TruffleHog is a secret scanning tool designed to identify leaked credentials and API keys across version control systems, cloud storage, and filesystems. As a git secret detector it also enumerates hidden commits; as a cloud storage security auditor it inspects container images and storage buckets.
The project is distinguished by a credential verification engine that tests discovered secrets against the corresponding service APIs to confirm they are active, which eliminates false-positive alerts. It further analyzes these verified credentials to determine the specific access levels and resources they control.
The tool covers a broad discovery surface, including the scanning of Elastic clusters, Postman workspaces, and Hugging Face resources. It provides capabilities for binary and document scanning, secret type classification, and the creation of custom detection rules using regular expressions and entropy filters.
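The combination of a regular expression and an entropy filter is the core of a custom detection rule: the regex finds strings shaped like a secret, and the entropy check drops placeholders and example values that match the shape but carry no real key material. The following Go program is an added illustration of that mechanism, not TruffleHog's own code or its custom-detector configuration format; the `hog_` token format, the 3.5 bits-per-character threshold and the sample config text are all constructed for this example.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Rule pairs a regex (with one capture group for the secret) with the minimum
// Shannon entropy, in bits per character, a capture must reach to be reported.
type Rule struct {
	Name       string
	Pattern    *regexp.Regexp
	MinEntropy float64
}

// Candidate is one regex hit that survived the entropy filter.
type Candidate struct {
	Line    int
	Rule    string
	Secret  string
	Entropy float64
}

// SampleInput is a constructed config file: one real-looking token (line 2)
// and two placeholder values (lines 3 and 4) that match the regex shape.
const SampleInput = `# constructed sample config
HOG_API_KEY=hog_K7mQp2XvR9tLc4Wn8ZbJ1gYhD6sEaF3u
HOG_API_KEY_EXAMPLE=hog_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
HOG_TEST_KEY=hog_abcabcabcabcabcabcabcabcabcabcab`

// DefaultRules returns one hypothetical rule: a "hog_" prefix followed by
// exactly 32 alphanumeric characters, reported only above 3.5 bits/char.
func DefaultRules() []Rule {
	return []Rule{{
		Name:       "hypothetical-hog-token",
		Pattern:    regexp.MustCompile(`\bhog_([A-Za-z0-9]{32})\b`),
		MinEntropy: 3.5,
	}}
}

// ShannonEntropy returns the entropy of s in bits per character.
func ShannonEntropy(s string) float64 {
	runes := []rune(s)
	if len(runes) == 0 {
		return 0
	}
	counts := map[rune]int{}
	for _, r := range runes {
		counts[r]++
	}
	n := float64(len(runes))
	h := 0.0
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// Scan applies every rule to each line of src and keeps only captures whose
// entropy clears the rule's threshold; low-entropy matches are placeholders.
func Scan(src string, rules []Rule) []Candidate {
	var out []Candidate
	for i, line := range strings.Split(src, "\n") {
		for _, rule := range rules {
			for _, m := range rule.Pattern.FindAllStringSubmatch(line, -1) {
				secret := m[1]
				h := ShannonEntropy(secret)
				if h < rule.MinEntropy {
					continue // shape matches, but content is repetitive filler
				}
				out = append(out, Candidate{Line: i + 1, Rule: rule.Name, Secret: secret, Entropy: h})
			}
		}
	}
	return out
}

func main() {
	for _, c := range Scan(SampleInput, DefaultRules()) {
		fmt.Printf("line %d rule=%s entropy=%.2f secret=%s\n", c.Line, c.Rule, c.Entropy, c.Secret)
	}
}
```

Running it reports only line 2: the 32 distinct characters of that token give exactly 5.0 bits per character, while the `xxxx…` placeholder scores 0 and the repeating `abc` pattern scores about 1.58, so both are dropped even though the regex matched them. In a real rule the threshold is tuned per secret type, since short or partly fixed-format tokens naturally have lower entropy than long random ones.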
Automation is supported through pre-commit hooks, which block credentials before they are committed, and CI/CD security scanning, which catches them before they are merged into the codebase.