TruffleHog

Advanced secrets scanner that validates detected secrets are actually live credentials. TruffleHog v3 scans git repos, S3 buckets, Docker images, CI/CD systems (GitHub Actions, CircleCI, etc.) for secrets — and uniquely verifies discovered secrets against the actual API to confirm they are valid and exploitable, reducing false positives. From Truffle Security, the company behind many high-profile secret disclosure research findings.

Evaluated Mar 07, 2026 (v3.x)
⚙ Agent Friendliness: 63 / 100 (Can an agent use this?)
🔒 Security: 91 / 100 (Is it safe for agents?)
⚡ Reliability: 81 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

MCP Quality: --
Documentation: 82
Error Messages: 80
Auth Simplicity: 92
Rate Limits: 85

🔒 Security

TLS Enforcement: 100
Auth Strength: 90
Scope Granularity: 85
Dep. Hygiene: 88
Secret Handling: 90

Verification sends secret values to external APIs — this is necessary to confirm validity but means secrets leave the local environment during verification. AGPL-3.0 licensed core.

⚡ Reliability

Uptime/SLA: 88
Version Stability: 80
Breaking Changes: 75
Error Recovery: 80

Best When

You want verified secret detection (reducing false positives by confirming secrets are live), need to scan beyond git repos (Docker images, S3, CI), or want enterprise-grade secret detection.

Avoid When

You need a lightweight, fast git hook scanner — Gitleaks is simpler and faster for basic git history scanning.

Use Cases

  • Scan git repositories, Docker images, and S3 buckets for valid secrets using TruffleHog's multi-source scanning capabilities
  • Verify that discovered secrets are actually valid, using TruffleHog's built-in verification across 700+ credential detectors, before alerting
  • Run secrets scanning in CI/CD pipelines with GitHub Actions integration to scan pull requests for accidentally committed credentials
  • Perform security audits of container images to find secrets embedded in Docker image layers and build history
  • Scan enterprise infrastructure (S3, CI/CD, Confluence, Jira) for secrets sprawl across all platforms from a single tool

Not For

  • Real-time secret injection prevention — TruffleHog scans for existing secrets; use Vault or AWS Secrets Manager for secret management
  • Compliance reporting at scale — TruffleHog Enterprise or GitGuardian offer enterprise dashboards for organization-wide management
  • Simple git repo scanning where Gitleaks' speed and simplicity are sufficient — TruffleHog is more powerful but heavier

Interface

REST API: No
GraphQL: No
gRPC: No
MCP Server: No
SDK: No
Webhooks: No

Authentication

Methods: none
OAuth: No
Scopes: No

Local CLI tool — no authentication for basic use. GitHub token needed for private repository scanning. TruffleHog Enterprise has account-based management.

Pricing

Model: open_source
Free tier: Yes
Requires CC: No

TruffleHog OSS is AGPL-3.0 — free for open source use but requires copyleft compliance for commercial use. TruffleHog Enterprise is commercial. Many commercial users use the OSS version for CI pipelines.

Agent Metadata

Pagination: none
Idempotent: Full
Retry Guidance: Not documented

Known Gotchas

  • AGPL-3.0 license requires open-sourcing modifications in some commercial contexts — verify license compliance before embedding TruffleHog in commercial products
  • Secret verification makes network requests to external APIs — in CI environments with network restrictions, verification may fail or time out; use the --no-verification flag in air-gapped environments
  • TruffleHog scans are slower than Gitleaks because of the verification step — full repo scans with verification can take significantly longer on large repos
  • Docker image scanning requires Docker daemon access — TruffleHog pulls and scans all image layers including build history, which can be large for complex images
  • TruffleHog v3 has a completely different CLI interface from v2 — older documentation and tutorials for v2 commands do not work with v3
  • Scanning private GitHub repositories requires either a GitHub token or the GitHub Actions native integration — local scans of private repos without auth only see public history

Full Evaluation Report

Comprehensive deep-dive: security analysis, reliability audit, agent experience review, cost modeling, competitive positioning, and improvement roadmap for TruffleHog.

AI-powered analysis · PDF + markdown · Delivered within 30 minutes

$99

Package Brief

Quick verdict, integration guide, cost projections, gotchas with workarounds, and alternatives comparison.

Delivered within 10 minutes

$3

Score Monitoring

Get alerted when this package's AF, security, or reliability scores change significantly. Stay ahead of regressions.

Continuous monitoring

$3/mo

Scores are editorial opinions as of 2026-03-07.
