🔐 TruffleHog Secret Scanner Automation

João Antonio Lourenço — Tue, 12 May 2026 02:17:02 +0000

Context and Problem

An AWS EKS Cluster was attacked, and its secrets were compromised. The Kubernetes Secrets were not encrypted, anyone who works with Kubernetes know they are only base64-encoded by default.

Task

I had a mission to scan 115 repositories across GitHub and Azure DevOps for secrets exposed anywhere in the Git history.

The goal was simple: identify exposed secrets and provide actionable reports for the engineering team to fix them.

A colleague recommended a tool called TruffleHog, which became the foundation of the workflow.

TruffleHog

"TruffleHog is a secrets scanning tool that digs deep into your code repositories to find secrets, passwords, and sensitive keys."

— TruffleHog official website

My Workflow

Read the TruffleHog documentation;
Ran a test in a personal GitHub repository to see how the tool works;
Check the total amount of repositories to scan, 115;
Designed how I was going to complete the Task:

- Decided to automate the process using Bash and jq.
- The script would receive the repository URL as a parameter.
- Used jq to filter and mask findings.
- Used jq to generate separate JSON files for active and inactive secrets.
- Generated standardized Notion reports to support remediation workflows.
- Used the generated JSON data with Gemini to create the reports.

Report Example

Lessons Learned

- Standardizing reports made remediation much faster.
- Active and inactive secrets should be separated to improve prioritization.
- Automation becomes essential when dealing with dozens of repositories.

Why Bash and jq?

Keep the workflow simple and easy to run.

jq made it easy to:

- filter findings
- mask sensitive values
- split active and inactive secrets
- generate structured outputs

Check the code

ja-lourenco / trufflehog-scan

🔐 TruffleHog Secret Scanner Automation

Simple Bash automation to scan Git repositories for exposed secrets using TruffleHog, classify results, and generate structured outputs.

🚀 Features

Scan any Git repository for secrets
Classify findings (active vs inactive)
Mask sensitive data automatically
Generate structured JSON outputs
Organize results per repository

⚙️ Requirements

Bash
jq
TruffleHog

📦 Install TruffleHog

Official Documentation

Verify installation:

trufflehog --version

📦 Install jq

Official Documentation

Verify installation:

jq --version

▶️ Usage

Clone this repository:

git clone <your-repo-url>
cd <repo-folder>

Make script executable:

chmod +x trufflehog-scan.sh

Run the scan:

./trufflehog-scan.sh <REPOSITORY_URL>

Example:

./trufflehog-scan.sh https://github.com/user/repo.git

📂 Output

A directory will be created with the repository name:

repo-name/
├── repo-name_raw.json       # Full raw scan output
├── repo-name_active.json    # Active (verified) secrets
└── repo-name_inactive.json  # Inactive (unverified) secrets

🧠 How it works

Runs TruffleHog scan on the repository
Filters results using jq
Masks sensitive values
Splits…

View on GitHub

DEV Community: João Antonio Lourenço

🔐 TruffleHog Secret Scanner Automation

Context and Problem

Task

TruffleHog

My Workflow

Report Example

Lessons Learned

Why Bash and jq?

Check the code

ja-lourenco / trufflehog-scan

🔐 TruffleHog Secret Scanner Automation

🚀 Features

⚙️ Requirements

📦 Install TruffleHog

📦 Install jq

▶️ Usage

📂 Output

🧠 How it works