trufflehog

v3.95.3 Breaking

This release includes 2 breaking changes for platform teams planning a safe upgrade.

✓ No known CVEs patched

Topics

credentials security dynamic-analysis precommit scanning secret secrets-management security-tools trufflehog verification

ReleasePort's take

Moderate signal
The detector API now uses SecretParts instead of AnalysisInfo keys; CI enforces this validation on all detector changes.

Why it matters: Update detectors to set the required SecretParts field before merging, or CI will block builds. Patch and test in dev immediately.

Summary

AI summary

Renamed the AnalysisInfo field to SecretParts across detectors and added strict CI enforcement.

Changes in this release

Breaking Medium

AnalysisInfo field renamed to SecretParts on Result API

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Static checks validate detectors set required SecretParts field

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

CI enforces checksecretparts validation for all detector changes

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Cloudinary API key detector added for secret detection

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Pinecone API key detector added for secret detection

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Stricter validation for detector Result SecretParts initialization

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

customDetector supports customizable successRanges and rotatedRanges

Source: llm_adapter@2026-05-21

Confidence: low

Dependency Medium

JS CI actions upgraded to Node 24 majors, including CodeQL v4 and WIF auth v3

Source: llm_adapter@2026-05-21

Confidence: low

Dependency Medium

golangci-lint-action upgraded from v7 to v9 for Node 24

Source: llm_adapter@2026-05-21

Confidence: low

Performance Medium

Concurrent credential verification requests deduplicated via singleflight

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

SecretParts field populated on all existing detector implementations

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Custom detector verification requests default Content-Type to application/json

Source: llm_adapter@2026-05-21

Confidence: low

Refactor Medium

AnypointOAuth2 detector AnalysisInfo keys renamed for consistency

Source: llm_adapter@2026-05-21

Confidence: high

Refactor Medium

Non-critical chunk errors logged at Info level instead of Error

Source: llm_adapter@2026-05-21

Confidence: low

Refactor Low

Documented SecretParts contract in detector-authoring documentation

Source: granite4.1:30b@2026-05-24-audit

Confidence: high

Refactor Low

Made checksecretparts required in CI pipeline

Source: granite4.1:30b@2026-05-24-audit

Confidence: low

Full changelog

What's Changed

  • Renamed AnypointOAuth2 detector's AnalysisInfo keys to make it consistent with its Analyzer by @MuneebUllahKhan222 in https://github.com/trufflesecurity/trufflehog/pull/4906
  • Rename AnalysisInfo field to SecretParts on detectors.Result by @mcastorina in https://github.com/trufflesecurity/trufflehog/pull/4911
  • Document SecretParts contract in detector-authoring docs by @mcastorina in https://github.com/trufflesecurity/trufflehog/pull/4912
  • Add a static check for detectors that don't set SecretParts by @mcastorina in https://github.com/trufflesecurity/trufflehog/pull/4913
  • Populate SecretParts on all detectors by @mcastorina in https://github.com/trufflesecurity/trufflehog/pull/4919
  • Make checksecretparts required in CI by @mcastorina in https://github.com/trufflesecurity/trufflehog/pull/4921
  • Deduplicate concurrent credential verification requests via singleflight by @kashifkhan0771 in https://github.com/trufflesecurity/trufflehog/pull/4314
  • log non-critical chunk errors at V(2).Info instead of Error by @johnelliott in https://github.com/trufflesecurity/trufflehog/pull/4928
  • [INS-320] Cloudinary detector by @MuneebUllahKhan222 in https://github.com/trufflesecurity/trufflehog/pull/4747
  • ci: bump JS actions to Node 24 majors (incl. CodeQL v4 + WIF auth v3) by @bryanbeverly in https://github.com/trufflesecurity/trufflehog/pull/4933
  • chore: bump golangci-lint-action v7 → v9 (Node 24) by @bryanbeverly in https://github.com/trufflesecurity/trufflehog/pull/4936
  • Add default Content-Type: application/json header for custom detector verification request by @MuneebUllahKhan222 in https://github.com/trufflesecurity/trufflehog/pull/4947
  • Make detector Result.SecretParts initialization stricter by @mcastorina in https://github.com/trufflesecurity/trufflehog/pull/4948
  • Add Pinecone API key detector by @dylanTruffle in https://github.com/trufflesecurity/trufflehog/pull/4917
  • adding customizable successRanges and rotatedRanges to customDetector by @jordanTunstill in https://github.com/trufflesecurity/trufflehog/pull/4892

Full Changelog: https://github.com/trufflesecurity/trufflehog/compare/v3.95.2...v3.95.3

Breaking Changes

  • Renamed the `AnalysisInfo` field to `SecretParts` on `detectors.Result`.
  • `SecretParts` initialization is now stricter, and the `checksecretparts` static check is required in CI.

About trufflehog

Find, verify, and analyze leaked credentials
