trufflehog by trufflesecurity

CLI tool to find, verify, and analyze leaked credentials in various data sources

created 8 years ago
20,043 stars

Top 2.3% on sourcepulse

Project Summary

TruffleHog is a powerful open-source tool designed to discover, classify, and validate leaked credentials across various data sources. It targets developers, security professionals, and DevOps teams by providing automated detection of sensitive information like API keys and passwords, helping to prevent security breaches.

How It Works

TruffleHog ships more than 800 credential detectors, each tuned to the format of one secret type (AWS keys, GitHub tokens, Slack tokens, and so on). Its core innovation is active verification: a detected credential is tested against the service that issued it (for example, by making an AWS API call with a candidate AWS key), so that live secrets are separated from revoked, rotated, or look-alike strings, which sharply reduces false positives. Because verification sends the candidate secret to the third-party service, environments that must not do so can disable it with the --no-verification flag. The tool supports a wide array of data sources, including Git repositories, cloud storage (S3, GCS), filesystems, Docker images, and more, and can analyze what permissions and resources a verified credential grants.
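As an added illustration of that detect-then-verify loop (example code written for this page, not TruffleHog's own detectors), the Go program below scans a constructed sample for GitHub classic tokens and AWS access key IDs and verifies each GitHub match the way a real detector can: a GET to the GitHub API's /user endpoint carrying the token, where a 200 means the token is live and a 401 means it is rejected. The api.github.com endpoint and Authorization header are real; the fake transport, the sample tokens, and the three-state status vocabulary (borrowed from the tool's --results flag) are assumptions made here so that the program runs offline.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// Detector pairs a secret format with an optional check against the issuing service.
type Detector struct {
	Name   string
	Regex  *regexp.Regexp
	Verify func(ctx context.Context, secret string) (bool, error) // nil: never verified
}

// Finding.Status uses TruffleHog's --results vocabulary: verified, unverified, unknown.
type Finding struct {
	Detector, Secret, Status string
	Line                     int
	Err                      error // set when the service could not be reached
}

// Scan runs every detector over every line and verifies each match once.
func Scan(ctx context.Context, input string, detectors []Detector) []Finding {
	var out []Finding
	for i, line := range strings.Split(input, "\n") {
		for _, d := range detectors {
			for _, m := range d.Regex.FindAllString(line, -1) {
				f := Finding{Detector: d.Name, Secret: m, Line: i + 1, Status: "unknown"}
				if d.Verify != nil {
					if ok, err := d.Verify(ctx, m); err != nil {
						f.Err = err // unreachable service stays "unknown", never "unverified"
					} else if ok {
						f.Status = "verified"
					} else {
						f.Status = "unverified"
					}
				}
				out = append(out, f)
			}
		}
	}
	return out
}

// GitHubVerifier tests a token by calling GET /user with it: 200 = live, 401 = rejected.
func GitHubVerifier(baseURL string, client *http.Client) func(context.Context, string) (bool, error) {
	return func(ctx context.Context, secret string) (bool, error) {
		req, err := http.NewRequestWithContext(ctx, http.MethodGet, baseURL+"/user", nil)
		if err != nil {
			return false, err
		}
		req.Header.Set("Authorization", "token "+secret)
		resp, err := client.Do(req)
		if err != nil {
			return false, err
		}
		defer resp.Body.Close()
		switch resp.StatusCode {
		case http.StatusOK:
			return true, nil
		case http.StatusUnauthorized:
			return false, nil
		}
		return false, fmt.Errorf("github verify: unexpected status %d", resp.StatusCode)
	}
}

// roundTripFunc lets a function stand in for a transport so the example runs offline
// (an assumption of this example); pass http.DefaultClient instead to hit the real API.
type roundTripFunc func(*http.Request) (*http.Response, error)

func (f roundTripFunc) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }

// fakeGitHub is a constructed stand-in for api.github.com that accepts exactly one token.
func fakeGitHub(liveToken string) *http.Client {
	return &http.Client{Transport: roundTripFunc(func(r *http.Request) (*http.Response, error) {
		status := http.StatusUnauthorized
		if r.URL.Path == "/user" && r.Header.Get("Authorization") == "token "+liveToken {
			status = http.StatusOK
		}
		return &http.Response{StatusCode: status, Body: http.NoBody}, nil
	})}
}

// Constructed sample values: correct formats, none of them real credentials. The second
// token is well-formed but rejected; the AKIA value is AWS's documented example key ID.
const (
	liveTok     = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
	sampleInput = "# constructed sample, no real credentials\nGITHUB_TOKEN=" + liveTok +
		"\nOLD_TOKEN=ghp_zyxwvutsrqponmlkjihgfedcba9876543210\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"
)

// Demo scans the sample with a GitHub detector wired to the fake API and an AWS
// detector that has no verifier; findings come back in line order.
func Demo() []Finding {
	gh := Detector{Name: "GitHub PAT", Regex: regexp.MustCompile(`\bghp_[A-Za-z0-9]{36}\b`)}
	gh.Verify = GitHubVerifier("https://api.github.com", fakeGitHub(liveTok))
	aws := Detector{Name: "AWS Access Key ID", Regex: regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)}
	return Scan(context.Background(), sampleInput, []Detector{gh, aws})
}
```

Demo() returns three findings: the first token is verified, the second is unverified (well-formed but rejected by the service), and the AWS key is unknown because no verifier is wired for it. The split between unverified and unknown is the point worth copying: a detector whose service cannot be reached must report unknown rather than unverified, otherwise a network outage or a blocked egress rule would quietly downgrade a live key to a false positive.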

Quick Start & Requirements

  • Install: brew install trufflehog (macOS), or use Docker: docker run --rm -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys. Binary releases and installation scripts are also available.
  • Prerequisites: Docker engine for Docker installations. Cosign is recommended for verifying release artifacts.
  • Resources: Scanning a large Git organization can take a long time, especially without an authentication token, since unauthenticated GitHub API requests are heavily rate-limited.
  • Docs: product page, Quick Start Examples

Highlighted Details

  • Active verification of each detected credential against its issuing service, separating live keys from revoked, rotated, or look-alike strings; this sharply reduces false positives, though matches that cannot be verified (no verifier for that secret type, or the service unreachable) are still reported as unverified or unknown.
  • Supports scanning Git, S3, GCS, Docker, filesystems, Postman, Jenkins, Elasticsearch, and more.
  • Can analyze credential permissions and resource access.
  • Offers a pre-commit hook to prevent secrets from being committed.

Maintenance & Community

  • Actively developed, with v3 being a complete rewrite in Go.
  • Community channels available via Slack and Discord.
  • Contribution guidelines are provided.

Licensing & Compatibility

  • Licensed under AGPL-3.0.
  • AGPL-3.0 is a strong copyleft license: anyone who distributes a modified version, or makes one available to users over a network, must publish the modified source under the same license. Running the unmodified tool in CI or a scanning pipeline imposes no such obligation, but embedding or modifying it inside a commercial or closed-source product needs legal review.

Limitations & Caveats

  • The "Regex Detector" feature is currently in alpha and subject to change.
  • The "Cross Fork Object References" feature for scanning deleted commits is also noted as alpha.
  • The project requires a Contributor License Agreement (CLA) for contributions.

Health Check

Last commit: 1 day ago
Responsiveness: 1 week
Pull Requests (30d): 67
Issues (30d): 24
Star History: 1,164 stars in the last 90 days
