TruffleHog Secret Scanner

github.com

About this website

TruffleHog is an open-source secret scanning tool that searches through Git repositories, Docker containers, cloud storage, and CI systems to find and verify leaked credentials, API keys, and sensitive data. Developed by Aqua Security (originally by Dylan Ayrey in 2015), with over 18,000 stars as of 2026, TruffleHog is widely used in CI/CD pipelines and security audits.

Key features include:

- Multi-source scanning: Git repositories, GitHub organizations, GitLab, Docker images, Amazon S3 buckets, GCS buckets, filesystems, and CI/CD pipelines.
- Credential verification: automatically verifies discovered secrets by making API calls to the corresponding service, confirming whether secrets are active and reducing false positives.
- Over 700 detectors: pre-built detection patterns for AWS, Azure, GCP, GitHub, GitLab, Stripe, Slack, Twilio, SendGrid, Mailgun, database connection strings, private keys, JWT tokens, and hundreds of other service credentials.
- Custom detectors: user-defined regex patterns with optional verification logic for proprietary or internal services.
- JSON output: structured output for integration with SIEM, Jira, Slack, and custom workflows.
- Deep Git history: scans all commits and branches, including unreachable objects via git log and reflog analysis, finding secrets deleted long ago.
- Docker layer scanning: scans all layers of Docker images for secrets in files, environment variables, and build artifacts.
- Cloud scanning: scans S3, GCS, and cloud metadata for leaked credentials in stored files.
- Pre-commit hooks: integrate into the development workflow to prevent secrets from being committed.
- Pipeline integration: GitHub Actions, GitLab CI, Jenkins, and CircleCI integration for automated scanning on every push and pull request.
- Verification engine: HTTP verification of discovered credentials to determine active vs revoked keys, with configurable rate limiting.
