🐷 TruffleHog — The Free Tool That Finds Every Password You Forgot You Leaked

  • 🧲 One Command Scans Your Entire Git History for Live API Keys — Free, Open Source, Terrifying

Someone scanned GitHub and found 28 million passwords sitting in plain sight. Yours might be one of them.

This tool was supposed to be a secret. 25,000 GitHub stars later, it’s not.

Here’s what most people don’t know. Every time you push code, every config file you committed in 2019, every .env you “deleted” — Git remembers all of it. Deleted commits? Still there. Force-pushed code? Still there. That Stripe test key from your college project? Still. There. And there’s a free tool that finds every single one, then actually logs in with each key to check if it still works.

It’s called TruffleHog. Open source. One command. Scans 800+ types of secrets across GitHub, Slack, Docker, S3, and 20+ more places you forgot had passwords in them.

The scary part isn’t that it exists. The scary part is that hackers find leaked keys within 5 minutes of exposure. The average company takes 94 days to fix it. That gap is where careers end and breaches begin.


🕵️ 7 Things You Can Do With This That Nobody Talks About

These aren’t the boring “scan your repo for safety” use cases. These are the ones that make you lean forward.


1. Make real money finding other people’s leaked keys

Bug bounty hunters point TruffleHog at public repos and get paid when they find live credentials. One researcher made $64,000 just from scanning deleted files that developers thought were gone. Another pulled $2,400 from a single IntelliJ settings file that had copy-paste history encoded in Base64. TruffleHog finds the key, KeyHacks tells you what it can access, you report it, you get paid. The tool is free — the bounties are very real.


2. Scan a company before you accept their job offer

One command: trufflehog github --org=startup-name --only-verified. If live AWS keys show up in their public repos, that tells you everything about their security culture without asking a single interview question. Wiz Research scanned the Forbes AI 50 list and found 65% of them had leaked verified secrets. The companies are collectively worth $400 billion. Your future employer might be one of them.


3. Turn leaked keys into tripwires that catch attackers

This one’s beautiful. After you rotate a compromised key, don’t delete the old one — replace it with a Canary Token (free, from Thinkst). It looks like a real AWS key. The moment anyone tries to use it, you get an email with their IP address. Grafana caught a real attacker in 2025 exactly this way — their planted honeypots fired before their security team even finished investigating. You’re turning defense into offense.


4. One private key can unlock push access to IBM, Oracle, and Arm repos

TruffleHog has a feature called Driftwood that most people skip past. It checks every leaked private key against a database of billions of TLS certificates and millions of GitHub SSH keys. In a sample of 50,000 keys found online, they discovered dozens that had push access to hundreds of repositories — including ones owned by IBM, Arm, and Oracle. One leaked key = potential supply chain attack on everything downstream. Oh, and 70% of the encrypted keys were crackable with a 250-word password list.


5. Catch secrets hiding in places nobody thinks to scan

Git repos are obvious. But 2.4% of Slack channels contain leaked secrets. 6.1% of Jira tickets have credentials in bug report logs. Over 10,000 Docker Hub images have baked-in passwords. Researchers found cloud API keys inside arXiv research papers — the PDF source files on academic preprints. TruffleHog scans all of these. Also HuggingFace AI models, Postman workspaces, Jenkins servers, and Elasticsearch clusters. Your code might be clean. Your Slack probably isn’t.


6. Your AI coding assistant is leaking your secrets for you

AI-assisted commits leak secrets at a 3.2% rate — roughly double the human baseline. Cursor (the AI code editor) was caught sending .env file contents to its servers for tab completion, even when those files were in .cursorignore. AI coding tools can memorize credentials from training data and re-emit them into someone else’s code. The fastest-growing leak vector isn’t human mistakes anymore — it’s the tools we built to prevent human mistakes.


7. Sell “security audits” using entirely free tools

Freelancers are packaging TruffleHog + Gitleaks scans into professional security audit services at $100-300/hour. The tools are free — the expertise is the product. Run TruffleHog across a client’s repos, generate a findings report, prioritize by verification status, deliver rotation steps from howtorotate.com. SOC 2 auditors now expect secret scanning evidence. Startups preparing for certification will pay for someone who knows how to run these commands and write the report.

⚡ Try It Right Now — 60 Seconds, Zero Excuses

Pick your install method, then run one command.

# macOS
brew install trufflehog

# Linux
curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin

# Docker (no install)
docker run --rm -it trufflesecurity/trufflehog:latest --help

Now scan your own repo — the one you’re probably nervous about:

trufflehog git https://github.com/YOUR_USERNAME/YOUR_REPO --only-verified

If it finds something, don’t panic. Rotate the key immediately using howtorotate.com, then drop a Canary Token in its place from canarytokens.org.

💡 Trick: Use --results=verified,unknown instead of --only-verified. The “unknown” status means TruffleHog tried to verify but got a timeout or rate limit — those secrets might still be live. --only-verified misses them.

🔗 The Free Toolkit — Every Link You Need

| Tool | What It Does | Link |
| --- | --- | --- |
| TruffleHog | Finds + verifies leaked secrets across 20+ sources | GitHub |
| Gitleaks | Fast pre-commit scanning — blocks secrets before they enter git | GitHub |
| KeyHacks | Shows what each leaked API key can actually access | GitHub |
| howtorotate.com | Step-by-step rotation guides for 20+ services | Site |
| Canary Tokens | Free honeypots — get alerted when someone uses a fake key | Site |
| Driftwood | Checks private keys against billions of TLS certs + SSH keys | GitHub |
| git-secrets | AWS-specific pre-commit hook — stops AWS keys from being committed | GitHub |
| detect-secrets | Yelp’s baseline scanner — lightweight, Python-based | GitHub |
| Betterleaks | Brand new (Feb 2026) — 98.6% recall, from the creator of Gitleaks | GitHub |
| GitHound | Scans ALL of GitHub for secrets — not just your repos | GitHub |

🚫 What NOT To Do

| Don’t | Why |
| --- | --- |
| Don’t just delete the file and push again | Git keeps the full history — the secret is still in old commits forever |
| Don’t assume “it was a test key” | TruffleHog verifies by actually logging in — if it says verified, it’s live |
| Don’t scan without --results=verified,unknown | Missing the “unknown” category means missing secrets that timed out during verification |
| Don’t skip Slack/Jira/Docker | 6.1% of Jira tickets have credentials — your git repos might be clean while your tickets leak |
| Don’t ignore the legal side | Uber’s security chief got a criminal conviction for hiding a credential-based breach — 57 million users affected |

⚡ Quick Hits

| Want | Do |
| --- | --- |
| 🐛 Find live secrets | trufflehog git <repo> --results=verified,unknown |
| 🛡️ Block future leaks | Install Gitleaks as a pre-commit hook |
| 💰 Make money from this | Scan public repos → report via HackerOne → get paid |
| 🪤 Catch attackers | Rotate key → plant Canary Token in its place |
| 🔍 Assess damage | Found a key? Check KeyHacks for what it can access |
| 🏢 Scan before joining a company | trufflehog github --org=company-name --only-verified |

28 million secrets leaked last year. You just got the tool to find yours before someone else does.

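Added example, not from the post above or from the TruffleHog project: a small Python triage script that applies the --results=verified,unknown tip to trufflehog --json output, putting verified findings first (rotate now), then “unknown” ones (verification timed out or was rate-limited, so treat as live), and redacting every secret before it reaches a report. The sample lines are constructed; field names follow TruffleHog’s JSON output, and the VerificationError field is assumed to hold the reason when verification could not complete.

```python
import json
from typing import Iterable

# Constructed sample of `trufflehog git <repo> --results=verified,unknown --json`
# output (one object per line). Values are made up; field names follow TruffleHog's
# JSON output, VerificationError assumed to hold the reason verification failed.
SAMPLE_JSON_LINES = [
    '{"DetectorName":"AWS","Verified":true,"Raw":"AKIAFAKE0000000000001",'
    '"VerificationError":null,"SourceMetadata":{"Data":{"Git":{"file":".env","commit":"a1b2c3d"}}}}',
    '{"DetectorName":"Stripe","Verified":false,"Raw":"sk_test_FAKE000000000000",'
    '"VerificationError":"context deadline exceeded",'
    '"SourceMetadata":{"Data":{"Git":{"file":"settings.py","commit":"d4e5f6a"}}}}',
    '{"DetectorName":"Slack","Verified":false,"Raw":"xoxb-FAKE-000000",'
    '"VerificationError":null,"SourceMetadata":{"Data":{"Git":{"file":"bot.js","commit":"0a9b8c7"}}}}',
]

# Rotation order: verified first, then unknown (timed out / rate-limited, may be live).
PRIORITY = {"verified": 0, "unknown": 1, "unverified": 2}

def classify(finding: dict) -> str:
    """Map one finding to verified / unknown / unverified."""
    if finding.get("Verified"):
        return "verified"
    if finding.get("VerificationError"):
        return "unknown"
    return "unverified"

def redact(secret: str, keep: int = 4) -> str:
    """Keep a short prefix only, so the report never re-leaks the secret."""
    return secret[:keep] + "*" * max(0, len(secret) - keep)

def location(finding: dict) -> str:
    """file@commit for a git-sourced finding ('?' when metadata is missing)."""
    git = finding.get("SourceMetadata", {}).get("Data", {}).get("Git", {})
    return f"{git.get('file', '?')}@{git.get('commit', '?')[:7]}"

def triage(json_lines: Iterable[str]) -> list[dict]:
    """Parse JSON lines and return report rows sorted by rotation priority."""
    rows = []
    for line in json_lines:
        if not line.strip():
            continue
        f = json.loads(line)
        rows.append({"status": classify(f), "detector": f.get("DetectorName", "?"),
                     "where": location(f), "secret": redact(f.get("Raw", ""))})
    return sorted(rows, key=lambda r: PRIORITY[r["status"]])

if __name__ == "__main__":
    for row in triage(SAMPLE_JSON_LINES):
        print(f"[{row['status']:<10}] {row['detector']:<7} {row['where']:<22} {row['secret']}")
```

Pipe real output in with `trufflehog git <repo> --results=verified,unknown --json > findings.jsonl` and pass the file’s lines to triage().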

Great share as always @SRZ
