Block secrets from leaking
Scanning in CI

4min
You can use TruffleHog in CI to prevent secrets from being merged in Git.
GitHub Actions
TruffleHog can be run as a GitHub Action. Please follow the instructions in the open-source project README.
CircleCI
Adjust the --since-commit value to match your default branch that people merge into.
YAML
# See: https://circleci.com/docs/2.0/configuration-reference
version: 2.1

jobs:
  scan-secrets:
    docker:
      - image: trufflesecurity/trufflehog:latest
    steps:
      - checkout
      - run:
          name: "Scan for secrets"
          # change --since-commit to match your default branch
          command: trufflehog git file://. --since-commit main --branch "$CIRCLE_BRANCH" --fail --only-verified

workflows:
  scan-secrets:
    jobs:
      - scan-secrets
# See: https://circleci.com/docs/2.0/configuration-reference
version: 2.1

jobs:
  scan-secrets:
    docker:
      - image: trufflesecurity/trufflehog:latest
    steps:
      - checkout
      - run:
          name: "Scan for secrets"
          # change --since-commit to match your default branch
          command: trufflehog git file://. --since-commit main --branch "$CIRCLE_BRANCH" --fail --only-verified

workflows:
  scan-secrets:
    jobs:
      - scan-secrets
﻿
General usage
You can run TruffleHog using the binary directly, or with Docker.
The first expected argument is the base reference, typically the main branch that you merge into, such as main or master. The second argument is the HEAD reference. If your branch is already checked out, you can simply use HEAD, otherwise give a branch, tag, or commit reference.
TruffleHog will return a non-zero exit code if there are findings.
You can see the all of the available flags for the trufflehog-launcher git command below:
Launching directly
Bash
$ trufflehog-launcher git --help
usage: TruffleHog git [<flags>] <base> <head> [<workdir>]

Scans a local git repo.

Flags:
      --help                  Show context-sensitive help (also try --help-long and --help-man).
  -v, --debug                 Enable debug mode.
      --trace                 Enable tracing of code line numbers.
      --json                  Enable JSON output.
      --send-error-telemetry  Turns error telemetry off.
      --fail-verified         Only emit failure code for verified findings.
      --quiet                 Only show results.
      --config=CONFIG         Path to configuration file. You can also specify Google Secrets Manager secrets with
                              'gsm://<project_id>/<secret_name>'.

Args:
  <base>       Start scanning from here (usually main branch).
  <head>       Scan commits until here (usually dev branch).
  [<workdir>]  Optional path to the repo to scan.
$ trufflehog-launcher git --help
usage: TruffleHog git [<flags>] <base> <head> [<workdir>]

Scans a local git repo.

Flags:
      --help                  Show context-sensitive help (also try --help-long and --help-man).
  -v, --debug                 Enable debug mode.
      --trace                 Enable tracing of code line numbers.
      --json                  Enable JSON output.
      --send-error-telemetry  Turns error telemetry off.
      --fail-verified         Only emit failure code for verified findings.
      --quiet                 Only show results.
      --config=CONFIG         Path to configuration file. You can also specify Google Secrets Manager secrets with
                              'gsm://<project_id>/<secret_name>'.

Args:
  <base>       Start scanning from here (usually main branch).
  <head>       Scan commits until here (usually dev branch).
  [<workdir>]  Optional path to the repo to scan.
﻿
Launching with Docker
Bash
$ docker run -v "$(pwd):/workdir" -it --rm us-docker.pkg.dev/thog-artifacts/public/scanner:latest git --fail-verified main HEAD /workdir

🐷🔑🐷 TruffleHog. Unearth your secrets. 🐷🔑🐷
version:  dev

WARN[0004] found secret                                  commit=unstaged email=unstaged file=aws redacted=AKIAXYZDQCENUFS46CE4 type=AWS verified=true
INFO[0004] scanned 4 commits                            
WARN[0004] found 1 VERIFIED secrets                     
exit status 1
$ docker run -v "$(pwd):/workdir" -it --rm us-docker.pkg.dev/thog-artifacts/public/scanner:latest git --fail-verified main HEAD /workdir

🐷🔑🐷 TruffleHog. Unearth your secrets. 🐷🔑🐷
version:  dev

WARN[0004] found secret                                  commit=unstaged email=unstaged file=aws redacted=AKIAXYZDQCENUFS46CE4 type=AWS verified=true
INFO[0004] scanned 4 commits                            
WARN[0004] found 1 VERIFIED secrets                     
exit status 1
﻿
That's all there is to it!
Updated 20 Nov 2024
Did this page help you?
Block secrets from leaking
Pre-commit hooks