TruffleHog "found verified result" fails the scan in CI
TruffleHog did not just pattern-match a secret, it called the credential's provider and confirmed it is live. With --fail, a verified result exits non-zero and stops the build.
What this error means
TruffleHog prints "found verified result" (or "Found verified result") with the detector name and exits 183 (or non-zero with --fail). The credential is active and must be rotated.
Found verified result
Detector Type: AWS
Decoder Type: PLAIN
Raw result: AKIA...redacted...
Repository: https://github.com/acme/app
2 verified, 0 unverifiedCommon causes
A live credential is committed to the repo
TruffleHog verified the secret against the provider (AWS, GitHub, Slack) and it responded as valid, so it is a real, active leak.
A shared key that is still enabled
An old key intended to be retired still authenticates, so verification succeeds even if you thought it was dead.
How to fix it
Rotate the credential immediately
- Treat the verified secret as compromised and revoke it at the provider now.
- Remove it from the code and load it from a secret store instead.
- Purge it from history if it was committed, then re-run the scan.
trufflehog git file://. --only-verified --failScan only verified results to cut noise
Use --only-verified so the gate fails on confirmed-live secrets and skips unverified pattern matches.
- uses: trufflesecurity/trufflehog@main
with:
extra_args: --only-verified --failHow to prevent it
- Rotate any credential TruffleHog verifies, do not allowlist it.
- Gate on
--only-verifiedto focus on live secrets. - Scan in a pre-commit hook so live keys never reach CI.