TRUFFLEHOG

COMPANY

RESOURCES

Dylan Ayrey

THE DIG

April 4, 2022

Introducing TruffleHog v3

Introducing TruffleHog v3

Dylan Ayrey

April 4, 2022

5 years ago I wrote the original TruffleHog tool to detect API keys, passwords and secrets that were committed to Git. This was a great research tool, but fell short many ways.

Introducing TruffleHog v3

We’ve since raised millions of dollars to build open source security tooling, starting with the next generation of TruffleHog, which is faster, detects 10x more secrets, and automatically validates 100% of the secrets it supports with dynamic checks.

Check it out here: https://github.com/trufflesecurity/trufflehog



KEY VERIFICATION

The most critical piece to our new detection engine is the verification step, which constitutes API calls to the providers for the keys identified. For example if we find an AWS key, we reach out to the GetCallerIdentity API endpoint to validate the AWS key found.

You can see this in action here:

https://github.com/trufflesecurity/trufflehog/blob/main/pkg/detectors/aws/aws.go#L92


We get creative with some of the checks we do, like with Driftwood for private encryption keys

PERFORMANCE

We also made some significant improvements to the scanner’s runtime speed. Notably, all secret detectors are now preflighted with string comparisons which run quite a bit faster than regular expressions. You can see one example of the string comparisons here:

https://github.com/trufflesecurity/trufflehog/blob/main/pkg/detectors/aws/aws.go#L31

We also made some git improvements that were heavily inspired by Gitleaks.

VOLUME OF KEYS

You can browse the 639 key types we now support, and check out how we do verification for all of them here:

https://github.com/trufflesecurity/trufflehog/tree/main/pkg/detectors

We do not know of another secrets scanning engine that supports this many key types, let alone the verification, and the fact they’re all now open source.

COLLABORATION

If you see a detector we’re missing, or see a way to improve an existing one, one of the most exciting things about open sourcing this engine is we can now all work on it together. Please check out our collaboration docs to see how you can contribute to detectors:

https://github.com/trufflesecurity/trufflehog/blob/main/hack/docs/Adding_Detectors_external.md

TRY IT OUT

Try the new engine out yourself with the following docker command:


docker run --rm -it -v "/tmp:/tmp" -v "$PWD:/pwd" trufflesecurity/trufflehog git


And check it out on GitHub for more details about how to run it and how to contribute

https://github.com/trufflesecurity/trufflehog