5 years ago I wrote the original TruffleHog tool to detect API keys, passwords and secrets that were committed to Git. This was a great research tool, but fell short in many ways.
We’ve since raised millions of dollars to build open source security tooling, starting with the next generation of TruffleHog, which is faster, detects 10x more secrets, and automatically validates 100% of the secrets it supports with dynamic checks.
The most critical piece of our new detection engine is the verification step, which consists of API calls to the providers for the keys identified. For example, if we find an AWS key, we reach out to the GetCallerIdentity API endpoint to validate the AWS key found.
You can see this in action here: https://github.com/trufflesecurity/trufflehog/blob/main/pkg/detectors/aws/aws.go#L92
We get creative with some of the checks we do, like with Driftwood for private encryption keys.
We also made some significant improvements to the scanner’s runtime speed. Notably, all secret detectors are now preflighted with string comparisons which run quite a bit faster than regular expressions. You can see one example of the string comparisons here: https://github.com/trufflesecurity/trufflehog/blob/main/pkg/detectors/aws/aws.go#L31
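As an added illustration of the two stages described above (the string-comparison preflight in front of the regex, and the verification step), here is a small Go sketch that is not TruffleHog's own code: the Detector type, the AKIA pattern and the injectable verify function are constructed for this example, with a stub standing in for the GetCallerIdentity call so it runs offline.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Detector: a cheap substring preflight gates the regex, then each match is verified.
type Detector struct {
	Keywords []string
	Pattern  *regexp.Regexp
}

// Constructed AWS access key ID pattern (AKIA + 16 uppercase alphanumerics); illustrative, not TruffleHog's regex.
var AWSDetector = Detector{
	Keywords: []string{"AKIA"},
	Pattern:  regexp.MustCompile(`\b(AKIA[0-9A-Z]{16})\b`),
}

// Scan maps each distinct match to its verification result. verify is a
// hypothetical hook standing in for the provider call (GetCallerIdentity for AWS).
func (d Detector) Scan(data []byte, verify func(string) bool) map[string]bool {
	text := string(data)
	hit := false
	for _, kw := range d.Keywords {
		if strings.Contains(text, kw) {
			hit = true
			break
		}
	}
	if !hit {
		return nil // no keyword present: skip the regex entirely
	}
	found := map[string]bool{}
	for _, m := range d.Pattern.FindAllStringSubmatch(text, -1) {
		if _, dup := found[m[1]]; dup {
			continue // verify each distinct key only once
		}
		found[m[1]] = verify != nil && verify(m[1])
	}
	return found
}

func main() {
	// Constructed sample: the stub treats the first key as live, the second as revoked.
	sample := []byte("aws_access_key_id = AKIAIOSFODNN7EXAMPLE\nold = AKIAAAAAAAAAAAAAAAAA\n")
	stub := func(k string) bool { return k == "AKIAIOSFODNN7EXAMPLE" }
	fmt.Println(AWSDetector.Scan(sample, stub))
}
```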
We also made some git improvements that were heavily inspired by Gitleaks.
You can browse the 639 key types we now support, and check out how we do verification for all of them here: https://github.com/trufflesecurity/trufflehog/tree/main/pkg/detectors
We do not know of another secrets scanning engine that supports this many key types, let alone the verification, and the fact they’re all now open source.
If you see a detector we’re missing, or see a way to improve an existing one, one of the most exciting things about open sourcing this engine is that we can now all work on it together. Please check out our collaboration docs to see how you can contribute detectors: https://github.com/trufflesecurity/trufflehog/blob/main/hack/docs/Adding_Detectors_external.md
Try the new engine out yourself with the following docker command:
docker run --rm -it -v "/tmp:/tmp" -v "$PWD:/pwd" trufflesecurity/trufflehog git https://github.com/trufflesecurity/test_keys.git
And check it out on GitHub for more details about how to run it and how to contribute: https://github.com/trufflesecurity/trufflehog