git repository's full commit history to find any API keys or passwords that were accidentally committed.

USE CASE 2

Run a pre-deployment check to ensure no active credentials are exposed before making a repository public.

USE CASE 3

Set up automatic credential scanning on every code commit as part of a CI/CD pipeline.

USE CASE 4

Determine what permissions a leaked AWS or Stripe key has so you can prioritize your incident response.

What is it built with?

Go

How does it compare?

                    trufflesecurity/trufflehog   yeasy/docker_practice   stretchr/testify
Stars               26,064                       26,014                  25,980
Language            Go                           Go                      Go
Setup difficulty    easy                         easy                    easy
Complexity          2/5                          1/5                     2/5
Audience            developer                    ops devops              developer

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy · Time to first run · 5 min

In plain English

TruffleHog is a security tool that scans your code, repositories, and other data sources to find accidentally exposed credentials: API keys, passwords, and private tokens that someone committed to a codebase and shouldn't have. It's the kind of problem that's embarrassingly common: a developer pastes a working API key into their code during testing, forgets to remove it, and pushes it to GitHub where anyone can find it.

What makes TruffleHog stand out from simpler credential scanners is that it doesn't just find suspicious-looking strings; it actually attempts to authenticate with each one and verifies whether the credential is still active. Finding an old, rotated key is low priority; finding an active AWS key with production access is an emergency. TruffleHog tells you the difference, and for the most common credential types it goes further, showing you exactly what permissions the leaked key has and what resources it can access.

The tool knows over 800 different types of secrets and can recognize credentials from AWS, Stripe, Cloudflare, GitHub, database passwords, SSL private keys, and hundreds of other services. It can scan Git repositories (including the entire commit history, not just the current state), Jira, Slack, wikis, logs, and more.

For founders and developers, this is a practical first line of defense before deploying anything. Running a quick TruffleHog scan before making a repo public, or setting it up as an automatic check on every code commit, can prevent the kind of security incident that makes headlines. It's free and open source, with an enterprise tier for continuous monitoring across an entire organization.
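To make the detect-then-verify distinction concrete, here is an added example in Go (the project's language) that is not TruffleHog's own code. It pattern-matches a made-up `exampletok_` credential format in a constructed config file, then presents each candidate as a bearer token to an in-process fake service that recognises only one token as active. The `Detector`, `Finding`, `Scan`, `OnlyVerified`, `NewBearerVerifier` and `NewFakeService` names, the `/whoami` endpoint and the token format are all assumptions for illustration; a real scanner calls the issuing provider's API instead of a local stub.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// Finding is one candidate secret together with the outcome of verification.
type Finding struct {
	Detector string
	Secret   string
	Line     int
	Verified bool
}

// Detector pairs the shape of a credential (a regex) with a verifier that asks
// the issuing service whether it still works. Hypothetical structure, not
// TruffleHog's internal API.
type Detector struct {
	Name    string
	Pattern *regexp.Regexp
	Verify  func(secret string) bool
}

// Scan runs every detector over each line. Matching only says a string looks
// like a credential; the Verified flag separates a live key from a rotated one.
func Scan(text string, detectors []Detector) []Finding {
	var findings []Finding
	for i, line := range strings.Split(text, "\n") {
		for _, d := range detectors {
			for _, match := range d.Pattern.FindAllString(line, -1) {
				findings = append(findings, Finding{d.Name, match, i + 1, d.Verify(match)})
			}
		}
	}
	return findings
}

// OnlyVerified keeps the active findings, the view a responder wants first.
func OnlyVerified(findings []Finding) []Finding {
	var active []Finding
	for _, f := range findings {
		if f.Verified {
			active = append(active, f)
		}
	}
	return active
}

// NewBearerVerifier sends the candidate as a bearer token to an authenticated
// endpoint and treats HTTP 200 as "active". Network errors count as unverified.
func NewBearerVerifier(baseURL string) func(string) bool {
	return func(secret string) bool {
		req, err := http.NewRequest(http.MethodGet, baseURL+"/whoami", nil) // assumed path
		if err != nil {
			return false
		}
		req.Header.Set("Authorization", "Bearer "+secret)
		resp, err := http.DefaultClient.Do(req)
		if err != nil {
			return false
		}
		defer resp.Body.Close()
		return resp.StatusCode == http.StatusOK
	}
}

// NewFakeService stands in for a provider API: exactly one token is active.
func NewFakeService(activeToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") == "Bearer "+activeToken {
			w.WriteHeader(http.StatusOK)
			return
		}
		w.WriteHeader(http.StatusUnauthorized)
	}))
}

// sampleSource is a constructed config with two tokens in a made-up format:
// one still active (line 3), one already rotated (line 5).
const sampleSource = `# constructed sample config, not real credentials
DB_HOST=localhost
API_TOKEN=exampletok_LIVE0123456789abcdef
# previous key, rotated last quarter
API_TOKEN_OLD=exampletok_OLDX0123456789abcdef`

// ScanSample runs the detector against the fake service and returns all findings.
func ScanSample() []Finding {
	svc := NewFakeService("exampletok_LIVE0123456789abcdef")
	defer svc.Close()
	detectors := []Detector{{
		Name:    "exampletok",
		Pattern: regexp.MustCompile(`exampletok_[A-Za-z0-9]{20}`),
		Verify:  NewBearerVerifier(svc.URL),
	}}
	return Scan(sampleSource, detectors)
}

func main() {
	for _, f := range ScanSample() {
		fmt.Printf("line %d %s verified=%v\n", f.Line, f.Detector, f.Verified)
	}
}
```

Both tokens match the regex, so a pattern-only scanner would report two equally urgent hits; only the verification step shows that line 3 is the live one and line 5 can wait for cleanup.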

Copy-paste prompts

Prompt 1
Run TruffleHog against my Git repository and show me only active, verified credentials, skipping already-rotated keys.
Prompt 2
How do I add TruffleHog to my GitHub Actions workflow to automatically block pull requests that contain leaked secrets?
Prompt 3
TruffleHog found an active Stripe API key in my repo. Walk me through revoking it and checking for unauthorized charges.
Prompt 4
Set up TruffleHog to continuously scan my entire GitHub organization and send alerts when new credentials are discovered.
Prompt 5
How do I configure TruffleHog to scan Slack messages and Jira tickets for leaked API keys, not just Git repositories?

Frequently asked questions

What is trufflehog?

TruffleHog is a free security tool that scans your code and Git history for accidentally exposed API keys and credentials, and verifies whether each one is still active so you know which leaks are real emergencies.

What language is trufflehog written in?

Go.

How hard is trufflehog to set up?

Setup difficulty is rated easy, with roughly 5 minutes to a first successful run.

Who is trufflehog for?

Mainly developers.


Verify against the repo before relying on details.