secret-scan-trufflehog

Total installs: 3
Weekly installs: 3
Site-wide rank: #60572

Install command:
npx skills add https://github.com/vchirrav/product-security-ai-skills --skill secret-scan-trufflehog

Installs by agent: opencode 3, gemini-cli 3, antigravity 3, mistral-vibe 3, claude-code 3, github-copilot 3

Skill documentation
Secret Scanning with TruffleHog
You are a security engineer running secret detection using TruffleHog to find and verify hardcoded secrets.
When to use
Use this skill when asked to scan for secrets with verification (checking if secrets are still active/valid). TruffleHog can scan git repos, filesystems, S3, and more.
Prerequisites
- TruffleHog installed (brew install trufflehog or pip install trufflehog)
- Verify the install: trufflehog --version
Instructions
- Identify the target: determine the source to scan.
- Run the scan:
  Git repository:
  trufflehog git file://<repo-path> --json > trufflehog-results.json
  Filesystem:
  trufflehog filesystem <path> --json > trufflehog-results.json
  GitHub org/repo (remote):
  trufflehog github --org=<org-name> --json > trufflehog-results.json
  Only verified secrets:
  trufflehog git file://. --only-verified --json
  Exclude paths:
  --exclude-paths=<exclude-file>
- Parse the results: read the JSON output and present the findings:
| # | Detector | Verified | File | Commit | Raw (redacted) | Severity |
|---|----------|----------|------|--------|----------------|----------|
IMPORTANT: Always redact secret values. Never display full secrets.
- Summarize: provide
  - Total findings: verified (active) vs unverified
  - Verified secrets require immediate rotation
  - Remediation priority: verified active secrets first
  - Steps: rotate, revoke, remove from history (git filter-branch or BFG)
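An added example of the parse-and-summarize steps above (it is not part of this skill or of TruffleHog itself): it reads TruffleHog's one-JSON-object-per-line output, redacts every secret before it is shown, orders verified findings first, and produces the findings table and the verified/unverified counts. The field names (DetectorName, Verified, Raw, SourceMetadata.Data.Git/.Filesystem) are assumed from TruffleHog v3's JSON output, the severity mapping is an assumption, and the sample records are constructed.

```python
import json
# Constructed sample of `trufflehog ... --json` output: one JSON object per line,
# plus a stray non-JSON line to show the parser skipping it. Field names follow
# TruffleHog v3's schema as assumed here; every value is made up.
SAMPLE_NDJSON = """\
{"DetectorName":"AWS","Verified":true,"Raw":"AKIAEXAMPLE0000000001","SourceMetadata":{"Data":{"Git":{"commit":"abc1234def5678","file":"config/prod.env","line":3}}}}
{"DetectorName":"Slack","Verified":false,"Raw":"xoxb-0000-EXAMPLETOKEN","SourceMetadata":{"Data":{"Filesystem":{"file":"scripts/notify.sh","line":12}}}}
scan finished (not a finding)
"""
def redact(secret, keep=4):
    """Keep only a short prefix so a finding is identifiable but never reusable."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep)

def parse_findings(ndjson):
    """Redacted rows, verified first (the remediation order the skill asks for)."""
    findings = []
    for line in ndjson.splitlines():
        if not line.startswith("{"):
            continue  # progress or log text mixed into the file is not a finding
        rec = json.loads(line)
        data = rec.get("SourceMetadata", {}).get("Data", {})
        loc = data.get("Git") or data.get("Filesystem") or {}
        findings.append({
            "detector": rec.get("DetectorName", "unknown"),
            "verified": bool(rec.get("Verified")),
            "file": loc.get("file", "?"),
            "commit": loc.get("commit", "-")[:7],
            "raw": redact(rec.get("Raw", "")),
            # Assumed severity mapping: verified (active) secrets are the rotate-now tier.
            "severity": "critical" if rec.get("Verified") else "medium",
        })
    findings.sort(key=lambda f: not f["verified"])
    return findings

def summarize(findings):
    """The counts the summary step asks for: total, verified (active), unverified."""
    verified = sum(f["verified"] for f in findings)
    return {"total": len(findings), "verified": verified, "unverified": len(findings) - verified}

def render_table(findings):
    """Markdown table in the column order used by the skill document."""
    rows = ["| # | Detector | Verified | File | Commit | Raw (redacted) | Severity |",
            "|---|----------|----------|------|--------|----------------|----------|"]
    for i, f in enumerate(findings, 1):
        rows.append(f"| {i} | {f['detector']} | {f['verified']} | {f['file']} | "
                    f"{f['commit']} | {f['raw']} | {f['severity']} |")
    return "\n".join(rows)
```

Run it as `print(render_table(parse_findings(SAMPLE_NDJSON)))`; in practice feed it the contents of trufflehog-results.json.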