Skip to content

trufflehog

Vulnerability Scanning

A secrets discovery, classification, validation, and analysis tool that finds leaked credentials in code repositories, chats, wikis, logs, and more.

Track releases GitHub Website
Go Latest v3.95.5 · 1d ago Security brief →

Features

  • Discovers secrets across Git repos, chats (Slack), wikis (Confluence), logs, object stores, filesystems, etc.
  • Classifies over 800 secret types and maps them to their originating service (AWS, Stripe, Cloudflare, Postgres, SSL keys, …).
  • Validates discovered secrets by attempting authentication to confirm if they are active.
  • Performs in‑depth analysis for the most common credential types, revealing creator info, accessible resources, and permissions.

Recent releases

View all 20 releases →
Review required
v3.95.5 Mixed
Dependencies

GitLab OAuth + Box + AppSync + Twilio fix

Open
Review required
v3.95.4 Mixed
Auth

GitHub cache + Twilio fix + DB extra data

Open
No immediate action
v3.95.3 Breaking risk

SecretParts rename

Open
v3.95.1 Bug fix

Minor fixes and improvements.

Full changelog

What's Changed

  • [INS-444] Fix verification logic in Mesibo detector by @mustansir14 in https://github.com/trufflesecurity/trufflehog/pull/4884

Full Changelog: https://github.com/trufflesecurity/trufflehog/compare/v3.95.0...v3.95.1

View release on GitHub
v3.95.0 Mixed
Notable features
  • Bitbucket Data Center PAT detector
  • Jira Data Center PAT detector
  • Confluence Data Center PAT detector
Full changelog

What's Changed

  • Upgrade golangci-lint in CI runner and Makefile by @amanfcp in https://github.com/trufflesecurity/trufflehog/pull/4861
  • Deprecate SquareUp Detector by @nabeelalam in https://github.com/trufflesecurity/trufflehog/pull/4855
  • [INS-397] Fix git version parser panic on non-numeric patch versions by @shahzadhaider1 in https://github.com/trufflesecurity/trufflehog/pull/4882
  • Fix Bitbucket line highlighting URLs by @shahzadhaider1 in https://github.com/trufflesecurity/trufflehog/pull/4854
  • [INS-403] Support Custom endpoint config in hashicorpvaultauth Detector by @MuneebUllahKhan222 in https://github.com/trufflesecurity/trufflehog/pull/4825
  • [INS-398] Added tests to ensure that custom endpoint configuration works in artifactory detectors by @MuneebUllahKhan222 in https://github.com/trufflesecurity/trufflehog/pull/4832
  • Host ldap-verify library in trufflesecurity by @trufflesteeeve in https://github.com/trufflesecurity/trufflehog/pull/4859
  • Add AnalysisError type and wrap all analyzer error paths by @johnelliott in https://github.com/trufflesecurity/trufflehog/pull/4779
  • dep-updates: Go 1.25 and dependency refreshes by @dustin-decker in https://github.com/trufflesecurity/trufflehog/pull/4888
  • Fix nil pointer panics in GitHub analyzer gist/repo binding functions by @shahzadhaider1 in https://github.com/trufflesecurity/trufflehog/pull/4864
  • [INS-399] Added Bitbucket data center(on prem) PAT detector by @MuneebUllahKhan222 in https://github.com/trufflesecurity/trufflehog/pull/4883
  • [INS-402] Add Jira Data Center PAT Detector by @mustansir14 in https://github.com/trufflesecurity/trufflehog/pull/4872
  • Add man page generation for trufflehog by @bryanbeverly in https://github.com/trufflesecurity/trufflehog/pull/4894
  • Add Confluence Data Center PAT detector by @amanfcp in https://github.com/trufflesecurity/trufflehog/pull/4886

Full Changelog: https://github.com/trufflesecurity/trufflehog/compare/v3.94.3...v3.95.0

View release on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

About

Stars
26,610
Forks
2,432
Languages
Go Shell Python
View on GitHub Homepage

Install & Platforms

Install via
brew docker shell-script binary go
Platforms
linux macos arm64

Community & Support

Slack

Similar tools

Hindsight
Clark-Browser
Shhh
Tanstack Compromise Checker

Beta — feedback welcome: [email protected]