DEV Community

João Antonio Lourenço

🔐 TruffleHog Secret Scanner Automation

Context and Problem

An AWS EKS cluster was attacked and its secrets were compromised. The Kubernetes Secrets were not encrypted; as anyone who works with Kubernetes knows, they are only base64-encoded by default.


Task

I had a mission to scan 115 repositories across GitHub and Azure DevOps for secrets exposed anywhere in the Git history.

The goal was simple: identify exposed secrets and provide actionable reports for the engineering team to fix them.

A colleague recommended a tool called TruffleHog, which became the foundation of the workflow.

TruffleHog

"TruffleHog is a secrets scanning tool that digs deep into your code repositories to find secrets, passwords, and sensitive keys."

— TruffleHog official website


My Workflow

  1. Read the TruffleHog documentation;
  2. Ran a test in a personal GitHub repository to see how the tool works;
  3. Checked the total number of repositories to scan: 115;
  4. Designed how I was going to complete the task:
     - Decided to automate the process using Bash and jq.
     - The script would receive the repository URL as a parameter.
     - Used jq to filter and mask findings.
     - Used jq to generate separate JSON files for active and inactive secrets.
     - Generated standardized Notion reports to support remediation workflows.
     - Used the generated (masked) JSON data with Gemini to create the reports.

Report Example


Lessons Learned

- Standardizing reports made remediation much faster.
- Active and inactive secrets should be separated to improve prioritization.
- Automation becomes essential when dealing with dozens of repositories.

Why Bash and jq?

Keep the workflow simple and easy to run.

jq made it easy to:

- filter findings
- mask sensitive values
- split active and inactive secrets
- generate structured outputs

Check the code

🔐 TruffleHog Secret Scanner Automation

Simple Bash automation to scan Git repositories for exposed secrets using TruffleHog, classify results, and generate structured outputs.

🚀 Features

  • Scan any Git repository for secrets
  • Classify findings (active vs inactive)
  • Mask sensitive data automatically
  • Generate structured JSON outputs
  • Organize results per repository

⚙️ Requirements

  • Bash
  • jq
  • TruffleHog

📦 Install TruffleHog

Official Documentation

Verify installation:

    trufflehog --version

📦 Install jq

Official Documentation

Verify installation:

    jq --version

▶️ Usage

  1. Clone this repository:

    git clone <your-repo-url>
    cd <repo-folder>

  2. Make the script executable:

    chmod +x trufflehog-scan.sh

  3. Run the scan:

    ./trufflehog-scan.sh <REPOSITORY_URL>

Example:

    ./trufflehog-scan.sh https://github.com/user/repo.git

📂 Output

A directory will be created with the repository name:

repo-name/
├── repo-name_raw.json       # Full raw scan output
├── repo-name_active.json    # Active (verified) secrets
└── repo-name_inactive.json  # Inactive (unverified) secrets

🧠 How it works

  • Runs TruffleHog scan on the repository
  • Filters results using jq
  • Masks sensitive values
  • Splits…
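The classify/mask/split stage outlined in "My Workflow" and in "How it works" above, as an added example (this is not the post's trufflehog-scan.sh nor the project's code). It takes the JSON-lines output that `trufflehog git <url> --json` writes, keeps the full raw copy, and uses jq to produce the active (verified) and inactive (unverified) files with the secret value masked. The three findings are constructed sample data with fake values; the field names used (`DetectorName`, `Verified`, `Raw`, `SourceMetadata.Data.Git.file/commit/line`) are assumed to follow TruffleHog v3's output shape, and the helper names (`classify_findings`, `count_findings`, `masked_secret_at`, `detector_at`) are this example's own.

```shell
#!/bin/sh
# Added example, not the post's trufflehog-scan.sh: the classify/mask/split
# stage of the pipeline as POSIX sh + jq. Input is the JSON-lines output of
# `trufflehog git <url> --json`; the field names used (DetectorName,
# Verified, Raw, SourceMetadata.Data.Git.*) are assumed from TruffleHog v3.
set -eu

# Constructed sample of three findings (fake values, shaped like real output).
write_sample_findings() {
  cat > "$1" <<'EOF'
{"SourceMetadata":{"Data":{"Git":{"commit":"c0ffee1","file":"config/prod.env","line":12}}},"DetectorName":"AWS","DecoderName":"PLAIN","Verified":true,"Raw":"AKIAEXAMPLE0000000A1"}
{"SourceMetadata":{"Data":{"Git":{"commit":"deadbee","file":"scripts/notify.sh","line":3}}},"DetectorName":"SlackWebhook","DecoderName":"PLAIN","Verified":false,"Raw":"https://hooks.slack.com/services/T000/B000/EXAMPLE"}
{"SourceMetadata":{"Data":{"Git":{"commit":"f00dbad","file":"README.md","line":40}}},"DetectorName":"Github","DecoderName":"BASE64","Verified":false,"Raw":"ghp_EXAMPLE000000000000000000000000000"}
EOF
}

# jq filter: keep the context a developer needs to locate and rotate the
# secret, but replace the secret itself with its first 4 chars + '*' padding.
SUMMARY='{
  detector: .DetectorName,
  verified: .Verified,
  secret:   (if (.Raw | length) > 4
             then .Raw[0:4] + ("*" * ((.Raw | length) - 4))
             else "****" end),
  file:     .SourceMetadata.Data.Git.file,
  commit:   .SourceMetadata.Data.Git.commit,
  line:     .SourceMetadata.Data.Git.line
}'

# classify_findings <findings.jsonl> <outdir> <repo-name>
# Writes <repo-name>_raw.json (unmasked, chmod 600 because it holds the
# plaintext secrets), <repo-name>_active.json (Verified == true: rotate
# first) and <repo-name>_inactive.json (everything else: still remove).
classify_findings() {
  input="$1"; outdir="$2"; name="$3"
  mkdir -p "$outdir"
  jq -s '.' "$input" > "$outdir/${name}_raw.json"
  chmod 600 "$outdir/${name}_raw.json"
  jq -s "[.[] | select(.Verified == true) | $SUMMARY]" "$input" \
     > "$outdir/${name}_active.json"
  jq -s "[.[] | select(.Verified != true) | $SUMMARY]" "$input" \
     > "$outdir/${name}_inactive.json"
}

# Small readers used for reporting (and for checking the result).
count_findings()   { jq 'length' "$1"; }
masked_secret_at() { jq -r ".[$2].secret" "$1"; }
detector_at()      { jq -r ".[$2].detector" "$1"; }

# Demo run on the constructed sample.
WORK="$(mktemp -d)"
write_sample_findings "$WORK/sample.jsonl"
classify_findings "$WORK/sample.jsonl" "$WORK/out" demo
echo "active:   $(count_findings "$WORK/out/demo_active.json")"
echo "inactive: $(count_findings "$WORK/out/demo_inactive.json")"
jq '.' "$WORK/out/demo_active.json"
```

In a real run the sample writer is replaced by `trufflehog git "$REPO_URL" --json > findings.jsonl`, and only the two masked files are handed to the reporting step (Notion, or an LLM such as the Gemini step in the post); the raw file stays on the scanning host, since it is the one artifact that still contains the secrets in clear.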