Zach Rice

The Dig

October 6, 2023

TruffleHog Detector Competition at Hacktoberfest 2023!


We’re giving out a free M2 MacBook Air to the top open source contributor this October; it’s a Detector Competition!


Detector Competition

Every month we get a ton of community contributions to TruffleHog. This month we’re giving back to the top contributors (rules outlined below) with the following prizes:

1st Prize: 13 inch MacBook Air (M2)

2nd Prize: Timbuk2 Backpack

3rd Prize: Custom TruffleHog Swag

There are two ways to earn points in the Detector Competition: adding a new detector (1 point) and fixing an existing detector (2 points). Each merged PR labeled Hacktoberfest-Detector-Competition-New or Hacktoberfest-Detector-Competition-Fix will be awarded 1 or 2 points, respectively.

FIX DETECTORS (LABEL: HACKTOBERFEST-DETECTOR-COMPETITION-FIX 2 POINTS):

Below are some examples of fixes that will be considered. Make sure to supply ample evidence of the fix in the PR description.

  • Correct the verification logic so that a detected secret is checked against the provider’s API and marked verified only when the API actually accepts it.

  • Correct the regular expressions used for secret detection.

NEW DETECTORS (LABEL: HACKTOBERFEST-DETECTOR-COMPETITION-NEW 1 POINT):

Submit a PR for a Detector you think would be valuable. Please follow the “Adding Detectors” contributing guidelines here. In the new detector PR please provide documentation and supporting evidence for the validity of the detector’s regular expressions.
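To make concrete what a detector PR has to get right (the detection regex and the verification logic named in the fix bullets above, plus the local test showing the verifier receiving a 2xx that the Detector Criteria below ask for), here is an added, self-contained Go example. It is not TruffleHog’s own detector code or interface: it mirrors the Keywords/FromData shape but defines its own Result type, targets a hypothetical provider “ExamplePay” with an invented token format (ep_live_ followed by 32 hex characters), and uses an httptest server in place of the real API so it runs offline. The tokens in the sample input are constructed and are not real secrets.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// Hypothetical provider "ExamplePay": tokens are assumed to be ep_live_ plus 32
// lowercase hex chars. The \b anchors stop the pattern matching inside longer identifiers.
var keyPat = regexp.MustCompile(`\b(ep_live_[0-9a-f]{32})\b`)

// Result is a simplified detector result: the raw secret, whether the provider
// confirmed it, and any error from the verification call itself.
type Result struct {
	Raw               string
	Verified          bool
	VerificationError error
}

// Detector carries the client and endpoint so a test can point it at a fake server.
type Detector struct {
	Client    *http.Client
	VerifyURL string
}

func (d Detector) Keywords() []string { return []string{"ep_live_"} } // lets a scanner skip chunks without this prefix

// FromData finds candidate tokens and, when verify is true, checks each with the provider.
func (d Detector) FromData(ctx context.Context, verify bool, data []byte) ([]Result, error) {
	var results []Result
	for _, m := range keyPat.FindAllStringSubmatch(string(data), -1) {
		r := Result{Raw: strings.TrimSpace(m[1])}
		if verify {
			r.Verified, r.VerificationError = d.verify(ctx, r.Raw)
		}
		results = append(results, r)
	}
	return results, nil
}

// verify calls the provider with the token. Only a 2xx proves the credential is live, 401/403
// proves it is not, and anything else (outage, rate limit) is surfaced as an error, not "unverified".
func (d Detector) verify(ctx context.Context, token string) (bool, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, d.VerifyURL, nil)
	if err != nil {
		return false, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	res, err := d.Client.Do(req)
	if err != nil {
		return false, err
	}
	defer res.Body.Close()
	switch {
	case res.StatusCode >= 200 && res.StatusCode < 300:
		return true, nil
	case res.StatusCode == http.StatusUnauthorized, res.StatusCode == http.StatusForbidden:
		return false, nil
	default:
		return false, fmt.Errorf("unexpected status %d from %s", res.StatusCode, d.VerifyURL)
	}
}

// newFakeProvider stands in for the real API during local testing: it accepts exactly
// one token and answers every other request with rejectStatus.
func newFakeProvider(liveToken string, rejectStatus int) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") == "Bearer "+liveToken {
			w.WriteHeader(http.StatusOK)
			return
		}
		w.WriteHeader(rejectStatus)
	}))
}

// Constructed tokens for the sample input; neither is a real secret.
var liveToken, deadToken = "ep_live_" + strings.Repeat("a", 32), "ep_live_" + strings.Repeat("b", 32)

// scanSample runs the detector over constructed input against a fake provider that
// rejects unknown tokens with rejectStatus (401 for a revoked key, 503 for an outage).
func scanSample(rejectStatus int) ([]Result, error) {
	srv := newFakeProvider(liveToken, rejectStatus)
	defer srv.Close()
	sample := []byte("EXAMPLEPAY_KEY=" + liveToken + "\nold_key = " + deadToken +
		"\ntest_key = ep_test_" + strings.Repeat("c", 32) + "\n") // wrong prefix, must not match
	d := Detector{Client: srv.Client(), VerifyURL: srv.URL + "/v1/me"}
	return d.FromData(context.Background(), true, sample)
}

func main() {
	results, _ := scanSample(http.StatusUnauthorized)
	for _, r := range results {
		fmt.Printf("%s verified=%v err=%v\n", r.Raw, r.Verified, r.VerificationError)
	}
}
```

The part reviewers look for in a fix PR is the status handling in verify: a 5xx or a 429 from the provider must not be reported as a verified secret, and it should not be silently folded into “unverified” either, because that hides a broken verifier. The fake server is what a PR’s “passing tests” screenshot would come from; against the real provider, the same run must show a 2xx for a freshly generated credential before it is redacted.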


Check out this video for a detailed explanation of how to create a new detector:


Competition Rules and Notes

  • Start date for submissions: Sept 30.

  • End date for submissions: Oct 31.

  • Any submissions received after Oct 31 will be ineligible for the Detector Competition.

  • Each PR should focus on one new detector or one fix for a detector. That is, don’t open a PR with two new detectors.

  • New Detectors must be for valid credential providers. There is no benefit to the community for adding a Detector when the credential provider has no users. PRs that add invalid Detectors will be labeled invalid.

  • Spam PRs will be marked with a spam label and closed. Contributors with 2+ spammy PRs are disqualified.

  • This competition is first come, first served. If multiple PRs for the same Detector or Detector fix are opened, only the first one opened will be awarded points if merged.

  • However, if we request changes in a PR and that PR is abandoned (i.e., no activity for 3 days), then we will consider new contributions.

  • If you want your PRs to be excluded from the competition all you have to do is ensure that you don’t apply the Hacktoberfest-Detector-Competition-New/Fix label. To avoid folks gaming the competition, we have a few criteria that must be met for a new Detector to be considered. See the Detector Criteria section below.

  • The final tally will be determined once all competition PRs submitted before November 1 are either merged or closed.

DETECTOR CRITERIA
1. Documentation:
  • Provide screenshots or log outputs of passing tests. This includes a local test of the detector actually receiving a 2xx response from the provider’s API (i.e., proving verification). See the testing section in the detector contributing guidelines.

  • Provide steps on how to create an account and generate credentials for the provider.

  • Provide supporting evidence for the validity of the Detector’s regular expressions.

  • If possible, cite official documentation or recognized community resources to justify the regex patterns used.

  • Make sure to redact any sensitive information!

2. Relevance:

The Detector should fall under one of the recognized categories such as:

  • Payment Processors (e.g., Stripe, PayPal, Square)

  • DevOps Tools (e.g., Jenkins, CircleCI, Travis CI)

  • Security Tooling (e.g., HashiCorp Vault, Fortify)

  • Infrastructure Platforms (e.g., AWS, Azure, GCP)

  • AI & Data Products (e.g., TensorFlow, Jupyter, AWS Sagemaker)

  • Collaboration & Communication (e.g., Slack, Trello, Zoom)

  • Databases (e.g., Supabase, MongoDB)

  • CSM (e.g., HubSpot, Zendesk)

If a Detector doesn’t fit into one of these categories, but you believe it’s crucial, provide a compelling case for its inclusion.

3. User Base & Popularity:

The credential provider the Detector is targeting should have a healthy and active user base. Consider using metrics like:

– Monthly active users.

– GitHub stars (if it’s an open-source tool).

– Presence in industry reports or articles.

GETTING STARTED
  1. Fork the TruffleHog Repository.

  2. Fix or create a Detector. Commit and push your changes.

  3. Create a Pull Request.

  4. Label the Pull Request with either Hacktoberfest-Detector-Competition-Fix or Hacktoberfest-Detector-Competition-New.

  5. Sign the CLA.

  6. Wait for a review.


General Contributions

We’re also participating in Hacktoberfest, the open source contribution program sponsored by DigitalOcean. To maintain the integrity of TruffleHog, we’re looking for meaningful contributions that align with the project’s goals. Here are the types of contributions that are eligible:

– Issues labeled “Hacktoberfest”: We have a backlog of issues and some of them have been labeled “Hacktoberfest”.

– Expanding our Test Coverage: Add new tests or expand existing tests to increase our test coverage to make TruffleHog even more robust!