trufflehog

command module
v3.3.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 15, 2022 License: AGPL-3.0 Imports: 24 Imported by: 0

README

GoReleaser Logo

TruffleHog

Find leaked credentials.

CI Status Go Report Card License

Join The Slack

Have questions? Feedback? Jump in slack and hang out with us

https://join.slack.com/t/trufflehog-community/shared_invite/zt-pw2qbi43-Aa86hkiimstfdKH9UCpPzQ

Demo

GitHub scanning demo

docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=trufflesecurity

What's new in v3?

TruffleHog v3 is a complete rewrite in Go with many new powerful features.

  • We've added over 600 credential detectors that support active verification against their respective APIs.
  • We've also added native support for scanning GitHub, GitLab, filesystems, and S3.

What is credential verification?

For every potential credential that is detected, we've painstakingly implemented programatic verification against the API that we think it belongs to. Verification eliminates false positives. For example, the AWS credential detector performs a GetCallerIdentity API call against the AWS API to verify if an AWS credential is active.

Installation

Several options:

1. Go

git clone https://github.com/trufflesecurity/trufflehog.git

cd trufflehog; go install

2. Release binaries

3. Docker

Note: Apple M1 hardware users should run with docker run --platform linux/arm64 for better performance.

Most users
docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys
Apple M1 users

The linux/arm64 image is better to run on the M1 than the amd64 image. Even better is running the native darwin binary avilable, but there is not container image for that.

docker run --platform linux/arm64 -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys

4. Pip (help wanted)

It's possible to distribute binaries in pip wheels.

Here is an example of a project that does it.

Help with setting up this packaging would be appreciated!

5. Brew

brew tap trufflesecurity/trufflehog
brew install trufflehog

Usage

TruffleHog has a sub-command for each source of data that you may want to scan:

  • git
  • github
  • gitlab
  • S3
  • filesystem
  • file and stdin (coming soon)

Each subcommand can have options that you can see with the -h flag provided to the sub command:

$ trufflehog git --help
usage: TruffleHog git [<flags>] <uri>

Find credentials in git repositories.

Flags:
      --help                     Show context-sensitive help (also try --help-long and --help-man).
      --debug                    Run in debug mode
      --version                  Prints trufflehog version.
  -j, --json                     Output in JSON format.
      --json-legacy              Use the pre-v3.0 JSON format. Only works with git, gitlab, and github sources.
      --concurrency=1            Number of concurrent workers.
      --no-verification          Don't verify the results.
      --only-verified            Only output verified results.
      --print-avg-detector-time  Print the average time spent on each detector.
      --no-update                Don't check for updates.
  -i, --include-paths=INCLUDE-PATHS
                                 Path to file with newline separated regexes for files to include in scan.
  -x, --exclude-paths=EXCLUDE-PATHS
                                 Path to file with newline separated regexes for files to exclude in scan.
      --since-commit=SINCE-COMMIT
                                 Commit to start scan from.
      --branch=BRANCH            Branch to scan.
      --max-depth=MAX-DEPTH      Maximum depth of commits to scan.
      --allow                    No-op flag for backwards compat.
      --entropy                  No-op flag for backwards compat.
      --regex                    No-op flag for backwards compat.

Args:
  <uri>  Git repository URL. https:// or file:// schema expected.

For example, to scan a git repository, start with

$ trufflehog git https://github.com/trufflesecurity/trufflehog.git
Scanning an organization

Try scanning an entire GitHub organization with the following:

docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=trufflesecurity

Contributors

This project exists thanks to all the people who contribute. [Contribute].

Contributing

Contributions are very welcome! Please see our contribution guidelines first.

We no longer accept contributions to TruffleHog v2, but that code is available in the v2 branch.

Adding new secret detectors

We have published some documentation and tooling to get started on adding new secret detectors. Let's improve detection together!

License Change

Since v3.0, TruffleHog is released under a AGPL 3 license, included in LICENSE. TruffleHog v3.0 uses none of the previous codebase, but care was taken to preserve backwards compatibility on the command line interface. The work previous to this release is still available licensed under GPL 2.0 in the history of this repository and the previous package releases and tags. A completed CLA is required for us to accept contributions going forward.

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Directories

Path Synopsis
hack
generate
snifftest
pkg
common
decoders
detectors
detectors/abbysale
detectors/abstract
detectors/abuseipdb
detectors/accuweather
detectors/adafruitio
detectors/adobeio
detectors/adzuna
detectors/aeroworkflow
detectors/agora
detectors/airbrakeprojectkey
detectors/airbrakeuserkey
detectors/airship
detectors/airtableapikey
detectors/airvisual
detectors/alconost
detectors/alegra
detectors/aletheiaapi
detectors/algoliaadminkey
detectors/alibaba
detectors/alienvault
detectors/allsports
detectors/amadeus
detectors/ambee
detectors/amplitudeapikey
detectors/anypoint
detectors/apacta
detectors/apacta/apacta
detectors/api2cart
detectors/apideck
detectors/apiflash
detectors/apifonica
detectors/apify
detectors/apimatic
detectors/apimatic/apimatic
detectors/apiscience
detectors/apiscience/apiscience
detectors/apitemplate
detectors/apollo
detectors/appcues
detectors/appfollow
detectors/appsynergy
detectors/appsynergy/appsynergy
detectors/apptivo
detectors/artifactory
detectors/artsy
detectors/asanaoauth
detectors/asanapersonalaccesstoken
detectors/assemblyai
detectors/audd
detectors/auth0managementapitoken
detectors/auth0oauth
detectors/autodesk
detectors/autoklose
detectors/autopilot
detectors/avazapersonalaccesstoken
detectors/aviationstack
detectors/aws
detectors/axonaut
detectors/aylien
detectors/ayrshare
detectors/azure
detectors/bannerbear
detectors/baremetrics
detectors/baseapiio
detectors/beamer
detectors/beebole
detectors/beebole/beebole
detectors/besttime
detectors/billomat
detectors/bitbar
detectors/bitcoinaverage
detectors/bitfinex
detectors/bitlyaccesstoken
detectors/bitmex
detectors/blablabus
detectors/blazemeter
detectors/blitapp
detectors/blogger
detectors/bombbomb
detectors/boostnote
detectors/borgbase
detectors/brandfetch
detectors/browshot
detectors/buddyns
detectors/bugherd
detectors/bugsnag
detectors/buildkite
detectors/bulbul
detectors/buttercms
detectors/caflou
detectors/caflou/caflou
detectors/calendarific
detectors/calendlyapikey
detectors/calorieninja
detectors/campayn
detectors/cannyio
detectors/capsulecrm
detectors/captaindata
detectors/carboninterface
detectors/cashboard
detectors/cashboard/cashboard
detectors/caspio
detectors/censys
detectors/centralstationcrm
detectors/cexio
detectors/chatbot
detectors/chatfule
detectors/checio
detectors/checio/checio
detectors/checklyhq
detectors/checklyhq/checklyhq
detectors/checkout
detectors/checkvist
detectors/cicero
detectors/circleci
detectors/clarifai
detectors/clearbit
detectors/clickhelp
detectors/clicksendsms
detectors/clickuppersonaltoken
detectors/cliengo
detectors/clinchpad
detectors/clockify
detectors/clockworksms
detectors/closecrm
detectors/cloudelements
detectors/cloudelements/cloudelements
detectors/cloudflareapitoken
detectors/cloudflarecakey
detectors/cloudflareglobalapikey
detectors/cloudimage
detectors/cloudmersive
detectors/cloudplan
detectors/cloverly
detectors/cloze
detectors/clustdoc
detectors/codacy
detectors/codequiry
detectors/coinapi
detectors/coinbase
detectors/coinlayer
detectors/coinlib
detectors/column
detectors/commercejs
detectors/commodities
detectors/companyhub
detectors/confluent
detectors/contentfulpersonalaccesstoken
detectors/convertkit
detectors/convier
detectors/copper
detectors/countrylayer
detectors/courier
detectors/courier/courier
detectors/coveralls
detectors/craftmypdf
detectors/crowdin
detectors/cryptocompare
detectors/currencycloud
detectors/currencyfreaks
detectors/currencylayer
detectors/currencyscoop
detectors/currentsapi
detectors/customerguru
detectors/customerio
detectors/d7network
detectors/dailyco
detectors/dandelion
detectors/datadogtoken
detectors/datafire
detectors/datagov
detectors/debounce
detectors/deepai
detectors/deepgram
detectors/delighted
detectors/deputy
detectors/deputy/deputy
detectors/detectlanguage
detectors/dfuse
detectors/diffbot
detectors/digitaloceantoken
detectors/discordbottoken
detectors/discordwebhook
detectors/ditto
detectors/ditto/ditto
detectors/dnscheck
detectors/documo
detectors/doppler
detectors/dotmailer
detectors/dovico
detectors/dronahq
detectors/dronahq/dronahq
detectors/droneci
detectors/dropbox
detectors/dwolla
detectors/dynalist
detectors/dyspatch
detectors/eagleeyenetworks
detectors/eagleeyenetworks/eagleeyenetworks
detectors/easyinsight
detectors/edamam
detectors/edenai
detectors/eightxeight
detectors/elasticemail
detectors/enablex
detectors/enigma
detectors/ethplorer
detectors/etsyapikey
detectors/everhour
detectors/exchangerateapi
detectors/exchangeratesapi
detectors/extractorapi
detectors/facebookoauth
detectors/faceplusplus
detectors/fakejson
detectors/fastforex
detectors/fastforex/fastforex
detectors/fastlypersonaltoken
detectors/feedier
detectors/fetchrss
detectors/figmapersonalaccesstoken
detectors/fileio
detectors/finage
detectors/financialmodelingprep
detectors/findl
detectors/findl/findl
detectors/finnhub
detectors/fixerio
detectors/flatio
detectors/fleetbase
detectors/flickr
detectors/flightapi
detectors/flightstats
detectors/float
detectors/flowflu
detectors/flutterwave
detectors/fmfw
detectors/fmfw/fmfw
detectors/formbucket
detectors/formio
detectors/foursquare
detectors/frameio
detectors/freshbooks
detectors/freshdesk
detectors/freshdesk/freshdesk
detectors/front
detectors/fulcrum
detectors/fullstory
detectors/fusebill
detectors/fusebill/fusebill
detectors/fxmarket
detectors/gcp
detectors/geckoboard
detectors/geckoboard/geckoboard
detectors/generic
detectors/gengo
detectors/geoapify
detectors/geocode
detectors/geocodify
detectors/geocodio
detectors/geoipifi
detectors/getemail
detectors/getemails
detectors/getgeoapi
detectors/getgist
detectors/getsandbox
detectors/getsandbox/getsandbox
detectors/github
detectors/github_old
detectors/githubapp
detectors/gitlab
detectors/gitlabv2
detectors/gitter
detectors/glassnode
detectors/glitterlyapi
detectors/gocanvas
detectors/gocardless
detectors/goodday
detectors/goodday/goodday
detectors/graphcms
detectors/graphhopper
detectors/groovehq
detectors/guardianapi
detectors/guru
detectors/gyazo
detectors/happi
detectors/happi/happi
detectors/happyscribe
detectors/harvest
detectors/hellosign
detectors/helpcrunch
detectors/helpscout
detectors/hereapi
detectors/heroku
detectors/hive
detectors/hiveage
detectors/holidayapi
detectors/host
detectors/html2pdf
detectors/hubspotapikey
detectors/humanity
detectors/hunter
detectors/hybiscus
detectors/hypertrack
detectors/ibmclouduserkey
detectors/iconfinder
detectors/iexcloud
detectors/imagekit
detectors/imagga
detectors/impala
detectors/insightly
detectors/integromat
detectors/intercom
detectors/intrinio
detectors/invoiceocean
detectors/invoiceocean/invoiceocean
detectors/ipapi
detectors/ipgeolocation
detectors/ipify
detectors/ipinfodb
detectors/ipquality
detectors/ipstack
detectors/jdbc
detectors/jiratoken
detectors/jotform
detectors/jumpcloud
detectors/juro
detectors/kanban
detectors/kanban/kanban
detectors/karmacrm
detectors/keenio
detectors/kickbox
detectors/klipfolio
detectors/knapsackpro
detectors/kontent
detectors/kraken
detectors/kucoin
detectors/kylas
detectors/languagelayer
detectors/lastfm
detectors/launchdarkly
detectors/leadfeeder
detectors/lendflow
detectors/lessannoyingcrm
detectors/lexigram
detectors/linearapi
detectors/linemessaging
detectors/linenotify
detectors/linkpreview
detectors/liveagent
detectors/livestorm
detectors/loadmill
detectors/lob
detectors/locationiq
detectors/loginradius
detectors/lokalisetoken
detectors/loyverse
detectors/luno
detectors/luno/luno
detectors/m3o
detectors/macaddress
detectors/madkudu
detectors/magicbell
detectors/magnetic
detectors/mailboxlayer
detectors/mailchimp
detectors/mailerlite
detectors/mailgun
detectors/mailjetbasicauth
detectors/mailjetsms
detectors/mailmodo
detectors/mailsac
detectors/mandrill
detectors/manifest
detectors/manifest/manifest
detectors/mapbox
detectors/mapquest
detectors/marketstack
detectors/mattermostpersonaltoken
detectors/mavenlink
detectors/maxmindlicense
detectors/meaningcloud
detectors/mediastack
detectors/meistertask
detectors/meistertask/meistertask
detectors/mesibo
detectors/messagebird
detectors/metaapi
detectors/metrilo
detectors/microsoftteamswebhook
detectors/midise
detectors/mindmeister
detectors/miro
detectors/mite
detectors/mite/mite
detectors/mixmax
detectors/mixmax/mixmax
detectors/mixpanel
detectors/mockaroo
detectors/moderation
detectors/monday
detectors/moonclerck
detectors/moonclerk
detectors/moosend
detectors/mrticktock
detectors/myfreshworks
detectors/myintervals
detectors/myintervals/myintervals
detectors/nasdaqdatalink
detectors/nethunt
detectors/netlify
detectors/neutrinoapi
detectors/newrelicpersonalapikey
detectors/newsapi
detectors/newscatcher
detectors/nexmoapikey
detectors/nftport
detectors/nicereply
detectors/nimble
detectors/nitro
detectors/noticeable
detectors/notion
detectors/nozbeteams
detectors/numverify
detectors/nutritionix
detectors/nylas
detectors/nytimes
detectors/oanda
detectors/oanda/oanda
detectors/okta
detectors/omnisend
detectors/onedesk
detectors/onelogin
detectors/onepagecrm
detectors/onwaterio
detectors/oopspam
detectors/opencagedata
detectors/opengraphr
detectors/openuv
detectors/openweather
detectors/optimizely
detectors/owlbot
detectors/pagerdutyapikey
detectors/pandadoc
detectors/pandascore
detectors/paralleldots
detectors/partnerstack
detectors/passbase
detectors/pastebin
detectors/paymoapp
detectors/paymoapp/paymoapp
detectors/paymongo
detectors/paypaloauth
detectors/paystack
detectors/pdflayer
detectors/pdfshift
detectors/peopledatalabs
detectors/peopledatalabs/peopledatalabs
detectors/pepipost
detectors/pipedream
detectors/pipedrive
detectors/pivotaltracker
detectors/pixabay
detectors/plaidkey
detectors/planviewleankit
detectors/planyo
detectors/plivo
detectors/poloniex
detectors/polygon
detectors/positionstack
detectors/postageapp
detectors/posthog
detectors/postman
detectors/postmark
detectors/powrbot
detectors/privatekey
detectors/prospectcrm
detectors/prospectio
detectors/protocolsio
detectors/proxycrawl
detectors/pubnubpublishkey
detectors/pubnubsubscriptionkey
detectors/purestake
detectors/pushbulletapikey
detectors/pusherchannelkey
detectors/qase
detectors/qualaroo
detectors/qubole
detectors/quickmetrics
detectors/rapidapi
detectors/raven
detectors/rawg
detectors/razorpay
detectors/readme
detectors/reallysimplesystems
detectors/rebrandly
detectors/refiner
detectors/repairshopr
detectors/restpack
detectors/restpackhtmltopdfapi
detectors/restpackscreenshotapi
detectors/rev
detectors/revampcrm
detectors/ringcentral
detectors/ritekit
detectors/roaring
detectors/rocketreach
detectors/roninapp
detectors/route4me
detectors/rownd
detectors/rubygems
detectors/runrunit
detectors/salesblink
detectors/salescookie
detectors/salesflare
detectors/satismeterprojectkey
detectors/satismeterwritekey
detectors/saucelabs
detectors/scalewaykey
detectors/scrapeowl
detectors/scraperapi
detectors/scraperbox
detectors/scrapersite
detectors/scrapestack
detectors/scrapfly
detectors/scrapfly/scrapfly
detectors/scrapingant
detectors/scrapingbee
detectors/screenshotapi
detectors/screenshotlayer
detectors/securitytrails
detectors/segmentapikey
detectors/selectpdf
detectors/selectpdf/selectpdf
detectors/semaphore
detectors/sendbird
detectors/sendbirdorganizationapi
detectors/sendgrid
detectors/sendinbluev2
detectors/sentiment
detectors/sentrytoken
detectors/serphouse
detectors/serpstack
detectors/sheety
detectors/sherpadesk
detectors/sherpadesk/sherpadesk
detectors/shipday
detectors/shodankey
detectors/shortcut
detectors/shotstack
detectors/shotstack/shotstack
detectors/shutterstock
detectors/shutterstockoauth
detectors/signable
detectors/signalwire
detectors/signaturit
detectors/signupgenius
detectors/sigopt
detectors/sigopt/sigopt
detectors/simplesat
detectors/simplynoted
detectors/simplynoted/simplynoted
detectors/simvoly
detectors/sinchmessage
detectors/sirv
detectors/siteleaf
detectors/skrappio
detectors/skybiometry
detectors/slack
detectors/slackwebhook
detectors/smartsheets
detectors/smartystreets
detectors/smooch
detectors/snipcart
detectors/snykkey
detectors/sparkpost
detectors/splunkobservabilitytoken
detectors/spoonacular
detectors/sportsmonk
detectors/spotifykey
detectors/square
detectors/squareapp
detectors/squarespace
detectors/squareup
detectors/sslmate
detectors/statuspage
detectors/statuspal
detectors/stitchdata
detectors/stockdata
detectors/storecove
detectors/stormglass
detectors/storyblok
detectors/storychief
detectors/strava
detectors/streak
detectors/stripe
detectors/stytch
detectors/sugester
detectors/sumologickey
detectors/supernotesapi
detectors/surveyanyplace
detectors/surveybot
detectors/surveysparrow
detectors/survicate
detectors/swell
detectors/swiftype
detectors/swiftype/swiftype
detectors/tallyfy
detectors/tatumio
detectors/taxjar
detectors/teamgate
detectors/teamworkcrm
detectors/teamworkdesk
detectors/teamworkspaces
detectors/technicalanalysisapi
detectors/telegrambottoken
detectors/teletype
detectors/telnyx
detectors/terraformcloudpersonaltoken
detectors/testdetector
detectors/text2data
detectors/textmagic
detectors/theoddsapi
detectors/thinkific
detectors/thousandeyes
detectors/thousandeyes/thousandeyes
detectors/ticketmaster
detectors/tiingo
detectors/timecamp
detectors/timezoneapi
detectors/tly
detectors/tmetric
detectors/todoist
detectors/toggltrack
detectors/tomorrowio
detectors/tomtom
detectors/tradier
detectors/travelpayouts
detectors/travelpayouts/travelpayouts
detectors/travisci
detectors/trelloapikey
detectors/tru
detectors/twelvedata
detectors/twilio
detectors/twitter
detectors/tyntec
detectors/typeform
detectors/ubidots
detectors/unifyid
detectors/unplugg
detectors/unsplash
detectors/upcdatabase
detectors/uplead
detectors/uploadcare
detectors/upwave
detectors/upwave/upwave
detectors/uri
detectors/urlscan
detectors/user
detectors/userflow
detectors/userstack
detectors/vatlayer
detectors/vercel
detectors/verifier
detectors/verimail
detectors/veriphone
detectors/versioneye
detectors/versioneye/versioneye
detectors/viewneo
detectors/viewneo/viewneo
detectors/virustotal
detectors/visualcrossing
detectors/voicegain
detectors/vouchery
detectors/vpnapi
detectors/vultrapikey
detectors/vyte
detectors/walkscore
detectors/weatherbit
detectors/weatherstack
detectors/webex
detectors/webflow
detectors/webscraper
detectors/webscraper/webscraper
detectors/webscraping
detectors/wepay
detectors/whoxy
detectors/wistia
detectors/worksnaps
detectors/worksnaps/worksnaps
detectors/workstack
detectors/worldcoinindex
detectors/worldweather
detectors/wrike
detectors/yandex
detectors/youneedabudget
detectors/yousign
detectors/youtubeapikey
detectors/zapierwebhook
detectors/zendeskapi
detectors/zenkitapi
detectors/zenscrape
detectors/zenserp
detectors/zeplin
detectors/zerobounce
detectors/zipapi
detectors/zipbooks
detectors/zipcodeapi
detectors/zonkafeedback
engine
giturl
output
pb/credentialspb
pb/detectorspb
pb/source_metadatapb
pb/sourcespb
sanitizer
sources
sources/filesystem
sources/git
sources/github
sources/gitlab
sources/s3
updater
version

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.