Install TruffleHog via the official script or Homebrew: brew install trufflesecurity/trufflehog/trufflehog.
Run a full history scan against a local repository: trufflehog git file://./your-repo --only-verified to surface only credentials that verify as live against their upstream services.
Scan a remote repository directly by providing the HTTPS clone URL: trufflehog git https://github.com/org/repo --only-verified.
Add the TruffleHog GitHub Action to your CI workflow to scan only the commits in each pull request, failing the build on any verified finding.
Use --json output to pipe results into a SIEM or alerting system: trufflehog git file://./your-repo --only-verified --json.
After a verified secret is found, immediately revoke it in the issuing service, then use git filter-repo to remove it from history and force-push.
Known gotchas
TruffleHog verifies secrets by making live network calls to APIs; run it only on networks that allow egress, and be aware that verification attempts may be logged by the target service.
The --only-verified flag skips unverified findings; omit it for a broader scan that may surface expired or test credentials worth investigating.
Scanning large monorepos with deep git history can be slow; use --since-commit to limit scope to recent commits in CI contexts.
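A sketch of the SIEM hand-off for the --json output described above, added here as an illustration and not taken from TruffleHog or this page's author. The function name, event field names and severity labels are assumptions; the sample input is constructed, using the field names TruffleHog v3 emits (DetectorName, Verified, Raw, SourceMetadata.Data.Git). It forwards a SHA-256 fingerprint instead of the secret, so the alerting pipeline never stores a live credential, and it can optionally keep the unverified findings mentioned in the gotchas.

```python
import hashlib
import json

# Constructed sample of `trufflehog git ... --json` output, one JSON object per line.
# All values are made up; the last two lines stand in for non-finding noise in the stream.
SAMPLE_OUTPUT = """\
{"SourceMetadata":{"Data":{"Git":{"commit":"1111111aaaaaaa","file":"config/deploy.env","email":"dev@example.com","repository":"https://github.com/org/repo","line":4}}},"DetectorName":"AWS","Verified":true,"Raw":"EXAMPLE-NOT-A-REAL-KEY-1"}
{"SourceMetadata":{"Data":{"Git":{"commit":"2222222bbbbbbb","file":"tests/fixtures.py","email":"dev@example.com","repository":"https://github.com/org/repo","line":9}}},"DetectorName":"Slack","Verified":false,"Raw":"EXAMPLE-NOT-A-REAL-TOKEN-2"}
{"level":"info","msg":"constructed non-finding record"}
not json at all
"""

def to_siem_events(stream, include_unverified=False):
    """Turn TruffleHog JSON lines into alert events that never carry the raw secret."""
    events = []
    for line in stream.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip anything that is not JSON
        if not isinstance(rec, dict) or "DetectorName" not in rec:
            continue  # skip JSON records that are not findings
        verified = bool(rec.get("Verified"))
        if not verified and not include_unverified:
            continue
        git = ((rec.get("SourceMetadata") or {}).get("Data") or {}).get("Git") or {}
        raw = rec.get("Raw") or ""
        events.append({
            "detector": rec["DetectorName"],
            "verified": verified,
            "severity": "critical" if verified else "low",  # assumed labels
            "repository": git.get("repository"),
            "commit": git.get("commit"),
            "file": git.get("file"),
            "line": git.get("line"),
            "author": git.get("email"),
            # Fingerprint only: enough to deduplicate and correlate the same
            # credential across repositories without storing it downstream.
            "secret_sha256": hashlib.sha256(raw.encode()).hexdigest(),
        })
    return events

if __name__ == "__main__":
    for event in to_siem_events(SAMPLE_OUTPUT):
        print(json.dumps(event))
```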