
TruffleHog
Find and verify leaked credentials
Coldcast Lens
TruffleHog is your last line of defense against the "I accidentally committed my AWS keys" disaster. It scans Git repos, S3 buckets, Slack, and more for leaked credentials, then actually verifies whether those secrets are still live. That verification step is what separates it from grep-with-regex.
If you've ever pushed a .env file to GitHub (we all have), you need this in your CI pipeline yesterday. Gitleaks is the main alternative — faster, lighter, great for pre-commit hooks, but it doesn't verify credentials. On the commercial side, GitGuardian offers slick dashboards and team workflows but charges per developer.
Best for any team shipping code to public repos. Solo founders should at minimum run it as a pre-commit hook. The scan-and-verify workflow catches real problems, not just pattern matches.
The catch: it's AGPL-3.0. If you're building a security SaaS, you can't embed TruffleHog without open-sourcing your code. For internal use, that's fine. For a product, talk to a lawyer.
About
- Stars: 25,204
- Forks: 2,271