Integrate TruffleHog with Vulnetix. Scan for leaked credentials across git repos, filesystems, S3, GCS, and more. Outputs JSON.
Install & scan
$ curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin $ trufflehog filesystem --json . > trufflehog.json
Run TruffleHog in CI
Scan on every push and upload the results to Vulnetix:
- name: Install TruffleHog run: curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin - name: Run TruffleHog run: trufflehog filesystem --only-verified --json . > trufflehog.json - name: Upload to Vulnetix run: vulnetix upload --file trufflehog.json
How Vulnetix compares — better together
Vulnetix does not replace TruffleHog. Keep running it. Vulnetix sits on top of TruffleHog — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.
TruffleHog is strongest at its core category and also carries features in Container & Image Scanning — just like Vulnetix spans categories.
| Capability | Vulnetix | TruffleHog |
|---|---|---|
| Security coverage | ||
| SAST (static code analysis) | ✓ Built-in rules + Semgrep augmentation | ✗ |
| SCA / dependencies | ✓ 40+ ecosystems, transitive graph | ✗ |
| DAST (dynamic testing) | ~ Ingests DAST results; no native dynamic engine | ✗ |
| Container & image | ✓ Image CVEs, base image, Dockerfile | ~ `trufflehog docker --image` pulls and scans image layers — for baked-in secrets only, not CVE/OCI vuln scanning |
| IaC / misconfiguration | ✓ Terraform, k8s, CloudFormation | ✗ |
| Secret scanning | ✓ 1,000+ rules, source + binary + git history | ✓ Core: 800+ detectors with live API verification across git, filesystem, cloud buckets, CI |
| Cloud / CSPM | ✓ Cloud-posture findings, compliance tab | ✗ |
| Mobile (MAST) | ~ Ingests mobile scanner output; no native mobile engine | ✗ |
| License compliance | ✓ SPDX, copyleft/AGPL/SSPL policy | ✗ |
| SBOM generation | ✓ CycloneDX 1.7 + SPDX 2.3, cosign-signable | ✗ |
| Malware / supply-chain | ✓ De-duplicated corpus + install-time firewall (25+ registries) | ✗ |
| Network / infra vuln | ~ Ingests network scanner output; no native network scanner | ✗ |
| Fuzzing | ✗ Ingests fuzzing crashes; no native fuzzer | ✗ |
| Pentest / bug bounty | ✗ Ingests pentest/bug-bounty findings; not a testing service | ✗ |
| The Vulnetix orchestration layer | ||
| Cross-scanner dedup & one queue (ASPM) | ✓ Correlates every scanner into one prioritised queue with ownership routing | ✗ |
| Exploit-intel prioritisation | ✓ EPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV | ✗ |
| Reachability analysis | ✓ Tree-sitter + CVEAffected; direct/transitive/semantic | ✗ |
| Versioned VEX + audit trail | ✓ Immutable OpenVEX/CycloneDX, cosign-signable | ✗ |
| Safe Harbour autofix | ✓ Resolves + applies the nearest safe version | ✗ |
| End-of-life policy | ✓ Flags/blocks past-EOL runtimes & packages | ✗ |
| SSVC / risk-based policy | ✓ SSVC v2 + CISA/FedRAMP/Essential-8 presets | ✗ |
✓ full · ~ partial · ✗ not covered
What TruffleHog does well
- 800+ credential detectors with live verification — actively tests found keys against the provider API so a 'verified' finding is a confirmed live credential, dramatically cutting false positives
- Broad surface coverage: git history, filesystems, S3/GCS buckets, Docker images, npm packages, Slack, and CI — not just source repos
- 'Analyze' feature enumerates the actual resources and permissions a leaked key grants, giving real blast-radius context for incident response
Where Vulnetix adds to it: TruffleHog's verification is genuinely superior at proving a secret is live, and its Docker/npm-package scanning is secrets-only, not CVE or dependency analysis. Vulnetix ingests TruffleHog output into the unified queue, dedupes it with its own secret and container scanners, and wraps it in exploit-intel prioritisation, versioned VEX/audit, EOL and SSVC policy. Better together: TruffleHog confirms the live credential, Vulnetix orchestrates remediation and attestation across every other finding class.
No migration, no rip-and-replace. TruffleHog keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.
Centralise TruffleHog results in Vulnetix
Upload TruffleHog SARIF output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.