Hacker publishes GitHub secret key hunter

TruffleHog snuffles through your dirty commit drawers.

A researcher has published a tool to help administrators delve into GitHub commits to find high-entropy secret keys.

The tool, dubbed TruffleHog, is able to locate high-entropy keys in GitHub repositories, potentially saving admins from exposing their networks and sensitive data.

TruffleHog developer Dylan Ayrey, who warned of the Pastejack attack last year, says the tool will locate any high entropy string longer than 20 characters.

"[TruffleHog] searches through git repositories for high entropy strings, digging deep into commit history and branches," Ayrey says.

"This is effective at finding secrets accidentally committed that contain high entropy.

"If at any point a high entropy string >20 characters is detected, it will print to the screen."

TruffleHog in action.

He says it searches the entire commit history of every branch, checking each diff in each commit and evaluating the Shannon entropy, for both the base64 character set and the hexadecimal character set, of every blob of text in the diff that is longer than 20 characters and composed of those characters.
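The check described above, as an added example written for this page and not TruffleHog's own code: it walks the changed lines of a unified diff, pulls out runs of base64 or hex characters longer than 20 characters, and reports those whose Shannon entropy exceeds a threshold. The thresholds, the regexes and the sample diff are my assumptions; the article states none of them.

```python
import math
import re

# The two character sets the article says are evaluated separately.
BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
HEX_CHARS = "0123456789abcdefABCDEF"
# Assumed thresholds in bits per character; the article gives none.
BASE64_THRESHOLD = 4.5
HEX_THRESHOLD = 3.0
_BASE64_RUN = re.compile(r"[A-Za-z0-9+/=]{21,}")  # the article's "> 20 characters"
_HEX_RUN = re.compile(r"[0-9a-fA-F]{21,}")


def shannon_entropy(data: str, charset: str) -> float:
    """Shannon entropy in bits per character, counting only symbols in charset."""
    if not data:
        return 0.0
    entropy = 0.0
    for ch in set(charset):
        p = data.count(ch) / len(data)
        if p > 0:
            entropy -= p * math.log2(p)
    return entropy


def scan_diff(diff_text: str):
    """(line_no, kind, run, entropy) for each high-entropy run on changed lines."""
    findings = []
    for line_no, line in enumerate(diff_text.splitlines(), 1):
        # Only added/removed lines; skip ---/+++ file headers, hunk headers, context.
        if line.startswith(("+++", "---")) or not line.startswith(("+", "-")):
            continue
        for kind, pattern, charset, threshold in (
            ("base64", _BASE64_RUN, BASE64_CHARS, BASE64_THRESHOLD),
            ("hex", _HEX_RUN, HEX_CHARS, HEX_THRESHOLD),
        ):
            for run in pattern.findall(line):
                ent = shannon_entropy(run, charset)
                if ent > threshold:
                    findings.append((line_no, kind, run, round(ent, 3)))
    return findings


# Constructed sample diff: a random-looking key, a plain word and a hex token.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -1,1 +1,4 @@
 DEBUG = True
+API_KEY = "Qm7pX2vL9kR4tZ8wN1yH5cJ3"
+MESSAGE = "thisisjustalongenglishword"
+TOKEN = "0123456789abcdef0123456789abcdef"
"""
```

Running `scan_diff(SAMPLE_DIFF)` flags the key (24 distinct base64 characters, about 4.58 bits per character) and the hex token (4.0 bits per character), while the English word stays below the base64 threshold.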

Reddit users praising the tool have claimed Amazon already searches GitHub for AWS keys and shutters the respective service when any are found.

TruffleHog relies only on GitPython. ®


Biting the hand that feeds IT © 1998–2017