TruffleHog
FeaturedAGPL-3.0馃攷 General OSINT 路 Go
TruffleHog scans for leaked credentials and secrets in Git repositories, S3 buckets, filesystems, and more. It uses both regex patterns and entropy analysis to detect API keys, passwords, tokens, and other sensitive data that may have been accidentally committed. TruffleHog supports over 800 credential detectors and can verify discovered credentials against the actual services to confirm they are still active.
Installation
brew (macOS)
$ brew install trufflehogdocker
$ docker pull trufflesecurity/trufflehogfrom source
$ git clone https://github.com/trufflesecurity/trufflehog.git && cd trufflehog && go installUse Cases
- Scanning Git history for leaked secrets
- CI/CD pipeline secret detection
- S3 bucket credential scanning
- Active credential verification
- Compliance and security auditing
Tags
Details
- Category
- 馃攷 General OSINT
- Language
- Go
- Repository
- trufflesecurity/trufflehog
- License
- AGPL-3.0
- Platforms
- 馃惂linux馃崕macos馃獰windows
Links
Used in 1 Workflow
Community Reviews
Alternatives & Comparisons
Gitleaks
GoScan Git repos for hardcoded secrets like passwords, API keys, and tokens. CI/CD ready.
Compare TruffleHog vs GitleaksMore in General OSINT
theHarvester
PythonGathers emails, names, subdomains, IPs, and URLs from multiple public sources for passive recon.
SpiderFoot
PythonAutomated OSINT with 200+ modules. Web UI for scanning IPs, domains, emails, names, and more.
Maltego CE
JavaVisual link analysis tool for OSINT. Maps relationships between people, companies, domains, and infrastructure.
Holehe
PythonCheck if an email is registered on 120+ sites. Uses password recovery mechanisms to verify without logging in.
ExifTool
PerlRead, write, and edit metadata in files. Supports EXIF, GPS, IPTC, XMP, and more across dozens of formats.
PhoneInfoga
GoAdvanced phone number OSINT. Scans phone numbers using free resources to gather standard and disposable info.