Detecting exposed AWS credentials in source code repositories, CI/CD pipelines, and configuration files using TruffleHog, git-secrets, and AWS-native detection mechanisms to prevent credential theft and unauthorized account access.
Do not use for real-time credential monitoring (use AWS GuardDuty or Amazon Macie), for managing secrets (use AWS Secrets Manager or HashiCorp Vault), or for detecting non-credential sensitive data like PII (use Amazon Macie or DLP tools).
brew install trufflehog or pip install trufflehog)brew install git-secrets)iam:ListAccessKeys, iam:GetAccessKeyLastUsed)Install TruffleHog v3 and verify it can detect the AWS credential patterns.
# Install TruffleHog v3
pip install trufflehog
# Or install from binary release
curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
# Verify installation
trufflehog --version
# Test with a known test repository
trufflehog git https://github.com/trufflesecurity/test_keys --only-verified
Scan entire git history including all branches and commits for AWS access keys, secret keys, and session tokens.
# Scan a local git repository (full history)
trufflehog git file:///path/to/repo --only-verified --json > trufflehog-results.json
# Scan a GitHub organization's repositories
trufflehog github --org=your-organization --token=$GITHUB_TOKEN --only-verified
# Scan a specific GitHub repository with all branches
trufflehog git https://github.com/org/repo.git --only-verified --branch=main
# Scan a GitLab group
trufflehog gitlab --group=your-group --token=$GITLAB_TOKEN --only-verified
# Scan filesystem paths for credentials in config files
trufflehog filesystem /path/to/project --only-verified
Parse TruffleHog results to identify verified (still-active) credentials versus rotated or test keys.
# Parse TruffleHog JSON output for AWS findings
cat trufflehog-results.json | python3 -c "
import json, sys
for line in sys.stdin:
finding = json.loads(line)
if 'AWS' in finding.get('DetectorName', ''):
print(f\"Detector: {finding['DetectorName']}\")
print(f\"Verified: {finding.get('Verified', False)}\")
print(f\"Source: {finding.get('SourceMetadata', {})}\")
print(f\"Commit: {finding.get('SourceMetadata', {}).get('Data', {}).get('Git', {}).get('commit', 'N/A')}\")
print(f\"File: {finding.get('SourceMetadata', {}).get('Data', {}).get('Git', {}).get('file', 'N/A')}\")
print('---')
"
# Check if a detected access key is still active
aws iam get-access-key-last-used --access-key-id AKIAIOSFODNN7EXAMPLE
# List all access keys for a user to find active keys
aws iam list-access-keys --user-name target-user \
--query 'AccessKeyMetadata[*].[AccessKeyId,Status,CreateDate]' --output table
Prevent credentials from being committed in the first place using git-secrets as a pre-commit hook.
# Install git-secrets
git secrets --install # In each repository
# Register AWS credential patterns
git secrets --register-aws
# Add custom patterns for internal credential formats
git secrets --add 'AKIA[0-9A-Z]{16}'
git secrets --add 'aws_secret_access_key\s*=\s*.{40}'
git secrets --add 'aws_session_token\s*=\s*.+'
# Scan entire repository history
git secrets --scan-history
# Add to global git template for all new repos
git secrets --install ~/.git-templates/git-secrets
git config --global init.templateDir ~/.git-templates/git-secrets
Add TruffleHog scanning as a CI/CD gate to block deployments containing exposed credentials.
# GitHub Actions workflow (.github/workflows/secrets-scan.yml)