Expand discovery across more areas of the environment and add detection for additional secret types, ensuring no secrets slip through the cracks.

New Detectors: Google Gemini API Key and OpenAI Admin Key

 
Two new detectors expand credential coverage to Google Gemini API keys and OpenAI Admin keys, strengthening detection of AI-service credentials that are increasingly common in modern environments. 

Support for Multi-Layer Encoding with Configurable Depth

 
Decoders (base64, UTF-16, escaped unicode) now chain iteratively: each decoder's output is fed back through all decoders until no new transformations occur or --max-decode-depth is reached (default: 5). This finds secrets hidden inside layered encodings – for example, a base64 Docker auth blob containing a GCP private key. Performance impact is less than 5% wall time. 

 
The filesystem source now supports following symbolic links with configurable maximum depth, enabling scanning of directory structures that use symlinks to reference sensitive files. 

 
The Tableau detector now includes analysis metadata, enabling richer context about the scope and permissions of detected Tableau credentials. 

 
Custom detector line number reporting now matches the full regex pattern instead of just the capture group, providing more accurate location information for remediation. 

Support for Buildkite Artifact scanning via presigned S3 URLs

 
Buildkite artifacts linked via presigned S3 URLs can now be scanned. 

Features here help teams act faster and more effectively when secrets are found, streamlining investigation, triage, and  collaboration.

 
When a source integration shows an error caused by its associated scanner, the UI now clearly distinguishes between scanner and source errors and provides a direct "View scanner" action for quick navigation to the scanner's detail page. 

 
Long-running scan durations now display in human-readable format using days and weeks (e.g., "2w 3d" instead of "2000h"), making it easier to understand scan progress at a glance. 

 
Slack Continuous sources now support a reinstall/re-authorization flow, allowing users to refresh credentials without recreating the entire source configuration. 

 
Fixed a bug where the LastVerified timestamp reflected the time secrets were ingested into the platform rather than when verification actually occurred, which could cause secrets to appear verified after tokens had already expired. 

2026 March

2026 February

source

2026 January

TruffleHog Docs

Choose your adventure

Configuring a scanner

Hosted Scanner deployment

Creating a scanner

Configuring a self-hosted scanner

Self-Hosted Deployment Guide

Linux Host

Docker

Helm Chart

Kubernetes Manifest

Resource requirements

Configuration file reference

Credential management

Running the scanner

Self-Hosted Scanner deployment

Getting started

Artifactory

AWS S3

Azure Repos (cloud)

Bitbucket

Buildkite

CircleCI

Confluence

Amazon ECR

Filesystem

Gerrit

GitLab

GitHub Real-time

GitHub

Google Cloud Storage (GCS)

Google Drive Domain-Wide Delegation (DWD)

Google Drive

Jenkins

Jira

Microsoft Sharepoint

Microsoft Teams

Postman

Slack

Vector

Reverify secrets

Verification caching

Scan for secrets

Self-discovery analyzers

GCP analyze

Analyze secrets

Email

Multi-project ticket synchronization

Splunk

Stdout

Webhook

Notify results

Shared Secrets

Scanning in CI

Pre-commit hooks

Pre-receive hooks

Block secrets from leaking

Custom detectors

Customizing detection

On-premise verification

Customizing detectors

Customizing TruffleHog

User Enablement Guide

Exported Secrets Column Definitions

Resource Hub

Architecture

Dynamic Role-Based Access Control (RBAC)

Authentication

Compliance

Data flow

How we handle your data

Security and Compliance

Secret Management Best Practices

Terminology

2026 May

2026 April

2025 December

2025 November

2025 October

2025 September

2025 August

2025 July

2025 June

2025 May

TruffleHog Release Notes