Run a scan before making a private repository public to catch any accidentally committed API keys or passwords.
Set up automatic credential checks on every code commit to catch leaks before they reach production.
Audit your organization's repositories and data sources to find and remediate active leaked credentials.
Verify the permissions and access level of discovered credentials to prioritize which ones pose the biggest risk.
Requires AWS credentials configured and API keys for the services being scanned; building from source may need a specific Go version.
TruffleHog is a security tool that scans your code, repositories, and other data sources to find accidentally exposed credentials: API keys, passwords, and private tokens that someone committed to a codebase and shouldn't have. It's the kind of problem that's embarrassingly common: a developer pastes a working API key into their code during testing, forgets to remove it, and pushes it to GitHub where anyone can find it.

What makes TruffleHog stand out from simpler credential scanners is that it doesn't just find suspicious-looking strings; it actually attempts to authenticate with each candidate credential and verify whether it is still active. Finding an old rotated key is low-priority; finding an active AWS key with production access is an emergency. TruffleHog tells you the difference, and for the most common credential types it goes further, showing you exactly what permissions that leaked key has and what resources it can access.

The tool knows over 800 different types of secrets and can recognize credentials from AWS, Stripe, Cloudflare, GitHub, database passwords, SSL private keys, and hundreds of other services. It can scan Git repositories (including the entire commit history, not just the current state), Jira, Slack, wikis, logs, and more.

For founders and developers: this is a practical first line of defense before deploying anything. Running a quick TruffleHog scan before making a repo public, or setting it up as an automatic check on every code commit, can prevent the kind of security incident that makes headlines. It's free and open source, with an enterprise tier for continuous monitoring across an entire organization.
Generated 2026-05-18 · Model: sonnet-4-6 · Verify against the repo before relying on details.