Getting Started Guide
How to Install and Use TruffleHog
This guide covers installing TruffleHog and scanning git repos, filesystems, S3 buckets, and more for verified secrets and credentials.
Prerequisites
- Go (for go install) or a downloaded binary
Install TruffleHog
Install TruffleHog from Homebrew, pip, or download the binary.
macOS
brew install trufflehog
pip
pip install trufflehog
Verify
trufflehog --version
Scan a Git Repository
Scan a repo's entire commit history for secrets. TruffleHog's key differentiator is that it verifies found secrets against the actual service to confirm they're live.
Local repo
trufflehog git file://./
Remote repo
trufflehog git https://github.com/owner/repo
Only verified (live) secrets
trufflehog git https://github.com/owner/repo --only-verified
Note: The --only-verified flag is powerful: it actually tests found credentials against AWS, GitHub, Slack, etc. to confirm they work. This dramatically reduces false positives.
Scan a Filesystem
Scan a directory for secrets without git history.
Scan current directory
trufflehog filesystem .
Scan specific path
trufflehog filesystem /path/to/project
Scan GitHub Organizations
Scan all repositories in a GitHub organization. Requires a GitHub token.
Scan entire org
trufflehog github --org=your-org --token=ghp_yourtoken
Include members' repos
trufflehog github --org=your-org --token=ghp_yourtoken --include-members
Note: Scanning an entire org is one of the most valuable things you can do for an organization's security posture. Many breaches start with leaked credentials in repos.
JSON Output and CI Integration
Output results in JSON for automation and CI/CD pipelines.
JSON output
trufflehog git file://./ --json > results.json
Fail CI on findings
trufflehog git file://./ --fail --only-verified
Note: Use --fail with --only-verified in CI to block deployments only when live secrets are actually found. This avoids blocking on historical or revoked credentials.
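As an added example (not part of TruffleHog or this guide), the script below consumes the JSON-lines output from `trufflehog git file://./ --json`, counts only verified findings, reports them by detector and file using the redacted form so raw secrets never land in CI logs, and returns the exit code a pipeline gate would use. The field names Verified, DetectorName, Redacted and SourceMetadata are assumed from TruffleHog v3's JSON output; the two sample findings are constructed.

```python
"""CI gate over TruffleHog --json output (one JSON object per line)."""
import json
import sys
from collections import Counter

# Constructed sample: one verified AWS key, one unverified Slack token.
# Field names mirror TruffleHog v3 JSON output (assumed here).
SAMPLE_OUTPUT = """\
{"DetectorName": "AWS", "Verified": true, "Redacted": "AKIA****************", "SourceMetadata": {"Data": {"Git": {"file": "config/prod.env", "commit": "abc1234def"}}}}
{"DetectorName": "Slack", "Verified": false, "Redacted": "xoxb-****", "SourceMetadata": {"Data": {"Git": {"file": "docs/old.md", "commit": "def4567abc"}}}}
"""


def parse_findings(text):
    """Parse JSON lines; skip blank lines and non-JSON log noise."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            findings.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # partial or corrupted line: ignore rather than crash the gate
    return findings


def summarize(findings):
    """Return (verified_count, Counter of verified findings per detector)."""
    verified = [f for f in findings if f.get("Verified") is True]
    return len(verified), Counter(f.get("DetectorName", "unknown") for f in verified)


def finding_location(finding):
    """file@shortcommit from the Git source metadata, '?' where absent."""
    git = finding.get("SourceMetadata", {}).get("Data", {}).get("Git", {})
    return f"{git.get('file', '?')}@{git.get('commit', '?')[:7]}"


def ci_exit_code(text):
    """0 when no verified secrets are present, 1 otherwise (like --fail --only-verified)."""
    count, _ = summarize(parse_findings(text))
    return 1 if count else 0


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    findings = parse_findings(data)
    count, by_detector = summarize(findings)
    for f in findings:
        if f.get("Verified") is True:  # only the redacted value is ever printed
            print(f"VERIFIED {f['DetectorName']} {f['Redacted']} at {finding_location(f)}")
    print(f"{count} verified secret(s) by detector: {dict(by_detector)}")
    sys.exit(ci_exit_code(data))
```

Run it as `trufflehog git file://./ --json | python gate.py` in a pipeline step; with no piped input it processes the constructed sample.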