Haoxi Tan


February 7, 2024

How to Scan Azure Blobs for Secrets in 2024


What is Azure Storage and why does it have secrets?

Azure Blob Storage is one of Microsoft’s cloud storage offerings. Developers often use Azure Blob Storage’s scalable object storage to store all types of data including source code, configuration files, database backups, and more. That means a variety of secrets like API keys and credentials might be present inside Azure Blobs just waiting for attackers to find them. 

In 2023, Wiz researchers found an accidentally-leaked token that granted them access to an Azure Storage container belonging to Microsoft’s AI researchers. The Storage container had 38TB of sensitive data including private keys and chat screenshots.

What is TruffleHog and how does it work?

To scan the contents of an Azure Blob for secrets, use a secret scanning tool like TruffleHog. TruffleHog is open source, detects 800 different types of secrets, and verifies secrets by checking the credentials against the actual SaaS providers’ APIs. 

TruffleHog installation instructions can be found here. Now, let’s step through how to scan Azure Blobs for secrets.

Scanning an Azure Blob

To scan the contents of an Azure Blob for secrets, first download all available data via the Azure portal or the az CLI, or mount the container to a local directory with rclone's mount command. 

[Image: Downloading a file from Azure Storage, from Microsoft's documentation]

Then, scan the files on your local system using TruffleHog’s filesystem subcommand. 

As an example, if all files are downloaded and accessible in the current directory, you could run the following TruffleHog command:

trufflehog filesystem .

For any compressed files (such as gzip’d files, zip archives and so on), TruffleHog will automatically extract them and scan the contents inside, so manual extraction is not necessary.

[Image: An unverified AWS API key found in a test zip file]

By default, TruffleHog will verify every secret it identifies by making a live request to the relevant provider's API. Verification eliminates nearly all false positives, so security engineers and developers can focus on remediating true vulnerabilities and issues.
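A small triage wrapper, added here as an example rather than code from this post or from TruffleHog itself: it runs trufflehog filesystem <dir> --json over the directory of downloaded blobs and lists files holding verified secrets before unverified ones. The JSON field names it reads (DetectorName, Verified, Redacted, SourceMetadata.Data.Filesystem.file/line) are assumed from TruffleHog v3 output and should be checked against the version you run; the sample output is constructed.

```python
import json
import subprocess
import sys
from collections import defaultdict

# Constructed sample of two findings as `trufflehog filesystem . --json`
# prints them (one JSON object per line); not real scanner output.
SAMPLE_OUTPUT = """
{"DetectorName":"AWS","Verified":false,"Redacted":"AKIA****CONSTRUCTED","SourceMetadata":{"Data":{"Filesystem":{"file":"backup.zip","line":3}}}}
{"DetectorName":"Github","Verified":true,"Redacted":"ghp_****","SourceMetadata":{"Data":{"Filesystem":{"file":"config/app.env","line":7}}}}
"""

def parse_findings(ndjson_text):
    # Field names are assumed from TruffleHog v3 --json output; check your version.
    findings = []
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # progress/log lines are not findings
        obj = json.loads(line)
        if "DetectorName" not in obj:
            continue
        fs = obj.get("SourceMetadata", {}).get("Data", {}).get("Filesystem", {})
        findings.append({"detector": obj["DetectorName"],
                         "verified": bool(obj.get("Verified")),
                         "file": fs.get("file", "<unknown>"), "line": fs.get("line"),
                         "redacted": obj.get("Redacted") or "<redacted>"})  # never Raw
    return findings

def summarize(findings):
    # Group by file; files holding verified (live) secrets sort first.
    by_file = defaultdict(list)
    for f in findings:
        by_file[f["file"]].append(f)
    key = lambda kv: (-sum(f["verified"] for f in kv[1]), kv[0])
    return sorted(by_file.items(), key=key)

def scan(directory):
    # Run TruffleHog on the local copy of the blobs and parse its findings.
    proc = subprocess.run(["trufflehog", "filesystem", directory, "--json"],
                          capture_output=True, text=True, check=False)
    return parse_findings(proc.stdout)

if __name__ == "__main__":
    results = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, items in summarize(results):
        for f in items:
            tag = "VERIFIED" if f["verified"] else "unverified"
            print(f"{tag:10} {f['detector']:<12} {path}:{f['line']} {f['redacted']}")
    sys.exit(1 if any(f["verified"] for f in results) else 0)  # fail CI on live secrets
```

Run it as python triage.py ./downloaded-blobs; the non-zero exit code on any verified secret lets the script gate a pipeline, and only the redacted form of each secret is ever printed.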

TruffleHog Enterprise

If you’re looking for continuous monitoring and not just a one-off scan, please check out our enterprise version: . And if you’re an Azure Repos customer, we recently added a native Azure Repos integration for our Enterprise clients.