Tool integration

TruffleHog Integration Guide

Credential scanner for git, filesystems, and cloud services

Get a Free API Key

Integrate TruffleHog with Vulnetix. Scan for leaked credentials across git repos, filesystems, S3, GCS, and more. Outputs JSON.

CLI toolSARIF

Install & scan

$ curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
$ trufflehog filesystem --json . > trufflehog.json

Run TruffleHog in CI

Scan on every push and upload the results to Vulnetix:

- name: Install TruffleHog
  run: curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
- name: Run TruffleHog
  run: trufflehog filesystem --only-verified --json . > trufflehog.json
- name: Upload to Vulnetix
  run: vulnetix upload --file trufflehog.json

How Vulnetix compares — better together

Vulnetix does not replace TruffleHog. Keep running it. Vulnetix sits on top of TruffleHog — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.

TruffleHog is strongest at its core category and also carries features in Container & Image Scanning — just like Vulnetix spans categories.

CapabilityVulnetixTruffleHog
Security coverage
SAST (static code analysis)Built-in rules + Semgrep augmentation
SCA / dependencies40+ ecosystems, transitive graph
DAST (dynamic testing)~ Ingests DAST results; no native dynamic engine
Container & imageImage CVEs, base image, Dockerfile~ `trufflehog docker --image` pulls and scans image layers — for baked-in secrets only, not CVE/OCI vuln scanning
IaC / misconfigurationTerraform, k8s, CloudFormation
Secret scanning1,000+ rules, source + binary + git historyCore: 800+ detectors with live API verification across git, filesystem, cloud buckets, CI
Cloud / CSPMCloud-posture findings, compliance tab
Mobile (MAST)~ Ingests mobile scanner output; no native mobile engine
License complianceSPDX, copyleft/AGPL/SSPL policy
SBOM generationCycloneDX 1.7 + SPDX 2.3, cosign-signable
Malware / supply-chainDe-duplicated corpus + install-time firewall (25+ registries)
Network / infra vuln~ Ingests network scanner output; no native network scanner
FuzzingIngests fuzzing crashes; no native fuzzer
Pentest / bug bountyIngests pentest/bug-bounty findings; not a testing service
The Vulnetix orchestration layer
Cross-scanner dedup & one queue (ASPM)Correlates every scanner into one prioritised queue with ownership routing
Exploit-intel prioritisationEPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV
Reachability analysisTree-sitter + CVEAffected; direct/transitive/semantic
Versioned VEX + audit trailImmutable OpenVEX/CycloneDX, cosign-signable
Safe Harbour autofixResolves + applies the nearest safe version
End-of-life policyFlags/blocks past-EOL runtimes & packages
SSVC / risk-based policySSVC v2 + CISA/FedRAMP/Essential-8 presets

✓ full · ~ partial · ✗ not covered

What TruffleHog does well

Where Vulnetix adds to it: TruffleHog's verification is genuinely superior at proving a secret is live, and its Docker/npm-package scanning is secrets-only, not CVE or dependency analysis. Vulnetix ingests TruffleHog output into the unified queue, dedupes it with its own secret and container scanners, and wraps it in exploit-intel prioritisation, versioned VEX/audit, EOL and SSVC policy. Better together: TruffleHog confirms the live credential, Vulnetix orchestrates remediation and attestation across every other finding class.

No migration, no rip-and-replace. TruffleHog keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.

Centralise TruffleHog results in Vulnetix

Upload TruffleHog SARIF output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.

TruffleHog documentation ↗  ·  Source repository ↗

Wire TruffleHog into your CI/CD pipeline →