
TruffleHog tutorial: install, scan, and verify live secrets

TruffleHog is a free, open-source secret scanner that calls provider APIs to confirm whether a found credential is still live. Install it with brew, Docker, the install script, or go install, then scan a git repo, GitHub org, filesystem, or Docker image, and add --results=verified to surface only confirmed active leaks.

By Sunny Patel

Independent SEO consultant & AI practitioner who builds and tests these tools.


TruffleHog is a free, open-source secret scanner whose standout feature is live verification: after finding a candidate credential, it calls the provider’s API to confirm whether the key is still active. Install it with brew, Docker, the install script, or go install, then scan a git repo, GitHub org, filesystem, or Docker image, and add --results=verified to surface only confirmed live leaks. This tutorial walks through the real commands from the TruffleHog repo.

TL;DR:

  • Install: brew install trufflehog, a Docker image, the official install script, or go install from source.
  • Scan: trufflehog git, trufflehog github, trufflehog filesystem, and trufflehog docker cover most needs; more subcommands reach S3, GCS, Postman, and CI systems.
  • Verify: --results=verified outputs only credentials TruffleHog confirmed are still live, cutting false positives.
  • Automate: add a pre-commit hook and a GitHub Action so leaks are caught before and after they reach the remote.
  • New to the tradeoffs? Read gitleaks vs TruffleHog first, then browse the tools directory.

How do you install TruffleHog?

There are four common routes. Pick whichever suits your environment:

  1. Homebrew (macOS) is the simplest: brew install trufflehog.
  2. Docker avoids a local install entirely. Mount your working directory and run the image, for example docker run --rm -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys.
  3. Install script drops a binary into a path of your choice: curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin. Pre-built binaries are also on the releases page.
  4. Go install builds from source: git clone https://github.com/trufflesecurity/trufflehog.git, then cd trufflehog; go install.

Confirm the install with trufflehog --help, which lists every available subcommand.

How do you scan different sources?

TruffleHog uses one subcommand per source type. Here are the four you will reach for most, exactly as documented.

Scanning a git repository

Point it at a remote or local repo and it walks the full history across commits:

trufflehog git https://github.com/trufflesecurity/test_keys

For a local checkout, use the file:// form. You can scope the scan to recent work with --since-commit and --branch, and fail the run on findings with --fail:

trufflehog git file://. --since-commit main --branch feature-1 --results=verified,unknown --fail

Scanning GitHub

The github subcommand scans across an organisation or a single repository:

trufflehog github --org=trufflesecurity

Scanning a filesystem

Use filesystem to scan local files and directories, which is handy for build artefacts, config folders, and unpacked archives:

trufflehog filesystem path/to/file1.txt

Scanning a Docker image

The docker subcommand inspects image layers for baked-in credentials, a frequent leak source:

trufflehog docker --image trufflesecurity/secrets

Beyond these, the scanner ships gitlab, s3, gcs, postman, jenkins, elasticsearch, and stdin subcommands, so secrets that escaped the repo into cloud buckets or SaaS tools are still in reach.

What does live verification do?

This is the feature that sets TruffleHog apart. When it detects a candidate secret, it can attempt to authenticate against the matching provider to prove the key still works. Per the TruffleHog documentation, the --results flag controls what you see: verified means confirmed valid by the provider API, unknown means verification failed due to an error, and unverified means detected but not checked.

To surface only confirmed live leaks, add --results=verified:

trufflehog git https://github.com/trufflesecurity/test_keys --results=verified

A verified hit looks like this in the output:

Found verified result 🐷🔑
Detector Type: AWS
Raw result: AKIAYVP4CIPPERUVIFXG
Verified: true

The Detector Type tells you which provider matched, and Verified: true confirms the credential authenticated successfully. That single line is the difference between a pattern that looks like a key and a key an attacker could use right now, so treat any verified result as an active incident. If you want detections plus failed-verification cases, use --results=verified,unknown.
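A history walk reports the same key once for every commit it appears in, and the raw value should not be copied into logs or tickets. The script below is an added example, not code from the article or the TruffleHog project: it reads the newline-delimited JSON that trufflehog emits with its --json flag (the field names DetectorName, Verified, Raw and SourceMetadata.Data.Git are my assumption about that layout; check them against your version), collapses repeated hits into one finding per secret, redacts the value, and returns a nonzero exit code when a verified hit is present, mirroring the --fail advice above.

```python
"""Triage newline-delimited JSON from `trufflehog ... --json` into a redacted report."""
import json
from collections import defaultdict

# Constructed sample standing in for real scanner output: one AWS key that the
# history walk reports in two commits, plus one unverified Slack hit. The field
# layout is an assumption about TruffleHog's --json mode; verify it for your version.
SAMPLE_JSON_OUTPUT = "\n".join(json.dumps(h) for h in [
    {"DetectorName": "AWS", "Verified": True, "Raw": "AKIAEXAMPLE000000001",
     "SourceMetadata": {"Data": {"Git": {"commit": "a1b2c3d4e5f6", "file": "config/prod.env", "line": 4}}}},
    {"DetectorName": "AWS", "Verified": True, "Raw": "AKIAEXAMPLE000000001",
     "SourceMetadata": {"Data": {"Git": {"commit": "f6e5d4c3b2a1", "file": "config/prod.env", "line": 9}}}},
    {"DetectorName": "Slack", "Verified": False, "Raw": "xoxb-constructed-sample-token",
     "SourceMetadata": {"Data": {"Git": {"commit": "0123456789ab", "file": "scripts/notify.sh", "line": 2}}}},
])


def redact(secret: str) -> str:
    """Keep a 4-character prefix so responders can match the key; drop the rest."""
    return f"{secret[:4]}...({len(secret)} chars)"


def triage(json_lines: str) -> list:
    """Collapse per-commit hits into one finding per (detector, secret) pair."""
    groups = defaultdict(lambda: {"verified": False, "locations": []})
    for line in json_lines.splitlines():
        if not line.strip():
            continue
        hit = json.loads(line)
        git = hit.get("SourceMetadata", {}).get("Data", {}).get("Git", {})
        entry = groups[(hit["DetectorName"], hit.get("Raw", ""))]  # raw value stays in memory only
        entry["verified"] = entry["verified"] or bool(hit.get("Verified"))
        entry["locations"].append(
            f"{str(git.get('commit', '?'))[:7]}:{git.get('file', '?')}:{git.get('line', '?')}")
    return [{"detector": det, "secret": redact(raw), "verified": v["verified"],
             "locations": v["locations"]}
            for (det, raw), v in groups.items()]


def gate_exit_code(findings: list, policy: str = "verified") -> int:
    """Fail the run on verified hits only (default) or on any hit (policy="any")."""
    blocking = [f for f in findings if f["verified"] or policy != "verified"]
    return 1 if blocking else 0


if __name__ == "__main__":
    report = triage(SAMPLE_JSON_OUTPUT)
    for f in report:
        status = "VERIFIED - rotate now" if f["verified"] else "unverified"
        print(f"{f['detector']:<8} {f['secret']:<24} {status}; seen at {', '.join(f['locations'])}")
    raise SystemExit(gate_exit_code(report))
```

Pipe real output into it with trufflehog git file://. --json | python3 triage.py, and use the exit code as the CI gate.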

How do you add a pre-commit hook?

Stopping a secret before it ever leaves your machine is far cheaper than scrubbing history later. Using the pre-commit.com framework, add this to .pre-commit-config.yaml:

repos:
  - repo: local
    hooks:
      - id: trufflehog
        name: TruffleHog
        description: Detect secrets in your data.
        entry: bash -c 'trufflehog git file://.'
        language: system
        stages: ["pre-commit", "pre-push"]

Per the documentation, TruffleHog auto-detects when it runs under the pre-commit.com framework and applies optimal settings, so no extra configuration is needed. If you prefer a plain git hook, a minimal script works too:

#!/bin/sh
export TRUFFLEHOG_PRE_COMMIT=1
trufflehog git file://.

For a wider look at where these hooks fit, see secret scanning in pre-commit hooks.

How do you run TruffleHog in CI?

A pre-commit hook is opt-in, so back it with a server-side gate. The official GitHub Action scans on push and pull request:

on:
  push:
    branches:
      - main
  pull_request:

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout code
      uses: actions/checkout@v4
      with:
        fetch-depth: 0
    - name: Secret Scanning
      uses: trufflesecurity/trufflehog@main
      with:
        extra_args: --results=verified,unknown

The fetch-depth: 0 line is important: it fetches full history so the scan covers every commit in the pull request, not just the tip. Pass scanner flags through extra_args. To fail the build only on confirmed live leaks, narrow it to --results=verified.

Where to go next

TruffleHog’s open-source release is under the AGPL-3.0 licence, worth checking against your distribution model before embedding it. Scanning is detection, not remediation: a found key must be rotated, because git history means a committed secret is effectively public. If a scan flags something, follow the response steps in committed a secret to GitHub, then compare scanners in gitleaks vs TruffleHog and browse more write-ups in the guides library.

Frequently asked questions

What makes TruffleHog different from a regex scanner?

Live verification. After detecting a candidate secret, TruffleHog attempts to authenticate with the matching provider, such as AWS or Stripe, to confirm the key still works. A verified result is a real, active leak rather than a string that merely looks like a credential.

How do I show only verified secrets?

Add --results=verified to your command. Per the TruffleHog documentation this outputs only credentials confirmed valid by the provider API, which sharply cuts triage noise. Use --results=verified,unknown if you also want detections where verification could not complete.

Can TruffleHog scan more than git repositories?

Yes. Alongside the git subcommand it ships github, gitlab, filesystem, docker, s3, gcs, postman, jenkins, elasticsearch, and stdin subcommands, so you can sweep cloud storage, container images, and SaaS tools where secrets may have spread outside version control.

Is TruffleHog free to use?

The open-source scanner is free under the AGPL-3.0 licence. Truffle Security also sells a separate commercial enterprise product. Check AGPL-3.0 against your own distribution model before embedding the scanner in a commercial codebase.

Does TruffleHog work as a pre-commit hook?

Yes. It integrates with the pre-commit.com framework and auto-detects that environment to apply sensible defaults. You can also wire it in as a plain git pre-commit script that runs trufflehog git file://. before each commit.