{"id":"3d8d17c4-814c-4234-bddd-60e6730bf0ad","shortId":"8ZZej2","kind":"skill","title":"trufflehog-cli","tagline":"Perform local secret scanning, remote repository scanning, pre-commit integration, and single-credential verification using TruffleHog CLI. Triggers when the user mentions trufflehog, secret scan, leaked credential investigation, Git history scan, remote repo scan, pre-commit, or","description":"# trufflehog-cli\n\nUnified entry point Skill for TruffleHog CLI in this repository.\n\nLoad modules on demand:\n\n- Installation, version pinning, checksum verification, and temp-file strategy:\n  [install-and-baseline.md](references/install-and-baseline.md)\n- Local workspace + local Git history scanning:\n  [local-scan.md](references/local-scan.md)\n- Pre-commit integration:\n  [pre-commit.md](references/pre-commit.md)\n- Remote GitLab repository scanning:\n  [remote-repo-scan.md](references/remote-repo-scan.md)\n- Single-credential identification and verification:\n  [credential-verify.md](references/credential-verify.md)\n- Common credential types and verification patterns:\n  [credential-types.md](references/credential-types.md)\n- JSONL report field reference:\n  [trufflehog-jsonl-format.md](references/trufflehog-jsonl-format.md)\n\nFor reproducible, auditable installation workflows, use the built-in scripts:\n\n- POSIX install:\n  [install-trufflehog.sh](scripts/install-trufflehog.sh)\n- PowerShell install:\n  [install-trufflehog.ps1](scripts/install-trufflehog.ps1)\n\nFor pre-commit, use the built-in wrapper script:\n\n- POSIX pre-commit wrapper:\n  [pre-commit-trufflehog.sh](scripts/pre-commit-trufflehog.sh)\n\n## Description\n\nTreat this Skill as the company's standard operating manual for TruffleHog CLI.\n\nIt covers four primary workflows:\n\n- Local scanning: developer workstation files and local Git history\n- Pre-commit integration: block new leaks before they are committed\n- Remote repository scanning: scan a single HTTPS remote repository\n- 
Credential verification: confirm whether a leaked credential is still active\n\nDo not extend this Skill into general-purpose SAST, dependency vulnerability scanning, or code auditing.\n\n## Rules\n\n### Rule 1 - Read the unified baseline first\n\nRead [install-and-baseline.md](references/install-and-baseline.md) first.\n\nBaseline rules apply to all workflows:\n\n- Version is sourced from [trufflehog-version.txt](assets/trufflehog-version.txt) as the single source of truth\n- Must use official GitHub Release binaries and verify the official checksum\n- All commands must include `--no-update` by default\n- Scan artifacts go to the system temp directory, never the repository root\n- Tokens must not appear in repository URLs or command-line arguments\n- Reports may only use TruffleHog's `Redacted` output; raw secret values must never be printed\n\n### Rule 2 - Select one primary workflow at a time\n\nDetermine the task type first, then load the corresponding reference:\n\n- Local repository / developer workstation self-check:\n  [local-scan.md](references/local-scan.md)\n- Pre-commit integration:\n  [pre-commit.md](references/pre-commit.md)\n- Remote GitLab HTTPS repository scanning:\n  [remote-repo-scan.md](references/remote-repo-scan.md)\n- Single-credential leak investigation or post-rotation verification:\n  [credential-verify.md](references/credential-verify.md)\n\nDo not load all references at once by default.\n\n### Rule 3 - Match commands to scenarios\n\nChoose the command family based on the actual scan scope:\n\n- `trufflehog filesystem .`: current workspace files\n- `trufflehog git file://...`: local repository history\n- `trufflehog git <https-repo-url>`: remote repository history\n- `trufflehog analyze`: only when an interactive TUI session is available\n\nDo not force the same command onto every scenario.\n\n### Rule 4 - Least privilege first\n\nFollow least-privilege for credentials:\n\n- For remote repository clone scanning, prefer 
`read_repository`\n- Only escalate to `read_api`/`api` when GitLab API-level verification is needed (e.g., PAT self-check)\n- Prefer short-lived credentials and explicitly clean up after the workflow completes\n\n### Rule 5 - Reports must clearly state scope and boundaries\n\nEvery result summary must include:\n\n- Scan target\n- Actual command family used\n- Execution directory or target repository\n- Result file location\n- Count of `verified` vs `unknown` findings\n- Scope constraints (e.g., `--branch`, `--since-commit`, `--max-depth`)\n\nDo not claim coverage of branches that were not explicitly scanned.\n\n## Examples\n\n### Bad\n\n```text\nUser says “scan the repo,” and I run a generic command, write JSON to the repo root,\noutput plaintext secrets, and conclude “all branches are clean.”\n```\n\nProblems:\n\n- Command does not match scope\n- Pollutes the workspace\n- Leaks sensitive information\n- Conclusion exceeds actual coverage\n\n### Good\n\n```text\nConfirm version, installation, and output strategy per the unified baseline first,\nthen select a single workflow with its corresponding command;\nartifacts go to a temp directory, and the report clearly states what was and was not covered.\n```\n\nStrengths:\n\n- Single entry point + single baseline avoids duplicate maintenance\n- Progressive loading keeps the main document concise\n- Centralized rules simplify collaboration and auditing\n- Output is traceable and does not leak sensitive 
information","tags":["trufflehog","cli","enterprise","harness","engineering","addxai","agent-skills","ai-agent","ai-engineering","claude-code","code-review","cursor"],"capabilities":["skill","source-addxai","skill-trufflehog-cli","topic-agent-skills","topic-ai-agent","topic-ai-engineering","topic-claude-code","topic-code-review","topic-cursor","topic-devops","topic-enterprise","topic-sre","topic-windsurf"],"categories":["enterprise-harness-engineering"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/addxai/enterprise-harness-engineering/trufflehog-cli","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add addxai/enterprise-harness-engineering","source_repo":"https://github.com/addxai/enterprise-harness-engineering","install_from":"skills.sh"}},"qualityScore":"0.458","qualityRationale":"deterministic score 0.46 from registry signals: · indexed on github topic:agent-skills · 16 github stars · SKILL.md body (4,912 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-04-22T01:02:13.217Z","embedding":null,"createdAt":"2026-04-21T19:04:02.776Z","updatedAt":"2026-04-22T01:02:13.217Z","lastSeenAt":"2026-04-22T01:02:13.217Z","prices":[{"id":"d4565562-faa0-4446-b139-85875ae6009a","listingId":"3d8d17c4-814c-4234-bddd-60e6730bf0ad","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"addxai","category":"enterprise-harness-engineering","install_from":"skills.sh"},"createdAt":"2026-04-21T19:04:02.776Z"}],"sources":[{"listingId":"3d8d17c4-814c-4234-bddd-60e6730bf0ad","source":"github","sourceId":"addxai/enterprise-harness-engineering/trufflehog-cli","sourceUrl":"https://github.com/addxai/enterprise-harness-engineering/tree/main/skills/trufflehog-cli","isPrimary":false,"firstSeenAt":"2026-04-21T19:04:02.776Z","lastSeenAt":"2026-04-22T01:02:13.217Z"}],"details":{"listingId":"3d8d17c4-814c-4234-bddd-60e6730bf0ad","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"addxai","slug":"trufflehog-cli","github":{"repo":"addxai/enterprise-harness-engineering","stars":16,"topics":["agent-skills","ai-agent","ai-engineering","claude-code","code-review","cursor","devops","enterprise","sre","windsurf"],"license":"apache-2.0","html_url":"https://github.com/addxai/enterprise-harness-engineering","pushed_at":"2026-04-17T08:57:37Z","description":"Enterprise-grade AI Agent Skills for software development, DevOps, SRE, security, and product teams. 
Compatible with Claude Code, Cursor, Windsurf, Gemini CLI, GitHub Copilot, and 30+ AI coding agents.","skill_md_sha":"de589344ccbb94bc95ab402b4d06d68930d14c92","skill_md_path":"skills/trufflehog-cli/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/addxai/enterprise-harness-engineering/tree/main/skills/trufflehog-cli"},"layout":"multi","source":"github","category":"enterprise-harness-engineering","frontmatter":{"name":"trufflehog-cli","description":"Perform local secret scanning, remote repository scanning, pre-commit integration, and single-credential verification using TruffleHog CLI. Triggers when the user mentions trufflehog, secret scan, leaked credential investigation, Git history scan, remote repo scan, pre-commit, or post-rotation credential verification."},"skills_sh_url":"https://skills.sh/addxai/enterprise-harness-engineering/trufflehog-cli"},"updatedAt":"2026-04-22T01:02:13.217Z"}}