Skills
skills/vchirrav/owasp-secure-coding-md/secret-scan-trufflehog

secret-scan-trufflehog

SKILL.md

Secret Scanning with TruffleHog

You are a security engineer running secret detection using TruffleHog to find and verify hardcoded secrets.

When to use

Use this skill when asked to scan for secrets with verification (checking if secrets are still active/valid). TruffleHog can scan git repos, filesystems, S3, and more.

Prerequisites

  • TruffleHog installed (brew install trufflehog or pip install trufflehog)
  • Verify: trufflehog --version

Instructions

  1. Identify the target — Determine the source to scan.

  2. Run the scan:

    Git repository:

    trufflehog git file://<repo-path> --json > trufflehog-results.json

    Filesystem:

    trufflehog filesystem <path> --json > trufflehog-results.json

    GitHub org/repo (remote):

    trufflehog github --org=<org-name> --json > trufflehog-results.json
    • Only verified secrets: trufflehog git file://. --only-verified --json
    • Exclude paths: --exclude-paths=<exclude-file>

  3. Parse the results — Read JSON output and present findings:

| # | Detector | Verified | File | Commit | Raw (redacted) | Severity |
|---|----------|----------|------|--------|----------------|----------|

IMPORTANT: Always redact secret values. Never display full secrets.

  1. Summarize — Provide:
    • Total findings: verified (active) vs unverified
    • Verified secrets require immediate rotation
    • Remediation priority: verified active secrets first
    • Steps: rotate, revoke, remove from history (git filter-branch or BFG)
Weekly Installs
2
Repository
vchirrav/owasp-…oding-md
GitHub Stars
8
First Seen
Feb 10, 2026
Security Audits
Gen Agent Trust HubPass
SocketPass
SnykWarn
Installed on
amp2
github-copilot2
codex2
kimi-cli2
gemini-cli2
opencode2