Detecting AWS Credential Exposure with TruffleHog
When to Use
- When integrating secrets detection into CI/CD pipelines to stop committed credentials from reaching production
- When performing a security audit of existing repositories for historically committed AWS credentials
- When responding to an AWS GuardDuty alert about credential usage from an unexpected IP or region
- When onboarding repositories from acquired companies or third-party vendors
- When validating that credential rotation processes have removed all references to old access keys
Do not use for real-time credential monitoring (use AWS GuardDuty or Amazon Macie), for managing secrets (use AWS Secrets Manager or HashiCorp Vault), or for detecting non-credential sensitive data like PII (use Amazon Macie or DLP tools).
Prerequisites
- TruffleHog v3 installed (`brew install trufflehog` or `pip install trufflehog`)
- git-secrets installed for pre-commit hook integration (`brew install git-secrets`)
- Access to source code repositories (GitHub, GitLab, Bitbucket, or local git repos)
- AWS CLI configured with permissions to check key status (`iam:ListAccessKeys`, `iam:GetAccessKeyLastUsed`)
- GitHub or GitLab API token for scanning organization-wide repositories
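As an added example that is not part of this skill's own content, the following Python triage step takes TruffleHog's `--json` findings, collapses them to one entry per AWS access key ID with every commit where it appeared, and emits the `aws iam get-access-key-last-used` calls that the `iam:GetAccessKeyLastUsed` permission above is for. The finding field names follow TruffleHog v3's JSON layout as an assumption, and the sample findings are constructed using AWS's documented example key IDs.

```python
import json
import re

# Long-term (AKIA) or temporary (ASIA) AWS access key IDs: 4-char prefix + 16 chars.
AWS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")

# Constructed sample of `trufflehog git ... --json` output (NDJSON, one finding per line).
# Field names follow TruffleHog v3's JSON layout as an assumption; key IDs are AWS's documented examples.
def _finding(detector, verified, raw, commit, path, line):
    return {"DetectorName": detector, "Verified": verified, "Raw": raw,
            "SourceMetadata": {"Data": {"Git": {"commit": commit, "file": path, "line": line}}}}

SAMPLE_NDJSON = "\n".join(json.dumps(f) for f in [
    _finding("AWS", True, "AKIAIOSFODNN7EXAMPLE", "a1b2c3d", "config/prod.env", 12),
    _finding("AWS", True, "AKIAIOSFODNN7EXAMPLE", "9f8e7d6", "scripts/deploy.sh", 3),  # same key again
    _finding("AWS", False, "AKIAI44QH8DHBEXAMPLE", "0c0ffee", "docs/setup.md", 40),
    _finding("Github", False, "ghp_not_an_aws_key", "0c0ffee", "README.md", 1),  # other detector
])

def parse_findings(ndjson: str) -> list:
    """Parse NDJSON findings; skip blank or non-JSON lines (log output can be interleaved)."""
    findings = []
    for line in ndjson.splitlines():
        try:
            findings.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return findings

def summarize_aws_keys(findings: list) -> dict:
    """One entry per access key ID with every commit location; verified if any hit was verified."""
    summary = {}
    for f in findings:
        if f.get("DetectorName") != "AWS":
            continue
        m = AWS_KEY_ID_RE.search(f.get("Raw", ""))
        if not m:
            continue
        git = f.get("SourceMetadata", {}).get("Data", {}).get("Git", {})
        entry = summary.setdefault(m.group(1), {"verified": False, "locations": []})
        entry["verified"] = entry["verified"] or bool(f.get("Verified"))
        entry["locations"].append(f"{git.get('commit')}:{git.get('file')}:{git.get('line')}")
    return summary

def iam_lookup_commands(summary: dict) -> list:
    """One AWS CLI call per unique key to check last use (requires iam:GetAccessKeyLastUsed)."""
    return [f"aws iam get-access-key-last-used --access-key-id {k}" for k in sorted(summary)]

def should_fail_pipeline(summary: dict) -> bool:
    """Fail the CI job only on live (verified) keys; unverified hits go to manual triage."""
    return any(v["verified"] for v in summary.values())
```

Feed it real output with `trufflehog git file://. --json > findings.ndjson` and pass the file contents to `parse_findings`; a key that IAM reports as recently used after its commit date is the one to rotate first.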