Find, verify, and analyze leaked credentials
AGPL-3.0
- Go
- Shell
- Python

About TruffleHog
TruffleHog hunts for leaked credentials: API keys, database passwords, private encryption keys, and more. It looks in a wide range of places, from Git history and filesystems to chats, wikis, logs, object stores, and CI workflows, making it a broad discovery tool rather than just a repo scanner.
What sets it apart is verification. After classifying a finding into one of over 800 secret types, it can actually attempt to log in to confirm whether the secret is still live, separating real present danger from harmless noise. For the most commonly leaked credential types, it goes further and analyzes who created the secret, what it can access, and what permissions it holds.
TruffleHog is open source under the AGPL-3.0 license, with Truffle Security funding the work through an enterprise product. The CLI ships as binaries and a Docker image, with JSON and GitHub Actions output.
Key features
- Scans Git, filesystems, chats, logs, and object stores
- Classifies over 800 secret types
- Verifies whether a found secret is still live
- Analyzes credentials for owner, access, and permissions
- JSON and GitHub Actions output
Details
- First released: 2016
- Platforms: CLI · Docker
- Deployment: self-hostable · offline
- License: AGPL-3.0
- Origins: Truffle Security
- Latest release: v3.95.5
