https://github.com/trufflesecurity/trufflehog

trufflesecurity / trufflehog: Find credentials all over the place. trufflesecurity.com. AGPL-3.0 License.

Latest commit cd09f84 (Apr 6, 2022) by dustin-decker: Update source to coming soon.
README.md

TruffleHog

Find leaked credentials.

Join The Slack

Have questions? Feedback? Jump in slack and hang out with us:
https://join.slack.com/t/trufflehog-community/shared_invite/zt-pw2qbi43-Aa86hkiimstfdKH9UCpPzQ

Demo

GitHub scanning demo:

    docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=trufflesecurity

What's new in v3?

TruffleHog v3 is a complete rewrite in Go with many new powerful features.

* We've added over 600 credential detectors that support active verification against their respective APIs.
* We've also added native support for scanning GitHub, GitLab, filesystems, and S3.

What is credential verification?

For every potential credential that is detected, we've painstakingly implemented programmatic verification against the API that we think it belongs to. Verification eliminates false positives. For example, the AWS credential detector performs a GetCallerIdentity API call against the AWS API to verify if an AWS credential is active.

Installation

Several options:

1. Go

    git clone https://github.com/trufflesecurity/trufflehog.git
    cd trufflehog; go install

2. Release binaries

3. Docker

Note: Apple M1 hardware users should run with docker run --platform linux/arm64 for better performance.

Most users

    docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys

Apple M1 users

The linux/arm64 image runs better on the M1 than the amd64 image. Even better is running the native darwin binary that is available, but there is no container image for that.

    docker run --platform linux/arm64 -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys

4. Pip (help wanted)

It's possible to distribute binaries in pip wheels. Here is an example of a project that does it. Help with setting up this packaging would be appreciated!

5. Brew (help wanted)

We'd love to distribute via brew and could use your help.

Usage

TruffleHog has a sub-command for each source of data that you may want to scan:

* git
* github
* gitlab
* S3
* filesystem
* file and stdin (coming soon)

Each sub-command has its own options, which you can list by passing the -h flag to that sub-command:

    $ trufflehog git --help
    usage: TruffleHog git []

    Find credentials in git repositories.

    Flags:
          --help                     Show context-sensitive help (also try --help-long and --help-man).
          --debug                    Run in debug mode
          --version                  Prints trufflehog version.
      -j, --json                     Output in JSON format.
          --json-legacy              Use the pre-v3.0 JSON format. Only works with git, gitlab, and github sources.
          --concurrency=1            Number of concurrent workers.
          --no-verification          Don't verify the results.
          --only-verified            Only output verified results.
          --print-avg-detector-time  Print the average time spent on each detector.
          --no-update                Don't check for updates.
      -i, --include-paths=INCLUDE-PATHS
                                     Path to file with newline separated regexes for files to include in scan.
      -x, --exclude-paths=EXCLUDE-PATHS
                                     Path to file with newline separated regexes for files to exclude in scan.
          --since-commit=SINCE-COMMIT
                                     Commit to start scan from.
          --branch=BRANCH            Branch to scan.
          --max-depth=MAX-DEPTH      Maximum depth of commits to scan.
          --allow                    No-op flag for backwards compat.
          --entropy                  No-op flag for backwards compat.
          --regex                    No-op flag for backwards compat.

    Args:
      Git repository URL. https:// or file:// schema expected.

For example, to scan a git repository, start with

    $ trufflehog git https://github.com/trufflesecurity/trufflehog.git

Scanning an organization

Try scanning an entire GitHub organization with the following:

    docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=trufflesecurity

Contributors

This project exists thanks to all the people who contribute. [Contribute].

Contributing

Contributions are very welcome! Please see our contribution guidelines first.

We no longer accept contributions to TruffleHog v2, but that code is available in the v2 branch.

Adding new secret detectors

We have published some documentation and tooling to get started on adding new secret detectors. Let's improve detection together!

License Change

Since v3.0, TruffleHog is released under an AGPL 3 license, included in LICENSE.
TruffleHog v3.0 uses none of the previous codebase, but care was taken to preserve backwards compatibility on the command line interface. The work previous to this release is still available licensed under GPL 2.0 in the history of this repository and the previous package releases and tags. A completed CLA is required for us to accept contributions going forward.
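
The detect-then-verify flow described under "What is credential verification?", together with the effect of the --no-verification and --only-verified flags, as an added example that is not TruffleHog's own code. The names Finding, Verifier, Scan and stubVerify and both regexes are assumptions of this example, and the stub stands in for the GetCallerIdentity call so that it runs offline.

```go
package main

import (
	"fmt"
	"regexp"
)

// Finding is one candidate key pair plus the verification outcome.
type Finding struct {
	KeyID, Secret string
	Verified      bool
}

// Verifier reports whether a pair is live. A real one would sign an AWS
// GetCallerIdentity request with the pair; injecting it is this example's assumption.
type Verifier func(keyID, secret string) bool

// Candidate patterns (assumed for this example): a 20-character key ID and a
// run of exactly 40 base64-alphabet characters for the secret.
var keyIDPat = regexp.MustCompile(`\b(AKIA[0-9A-Z]{16})\b`)
var secretPat = regexp.MustCompile(`(?:^|[^A-Za-z0-9+/])([A-Za-z0-9+/]{40})(?:[^A-Za-z0-9+/]|$)`)

// Scan pairs every key-ID candidate with every secret candidate in text.
// verify == nil models --no-verification; onlyVerified models --only-verified.
func Scan(text string, verify Verifier, onlyVerified bool) []Finding {
	var out []Finding
	for _, id := range keyIDPat.FindAllStringSubmatch(text, -1) {
		for _, sec := range secretPat.FindAllStringSubmatch(text, -1) {
			f := Finding{KeyID: id[1], Secret: sec[1]}
			f.Verified = verify != nil && verify(f.KeyID, f.Secret)
			if f.Verified || !onlyVerified {
				out = append(out, f)
			}
		}
	}
	return out
}

// Constructed sample: AWS's documentation example pair plus a made-up key ID.
const sample = "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n" +
	"aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n" +
	"# old key left in a comment: AKIAABCDEFGHIJKLMNOP\n"

// stubVerify stands in for the API call: only the first key ID counts as live.
func stubVerify(keyID, secret string) bool { return keyID == "AKIAIOSFODNN7EXAMPLE" }

func main() {
	for _, f := range Scan(sample, stubVerify, false) {
		fmt.Println(f.KeyID, "verified:", f.Verified)
	}
}
```

Both key IDs match the pattern, but only the pair the verifier accepts survives when onlyVerified is set, which is how verification removes pattern-only false positives.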