Skip to content
Latchkey

TruffleHog "found verified result" fails the scan in CI

TruffleHog did not just pattern-match a secret, it called the credential's provider and confirmed it is live. With --fail, a verified result exits non-zero and stops the build.

What this error means

TruffleHog prints "found verified result" (or "Found verified result") with the detector name and exits 183 (or non-zero with --fail). The credential is active and must be rotated.

trufflehog
Found verified result
Detector Type: AWS
Decoder Type: PLAIN
Raw result: AKIA...redacted...
Repository: https://github.com/acme/app
2 verified, 0 unverified

Common causes

A live credential is committed to the repo

TruffleHog verified the secret against the provider (AWS, GitHub, Slack) and it responded as valid, so it is a real, active leak.

A shared key that is still enabled

An old key intended to be retired still authenticates, so verification succeeds even if you thought it was dead.

How to fix it

Rotate the credential immediately

  1. Treat the verified secret as compromised and revoke it at the provider now.
  2. Remove it from the code and load it from a secret store instead.
  3. Purge it from history if it was committed, then re-run the scan.
Terminal
trufflehog git file://. --only-verified --fail

Scan only verified results to cut noise

Use --only-verified so the gate fails on confirmed-live secrets and skips unverified pattern matches.

.github/workflows/ci.yml
- uses: trufflesecurity/trufflehog@main
  with:
    extra_args: --only-verified --fail

How to prevent it

  • Rotate any credential TruffleHog verifies, do not allowlist it.
  • Gate on --only-verified to focus on live secrets.
  • Scan in a pre-commit hook so live keys never reach CI.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →