It’s been a little over 4 years since I originally open sourced Trufflehog. At the time the tool was meant to be a tool to help me with Bug Bounties. It’s been inspiring to watch so many members of the community use the tool over the years to help clean up GitHub, and in many cases, provide some income for hackers all over the world on platforms like Hackerone through responsible disclosure.
The impact of leaky credentials is also evolving, as I pointed out in my 2020 Blackhat talk centered around GCP credentials.
In 2017, I was never prescriptive about what one SHOULD do with their secrets. I wrote a tool that told people what they shouldn’t do, but in the world of infosec that’s not particularly useful if it’s not accompanied with a usable solution to complement the problem.
Today Truffle Security helps customers scan all kinds of things for leaky credentials, as seen below:
But that’s only half the story. What if you’re in a situation where you’ve determined you don’t want your keys in Slack, and Jira, but you don’t have a mature strategy towards secrets management.
There’s a lot of different secrets management solutions out there, but many of them aren’t very user friendly, and can be difficult to set up. One we’ve had our eye on recently is Doppler.
They’ve really taken a user friendly approach to managing sensitive environment variables, and are very quick to set up.
This helps with one of the most important things Truffle Security helps customers with: remediation and rotation. Of course we prefer to catch keys before they leak out, in pre-commit hooks, or IDE plugin, but they still happen. The more approachable and usable your secrets management solution is, the quicker leaked keys can be rotated out, and the less exposure time they have to bad actors.
Another difficult thing is you usually need a secret solution that can inject secrets across many different providers. This is because companies typically operate in a multi-cloud, on-prem, docker, Kubernetes hodgepodge, and all of those places typically have secrets needs. A good example is if you’re using docker locally, building in GitLab, and are deploying to Kubernetes, you need secrets potentially injected into all those places, and Doppler supports this.
Here’s a video demo of Truffle Security finding a key, moving the key into free community version of Doppler, and rotating the key:
I’m happy to tell a more complete story now, not just highlighting problems, but also providing solutions that are easy to use, and developer friendly.