Detecting AWS Credential Exposure with TruffleHog

When to Use

  • When integrating secrets detection into CI/CD pipelines to prevent credential commits reaching production
  • When performing a security audit of existing repositories for historically committed AWS credentials
  • When responding to an AWS GuardDuty alert about credential usage from an unexpected IP or region
  • When onboarding repositories from acquired companies or third-party vendors
  • When validating that credential rotation processes have removed all references to old access keys

Do not use for real-time credential monitoring (use AWS GuardDuty or Amazon Macie), for managing secrets (use AWS Secrets Manager or HashiCorp Vault), or for detecting non-credential sensitive data like PII (use Amazon Macie or DLP tools).

Prerequisites

  • TruffleHog v3 installed (brew install trufflehog or pip install trufflehog)
  • git-secrets installed for pre-commit hook integration (brew install git-secrets)
  • Access to source code repositories (GitHub, GitLab, Bitbucket, or local git repos)
  • AWS CLI configured with permissions to check key status (iam:ListAccessKeys, iam:GetAccessKeyLastUsed)
  • GitHub or GitLab API token for scanning organization-wide repositories
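As an added example (not part of this skill or of TruffleHog's own code), the Python below triages the newline-delimited JSON that TruffleHog v3 prints with `--json`: it keeps only the AWS detections, classifies each access key ID by prefix, and checks every finding against the list of keys a rotation process claims to have retired, which is the "validating credential rotation" case above. The field names (`DetectorName`, `Verified`, `Raw`, `Redacted`, `SourceMetadata.Data.Git`) are assumed from TruffleHog v3's JSON output; the sample lines and the retired-key list are constructed.

```python
"""Triage TruffleHog v3 --json output for AWS credential findings.

Keeps the AWS detections, classifies each access key ID, and compares the
findings with the keys a rotation process says it retired, so leftover
references are reported even when TruffleHog can no longer verify them.
"""
import json
import re

# AWS access key IDs are 20 characters; the prefix identifies the key type
# (AKIA = long-term IAM user key, ASIA = temporary STS credential).
KEY_ID_RE = re.compile(r"\b(A(?:KIA|SIA)[A-Z0-9]{16})\b")

# Constructed sample of TruffleHog JSON lines (one object per line). The field
# names are assumed from TruffleHog v3's --json output; every value is made up.
SAMPLE_OUTPUT = "\n".join(json.dumps(rec) for rec in [
    {"DetectorName": "AWS", "Verified": True,
     "Raw": "AKIAEXAMPLEKEY000001", "Redacted": "AKIAEXAMPLEKEY000001",
     "SourceMetadata": {"Data": {"Git": {"commit": "a1b2c3d",
                                          "file": "config/prod.env", "line": 4}}}},
    {"DetectorName": "AWS", "Verified": True,
     "Raw": "ASIAEXAMPLETEMP00002", "Redacted": "ASIAEXAMPLETEMP00002",
     "SourceMetadata": {"Data": {"Git": {"commit": "b2c3d4e",
                                          "file": "scripts/deploy.sh", "line": 12}}}},
    {"DetectorName": "AWS", "Verified": False,
     "Raw": "AKIAEXAMPLEOLDKEY003", "Redacted": "AKIAEXAMPLEOLDKEY003",
     "SourceMetadata": {"Data": {"Git": {"commit": "c3d4e5f",
                                          "file": "README.md", "line": 40}}}},
    {"DetectorName": "SlackWebhook", "Verified": True,
     "Raw": "hooks.slack.com/services/constructed", "Redacted": "hooks.slack.com/...",
     "SourceMetadata": {"Data": {"Git": {"commit": "d4e5f6a",
                                          "file": "notify.py", "line": 7}}}},
])

# Constructed: keys the rotation runbook says were deleted from IAM.
RETIRED_KEYS = {"AKIAEXAMPLEOLDKEY003"}


def parse_trufflehog_json(text):
    """Parse one JSON object per non-empty line, as trufflehog --json emits."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def aws_findings(records):
    """Reduce raw records to AWS findings with the fields triage needs."""
    findings = []
    for rec in records:
        if rec.get("DetectorName") != "AWS":
            continue
        match = KEY_ID_RE.search(rec.get("Redacted") or rec.get("Raw") or "")
        if not match:
            continue  # AWS detector hit without a recognisable key ID
        key_id = match.group(1)
        git = rec.get("SourceMetadata", {}).get("Data", {}).get("Git", {})
        findings.append({
            "key_id": key_id,
            "key_type": "long-term" if key_id.startswith("AKIA") else "temporary",
            "verified": bool(rec.get("Verified")),
            "file": git.get("file"),
            "commit": git.get("commit"),
            "line": git.get("line"),
        })
    return findings


def summarize(text, retired_keys):
    """Counts plus the retired keys that still appear in the scanned history."""
    findings = aws_findings(parse_trufflehog_json(text))
    lingering = sorted({f["key_id"] for f in findings if f["key_id"] in retired_keys})
    return {
        "aws_findings": len(findings),
        "verified": sum(f["verified"] for f in findings),
        "unverified": sum(not f["verified"] for f in findings),
        "temporary": sum(f["key_type"] == "temporary" for f in findings),
        "lingering_retired": lingering,
    }


if __name__ == "__main__":
    # Real use: trufflehog git file://. --json > findings.jsonl, then read that file.
    report = summarize(SAMPLE_OUTPUT, RETIRED_KEYS)
    print(json.dumps(report, indent=2))
    for finding in aws_findings(parse_trufflehog_json(SAMPLE_OUTPUT)):
        if finding["verified"]:
            # Verified long-term keys are the ones to disable and rotate first;
            # the commit and file locate the history that needs rewriting.
            print("LIVE", finding["key_type"], finding["key_id"],
                  f'{finding["file"]}@{finding["commit"]}:{finding["line"]}')
```

Verified findings are live credentials and take priority; an unverified hit on a key in the retired list is still worth a look, because the reference survives in history and the rotation process missed it.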

Installs: 8 · GitHub Stars: 6.2K · First Seen: Mar 20, 2026