trufflehog git: Scan a Repo for Verified Secrets
trufflehog git scans a repository history and, with --only-verified, reports only secrets it confirmed are live by calling the provider.
TruffleHog v3 leans on verification: it does not just regex-match, it tries the candidate credential against the API to see if it actually works. That cuts noise dramatically.
What it does
trufflehog git <url-or-path> walks commits and runs detectors. With --only-verified it suppresses any candidate it could not actively verify. By default trufflehog exits 0 even when secrets are found; pass --fail to exit 183 on verified results.
Common usage
trufflehog git file://. --only-verified
# scan a remote repo
trufflehog git https://github.com/acme/app --only-verified --fail
# limit to a commit range in a PR
trufflehog git file://. --since-commit main --branch HEAD --only-verified --failOptions
| Flag | What it does |
|---|---|
| --only-verified | Report only secrets confirmed live by the provider |
| --fail | Exit 183 when results are found (default exit is 0) |
| --since-commit <ref> | Only scan commits after this ref |
| --branch <name> | Limit scanning to one branch |
| --json | Emit one JSON object per finding |
| --no-update | Skip the self-update check (faster in CI) |
| --results=verified,unknown | Select which result categories to report |
In CI
trufflehog does NOT fail the build on its own; add --fail so a verified secret returns exit 183 and breaks the job. Verification makes outbound API calls, so a locked-down runner with no egress will mark everything "unknown" instead of "verified". The official trufflehog GitHub Action wires --fail for you.
Common errors in CI
A green build despite a real leak almost always means --fail was omitted (default exit is 0). "BASE and HEAD are the same. Nothing to scan" appears on the GitHub Action for a push to a single commit; set base/head or scan with git file://.. Everything showing as "unknown" means verification could not reach the provider (no network egress).