Trestle
Local secret scanner that catches API keys, passwords, and other credentials in your code before they leak - built for AI-assisted development.
Cost / License
- Freemium (Subscription)
- Open Source (Apache-2.0)
Platforms
- Windows
- Mac
- Linux
- npm
- GitHub Actions
- GitHub Marketplace
Features
Git Support
GitHub Integration
Trestle News & Activities
Recent activities
- toroguapo added Trestle
toroguapo added Trestle as alternative to truffleHog, AWS Lab's git-secrets, GitGuardian and Gitleaks
Trestle information
What is Trestle?
Trestle is a local secret scanner that stops hardcoded credentials from leaking out of your codebase. It finds API keys, tokens, passwords, and private keys across your source code and full git history, then helps you remove and rotate them before they reach somewhere an attacker or your own end users could see them.
Instead of only pattern matching, Trestle parses each file's AST and reads values together with the field names they belong to, so it catches secrets that don't look like secrets - hashed passwords, ordinary-word database passwords, credit card numbers, and crypto recovery phrases - with far fewer false positives than text-based scanners.
It runs entirely on your machine: no network, no account, no telemetry, which also makes it suitable for air-gapped and sensitive environments. It plugs into your AI assistant via MCP (Claude Code, Cursor, Copilot, Codex), your editor (VS Code plus LSP support for LSP enabled editors like Neovim, Helix, Zed, and JetBrains), and your CI, with a one-command pre-commit hook that blocks bad commits before they get published.



