trufflehog: Find leaked credentials

Truffle Hog

Searches through git repositories for secrets, digging deep into commit history and branches. This is effective at finding secrets accidentally committed.

How it works

This module walks the entire commit history of each branch, examines the diff of every commit, and checks it for secrets, using both regular expressions and entropy analysis. For the entropy checks, trufflehog evaluates the Shannon entropy, over both the base64 character set and the hexadecimal character set, of every blob of text longer than 20 characters made up of characters from those sets in each diff. Whenever a high-entropy string longer than 20 characters is detected, it is printed to the screen.

TruffleHog has a sub-command for each source of data that you may want to scan:

  • git
  • github
  • gitlab
  • docker
  • s3
  • filesystem (files and directories)
  • syslog
  • circleci
  • travisci
  • gcs (Google Cloud Storage)
  • postman
  • jenkins
  • elasticsearch

TruffleHog v3 is a complete rewrite in Go with many new powerful features.

  • We’ve added over 700 credential detectors that support active verification against their respective APIs.
  • We’ve also added native support for scanning GitHub, GitLab, Docker, filesystems, S3, GCS, Circle CI and Travis CI.
  • Instantly verify private keys against millions of GitHub users and billions of TLS certificates using our Driftwood technology.
  • Scan binaries, documents, and other file formats
  • Available as a GitHub Action and a pre-commit hook

Install & Use