HelpNet Security

TruffleHog: Open-Source Solution for Scanning Secrets

TruffleHog is an open-source scanner that identifies and addresses exposed secrets throughout your entire technology stack.


Thousands of Popular Websites Leaking Secrets

Code security firm Truffle Security warns that thousands of the domains in the Alexa top 1 million websites list are leaking secrets, including credentials.


India’s national logistics portal exposed sensitive personal data, trade records

Called the National Logistics Portal-Marine, the website made the sensitive and private data public due to misconfigured Amazon S3 buckets. It also carried a JavaScript file that included login credentials into the web source code. Security researcher Bob Diachenko found the issues with the Indian portal through the open source security tool TruffleHog.

The New Stack

The Challenges of Secrets Management, from Code to Cloud

TruffleHog is a powerful open source tool for identifying secrets and sensitive information across an organization’s entire software development life cycle (SDLC). In addition to identifying secrets in code, TruffleHog can also detect insecurely shared secrets in other areas of the SDLC, such as configuration files, build scripts and deployment pipelines.


Docker users careless with secrets

The researchers emphasised that image creators need to be warned against uploading secrets to public Docker registries, and when deploying containers based on downloaded images, users should be warned that secrets like private keys might already be compromised. They also suggest that “credential-finding tools such as TruffleHog or SecretScanner … be integrated on both sides of the Docker paradigm.”

tl;dr sec

[tl;dr sec] #199 - Supply Chain Security Overview, Container Escapes, AI + Cybersecurity

Truffle’s Joe Leon et al. scanned the Alexa Top 1 Million for https://.com/.git, and found 4,500 exposed their source code (note: this is not even looking at sub paths, only top level).


Founder Spotlight: Dylan Ayrey of Truffle Security

As George Washington and Bill Belichick have often said: The best defense is a good offense. One of the best examples of this adage in action is Truffle Security, which helps companies identify and address credentials and passwords before hackers are able to find and exploit them.

SkyNet Tools

TruffleHog – Find Leaked Credentials In GitHub, GitLab, Filesystems, S3, & Circle CI