Introducing TruffleHog v3

5 years ago I wrote the original TruffleHog tool to detect API keys, passwords and secrets that were committed to Git. This was a great research tool, but fell short in many ways.

We’ve since raised millions of dollars to build open source security tooling, starting with the next generation of TruffleHog, which is faster, detects 10x more secrets, and automatically validates 100% of the secrets it supports with dynamic checks.

https://github.com/trufflesecurity/trufflehog

Key Verification

The most critical piece of our new detection engine is the verification step, which consists of API calls to the providers of the keys identified. For example, if we find an AWS key, we reach out to the GetCallerIdentity API endpoint to validate the AWS key found.

You can see this in action here: https://github.com/trufflesecurity/trufflehog/blob/main/pkg/detectors/aws/aws.go#L92

We get creative with some of the checks we do, like with Driftwood for private encryption keys.

Performance

We also made some significant improvements to the scanner’s runtime speed. Notably, all secret detectors are now preflighted with string comparisons which run quite a bit faster than regular expressions. You can see one example of the string comparisons here: https://github.com/trufflesecurity/trufflehog/blob/main/pkg/detectors/aws/aws.go#L31
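As an added illustration of the two sections above (this is example code written for this page, not code from the TruffleHog repository), the Go program below sketches the shape a detector takes: a cheap keyword preflight with strings.Contains, a regex match only for chunks that pass it, and a pluggable verification step standing in for the provider call (GetCallerIdentity in the AWS case). The detector type, the Verifier interface and the stub verifier are assumptions made for this example; the sample input is constructed and reuses the access key ID that appears in AWS's own documentation. A real AWS check also needs the paired secret access key to sign the STS request, which the stub leaves out.

```go
package main

import (
	"context"
	"fmt"
	"regexp"
	"strings"
)

// Result is one candidate secret together with the outcome of verification.
type Result struct {
	Raw      string // the matched key material
	Verified bool   // true only when the live check succeeded
}

// Verifier abstracts the provider call (for AWS, STS GetCallerIdentity).
// It is injected so the detector can be exercised offline; a real
// implementation would sign an STS request with the paired secret key.
type Verifier func(ctx context.Context, key string) (bool, error)

// awsDetector is a hypothetical detector following the two-stage design
// described in the post: keyword preflight, regex match, live verification.
type awsDetector struct {
	keywords []string
	pattern  *regexp.Regexp
	verify   Verifier
}

func newAWSDetector(v Verifier) *awsDetector {
	return &awsDetector{
		keywords: []string{"AKIA"},
		// AWS access key IDs start with AKIA followed by 16 uppercase
		// alphanumerics; word boundaries avoid matching inside longer tokens.
		pattern: regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`),
		verify:  v,
	}
}

// preflight is the cheap gate: a substring search is far less work than a
// regex, so chunks without any keyword never reach the pattern at all.
func (d *awsDetector) preflight(data string) bool {
	for _, kw := range d.keywords {
		if strings.Contains(data, kw) {
			return true
		}
	}
	return false
}

// FromData scans one chunk of text and returns each distinct candidate with
// its verification status. A verification error is reported as unverified
// rather than dropped, so a transient network failure never hides a finding.
func (d *awsDetector) FromData(ctx context.Context, data string) []Result {
	if !d.preflight(data) {
		return nil
	}
	seen := map[string]bool{}
	var results []Result
	for _, m := range d.pattern.FindAllString(data, -1) {
		if seen[m] {
			continue
		}
		seen[m] = true
		ok, err := d.verify(ctx, m)
		results = append(results, Result{Raw: m, Verified: err == nil && ok})
	}
	return results
}

// Constructed sample chunk: the first ID is the example key from AWS's
// documentation, the second is a made-up ID of the same shape.
const sampleChunk = "aws_access_key_id=AKIAIOSFODNN7EXAMPLE\nold_key=AKIAAAAAAAAAAAAAAAAA\n"

// stubVerifier stands in for the STS call and treats only the documented
// example ID as "live" so the output shows both verified and unverified hits.
func stubVerifier(_ context.Context, key string) (bool, error) {
	return key == "AKIAIOSFODNN7EXAMPLE", nil
}

func main() {
	d := newAWSDetector(stubVerifier)
	for _, r := range d.FromData(context.Background(), sampleChunk) {
		fmt.Printf("found %s verified=%v\n", r.Raw, r.Verified)
	}
}
```

The preflight and the regex are both pure string work and cost nothing to run at scale; only candidates that survive both reach the verifier, which is where the network round trip (and the rate limits) live. Swapping stubVerifier for a function that calls STS with the matched credentials gives the validated-only output the post describes.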

We also made some git improvements that were heavily inspired by Gitleaks.

Volume of keys

You can browse the 639 key types we now support, and check out how we do verification for all of them here: https://github.com/trufflesecurity/trufflehog/tree/main/pkg/detectors

We do not know of another secrets scanning engine that supports this many key types, let alone verifies them, and the fact that they’re all now open source.

Collaboration

If you see a detector we’re missing, or see a way to improve an existing one, one of the most exciting things about open sourcing this engine is we can now all work on it together. Please check out our collaboration docs to see how you can contribute to detectors: https://github.com/trufflesecurity/trufflehog/blob/main/hack/docs/Adding_Detectors_external.md

Try it out

Try the new engine out yourself with the following docker command:

docker run --rm -it -v "/tmp:/tmp" -v "$PWD:/pwd" trufflesecurity/trufflehog git https://github.com/trufflesecurity/test_keys.git

And check it out on GitHub for more details about how to run it and how to contribute https://github.com/trufflesecurity/trufflehog


© 2022 Truffle Security. All Rights Reserved.