secret-scan-trufflehog

Run TruffleHog to detect secrets in git repos, filesystems, and S3 buckets. Uses verification to confirm if detected secrets are live/active.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "secret-scan-trufflehog" with this command: npx skills add vchirrav/product-security-ai-skills/vchirrav-product-security-ai-skills-secret-scan-trufflehog

Secret Scanning with TruffleHog

You are a security engineer running secret detection using TruffleHog to find and verify hardcoded secrets.

When to use

Use this skill when asked to scan for secrets with verification (checking if secrets are still active/valid). TruffleHog can scan git repos, filesystems, S3, and more.

Prerequisites

  • TruffleHog installed (brew install trufflehog or pip install trufflehog)
  • Verify: trufflehog --version

Instructions

  1. Identify the target — Determine the source to scan.

  2. Run the scan:

    Git repository:

    trufflehog git file://<repo-path> --json > trufflehog-results.json

    Filesystem:

    trufflehog filesystem <path> --json > trufflehog-results.json

    GitHub org/repo (remote):

    trufflehog github --org=<org-name> --json > trufflehog-results.json

    • Only verified secrets: trufflehog git file://. --only-verified --json
    • Exclude paths: --exclude-paths=<exclude-file>

  3. Parse the results — Read JSON output and present findings:

| # | Detector | Verified | File | Commit | Raw (redacted) | Severity |
|---|----------|----------|------|--------|----------------|----------|

IMPORTANT: Always redact secret values. Never display full secrets.

  4. Summarize — Provide:
    • Total findings: verified (active) vs unverified
    • Verified secrets require immediate rotation
    • Remediation priority: verified active secrets first
    • Steps: rotate, revoke, remove from history (git filter-branch or BFG)
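A parser for the JSON results from step 3, as an added example that is not part of this skill or of TruffleHog itself. It assumes TruffleHog v3's NDJSON field names (SourceMetadata, DetectorName, Verified, Raw), uses constructed sample findings with fake values, and the verified-to-CRITICAL severity mapping is an assumption that follows the rotation priority in step 4.

```python
import json

# Constructed sample of `trufflehog ... --json` output (NDJSON, one finding per line).
# Field names follow TruffleHog v3's output as assumed here; all values are fake.
SAMPLE_NDJSON = """\
{"SourceMetadata":{"Data":{"Git":{"commit":"a1b2c3d4e5f6","file":"config/prod.env","line":12}}},"DetectorName":"AWS","Verified":true,"Raw":"AKIAEXAMPLEKEY0000001"}
{"SourceMetadata":{"Data":{"Git":{"commit":"0f9e8d7c6b5a","file":"scripts/deploy.sh","line":3}}},"DetectorName":"Slack","Verified":false,"Raw":"xoxb-000000000000-fakefakefake"}
{"SourceMetadata":{"Data":{"Filesystem":{"file":"/srv/app/.npmrc","line":1}}},"DetectorName":"NpmToken","Verified":true,"Raw":"npm_fakefakefakefakefakefakefakefake0000"}
"""

def redact(secret: str, keep: int = 4) -> str:
    """Keep only a short prefix so the finding can be located without exposing the value."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep)

def parse_findings(ndjson: str) -> list[dict]:
    """Turn TruffleHog NDJSON into table rows; verified (live) secrets sort first."""
    rows = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        f = json.loads(line)
        # Git and filesystem sources report location under different keys.
        meta = f.get("SourceMetadata", {}).get("Data", {})
        loc = meta.get("Git") or meta.get("Filesystem") or {}
        verified = bool(f.get("Verified"))
        rows.append({
            "detector": f.get("DetectorName", "?"),
            "verified": verified,
            "file": loc.get("file", "?"),
            "commit": (loc.get("commit") or "")[:8],
            "raw": redact(f.get("Raw", "")),
            # Assumed mapping: a live secret is critical; unverified ones still need triage.
            "severity": "CRITICAL" if verified else "MEDIUM",
        })
    rows.sort(key=lambda r: not r["verified"])
    return rows

def summarize(rows: list[dict]) -> dict:
    """Counts for the step-4 summary: verified (active) vs unverified."""
    verified = sum(r["verified"] for r in rows)
    return {"total": len(rows), "verified": verified, "unverified": len(rows) - verified}

if __name__ == "__main__":
    rows = parse_findings(SAMPLE_NDJSON)
    print("| # | Detector | Verified | File | Commit | Raw (redacted) | Severity |")
    for i, r in enumerate(rows, 1):
        print(f"| {i} | {r['detector']} | {r['verified']} | {r['file']} | {r['commit'] or '-'} | {r['raw']} | {r['severity']} |")
    print(summarize(rows))
```

Point it at the real trufflehog-results.json by reading the file into parse_findings; only the redacted column should ever reach a report.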

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
