TruffleHog
Find and verify leaked credentials
The Lens
TruffleHog finds leaked secrets in your code (API keys, passwords, tokens) and verifies whether they're actually live and valid. That's the key difference from other secret scanners. Instead of flagging every high-entropy string, TruffleHog checks if that AWS key still works, if that Slack token is active, if that database password connects.
AGPL v3, Go. Scans Git repos, GitHub/GitLab orgs, S3 buckets, Docker images, and filesystems. 800+ credential detectors with built-in verification. The CLI is fast and the output tells you exactly which secrets are verified-active vs. unverified.
The open source CLI is free under AGPL. TruffleSecurity offers an Enterprise platform with a dashboard, API, team management, and continuous monitoring. Pricing is custom. For solo developers and small teams: the CLI is everything you need. Run it on your repos, pipe it into CI, done. Medium teams: the CLI still works, but the Enterprise dashboard adds visibility. Large teams: Enterprise for org-wide scanning and compliance reporting.
The catch: the AGPL license. If you're building a product that incorporates TruffleHog, the copyleft terms require you to open source your code. For internal use it doesn't matter, but SaaS products need to be careful. Also, verification means TruffleHog actually attempts to authenticate with the credentials it finds. In rare cases, this could trigger rate limits or account lockouts on the service being tested.
Free vs Self-Hosted vs Paid
open core

### Free Tier
Open source CLI under AGPL v3. All 800+ detectors, verification, Git/GitHub/S3 scanning. Free. No feature restrictions on the CLI itself.

### Paid (Enterprise)
TruffleSecurity Enterprise: dashboard, API, continuous monitoring, team management, compliance reporting. Pricing is custom; contact for quotes. Targeted at security teams managing large organizations.

### Self-Hosted Costs
The CLI is a single binary. Zero infrastructure cost beyond your CI runner. Org-wide scans of large GitHub organizations take compute time but no special infrastructure.

### When to Pay
Pay for Enterprise when you need a centralized dashboard, continuous scanning across 100+ repos, or compliance audit trails. The CLI handles individual repo scanning at any scale.
CLI is free and powerful. Enterprise for centralized dashboards and compliance at org scale.
About
- Stars: 25,548
- Forks: 2,307