The Docker integration scans Docker images for credentials and other sensitive data.

The Docker integration is configured via a local configuration file. Web configuration in TruffleHog is not available for this source.

Local configuration supports four authentication methods:

 — for public images that don't require authentication.

 — uses credentials from your local Docker login (docker login).

 — uses a registry username and password.

Images can be specified with or without a tag. If no tag is provided, latest is assumed.

Use this for public images that don't require registry authentication.

sources:
  - connection:
      "@type": type.googleapis.com/sources.Docker
      images:
        - trufflesecurity/secrets
      unauthenticated: {}
    name: Docker
    scanPeriod: 12h
    type: SOURCE_TYPE_DOCKER
    verify: true

Use this when you've already authenticated to your registry locally with docker login. The scanner will use credentials from the Docker keychain.

sources:
  - connection:
      "@type": type.googleapis.com/sources.Docker
      dockerKeychain: true
      images:
        - trufflesecurity/secrets
    name: Docker
    scanPeriod: 12h
    type: SOURCE_TYPE_DOCKER
    verify: true

Use this for registries that accept username and password credentials.

sources:
  - connection:
      "@type": type.googleapis.com/sources.Docker
      basicAuth:
        username: user
        password: XXXXXXXXXXXXXXXXXXXXXXXXXX
      images:
        - trufflesecurity/secrets
    name: Docker
    scanPeriod: 12h
    type: SOURCE_TYPE_DOCKER
    verify: true

Use this for registries that accept bearer tokens.

sources:
  - connection:
      "@type": type.googleapis.com/sources.Docker
      bearerToken: XXXXXXXX
      images:
        - trufflesecurity/secrets
    name: Docker
    scanPeriod: 12h
    type: SOURCE_TYPE_DOCKER
    verify: true

Images must be listed explicitly in the images field. Image enumeration (e.g., scanning all images in a registry or organization) is not supported.

Only images built for the linux/amd64 platform are scanned. Images built for other architectures (such as linux/arm64 or windows/amd64) are not supported.

Learn about the local configuration options for Docker integration. Discover how to enable unauthenticated scans, Docker keychain authentication, basic authentication, and bearer token authentication. Explore YAML code examples.

Confluence

Docker

source

Filesystem

TruffleHog Docs

Choose your adventure

Configuring a scanner

Hosted Scanner deployment

Creating a scanner

Configuring a self-hosted scanner

Self-Hosted Deployment Guide

Linux Host

Helm Chart

Kubernetes Manifest

Resource requirements

Configuration file reference

Credential management

Running the scanner

Self-Hosted Scanner deployment

TruffleHog Enterprise - Getting started

Artifactory

AWS S3

Azure Repos (cloud)

Bitbucket

Buildkite

CircleCI

Gerrit

GitLab

GitHub Real-time

GitHub

Google Cloud Storage (GCS)

Google Drive Domain-Wide Delegation (DWD)

Google Drive

Jenkins

Jira

Microsoft Sharepoint

Microsoft Teams

Postman

Slack

Vector

Reverify secrets

Verification caching

Scan for secrets

Self-discovery analyzers

GCP analyze

Analyze secrets

Email

Multi-project ticket synchronization

Splunk

Stdout

Webhook

Notify results

Shared Secrets

Scanning in CI

Pre-commit hooks

Pre-receive hooks

Block secrets from leaking

Custom detectors

Customizing detection

On-premise verification

Customizing detectors

Customizing TruffleHog

User Enablement Guide

Exported Secrets Column Definitions

Resource Hub

Architecture

Dynamic Role-Based Access Control (RBAC)

Authentication

Compliance

Data flow

How we handle your data

Security and Compliance

Secret Management Best Practices

Terminology

2026 April

2026 March

2026 January

2025 December

2025 November

2025 October

2025 September

2025 August

2025 July

2025 June

2025 May

TruffleHog Release Notes