TruffleHog is an open-source scanner that identifies and addresses exposed secrets throughout your entire technology stack.
“TruffleHog was originally a research tool I independently authored in 2016. When I published it, no tools were scanning Git revision history for secrets. My hunch was a lot of secrets buried in older versions of code, but no tools existed to look for them. My hunch was right. The tool quickly took off and became very popular. These days, it’s been starred on GitHub ~14,000 times and is wildly adopted in the industry,” Dylan Ayrey, CEO at Truffle Security and original author of TruffleHog, told Help Net Security.
Features
- Comprehensive list of secrets it scans for, with over 700 types.
- For every secret type, verification logic is implemented to log in with the secret and confirm its validity.
- Besides scanning normal files, TruffleHog decodes dozens of encodings, including base64, zip files, docx files, and many more, and scans them for secrets.
- It scans more than just source code. It also scans filesystems, docker containers, S3 buckets, CI logs, and more.
- TruffleHog enriches findings with data learned from APIs, such as the account the key belongs to and sometimes the permissions or scope of the keys.
TruffleHog has a sub-command for each source of data that you want to scan:
- git
- github
- gitlab
- docker
- S3
- filesystem (files and directories)
- syslog
- circleci
- travisci
- GCS (Google Cloud Storage)
Future plans
“We have a lot of exciting plans, including new integration (places to look for secrets), more data enrichment, and leveraging a few cloud security tricks to continue to keep TruffleHog as the best-in-class secret scanner,” Ayrey concluded.
TruffleHog is available for free on GitHub.
Must read: 15 open-source cybersecurity tools you’ll wish you’d known earlier
More open-source tools to consider: