THE DIG
Thoughts, research, reports, and more from Truffle Security Co.


Joe Leon
Feb 25, 2026
Google API Keys Weren't Secrets. But then Gemini Changed the Rules.

Brad Larsen
Dec 16, 2025
TruffleHog now detects JWTs with public-key signatures and verifies them for liveness

Dylan Ayrey
Dec 1, 2025
The Rise of API Worms

Luke Marshall
Nov 25, 2025
Scanning 5.6 million public GitLab repositories for secrets

Luke Marshall
Nov 20, 2025
Scanning 2.6 million public Bitbucket Cloud repositories for secrets

Dylan Ayrey, Brad Larsen, & Zach Rice
Oct 31, 2025
We've been doing NHI since 2016

Joe Leon
Oct 17, 2025
Contributor Spotlight: Adam Reiser of Cisco Talos

Joe Leon
Sep 17, 2025
TruffleHog in Your Logs?

Joe Leon
Sep 10, 2025
Detecting Exposed Secrets in Salesforce with TruffleHog

Eduard Agavriloae & Matei Josephs
Jul 18, 2025
Guest Post: GCP CloudQuarry: Searching for Secrets in Public GCP Images

Joe Leon
Jul 11, 2025
How to Scan Force Pushed Commits for Secrets

Sharon Brizinov
Guest Post: How I Scanned all of GitHub’s “Oops Commits” for Leaked Secrets

Dylan Ayrey
May 9, 2025
This is how you build an AI Ransomware Worm

Joe Leon
Mar 13, 2025
Introducing TruffleHog's Burp Suite Extension: A Technical Deep Dive

Joe Leon
Feb 27, 2025
Research finds 12,000 ‘Live’ API Keys and Passwords in DeepSeek's Training Data

Dylan Ayrey and Jake King
Feb 21, 2025
Removing Jeff Bezos From My Bed

Ahrav Dutta
Jan 23, 2025
Under the Hood: The Algorithmic Power Behind TruffleHog’s Secret Scanning

Dylan Ayrey
Jan 13, 2025
Millions of Accounts Vulnerable due to Google’s OAuth Flaw

Dylan Ayrey
Dec 27, 2024
Vigilante Justice on GitHub

Joe Leon
Dec 19, 2024
Mishandled OAuth Tokens Open Backdoors

Joe Leon
Dec 12, 2024
LLMs are Teaching Developers to Hardcode API Keys

Joe Leon
Dec 4, 2024
Cracking Open APK Files at Scale

Zach Rice
Nov 26, 2024
Announcing the Winners of the TruffleHog Hacktoberfest 2024 Detector Competition

Joe Leon
Oct 31, 2024
7 Spooky Places Your Secrets Leak Online

Dylan Ayrey & Joe Leon
Oct 24, 2024
10% of TLS Certificates Reuse Private Keys

Joe Leon
Oct 18, 2024
Secret Scanning Encoded and Archived Data

Joe Leon
Oct 10, 2024
Securely Open-Sourcing on GitHub

Zach Rice
Oct 1, 2024
Hacktoberfest 2024: Detector Improvement Competition at Truffle Security!

Joe Leon
Sep 27, 2024
Announcing Truffle Security’s CFP

Joe Leon
Sep 19, 2024
8 Must-See Talks at OWASP 2024 Global AppSec

Joe Leon
Sep 12, 2024
You can Access Private Azure DevOps Repo Data

Joe Leon
Sep 4, 2024
TruffleHog Partners With Hugging Face to Scan for Secrets

Joe Leon
Aug 23, 2024
Why TruffleHog Analyze is a Game-Changer for Security Teams

Dustin Decker
Aug 16, 2024
Contributor Spotlight: Karan Bamal

Dylan Ayrey & The Analyze Team
Aug 7, 2024
TruffleHog Now Analyzes Permissions Of API Keys and Passwords

Joe Leon
Aug 2, 2024
TruffleHog now finds all Deleted & Private Commits on GitHub

Joe Leon
Jul 24, 2024
Anyone can Access Deleted and Private Repository Data on GitHub

Dylan Ayrey & Zach Rice
Jul 19, 2024
Secrets in Source Code Are Not A Code Security Problem

Haoxi Tan
Jul 10, 2024
Leaked Secrets in Public Jenkins Logs

Dylan Ayrey & Joe Leon
Jul 3, 2024
TruffleHog Scans Deleted Git Branches

Joe Leon
Jun 27, 2024
TruffleHog Now Scans Jenkins Logs

Charlie Gunyon
Jun 17, 2024
TruffleHog Partnering With Elastic to Scan for Secrets

Dylan Ayrey
Jun 7, 2024
11,000+ GitHub users' SSH keys are too weak

Joe Leon
May 29, 2024
Credentials Leaking with Subdomain Takeover

Dylan Ayrey
May 17, 2024
Stop Recommending JWTs (with symmetric keys)

Joe Leon and Dylan Ayrey
May 9, 2024
Bug Bounty Hunting Leaked Credentials

Joe Leon
May 2, 2024
Scan Postman for Secrets with TruffleHog

Joe Leon
Apr 25, 2024
(The) Postman Carries Lots of Secrets

Joe Leon
Apr 12, 2024
Do Secrets Leak on Public GitHub Gists in 2024?

Joe Leon
Apr 4, 2024
Scan Every Tag and Architecture of a Docker Image for Secrets

Sam Chan
Mar 20, 2024
How to Scan Jira for Secrets

Dylan Ayrey
Mar 14, 2024
The Keyboard Button that Displays Linux Root Memory

Dylan Ayrey
Mar 6, 2024
Contributor Spotlight: Helena Rosenzweig and Assetnote team

Joe Leon
Feb 27, 2024
How TruffleHog Verifies Secrets

Dylan Ayrey
Feb 21, 2024
TruffleHog Now Detects AWS Canaries without setting them off

Haoxi Tan
Feb 14, 2024
How to Scan S3 Buckets for Secrets

Haoxi Tan
Feb 7, 2024
How to Scan Azure Blobs for Secrets in 2024

Haoxi Tan
Jan 31, 2024
Scanning Git for Secrets: The 2024 Comprehensive Guide

Haoxi Tan
Jan 25, 2024
The Risks of a Leaked Stripe API Key

Joe Leon
Jan 17, 2024
Introducing whoamislack: Identify Slack Workspace Names from Webhook URLs

Joe Leon
Jan 10, 2024
74% of publicly leaked keys are never revoked

Joe Leon
Jan 4, 2024
Research Uncovers AWS Account Numbers Hidden in Access Keys

Dylan Ayrey
Dec 15, 2023
Google OAuth is Broken (Sort Of)

Haoxi Tan
Dec 13, 2023
Why did 1 GitHub Repo leak 5,000 Live GCP Keys?

Joe Leon
Dec 4, 2023
Running TruffleHog in Travis CI

Zach Rice
Nov 28, 2023
Improving TruffleHog Part I: Adding a New Detector

Zach Rice
Nov 22, 2023
Announcing the TruffleHog Hacktoberfest 2023 Winners!

Joe Leon
Nov 15, 2023
Tailscale + Truffle: A Blueprint for Open Source TruffleHog Contributions

Karim Rahal
Oct 25, 2023
Mirror, Mirror, on the Wall, Secrets Leaked from Repos All

Zach Rice
Oct 19, 2023
Contributor Spotlight: Richard Gomez

Zach Rice
Oct 6, 2023
TruffleHog Detector Competition at Hacktoberfest 2023!

Joe Leon
Sep 27, 2023
Think Twice Before Commenting: Thousands of GitHub Comments Leak Live API Keys

Joe Leon
Sep 18, 2023
How to Rotate: Key Rotation Tutorials

Joe Leon
Sep 11, 2023
How Secrets Leak out of Docker Images

Joe Leon
Sep 5, 2023
4,500 of the Top 1 Million Websites Leaked Source Code, Secrets

Miccah Castorina
Aug 30, 2023
Do Pre-Commit Hooks Prevent Secrets Leakage?

Joe Leon
Aug 22, 2023
Running TruffleHog in Azure Pipelines

Joe Leon
Aug 15, 2023
TruffleHog Commands: Git vs Filesystem

Karim Rahal
Nov 8, 2023
Does Travis CI leak secrets in 2023?

Hon Kwok
Aug 9, 2023
Announcing TruffleHog Terminal UI

Dylan Ayrey
Aug 3, 2023
Discovering a Vulnerability in Forager AuthZ, Hours before Public Launch

Joe Leon
Aug 3, 2023
Deleting leaked API keys isn’t a solution

Karim Rahal
Jul 28, 2023
How Secrets Leak in CI/CD Pipelines

Hon Kwok
Jul 17, 2023
Introducing Forager: Browse Millions of Leaked API keys Found With TruffleHog

Mike Vanbuskirk
May 18, 2023
Running TruffleHog in a GitHub action

Zach Rice
Apr 17, 2023
Making TruffleHog Faster with Aho Corasick

Dustin Decker
Feb 22, 2023
Secure Credential Storage in 2023

Dylan Ayrey
Jan 30, 2023
Introducing: A New XSSHunter, Hosted by the Truffle Security Co.

Dustin Decker
Jan 17, 2023
Introducing cloudsql-exporter, a New Way to Protect Cloud SQL Data

Dylan Ayrey
Jan 6, 2023
TruffleHog Now Scans CircleCI Build Logs

Chris Grayson
Jan 3, 2023
Bypass firewalls with of-CORs and typo-squatting

Dylan Ayrey
Nov 20, 2022
Email Graffiti: Hacking Old Email

Dylan Ayrey
Jul 7, 2022
It’s Impossible to Find Every Vulnerability, So We Don’t Try To

Dylan Ayrey
Apr 4, 2022
Introducing TruffleHog v3

Dylan Ayrey
Feb 9, 2022
Introducing Driftwood: Know if Private Keys are Sensitive

Dylan Ayrey
Jan 9, 2022
The Breach They Kept Secret

Dylan Ayrey
Dec 8, 2021
Truffle Security raises $14 million Series A led by a16z

Dylan Ayrey
Sep 19, 2021
Introducing TruffleHog, The Chrome Extension

Dylan Ayrey
Aug 30, 2021
Why Isn’t XSS Used More in the Wild?

Dylan Ayrey
Aug 23, 2021
A Leaky Key That Led to Jail Time

Dylan Ayrey
Aug 16, 2021
Uber’s Wild Story of Leaky Keys

Dylan Ayrey
Aug 9, 2021
Leaked Code Leads to Leaked Keys

Dylan Ayrey
Aug 4, 2021
Remediating TruffleHog Findings with Doppler

Guest User
Aug 3, 2021
An API Worm In The Making: Thousands Of Secrets Found In Open S3 Buckets