diff --git a/pkgs/tools/security/trufflehog/default.nix b/pkgs/tools/security/trufflehog/default.nix
new file mode 100644
index 00000000000..f805670a5d5
--- /dev/null
+++ b/pkgs/tools/security/trufflehog/default.nix
@@ -0,0 +1,38 @@
+{ lib, pythonPackages }:
+
+let
+  truffleHogRegexes = pythonPackages.buildPythonPackage rec {
+    pname = "truffleHogRegexes";
+    version = "0.0.4";
+    src = pythonPackages.fetchPypi {
+      inherit pname version;
+      sha256 = "09vrscbb4h4w01gmamlzghxx6cvrqdscylrbdcnbjsd05xl7zh4z";
+    };
+  };
+in
+  pythonPackages.buildPythonApplication rec {
+    pname = "truffleHog";
+    version = "2.0.91";
+
+    src = pythonPackages.fetchPypi {
+      inherit pname version;
+      sha256 = "0r4c9ihy6wjh5cwli7lb6cr2yfvxrh7r6cgznql1src5gzlnkymx";
+    };
+
+    # Relax overly restricted version constraint
+    postPatch = ''
+      substituteInPlace setup.py --replace "GitPython ==" "GitPython >= "
+    '';
+
+    propagatedBuildInputs = [ pythonPackages.GitPython truffleHogRegexes ];
+
+    # Test cases run git clone and require network access
+    doCheck = false;
+
+    meta = {
+      homepage = https://github.com/dxa4481/truffleHog;
+      description = "Searches through git repositories for high entropy strings and secrets, digging deep into commit history";
+      license = with lib.licenses; [ gpl2 ];
+      maintainers = with lib.maintainers; [ bhipple ];
+    };
+  }
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 774f2becdd4..90f9edcd9f1 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -21119,6 +21119,8 @@ with pkgs;
 
   tup = callPackage ../development/tools/build-managers/tup { };
 
+  trufflehog = callPackage ../tools/security/trufflehog { };
+
   tvheadend = callPackage ../servers/tvheadend { };
 
   ums = callPackage ../servers/ums { };