---
title: GitHub Trufflehog user agent activity observed
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > GitHub Trufflehog user agent activity
  observed
---

# GitHub Trufflehog user agent activity observed
Classification: attack | Tactic: [TA0006-credential-access](https://attack.mitre.org/tactics/TA0006) | Technique: [T1552-unsecured-credentials](https://attack.mitre.org/techniques/T1552)
## Goal{% #goal %}

Detects the TruffleHog credential scanning tool user agent within GitHub audit logs.

## Strategy{% #strategy %}

This rule monitors GitHub audit logs for user agent strings associated with Trufflehog use. The detection creates higher severity alerts when Trufflehog usage is combined with VPN or tunnel usage marked as suspicious or malicious by threat intelligence. Trufflehog is a legitimate security tool used to detect exposed credentials in code repositories; however, unauthorized usage may indicate reconnaissance activity or credential harvesting attempts.
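The detection logic described above, written out as an added example that is not Datadog's rule implementation: it runs over constructed GitHub audit log lines, flags events whose user agent matches TruffleHog, and raises the severity only when the same event also carries threat-intelligence tags marking VPN or tunnel use as suspicious or malicious. The field names (`actor`, `user_agent`, `threat_intel`) and the tag vocabulary are assumptions for this example.

```python
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of GitHub audit log events as JSON lines. The field
# names and the threat_intel tag list are assumptions, not the real schema.
SAMPLE_AUDIT_LOG = """
{"actor": "alice", "action": "repo.access", "repo": "org/api", "user_agent": "TruffleHog/3.82", "threat_intel": []}
{"actor": "bob", "action": "git.clone", "repo": "org/billing", "user_agent": "git/2.45.2", "threat_intel": []}
{"actor": "mallory", "action": "repo.access", "repo": "org/infra", "user_agent": "TruffleHog/3.82", "threat_intel": ["vpn", "malicious"]}
{"actor": "carol", "action": "git.clone", "repo": "org/api", "user_agent": "trufflehog", "threat_intel": ["tunnel"]}
"""

# Network categories and reputations that, together, escalate the alert.
SUSPICIOUS_NETWORK = {"vpn", "tunnel"}
BAD_REPUTATION = {"suspicious", "malicious"}


@dataclass
class Alert:
    actor: str
    repo: str
    severity: str  # "medium" for TruffleHog alone, "high" with flagged VPN/tunnel


def is_trufflehog_ua(user_agent: str) -> bool:
    # Case-insensitive substring match so version suffixes still hit.
    return "trufflehog" in user_agent.lower()


def classify(event: dict) -> Optional[Alert]:
    if not is_trufflehog_ua(event.get("user_agent", "")):
        return None
    tags = set(event.get("threat_intel", []))
    # Escalate only when a VPN/tunnel tag AND a bad-reputation tag are present;
    # a bare "tunnel" tag without a reputation verdict stays at medium.
    escalate = bool(tags & SUSPICIOUS_NETWORK) and bool(tags & BAD_REPUTATION)
    return Alert(event["actor"], event["repo"], "high" if escalate else "medium")


def detect(audit_log: str) -> List[Alert]:
    alerts = []
    for line in audit_log.strip().splitlines():
        alert = classify(json.loads(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_AUDIT_LOG):
        print(f"{a.severity:6} actor={a.actor} repo={a.repo}")
```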

## Triage and response{% #triage-and-response %}

- Verify if `{{@github.actor}}` has legitimate authorization to perform security scanning activities on the affected repositories.
- Review the specific repositories that were scanned to determine if they contain sensitive or proprietary code.
- Examine any VPN or tunnel usage associated with the scanning activity to determine if it originates from expected security team infrastructure.
- Determine if any credentials or secrets were actually discovered and potentially compromised during the scanning activity.

## Changelog{% #changelog %}

- 25 September 2025 - Updated title to clarify the logic focus on TruffleHog user agent indicator.
