GitHub has extended its secret scanning capabilities to cover Terraform state files, a notorious source of credential leaks when committed to public repositories by accident. Terraform writes every resource attribute to state in plaintext, including values marked sensitive (that flag only redacts CLI output), so a committed state file routinely contains live credentials.
How It Works
The scanner now recognizes terraform.tfstate and *.tfstate.backup files and parses their nested JSON structure, following the resources[].instances[].attributes paths where providers store resource values, including sensitive ones such as IAM access keys, database passwords, and TLS private keys. Attributes themselves can hold nested maps and lists, so the detectors have to walk the whole subtree rather than only top-level keys.
Provider Coverage
At launch, the scanner covers 42 official HashiCorp and partner providers: AWS, Azure, GCP, Cloudflare, Datadog, PagerDuty, GitHub itself, and more. Detection rules are open-source and contributed back to the trufflehog community database.
Push Protection
Push protection is available for Terraform state: pushes containing sensitive material in .tfstate files are blocked with a clear error message pointing to remote state best practices (S3 + DynamoDB, Terraform Cloud, or equivalent). A blocked push is still a signal that the secret exists in local commit history; rotate the credential and rewrite that history rather than deleting the file in a follow-up commit. Keeping *.tfstate* in .gitignore remains the first line of defense regardless of what the server catches.
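Below is a local check that mirrors what the "How It Works" and "Push Protection" sections describe: it parses a Terraform state file, walks resources[].instances[].attributes recursively, and flags values that look like credentials, exiting non-zero so it can run as a pre-commit hook before GitHub ever sees the push. This is an added example, not GitHub's detector or any trufflehog rule. The value patterns for AWS access key IDs and PEM private keys are the well-known public formats; the GitHub PAT prefix and the list of sensitive attribute names are assumptions for this example, as is the sample state (built from AWS's documented example key ID and placeholder values).

```python
"""Scan Terraform state JSON for leaked credentials (added example, not GitHub's code)."""
import json
import re
import sys

# Value-based rules: AWS access-key-ID and PEM header are public formats;
# the ghp_ prefix rule is an assumption for this example.
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b"),
    "private_key_pem": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Name-based rules (assumed list): attribute names providers commonly use for secrets.
SENSITIVE_ATTR_NAMES = {"password", "master_password", "secret", "secret_key", "private_key", "token"}

# Constructed sample in the Terraform v4 state layout. The key ID is AWS's
# documented example value; everything else is placeholder data.
SAMPLE_STATE = {
    "version": 4,
    "terraform_version": "1.6.0",
    "resources": [
        {"mode": "managed", "type": "aws_iam_access_key", "name": "deploy",
         "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
         "instances": [{"schema_version": 0, "attributes": {
             "id": "AKIAIOSFODNN7EXAMPLE",
             "secret": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
             "user": "deploy"}}]},
        {"mode": "managed", "type": "aws_db_instance", "name": "main",
         "instances": [{"schema_version": 1, "attributes": {
             "engine": "postgres", "password": "hunter2-constructed",
             "tags": {"env": "prod"}}}]},
        {"mode": "managed", "type": "tls_private_key", "name": "ca",
         "instances": [{"schema_version": 0, "attributes": {
             "algorithm": "RSA",
             "private_key_pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n-----END RSA PRIVATE KEY-----\n"}}]},
    ],
}


def _walk(value, path):
    """Yield (dotted_path, leaf) for every scalar under a JSON value, descending maps and lists."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from _walk(v, f"{path}.{k}")
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from _walk(v, f"{path}[{i}]")
    else:
        yield path, value


def scan_state(state):
    """Return a list of findings for one parsed state document."""
    findings = []
    for r_idx, res in enumerate(state.get("resources", [])):
        addr = f"{res.get('type')}.{res.get('name')}"
        for i_idx, inst in enumerate(res.get("instances", [])):
            base = f"resources[{r_idx}].instances[{i_idx}].attributes"
            for path, leaf in _walk(inst.get("attributes", {}), base):
                if not isinstance(leaf, str) or not leaf:
                    continue
                # Attribute name is the last path segment, minus any list index.
                attr_name = path.rsplit(".", 1)[-1].split("[")[0]
                for rule, pat in VALUE_PATTERNS.items():
                    if pat.search(leaf):
                        findings.append({"resource": addr, "path": path, "rule": rule})
                        break
                else:
                    if attr_name in SENSITIVE_ATTR_NAMES:
                        findings.append({"resource": addr, "path": path, "rule": "sensitive_attribute_name"})
    return findings


def scan_file(path):
    with open(path, encoding="utf-8") as fh:
        return scan_state(json.load(fh))


def main(argv):
    """Hook entry point: scan any .tfstate / .tfstate.backup paths given; exit 1 on findings."""
    if not argv:  # no paths given: demonstrate on the constructed sample
        results = scan_state(SAMPLE_STATE)
    else:
        results = [dict(f, file=p) for p in argv
                   if p.endswith((".tfstate", ".tfstate.backup")) for f in scan_file(p)]
    for f in results:
        print(f"{f.get('file', '<sample>')}: {f['resource']} {f['path']} [{f['rule']}]")
    if results:
        print("Blocked: keep state out of git; use a remote backend (S3 + DynamoDB, Terraform Cloud, or equivalent).")
    return 1 if results else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Wire it up as a pre-commit hook by passing the staged file list (for example `git diff --cached --name-only | xargs python scan_tfstate.py`); with no arguments it runs against the embedded sample. Name-based rules deliberately fire even when the value matches no pattern, because a database password has no recognizable format, which is also why a real scanner leans on the attribute path rather than the value alone.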
The feature is included with GitHub Advanced Security; free public repo scanning also benefits from the new detectors.