Find and analyze leaked credentials

Post author: @the_osps

Find and Analyze Leaked Credentials with TruffleHog

As developers, we've all been there. You push a commit, maybe to a public repo by accident, and that sinking feeling hits: did I just leak an API key? Or worse, a database connection string? Credential leaks happen, and they're a massive security risk. Manually searching through code, commits, and history is like looking for a needle in a haystack. What if a tool could do that for you, and do it well?

Enter TruffleHog. This open-source tool acts like a bloodhound for secrets, sniffing out accidentally committed credentials across your Git history and even in real-time as you code. It's the automated code review partner for security you never knew you needed.

What It Does

In a nutshell, TruffleHog scans Git repositories for high-entropy strings (things that look like secrets) and known patterns for over 700 different types of credentials—think AWS keys, Slack tokens, database passwords, and more. It doesn't just do a simple regex match; it goes the extra mile by verifying the suspected credentials against the respective service's API. This means far fewer false positives. You're not just alerted to something that looks like a key; you're alerted to a key that is actually active and valid.

Why It's Cool

The verification step is the killer feature. Anyone can write a script to find strings that match a pattern. TruffleHog takes it out of the realm of guesswork. Finding an old, disabled key is a minor concern; finding a live, active key is a five-alarm fire, and this tool tells you the difference.

It's also incredibly versatile. You can point it at a local repo, a remote GitHub URL, or even a GitHub PR to scan the diff. For the DevOps crowd, it can be integrated directly into CI/CD pipelines (like GitHub Actions) to automatically block commits that contain new secrets, shifting security left and preventing leaks before they happen.

How to Try It

Getting started is a classic brew-and-go (or docker-and-go) situation.

Install with Go:

go install github.com/trufflesecurity/trufflehog/v3@latest

Or use Docker:

docker run --rm -v "$PWD":/tmp trufflesecurity/trufflehog git file:///tmp

To scan a public GitHub repository directly, the command is straightforward:

trufflehog github --repo=https://github.com/[user]/[repo]

The tool will output any verified secrets it finds, along with the commit hash and the offending string, so you can track down and remediate the leak immediately. Check out the TruffleHog GitHub repository for more detailed usage, including how to set up those all-important CI checks.
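To make the pattern-plus-entropy detection and the verification step described under "What It Does" concrete, and to show the kind of gate a CI job would apply (as in the pipeline integration above), here is a small added example; it is our own code, not TruffleHog's. The detector rules, the entropy threshold, the verify hook signature and the sample diff lines are all assumptions constructed for the example.

```python
import math
import re
from collections import Counter

# Assumed rules (ours, not TruffleHog's): fixed-format patterns plus an entropy screen.
PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GitHub PAT": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Base64-ish runs of 20+ chars that are not glued to neighbouring alphanumerics.
GENERIC_TOKEN = re.compile(r"(?<![A-Za-z0-9])[A-Za-z0-9+/]{20,}(?![A-Za-z0-9])")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cutoff, tune per code base

def shannon_entropy(s):  # bits per character; 0 for a single repeated character
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def redact(secret):  # reports must never re-leak the full value
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:] if len(secret) > 8 else "*" * len(secret)

def scan_lines(lines, verify=None):
    """verify(detector, raw) is a caller-supplied hook (e.g. a live API probe) returning
    True/False, or None when no check was made; it stands in for TruffleHog's verification."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        hits = {}  # raw secret -> detector name
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line):
                hits[m.group(0)] = name
        for m in GENERIC_TOKEN.finditer(line):
            tok = m.group(0)
            if any(tok in raw for raw in hits) or shannon_entropy(tok) < ENTROPY_THRESHOLD:
                continue  # already covered by a pattern hit, or not random-looking enough
            hits[tok] = "high-entropy string"
        for raw, name in hits.items():
            findings.append({"line": lineno, "detector": name, "redacted": redact(raw),
                             "verified": verify(name, raw) if verify else None})
    return findings

def should_block(findings, verified_only=True):
    """CI gate: fail on any verified finding, or (verified_only=False) on any finding."""
    return any(f["verified"] for f in findings) if verified_only else bool(findings)

# Constructed sample diff: the AWS values are AWS's documentation example keys, the rest is made up.
SAMPLE_DIFF = [
    "+aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "+aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "+GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz",
    "+placeholder = 'aaaaaaaaaaaaaaaaaaaaaaaa'",
]
```

With no verify hook every finding is reported as unverified and the default gate lets the commit through; wiring in a real check is what turns "looks like a key" into "is a live key", which is the distinction the post is about.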

Final Thoughts

TruffleHog is one of those pragmatic, no-nonsense tools that just solves a real problem effectively. It's not about fear-mongering around security; it's about giving developers a concrete way to find and fix mistakes before they become major incidents. Whether you're doing a one-off audit of your old projects or baking it into your daily workflow, it's an invaluable addition to your toolkit. Running it on your own repos can be a real eye-opener—in the best way possible.

Follow @githubprojects for more cool projects.

Project ID: 1966720368883777810
Last updated: September 13, 2025 at 04:27 AM