TruffleHog is an open source secret-scanning engine that helps resolve exposed secrets across your company’s entire tech stack.


# MacOS users
brew install trufflesecurity/trufflehog/trufflehog

# Docker
docker run --rm -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo

# Docker for M1 and M2 Mac
docker run --platform linux/arm64 --rm -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo

# Binary releases
Download and unpack from

# Compile from source
git clone
cd trufflehog; go install


TruffleHog [<flags>] <command> [<args> ...]


      --help                     Show context-sensitive help (also try --help-long and --help-man).
      --debug                    Run in debug mode.
      --trace                    Run in trace mode.
      --profile                  Enables profiling and sets a pprof and fgprof server on :18066.
  -j, --json                     Output in JSON format.
      --json-legacy              Use the pre-v3.0 JSON format. Only works with git, gitlab, and github sources.
      --github-actions           Output in GitHub Actions format.
      --concurrency=8            Number of concurrent workers.
      --no-verification          Don't verify the results.
      --only-verified            Only output verified results.
      --filter-unverified        Only output first unverified result per chunk per detector if there are more than one results.
      --config=CONFIG            Path to configuration file.
      --print-avg-detector-time  Print the average time spent on each detector.
      --no-update                Don't check for updates.
      --fail                     Exit with code 183 if results are found.
      --verifier=VERIFIER ...    Set custom verification endpoints.
                                 Maximum size of archive to scan. (Byte units eg. 512B, 2KB, 4MB)
                                 Maximum depth of archive to scan.
                                 Maximum time to spend extracting an archive.
      --include-detectors="all"  Comma separated list of detector types to include. Protobuf name or IDs may be used, as well as ranges.
                                 Comma separated list of detector types to exclude. Protobuf name or IDs may be used, as well as ranges. IDs defined here take precedence over the include list.
      --version                  Show application version.

  help [<command>...]
    Show help.

  git [<flags>] <uri>
    Find credentials in git repositories.

  github [<flags>]
    Find credentials in GitHub repositories.

  gitlab --token=TOKEN [<flags>]
    Find credentials in GitLab repositories.

  filesystem [<flags>] [<path>...]
    Find credentials in a filesystem.

  s3 [<flags>]
    Find credentials in S3 buckets.

  gcs [<flags>]
    Find credentials in GCS buckets.

  syslog [<flags>]
    Scan syslog

  circleci --token=TOKEN
    Scan CircleCI


trufflehog git --only-verified

Expected output:

πŸ·πŸ”‘πŸ·  TruffleHog. Unearth your secrets. πŸ·πŸ”‘πŸ·

Found verified result πŸ·πŸ”‘
Detector Type: AWS
Decoder Type: PLAIN
Line: 4
Commit: fbc14303ffbf8fb1c2c1914e8dda7d0121633aca
File: keys
Email: counter <[email protected]>
Timestamp: 2022-06-16 10:17:40 -0700 PDT

2: Scan a GitHub Org for only verified secrets

trufflehog github --org=trufflesecurity --only-verified

3: Scan a GitHub Repo for only verified keys and get JSON output


trufflehog git --only-verified --json

Expected output:

{"SourceMetadata":{"Data":{"Git":{"commit":"fbc14303ffbf8fb1c2c1914e8dda7d0121633aca","file":"keys","email":"counter \[email protected]\u003e","repository":"","timestamp":"2022-06-16 10:17:40 -0700 PDT","line":4}}},"SourceID":0,"SourceType":16,"SourceName":"trufflehog - git","DetectorType":2,"DetectorName":"AWS","DecoderName":"PLAIN","Verified":true,"Raw":"AKIAYVP4CIPPERUVIFXG","Redacted":"AKIAYVP4CIPPERUVIFXG","ExtraData":{"account":"595918472158","arn":"arn:aws:iam::595918472158:user/","user_id":"AIDAYVP4CIPPJ5M54LRCY"},"StructuredData":null}
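One way to post-process the --json output shown above, as an added example that is not part of TruffleHog or its documentation: it groups findings by credential, so a key that appears in several commits becomes a single rotation task, and masks the secret so the report does not leak it again. The field names are those in the output above; the sample records, commit IDs and key values are constructed.

```python
import hashlib
import json

def _rec(commit, line, raw, verified):
    # Constructed record using the field names from the JSON output above.
    return json.dumps({"SourceMetadata": {"Data": {"Git": {
        "commit": commit, "file": "keys", "line": line}}},
        "DetectorName": "AWS", "Verified": verified, "Raw": raw})

# Constructed sample: one key in two commits, one unverified key, plus noise.
SAMPLE = [
    _rec("aaaa111", 4, "AKIAEXAMPLEEXAMPLE00", True),
    _rec("bbbb222", 9, "AKIAEXAMPLEEXAMPLE00", True),
    "not json (for example a log line merged into the file)",
    _rec("cccc333", 2, "AKIAEXAMPLEEXAMPLE01", False),
    "",
]

def mask(secret, keep=4):
    """Show a short prefix only, so the report does not re-leak the secret."""
    keep = min(keep, len(secret) // 2)
    return secret[:keep] + "*" * (len(secret) - keep)

def triage(lines):
    """Group findings by credential: {fingerprint: summary dict}."""
    findings = {}
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or non-JSON lines
        if not isinstance(rec, dict) or not rec.get("Raw"):
            continue
        fp = hashlib.sha256(rec["Raw"].encode()).hexdigest()[:12]
        # Location fields exist for git sources; other sources yield None.
        git = ((rec.get("SourceMetadata") or {}).get("Data") or {}).get("Git") or {}
        entry = findings.setdefault(fp, {
            "detector": rec.get("DetectorName"), "masked": mask(rec["Raw"]),
            "verified": False, "locations": []})
        entry["verified"] = entry["verified"] or bool(rec.get("Verified"))
        entry["locations"].append((git.get("commit"), git.get("file"), git.get("line")))
    return findings

def exit_code(findings):
    """1 if any credential was verified (it must be rotated), else 0."""
    return 1 if any(f["verified"] for f in findings.values()) else 0

if __name__ == "__main__":
    for fp, f in triage(SAMPLE).items():
        print(fp, f["masked"], "verified" if f["verified"] else "unverified", f["locations"])
```
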

4: Scan an S3 bucket for verified keys

trufflehog s3 --bucket=<bucket name> --only-verified

5: Scan a GitHub Repo using SSH authentication in Docker

docker run --rm -v "$HOME/.ssh:/root/.ssh:ro" trufflesecurity/trufflehog:latest git ssh://

6: Scan individual files or directories

trufflehog filesystem path/to/file1.txt path/to/file2.txt path/to/dir

7: Scan GCS buckets for verified secrets

trufflehog gcs --project-id=<project-ID> --cloud-environment --only-verified
