This repository implements automated secret scanning to prevent accidental credential commits.
- Pre-commit Hook (Local) - Optional local validation on your machine
- GitHub Actions (Required) - Automated server-side checks on all commits
- TruffleHog Scanner - Detects API keys, tokens, passwords, and other credentials
Install TruffleHog locally to catch secrets before pushing:
# Install TruffleHog
pip install trufflehog
# Enable the pre-commit hook (make it executable)
chmod +x .git/hooks/pre-commitNow, any commit with secrets will be blocked locally before reaching the server.
If you prefer manual scanning:
# Scan current uncommitted changes
trufflehog filesystem .
# Scan specific file
trufflehog filesystem path/to/fileAct immediately — exposed credentials pose security risks.
Check the failed workflow run to see which patterns matched.
- Change API keys, tokens, and passwords immediately
- Update services that use the exposed credential
- Monitor for unauthorized access
Use git filter-branch or git rebase to remove the secret:
# Option A: Rebase to remove the commit (if not yet pushed to main)
git rebase -i HEAD~N # N = number of commits to rebase
# Option B: Use git filter-branch for complex scenarios
git filter-branch --tree-filter 'rm -f path/to/secret-file' HEADgit push -f origin your-branchTruffleHog detects patterns for:
- AWS credentials
- Private keys (RSA, DSA, EC, PGP)
- Database credentials
- API tokens and keys
- OAuth tokens
- Slack tokens
- GitHub tokens
- And many more...
If TruffleHog flags something that isn't actually a secret:
- Use
truffleHogdirectly to verify - Document the false positive in a comment
- Contact the security team if you need an exception
Never commit .env files containing actual secrets.
# ✅ Good: Use .env.example with placeholder values
DB_PASSWORD=your_password_here
API_KEY=your_api_key_here
# ✅ Good: Add to .gitignore
echo ".env" >> .gitignore
# ❌ Wrong: Never commit actual credentials
# .env files with real values should always be in .gitignoreIf you encounter false positives or have questions, open an issue or contact the security team.
Last Updated: June 2026