Question 1

How to ignore false positives in TruffleHog?

Accepted Answer

Add a `trufflehog:ignore` comment on the line containing the secret if the source supports line numbers. This tells TruffleHog to skip that specific detection during scans, as mentioned in the FAQ section.

Question 2

TruffleHog vs GitLeaks: which should I use?

Accepted Answer

TruffleHog offers active verification against live APIs, reducing false positives, while GitLeaks is simpler and faster for basic regex-based scanning. Choose TruffleHog for thorough validation, but expect longer scan times and more configuration.

Question 3

How to set up TruffleHog in a GitHub Actions workflow?

Accepted Answer

Use the `trufflesecurity/trufflehog@main` action in your workflow file with `extra_args` like `--results=verified,unknown`. The README provides examples for scanning pushes and pull requests, including shallow cloning for efficiency.

Question 4

Can TruffleHog scan private GitHub repositories?

Accepted Answer

Yes, but you need to provide a personal access token using the `--token` flag to authenticate and avoid rate limits. Unauthenticated scans have restrictions, as noted in the FAQ about scan times.

Question 5

How to add custom secret detectors in TruffleHog?

Accepted Answer

Custom regex detectors are an alpha feature. Define them in a configuration file with regular expressions and webhook endpoints for verification, as described in the 'Custom Regex Detector' section of the README.

Question 6

Why does TruffleHog take so long to scan my GitHub organization?

Accepted Answer

Unauthenticated scans are rate-limited by GitHub. To speed it up, use the `--token` flag with a personal access token, which increases the rate limits and reduces scan time, as explained in the troubleshooting FAQ.

truffleHog

What is truffleHog?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions