Third version of the open source software comes with significant upgrades
The newest version of TruffleHog has landed with support for more than 600 key types, furthering the tool’s ability to hunt for credential leaks.
Leaked credentials, including secret key pairs, are a serious cybersecurity issue. Keys can be abused to compromise enterprise networks, often more covertly and for longer time periods than the exploit of vulnerabilities in popular software.
The system can alert developers or researchers when websites or front-end applications are accidentally leaking keys. TruffleHog can also be used to find exposed .git repository credentials.
On April 4, Truffle Security co-founder Dylan Ayrey said in a blog post that TruffleHog is now entering its third phase with many improvements, including verification and enhanced key volume.
In December, Truffle Security raised $14 million in a Series A investment round. These funds have been used to improve the software – and Ayrey says that TruffleHog “is faster, detects 10x more secrets, and automatically validates 100% of the secrets it supports with dynamic checks”.
The most significant change is a new verification step. API calls can now be made to vendors who provide keys to validate a newly-discovered key. Secret detectors are also now preflighted to boost TruffleHog’s performance and runtime speed.
In addition, 639 key types are now supported, including AWS, Azure, Confluent, Facebook, and GitHub.
“We do not know of another secrets scanning engine that supports this many key types, let alone the verification, and the fact they’re all now open source,” Ayrey commented.
TruffleHog’s story began in 2017. Ayrey wrote the script to quickly find leaked API keys and secrets in Git source code, with the overall purpose of bug bounty submissions.
The code was published as an open source project. Its popularity led Ayrey, alongside Dustin Decker and Julian Dunning, to leave their jobs to focus full-time on Truffle Security and credential leakage tools.
Truffle Security has since released the TruffleHog Chrome extension, alongside Driftwood, open source software for discovering leaked, paired private, and public keys.
“I think the part we’re most excited about though is the verification piece,” Ayrey told The Daily Swig.
“It was such a pain to try and figure out if a key is still active or not, you would have to read the documentation for the key type and figure out how to test it out, and then you may find 20 inactive keys for every one active key that you’d manually have to try all 20. We now automate all of that.”