Getting Started
Trestle is a local secret scanner. It reads source files on the local machine and reports API keys, access tokens, passwords, private keys, and certificates found in the code. Trestle runs entirely on the local machine, with no network calls and no telemetry.
This page covers installing Trestle, running a first scan, and configuring it in a project.
Install
Trestle is a single binary with no runtime dependencies. The download page lists install instructions for macOS, Windows, and Linux, and instructions for building from source.
After installing, confirm the binary is available on the system PATH:
trestle --version
Scan a directory
From inside any project, run:
trestle scan
Trestle reads every file in the current directory and reports findings to the terminal. Files matched by .gitignore and common vendor, cache, and build directories are skipped.
To scan a specific path, pass it as an argument:
trestle scan ./src/api
Configure Trestle in a project
Run this command once at the root of each project where Trestle should run automatically:
trestle install
This adds two integrations to the project:
- A Git pre-commit hook that runs trestle scan against the files being committed. When a finding is reported, the commit is aborted so the finding can be addressed.
- Instructions for AI coding assistants (Claude Code, Cursor, Copilot, Codex, and others) directing them to call Trestle on every proposed file change.
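A check that an onboarding or CI script can run to confirm the pre-commit hook is actually in place in a given working copy. This is an added example, not part of Trestle or its documentation; it assumes the installed hook is a script that calls trestle scan by name, and the function names hook_status and check_repo are hypothetical.

```shell
#!/bin/sh
# Added example: verify that a working copy has a usable Trestle pre-commit hook.
# Assumption: the hook installed by "trestle install" invokes "trestle scan" by name.

# hook_status FILE
# Prints a one-line verdict and returns:
#   0 = ok, 1 = missing, 2 = not executable, 3 = no "trestle scan" call
hook_status() {
    hook=$1
    if [ ! -f "$hook" ]; then
        echo "missing: $hook"
        return 1
    fi
    # Git ignores hook files that are not executable.
    if [ ! -x "$hook" ]; then
        echo "not executable: $hook"
        return 2
    fi
    # Drop comment lines first so a commented-out call does not count.
    if ! grep -v '^[[:space:]]*#' "$hook" | grep -Eq 'trestle[[:space:]]+scan'; then
        echo "no 'trestle scan' call: $hook"
        return 3
    fi
    echo "ok: $hook"
    return 0
}

# check_repo DIR
# Resolves the pre-commit hook Git will really run in DIR (this honours a
# core.hooksPath override) and checks it with hook_status.
check_repo() {
    (
        cd "$1" || exit 4
        hook_status "$(git rev-parse --git-path hooks/pre-commit)"
    )
}

# Usage from a project root:
#   check_repo . || echo "run 'trestle install' in this project"
```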
Both integrations are local to the project. To remove them, run:
trestle uninstall
What to read next
- Command Line describes every subcommand and option.
- Output Formats documents every output format, the rule IDs they emit, and example output.
- MCP Server describes how AI coding assistants use Trestle.
- Editors describes the VS Code extension and how to configure Trestle as a language server in Neovim, Helix, Zed, and JetBrains IDEs.
- Configuration File documents every key in .trestlerc.toml.
- Directives describes the trestle:skip comment that suppresses findings on specific lines.