TruffleHog
TruffleHog is the most powerful secrets Discovery, Classification, Validation, and Analysis tool. In this context secret refers to a credential a machine uses to authenticate itself to another machine. This includes API keys, database passwords, private encryption keys, and more…
Discovery 🔍
TruffleHog can look for secrets in many places including Git, chats, wikis, logs, API testing platforms, object stores, filesystems and more Classification 📁
TruffleHog classifies over 800 secret types, mapping them back to the specific identity they belong to. Is it an AWS secret? Stripe secret? Cloudflare secret? Postgres password? SSL Private key? Sometimes its hard to tell looking at it, so TruffleHog classifies everything it finds.
Validation ✅
For every secret TruffleHog can classify, it can also log in to confirm if that secret is live or not. This step is critical to know if there’s an active present danger or not.
Analysis 🔬
For the 20 some of the most commonly leaked out credential types, instead of sending one request to check if the secret can log in, TruffleHog can send many requests to learn everything there is to know about the secret. Who created it? What resources can it access? What permissions does it have on those resources?
Usage
Usage: TruffleHog [<flags>] <command> [<args> ...]
| Option | Description |
|---|---|
-h, --[no-]help | Show context-sensitive help (also try —help-long and —help-man). |
--log-level=0 | Logging verbosity on a scale of 0 (info) to 5 (trace). Can be disabled with “-1”. |
--[no-]profile | Enables profiling and sets a pprof and fgprof server on :18066. |
-j, --[no-]json | Output in JSON format. |
--[no-]json-legacy | Use the pre-v3.0 JSON format. Only works with git, gitlab, and github sources. |
--[no-]github-actions | Output in GitHub Actions format. |
--concurrency=12 | Number of concurrent workers. |
--[no-]no-verification | Don’t verify the results. |
--results=RESULTS | Specifies which type(s) of results to output: verified, unknown, unverified, filtered_unverified. Defaults to verified,unverified,unknown. |
--[no-]no-color | Disable colorized output. |
--[no-]allow-verification-overlap | Allow verification of similar credentials across detectors. |
--[no-]filter-unverified | Only output first unverified result per chunk per detector if there are more than one results. |
--filter-entropy=FILTER-ENTROPY | Filter unverified results with Shannon entropy. Start with 3.0. |
--config=CONFIG | Path to configuration file. |
--[no-]print-avg-detector-time | Print the average time spent on each detector. |
--[no-]no-update | Don’t check for updates. |
--[no-]fail | Exit with code 183 if results are found. |
--verifier=VERIFIER ... | Set custom verification endpoints. |
--[no-]custom-verifiers-only | Only use custom verification endpoints. |
--detector-timeout=DETECTOR-TIMEOUT | Maximum time to spend scanning chunks per detector (e.g., 30s). |
--archive-max-size=ARCHIVE-MAX-SIZE | Maximum size of archive to scan. (Byte units eg. 512B, 2KB, 4MB). |
--archive-max-depth=ARCHIVE-MAX-DEPTH | Maximum depth of archive to scan. |
--archive-timeout=ARCHIVE-TIMEOUT | Maximum time to spend extracting an archive. |
--include-detectors="all" | Comma separated list of detector types to include. Protobuf name or IDs may be used, as well as ranges. |
--exclude-detectors=EXCLUDE-DETECTORS | Comma separated list of detector types to exclude. Protobuf name or IDs may be used, as well as ranges. IDs defined here take precedence over the include list. |
--[no-]no-verification-cache | Disable verification caching. |
--[no-]force-skip-binaries | Force skipping binaries. |
--[no-]force-skip-archives | Force skipping archives. |
--[no-]skip-additional-refs | Skip additional references. |
--user-agent-suffix=USER-AGENT-SUFFIX | Suffix to add to User-Agent. |
--[no-]version | Show application version. |
Commands
git [<flags>] <uri>
Find credentials in git repositories.
| Option | Description |
|---|---|
-i, --include-paths=INCLUDE-PATHS | Path to file with newline separated regexes for files to include in scan. |
-x, --exclude-paths=EXCLUDE-PATHS | Path to file with newline separated regexes for files to exclude in scan. |
--exclude-globs=EXCLUDE-GLOBS | Comma separated list of globs to exclude in scan. This option filters at the git log level, resulting in faster scans. |
--since-commit=SINCE-COMMIT | Commit to start scan from. |
--branch=BRANCH | Branch to scan. |
--max-depth=MAX-DEPTH | Maximum depth of commits to scan. |
--[no-]bare | Scan bare repository (e.g. useful while using in pre-receive hooks) |
--[no-]allow | No-op flag for backwards compat. |
--[no-]entropy | No-op flag for backwards compat. |
--[no-]regex | No-op flag for backwards compat. |
github [<flags>]
Find credentials in GitHub repositories.
| Option | Description |
|---|---|
--endpoint="https://api.github.com" | GitHub endpoint. |
--repo=REPO ... | GitHub repository to scan. You can repeat this flag. Example: "https://github.com/dustin-decker/secretsandstuff" |
--org=ORG ... | GitHub organization to scan. You can repeat this flag. Example: "trufflesecurity" |
--token=TOKEN | GitHub token. Can be provided with environment variable GITHUB_TOKEN. ($GITHUB_TOKEN) |
--[no-]include-forks | Include forks in scan. |
--[no-]include-members | Include organization member repositories in scan. |
--include-repos=INCLUDE-REPOS ... | Repositories to include in an org scan. This can also be a glob pattern. You can repeat this flag. Must use full repo name. Example: "trufflesecurity/t*" |
--[no-]include-wikis | Include repository wikis in scan. |
--exclude-repos=EXCLUDE-REPOS ... | Repositories to exclude in an org scan. This can also be a glob pattern. You can repeat this flag. Must use full repo name. Example: "trufflesecurity/d*" |
-i, --include-paths=INCLUDE-PATHS | Path to file with newline separated regexes for files to include in scan. |
-x, --exclude-paths=EXCLUDE-PATHS | Path to file with newline separated regexes for files to exclude in scan. |
--[no-]issue-comments | Include issue descriptions and comments in scan. |
--[no-]pr-comments | Include pull request descriptions and comments in scan. |
--[no-]gist-comments | Include gist comments in scan. |
--comments-timeframe=COMMENTS-TIMEFRAME | Number of days in the past to review when scanning issue, PR, and gist comments. |
--[no-]auth-in-url | Embed authentication credentials in repository URLs instead of using secure HTTP headers. |
gitlab --token=TOKEN [<flags>]
Find credentials in GitLab repositories.
| Option | Description |
|---|---|
--endpoint="https://gitlab.com" | GitLab endpoint. |
--repo=REPO ... | GitLab repo URL. You can repeat this flag. Leave empty to scan all repos accessible with provided credential. Example: https://gitlab.com/org/repo.git |
--token=TOKEN | GitLab token. Can be provided with environment variable GITLAB_TOKEN. ($GITLAB_TOKEN) |
--group-id=GROUP-ID ... | GitLab group ID. If provided, it will scan the group and its subgroups. You can repeat this flag. |
-i, --include-paths=INCLUDE-PATHS | Path to file with newline separated regexes for files to include in scan. |
-x, --exclude-paths=EXCLUDE-PATHS | Path to file with newline separated regexes for files to exclude in scan. |
--include-repos=INCLUDE-REPOS ... | Repositories to include in an org scan. This can also be a glob pattern. You can repeat this flag. Must use GitLab repo full name. Example: "trufflesecurity/t*" |
--exclude-repos=EXCLUDE-REPOS ... | Repositories to exclude in an org scan. This can also be a glob pattern. You can repeat this flag. Must use GitLab repo full name. Example: "trufflesecurity/d*" |
--[no-]auth-in-url | Embed authentication credentials in repository URLs instead of using secure HTTP headers. |
filesystem [<flags>] [<path>...]
Find credentials in a filesystem.
| Option | Description |
|---|---|
--directory=DIRECTORY ... | Path to directory to scan. You can repeat this flag. |
-i, --include-paths=INCLUDE-PATHS | Path to file with newline separated regexes for files to include in scan. |
-x, --exclude-paths=EXCLUDE-PATHS | Path to file with newline separated regexes for files to exclude in scan. |
s3 [<flags>]
Find credentials in S3 buckets.
| Option | Description |
|---|---|
--key=KEY | S3 key used to authenticate. Can be provided with environment variable AWS_ACCESS_KEY_ID. ($AWS_ACCESS_KEY_ID) |
--role-arn=ROLE-ARN ... | Specify the ARN of an IAM role to assume for scanning. You can repeat this flag. |
--secret=SECRET | S3 secret used to authenticate. Can be provided with environment variable AWS_SECRET_ACCESS_KEY. ($AWS_SECRET_ACCESS_KEY) |
--session-token=SESSION-TOKEN | S3 session token used to authenticate temporary credentials. Can be provided with environment variable AWS_SESSION_TOKEN. ($AWS_SESSION_TOKEN) |
--[no-]cloud-environment | Use IAM credentials in cloud environment. |
--bucket=BUCKET ... | Name of S3 bucket to scan. You can repeat this flag. Incompatible with --ignore-bucket. |
--ignore-bucket=IGNORE-BUCKET ... | Name of S3 bucket to ignore. You can repeat this flag. Incompatible with --bucket. |
--max-object-size=250MB | Maximum size of objects to scan. Objects larger than this will be skipped. (Byte units e.g. 512B, 2KB, 4MB) |
gcs [<flags>]
Find credentials in GCS buckets.
| Option | Description |
|---|---|
--project-id=PROJECT-ID | GCS project ID used to authenticate. Can NOT be used with unauth scan. Can be provided with environment variable GOOGLE_CLOUD_PROJECT. ($GOOGLE_CLOUD_PROJECT) |
--[no-]cloud-environment | Use Application Default Credentials, IAM credentials to authenticate. |
--service-account=SERVICE-ACCOUNT | Path to GCS service account JSON file. |
--[no-]without-auth | Scan GCS buckets without authentication. This will only work for public buckets. |
--api-key=API-KEY | GCS API key used to authenticate. Can be provided with environment variable GOOGLE_API_KEY. ($GOOGLE_API_KEY) |
-I, --include-buckets=INCLUDE-BUCKETS ... | Buckets to scan. Comma separated list of buckets. You can repeat this flag. Globs are supported. |
-X, --exclude-buckets=EXCLUDE-BUCKETS ... | Buckets to exclude from scan. Comma separated list of buckets. Globs are supported. |
-i, --include-objects=INCLUDE-OBJECTS ... | Objects to scan. Comma separated list of objects. You can repeat this flag. Globs are supported. |
-x, --exclude-objects=EXCLUDE-OBJECTS ... | Objects to exclude from scan. Comma separated list of objects. You can repeat this flag. Globs are supported. |
--max-object-size=10MB | Maximum size of objects to scan. Objects larger than this will be skipped. (Byte units e.g. 512B, 2KB, 4MB) |
syslog [<flags>]
Scan syslog
| Option | Description |
|---|---|
--address=ADDRESS | Address and port to listen on for syslog. Example: 127.0.0.1:514 |
--protocol=PROTOCOL | Protocol to listen on. udp or tcp |
--cert=CERT | Path to TLS cert. |
--key=KEY | Path to TLS key. |
--format=FORMAT | Log format. Can be rfc3164 or rfc5424 |
circleci --token=TOKEN
Scan CircleCI
| Option | Description |
|---|---|
--token=TOKEN | CircleCI token. Can also be provided with environment variable ($CIRCLECI_TOKEN) |
docker --image=IMAGE [<flags>]
Scan Docker Image
| Option | Description |
|---|---|
--image=IMAGE ... | Docker image to scan. Use the file:// prefix to point to a local tarball, the docker:// prefix to point to the docker daemon, otherwise an image registry is assumed. |
--token=TOKEN | Docker bearer token. Can also be provided with environment variable ($DOCKER_TOKEN) |
--exclude-paths=EXCLUDE-PATHS | Comma separated list of paths to exclude from scan |
travisci --token=TOKEN
Scan TravisCI
| Option | Description |
|---|---|
--token=TOKEN | TravisCI token. Can also be provided with environment variable ($TRAVISCI_TOKEN) |
postman [<flags>]
Scan Postman
| Option | Description |
|---|---|
--token=TOKEN | Postman token. Can also be provided with environment variable ($POSTMAN_TOKEN) |
--workspace-id=WORKSPACE-ID ... | Postman workspace ID to scan. You can repeat this flag. |
--collection-id=COLLECTION-ID ... | Postman collection ID to scan. You can repeat this flag. |
--environment=ENVIRONMENT ... | Postman environment to scan. You can repeat this flag. |
--include-collection-id=INCLUDE-COLLECTION-ID ... | Collection ID to include in scan. You can repeat this flag. |
--include-environments=INCLUDE-ENVIRONMENTS ... | Environments to include in scan. You can repeat this flag. |
--exclude-collection-id=EXCLUDE-COLLECTION-ID ... | Collection ID to exclude from scan. You can repeat this flag. |
--exclude-environments=EXCLUDE-ENVIRONMENTS ... | Environments to exclude from scan. You can repeat this flag. |
--workspace-paths=WORKSPACE-PATHS ... | Path to Postman workspaces. |
--collection-paths=COLLECTION-PATHS ... | Path to Postman collections. |
--environment-paths=ENVIRONMENT-PATHS ... | Path to Postman environments. |
elasticsearch [<flags>]
Scan Elasticsearch
| Option | Description |
|---|---|
--nodes=NODES ... | Elasticsearch nodes ($ELASTICSEARCH_NODES) |
--username=USERNAME | Elasticsearch username ($ELASTICSEARCH_USERNAME) |
--password=PASSWORD | Elasticsearch password ($ELASTICSEARCH_PASSWORD) |
--service-token=SERVICE-TOKEN | Elasticsearch service token ($ELASTICSEARCH_SERVICE_TOKEN) |
--cloud-id=CLOUD-ID | Elasticsearch cloud ID. Can also be provided with environment variable ($ELASTICSEARCH_CLOUD_ID) |
--api-key=API-KEY | Elasticsearch API key. Can also be provided with environment variable ($ELASTICSEARCH_API_KEY) |
--index-pattern="*" | Filters the indices to search ($ELASTICSEARCH_INDEX_PATTERN) |
--query-json=QUERY-JSON | Filters the documents to search ($ELASTICSEARCH_QUERY_JSON) |
--since-timestamp=SINCE-TIMESTAMP | Filters the documents to search to those created since this timestamp; overrides any timestamp from --query-json ($ELASTICSEARCH_SINCE_TIMESTAMP) |
--[no-]best-effort-scan | Attempts to continuously scan a cluster ($ELASTICSEARCH_BEST_EFFORT_SCAN) |
jenkins --url=URL [<flags>]
Scan Jenkins
| Option | Description |
|---|---|
--url=URL | Jenkins URL ($JENKINS_URL) |
--username=USERNAME | Jenkins username ($JENKINS_USERNAME) |
--password=PASSWORD | Jenkins password ($JENKINS_PASSWORD) |
--[no-]insecure-skip-verify-tls | Skip TLS verification ($JENKINS_INSECURE_SKIP_VERIFY_TLS) |
huggingface [<flags>]
Find credentials in HuggingFace datasets, models and spaces.
| Option | Description |
|---|---|
--endpoint="https://huggingface.co" | HuggingFace endpoint. |
--model=MODEL ... | HuggingFace model to scan. You can repeat this flag. Example: ‘username/model’ |
--space=SPACE ... | HuggingFace space to scan. You can repeat this flag. Example: ‘username/space’ |
--dataset=DATASET ... | HuggingFace dataset to scan. You can repeat this flag. Example: ‘username/dataset’ |
--org=ORG ... | HuggingFace organization to scan. You can repeat this flag. Example: “trufflesecurity” |
--user=USER ... | HuggingFace user to scan. You can repeat this flag. Example: “trufflesecurity” |
--token=TOKEN | HuggingFace token. Can be provided with environment variable HUGGINGFACE_TOKEN. ($HUGGINGFACE_TOKEN) |
--include-models=INCLUDE-MODELS ... | Models to include in scan. You can repeat this flag. Must use HuggingFace model full name. Example: ‘username/model’ (Only used with --user or --org) |
--include-spaces=INCLUDE-SPACES ... | Spaces to include in scan. You can repeat this flag. Must use HuggingFace space full name. Example: ‘username/space’ (Only used with --user or --org) |
--include-datasets=INCLUDE-DATASETS ... | Datasets to include in scan. You can repeat this flag. Must use HuggingFace dataset full name. Example: ‘username/dataset’ (Only used with --user or --org) |
--ignore-models=IGNORE-MODELS ... | Models to ignore in scan. You can repeat this flag. Must use HuggingFace model full name. Example: ‘username/model’ (Only used with --user or --org) |
--ignore-spaces=IGNORE-SPACES ... | Spaces to ignore in scan. You can repeat this flag. Must use HuggingFace space full name. Example: ‘username/space’ (Only used with --user or --org) |
--ignore-datasets=IGNORE-DATASETS ... | Datasets to ignore in scan. You can repeat this flag. Must use HuggingFace dataset full name. Example: ‘username/dataset’ (Only used with --user or --org) |
--[no-]skip-all-models | Skip all model scans. (Only used with --user or --org) |
--[no-]skip-all-spaces | Skip all space scans. (Only used with --user or --org) |
--[no-]skip-all-datasets | Skip all dataset scans. (Only used with --user or --org) |
--[no-]include-discussions | Include discussions in scan. |
--[no-]include-prs | Include pull requests in scan. |
stdin
Find credentials from stdin.
multi-scan
Find credentials in multiple sources defined in configuration.
analyze
Analyze API keys for fine-grained permissions information.