Secrets, or more generally credentials, are the data that is scanned for. Examples of secrets include: access keys/tokens, API keys, passwords, etc.

: The secret was never verified as active.

: The secret was verified as live at one point, and has since been verified as not live.

: The secret is marked invalid by the user. This could be for any reason. For example, the secret is wrong.

: The secret was marked as resolved by the user. Useful for when the secret was removed before TruffleHog could verify that it is no longer active.

: The secret was marked as will not fix by the user. Common reasons are risk acceptance and canary tokens.

: Integrations that provide data to be scanned. They are configured via a local configuration file, or in the web UI. Examples of sources include: Slack, JIRA, Github, S3, etc. See the 

 part of the documentation for more information.

: Integrations for sending notifications for found secrets. Examples of notifiers include: Email, Slack message, JIRA ticket, or a webhook. See the 

 The component that scan for secrets and verify them. Metadata of the secret is sent to the configured notifiers and to your hosted web UI. See the rest of the 

 documentation for creating and configuring a scanner.

 scanner group. The Hosted scanner group is run for you in Truffle Security infrastructure in your own isolated environment. Additionally, scanners can be setup to run on your own hardware. These scanners will be placed in an individually created scanner group.

: Used to manage multiple scanners. You configure scanner groups in the web UI. A scanner group can run more than one scanner instance, and scan jobs will run across those instances.

 that TruffleHog uses to find secrets, credentials, and other sensitive data across source code, logs, configs, containers, cloud resources, and more. Each detector focuses on a particular kind of secret. To customize detection see the 

Secrets management

Terminology

source

Artifactory

AWS S3

Azure Repos (cloud)

Bitbucket

Buildkite

CircleCI

Confluence

Docker

Filesystem

Gerrit

GitLab

GitHub

Google Cloud Storage (GCS)

Google Drive

Jenkins

Jira

Microsoft Sharepoint

Microsoft Teams

Postman

Slack

Vector

Scan data for secrets

TruffleHog Docs

Choose your adventure

Creating a scanner

Configuration file reference

Configuring a scanner

Resource Requirements

Running the scanner

Getting started

Self-discovery analyzers

GCP analyze

Analyze secrets

Email

Multi-project ticket synchronization

Splunk

Stdout

Webhook

Notify results

Shared Secrets

Reverify secrets

Verification caching

Scanning in CI

Pre-commit hooks

Pre-receive hooks

Block secrets from leaking

Systemd

Helm Chart

Kubernetes manifest

Deployment

Custom detectors

Customizing detection

On-premise verification

Customizing detectors

Customizing TruffleHog

Data flow

How we handle your data

Secret Management Best Practices

Dynamic Role-Based Access Control (RBAC)

Authentication

Architecture

Compliance

Security and Compliance

2025 September

2025 August

2025 July

2025 June

2025 May

TruffleHog Release Notes