https://www.helpnetsecurity.com/2024/02/21/trufflehog-open-source-solution-for-scanning-secrets/

Mirko Zorz, Director of Content, Help Net Security
February 21, 2024

TruffleHog: Open-source solution for scanning secrets

TruffleHog is an open-source scanner that finds exposed secrets (API keys, tokens, credentials) across your technology stack: source repositories and their history, filesystems, container images, cloud storage and CI logs.

"TruffleHog was originally a research tool I independently authored in 2016. When I published it, no tools were scanning Git revision history for secrets. My hunch was that a lot of secrets were buried in older versions of code, but no tools existed to look for them. My hunch was right. The tool quickly took off and became very popular. These days, it's been starred on GitHub ~14,000 times and is widely adopted in the industry," Dylan Ayrey, CEO at Truffle Security and original author of TruffleHog, told Help Net Security.

Features

* A comprehensive list of secret types it scans for, with over 700 detectors.
* For every secret type, verification logic is implemented to log in with the secret and confirm its validity. Note that verification means the scanner actually authenticates with the candidate secret, so expect those attempts to show up in the provider's audit logs.
* Besides scanning normal files, TruffleHog decodes dozens of encodings, including base64, zip files, docx files and many more, and scans the decoded content for secrets.
* It scans more than source code: filesystems, Docker images, S3 buckets, CI logs and more.
* TruffleHog enriches findings with data learned from the provider's API, such as the account a key belongs to and sometimes the permissions or scope of the key.
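To make the feature list concrete, here is a miniature scanner that shows how the pieces fit together: a small set of regex detectors, recursive decoding of base64 and zip (a docx is also a zip) payloads before matching, a filesystem source that walks a directory tree, and a verification hook that a real scanner would wire to the issuing service's API. This is an added example written for this article, not TruffleHog's own code; the three detector patterns are simplified assumptions, and every "secret" in the sample tree is constructed and fake (the AWS key is the one used in AWS documentation).

```python
"""Miniature TruffleHog-style secret scanner (added example, not TruffleHog code)."""
import base64
import binascii
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Callable, Iterator, List, Optional

# Simplified detector patterns (assumptions; real detectors are stricter
# and number in the hundreds).
DETECTORS = {
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(rb"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_bot_token": re.compile(rb"\bxoxb-[0-9]{10,13}-[0-9]{10,13}-[A-Za-z0-9]{24}\b"),
}


@dataclass
class Finding:
    detector: str
    secret: str
    source: str               # file the secret was found in
    decoders: List[str]       # decoder chain applied before the match
    verified: Optional[bool] = None  # None = not checked against the provider


# ---- decoders: each yields (label, decoded_bytes) for payloads it recognises
B64_RE = re.compile(rb"[A-Za-z0-9+/]{20,}={0,2}")


def decode_base64(data: bytes):
    for m in B64_RE.finditer(data):
        try:
            yield "base64", base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # looked like base64 but was not


def decode_zip(data: bytes):
    if not data.startswith(b"PK\x03\x04"):   # local file header magic
        return
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                yield f"zip:{name}", zf.read(name)
    except zipfile.BadZipFile:
        return


DECODERS = (decode_base64, decode_zip)
MAX_DEPTH = 4  # bound recursion so nested encodings cannot loop forever


def scan_bytes(data: bytes, source: str, decoders: tuple = (), depth: int = 0) -> Iterator[Finding]:
    """Match detectors on the raw bytes, then on every decodable payload inside them."""
    for name, pattern in DETECTORS.items():
        for m in pattern.finditer(data):
            yield Finding(name, m.group(0).decode(), source, list(decoders))
    if depth >= MAX_DEPTH:
        return
    for decoder in DECODERS:
        for label, inner in decoder(data):
            yield from scan_bytes(inner, source, decoders + (label,), depth + 1)


def scan_filesystem(root: str, verify: Optional[Callable[[Finding], bool]] = None) -> List[Finding]:
    """Filesystem source: walk a tree, scan each file, de-duplicate, optionally verify."""
    seen, findings = set(), []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read()
            for f in scan_bytes(data, path):
                key = (f.detector, f.secret, f.source)
                if key in seen:
                    continue
                seen.add(key)
                if verify is not None:
                    f.verified = verify(f)  # a real hook logs in with the secret
                findings.append(f)
    return findings


def build_sample_tree(root: str) -> None:
    """Write constructed sample files; every secret below is fake."""
    with open(os.path.join(root, "config.env"), "wb") as fh:
        fh.write(b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n")          # plain text
    pat = b"ghp_" + b"A1b2" * 9                                         # 36-char body
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(base64.b64encode(b"token: " + pat + b"\n"))            # base64 layer
    slack = b"xoxb-" + b"1" * 12 + b"-" + b"2" * 12 + b"-" + b"abcdefghijklmnopqrstuvwx"
    with zipfile.ZipFile(os.path.join(root, "bundle.zip"), "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("creds.txt", b"slack=" + base64.b64encode(slack))  # zip, then base64


def demo() -> List[Finding]:
    """Scan the constructed tree; returns findings sorted by file name."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings = scan_filesystem(root)
    for f in findings:
        f.source = os.path.basename(f.source)  # drop the temp dir for readability
    return sorted(findings, key=lambda f: f.source)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.source}: {f.detector} via {f.decoders or ['plain']} -> {f.secret[:8]}...")
```

Running it reports the AWS key straight from config.env, the GitHub token only after one base64 layer in notes.txt, and the Slack token only after unpacking bundle.zip and then base64-decoding the entry; the decoder chain on each finding is what lets a triager see where an encoded secret was hiding. The depth bound and the de-duplication on (detector, secret, file) are the two details that keep a scanner like this from exploding on nested archives or reporting the same leak once per layer.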
TruffleHog has a sub-command for each data source you want to scan:

* git
* github
* gitlab
* docker
* s3
* filesystem (files and directories)
* syslog
* circleci
* travisci
* gcs (Google Cloud Storage)

Future plans

"We have a lot of exciting plans, including new integrations (places to look for secrets), more data enrichment, and leveraging a few cloud security tricks to continue to keep TruffleHog as the best-in-class secret scanner," Ayrey concluded.

TruffleHog is available for free on GitHub.