gitwtfhub

wtf is trufflehog?

trufflesecurity/trufflehog — explained in plain English

Analysis updated 2026-06-21

26,064GoAudience · developerComplexity · 2/5Setup · easy

TL;DR

TruffleHog is a free security tool that scans your code and Git history for accidentally exposed API keys and credentials, and verifies whether each one is still active so you know which leaks are real emergencies.

Mindmap

mindmap
  root((repo))
    What it does
      Find leaked secrets
      Verify active creds
      Show permissions
    Sources scanned
      Git commit history
      Slack and Jira
      Logs and wikis
    Secret types
      AWS keys
      Stripe tokens
      Database passwords
    Use Cases
      Pre-deploy audit
      CI pipeline check
      Incident response

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

Why would anyone build with this?

REASON 1

Scan a Git repository's full commit history to find any API keys or passwords that were accidentally committed.

REASON 2

Run a pre-deployment check to ensure no active credentials are exposed before making a repository public.

REASON 3

Set up automatic credential scanning on every code commit as part of a CI/CD pipeline.

REASON 4

Determine what permissions a leaked AWS or Stripe key has so you can prioritize your incident response.

What's in the stack?

Go

How it stacks up

trufflesecurity/trufflehogyeasy/docker_practicestretchr/testify
Stars26,06426,01425,980
LanguageGoGoGo
Setup difficultyeasyeasyeasy
Complexity2/51/52/5
Audiencedeveloperops devopsdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you spin it up?

Difficulty · easy Time to first run · 5min

Wtf does this do

TruffleHog is a security tool that scans your code, repositories, and other data sources to find accidentally exposed credentials, things like API keys, passwords, and private tokens that someone committed to a codebase and shouldn't have. It's the kind of problem that's embarrassingly common: a developer pastes a working API key into their code during testing, forgets to remove it, and pushes it to GitHub where anyone can find it. What makes TruffleHog stand out from simpler credential scanners is that it doesn't just find suspicious-looking strings, it actually attempts to log in and verify whether the credentials are still active. Finding an old rotated key is low-priority, finding an active AWS key with production access is an emergency. TruffleHog tells you the difference, and for the most common credential types it goes further, showing you exactly what permissions that leaked key has and what resources it can access. The tool knows over 800 different types of secrets and can recognize credentials from AWS, Stripe, Cloudflare, GitHub, database passwords, SSL private keys, and hundreds of other services. It can scan Git repositories (including the entire commit history, not just the current state), Jira, Slack, wikis, logs, and more. For founders and developers: this is a practical first line of defense before deploying anything. Running a quick TruffleHog scan before making a repo public, or setting it up as an automatic check on every code commit, can prevent the kind of security incident that makes headlines. It's free and open source, with an enterprise tier for continuous monitoring across an entire organization.

Yoink these prompts

Prompt 1
Run TruffleHog against my Git repository and show me only active, verified credentials, skip already-rotated keys.
Prompt 2
How do I add TruffleHog to my GitHub Actions workflow to automatically block pull requests that contain leaked secrets?
Prompt 3
TruffleHog found an active Stripe API key in my repo. Walk me through revoking it and checking for unauthorized charges.
Prompt 4
Set up TruffleHog to continuously scan my entire GitHub organization and send alerts when new credentials are discovered.
Prompt 5
How do I configure TruffleHog to scan Slack messages and Jira tickets for leaked API keys, not just Git repositories?

Frequently asked questions

wtf is trufflehog?

TruffleHog is a free security tool that scans your code and Git history for accidentally exposed API keys and credentials, and verifies whether each one is still active so you know which leaks are real emergencies.

What language is trufflehog written in?

Mainly Go. The stack also includes Go.

How hard is trufflehog to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is trufflehog for?

Mainly developer.

View the repo → Decode another repo

This repo across BitVibe Labs

Don't trust strangers blindly. Verify against the repo.