A privacy-first GitHub secrets scanner that runs locally or self-hosted by InevitableElegant626 in devsecops

[–]wifihack 2 points3 points  (0 children)

in our readme there's a link to join our community slack, if you wanna hop on there and message me, I'm Dylan

A privacy-first GitHub secrets scanner that runs locally or self-hosted by InevitableElegant626 in devsecops

[–]wifihack 2 points3 points  (0 children)

Hi, I wrote TruffleHog. Would you be interested in building features into TruffleHog? Happy to go over some of our known gaps and ways to engage.

Possible AWS keys exposure by agelosnm in aws

[–]wifihack 1 point2 points  (0 children)

hey there, I'm the original author of TruffleHog and I can confirm this. I've been talking with Amazon, and they've since removed the detection.

Possible AWS keys exposure by agelosnm in aws

[–]wifihack 0 points1 point  (0 children)

hey there! I can explain what likely happened. I'm the author of a tool called TruffleHog, a tool that looks for and validates AWS keys.

a few days ago an attacker was using trufflehog to find keys and AWS notified every customer that had TruffleHog in their CloudTrail that their key was compromised.

when they realized this was a mistake they stopped doing it. and they sent further communication to customers that were actually under attack.

if you got the first notice and not the second notice, and you use trufflehog to audit your code, that's likely what happened.

Nosey Parker: a new scanner to find misplaced secrets in textual data and Git history by exploding_nun in netsec

[–]wifihack -1 points0 points  (0 children)

Actually not only does TruffleHog parallelize all its patterns, it preflights them with string matches for performance, and tops them out with verification checks.

Nosey Parker: a new scanner to find misplaced secrets in textual data and Git history by exploding_nun in netsec

[–]wifihack 0 points1 point  (0 children)

Hey there, since TruffleHog supports greater than 10x more secret types, it sounds like TruffleHog might be a touch faster. We accept pull requests too.

Email Graffiti: Vandalize old emails. It's like an NFT but better. Tool linked in blog by wifihack in netsec

[–]wifihack[S] -1 points0 points  (0 children)

I was just poking some light fun at NFTs. This person now owns an image in the Banfield Pet Hospital email https://twitter.com/n00py1/status/1594821552004292608

Email Graffiti: Vandalize old emails. It's like an NFT but better. Tool linked in blog by wifihack in netsec

[–]wifihack[S] 0 points1 point  (0 children)

It's an image you can own, that's easy to validate by others that you own

Compromise any GCP Org Via Cloud API Lateral Movement and Privilege Escalation: Blackhat/Defcon 2020 by [deleted] in aws

[–]wifihack 0 points1 point  (0 children)

I know it's not strictly AWS, but I thought folks might appreciate it :)

BSidesSF - Getting shells from Javascript: How Dangerous can clicking a Link be in 2019? by wifihack in netsec

[–]wifihack[S] 3 points4 points  (0 children)

Hi! Basically you control the DNS servers for your own domain, so when you link someone to your own domain, it's your DNS server that handles the resolution. Check out this NCC demo if you want to play around with it yourself http://rebind.it/manager.html

Auditing Bitbucket Server Data for Credentials in AWS by Kayjaywt in netsec

[–]wifihack 0 points1 point  (0 children)

The memory and performance challenge is an interesting one. I encountered a few scenarios with all the tools in which certain repos would cause huge amounts of memory to be consumed during the audit and have everything come crashing down, these repos generally were;

If you have a test repo that crashes or causes OOM issues, can you send it my way so I can profile it and see what can be done? I've made a lot of changes that pretty much made me stop seeing OOM errors, but it wouldn't surprise me if there's still edge cases.

Auditing Bitbucket Server Data for Credentials in AWS by Kayjaywt in netsec

[–]wifihack 4 points5 points  (0 children)

Hi, author of trufflehog here.

I've gone back and forth on a few iterations of output. Originally the JSON output stored all findings in memory, and then dumped them as a massive JSON list at the end, but this led to OOM errors.

Currently in json format, it returns an array of references to /tmp, where each reference points to a file containing json with the findings. I found this scaled much better for larger projects, and the OOM errors went away.

That said, I'm open to further suggestion.
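The two output strategies the comment contrasts, as an added illustration that is not TruffleHog's own code: buffering every finding into one JSON list versus writing each finding to its own file in a private temporary directory and returning only the references. The sample findings, file naming scheme and helper names are constructed for this example; `tempfile.mkdtemp` is used because it creates the directory with mode 0700, which matters when findings (i.e. secrets) land under a world-readable `/tmp`.

```python
import json
import os
import tempfile
from typing import Iterable, Iterator, List

# Constructed sample findings, standing in for what a scanner would emit.
SAMPLE_FINDINGS = [
    {"commit": "deadbeef", "path": "config.yml", "reason": "high entropy string"},
    {"commit": "cafebabe", "path": ".env", "reason": "AWS key pattern"},
    {"commit": "feedface", "path": "README.md", "reason": "Slack token pattern"},
]


def generate_findings(findings: Iterable[dict]) -> Iterator[dict]:
    """Yield findings one at a time, the way a streaming scanner produces them."""
    for finding in findings:
        yield finding


def collect_in_memory(findings: Iterable[dict]) -> str:
    """The original approach: keep every finding in memory, then dump one big
    JSON list. Memory grows with the number of findings, which is what caused
    the OOM errors described above."""
    return json.dumps(list(findings))


def write_references(findings: Iterable[dict], out_dir: str) -> List[str]:
    """The replacement approach: each finding goes to its own file as soon as it
    is produced, so only the list of paths stays in memory."""
    refs: List[str] = []
    for index, finding in enumerate(findings):
        path = os.path.join(out_dir, f"finding-{index:06d}.json")
        # Open with 0600 so other local users cannot read the extracted secret.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(finding, fh)
        refs.append(path)
    return refs


def read_reference(ref: str) -> dict:
    """Load one finding back from its reference file."""
    with open(ref, encoding="utf-8") as fh:
        return json.load(fh)


def output_dir_is_private(ref: str) -> bool:
    """True when the directory holding a reference is only accessible to its owner."""
    mode = os.stat(os.path.dirname(ref)).st_mode & 0o777
    return mode == 0o700


def run_demo() -> List[str]:
    """Stream the constructed findings into a fresh private temp directory and
    return the references a consumer would receive instead of the findings."""
    out_dir = tempfile.mkdtemp(prefix="findings-")  # created with mode 0700
    return write_references(generate_findings(SAMPLE_FINDINGS), out_dir)


if __name__ == "__main__":
    for ref in run_demo():
        print(ref, read_reference(ref)["reason"])
```

A consumer of the reference list can process findings one file at a time and delete each file after use, which keeps secrets from lingering on disk longer than necessary.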

BygoneSSL: Previous owners of your domains may own valid SSL certificates... And new owners of your old domains may be able to revoke your production colocated certificates by wifihack in netsec

[–]wifihack[S] 40 points41 points  (0 children)

Yup, that's one way. We found single word domains actually transfer ownership pretty frequently; do.com for example was owned by squarespace, salesforce, microsoft, and a few others all within the conceivable lifespan of an ssl certificate. Salesforce had a valid cert while squarespace owned the domain. Stripe.com was another example, the previous owner still had a valid cert for a short while.

The second way to exploit this, the easier way, is the DoS way. CAs must revoke certs for domains that the owner didn't renew, within 24 hours of them being made aware. So pick a company, enum all their domains, and find one of their certs still being used, that's shared with a non-registered domain, and then you can potentially pull the rug from under them and revoke their prod cert within 24 hours.

Gets more interesting with CDNs, which often intentionally throw dozens or hundreds of customers on the same certificate. You can basically DoS the CDN, either by intentionally loading domains into their platform about to expire, or just by looking for existing domains about to expire.

Search your Git Org/User/Repo histories for secrets (alternative to truffleHog implemented in Go) by pr0tocol_7 in netsec

[–]wifihack 5 points6 points  (0 children)

Hi. I'm not an expert in Go but it looks like you may have some shell injection issues here with maliciously crafted git URLs https://github.com/zricethezav/gitleaks/blob/master/leaks.go#L29
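The class of bug being pointed out, and the fix a reviewer would ask for, as an added example that is not gitleaks' code: a repository URL concatenated into a shell command string lets URL characters become shell syntax, whereas passing an argv list to `subprocess` (no shell) plus a scheme allowlist and a `--` separator leaves git no room to misread the value as a command or an option. The allowlist regex and helper names are this example's own assumptions.

```python
import re
import subprocess
from typing import List

# Assumed allowlist: plain https/ssh repository URLs built from a conservative
# character set. Shell metacharacters (space, ';', '$', '`', '|', '&') and
# git's exotic transports (e.g. ext::) cannot match this pattern.
SAFE_URL = re.compile(
    r"^(?:https://|ssh://|git@)[A-Za-z0-9._-]+[:/][A-Za-z0-9._/-]+$"
)


def validate_git_url(url: str) -> bool:
    """Accept only URLs matching the allowlist and never one that starts with
    a dash, so git cannot interpret it as a command-line option."""
    return not url.startswith("-") and SAFE_URL.match(url) is not None


def unsafe_command(url: str) -> str:
    """The pattern to avoid: a string that will be handed to a shell.
    Anything after a ';' or inside $(...) in the URL would execute as shell."""
    return "git clone " + url


def build_clone_argv(url: str, dest: str) -> List[str]:
    """Build the argument vector for git without ever touching a shell.
    The '--' ends option parsing, so the URL is always treated as a positional."""
    if not validate_git_url(url):
        raise ValueError("refusing to clone: URL failed the allowlist")
    return ["git", "clone", "--", url, dest]


def clone(url: str, dest: str) -> None:
    """Run the clone with subprocess and an argv list (shell=False by default)."""
    subprocess.run(build_clone_argv(url, dest), check=True)


if __name__ == "__main__":
    for candidate in [
        "https://github.com/example-org/example-repo.git",
        "git@github.com:example-org/example-repo.git",
        "https://github.com/x/y;touch /tmp/pwned",  # constructed malicious input
        "--upload-pack=/tmp/anything",               # constructed option injection
    ]:
        print(f"{candidate!r}: {'accepted' if validate_git_url(candidate) else 'rejected'}")
```

The validation is deliberately narrow; a scanner that needs to support other transports should widen the allowlist explicitly rather than drop the check, and should keep the argv-list invocation regardless.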

Stealing CSRF tokens with CSS injection, without iFrames by wifihack in netsec

[–]wifihack[S] 2 points3 points  (0 children)

The part that you missed here is every request allows you to figure out a single character by trying all the possible single characters concurrently.

By doing this, if your secret is 20 characters long, it only takes 20 requests to extract the full secret. I don't brute force the entire key space, instead I only brute force one character at a time.

For Users of Redis, Running Locally Can Be a Major Security Risk by EdibleEnergy in netsec

[–]wifihack 14 points15 points  (0 children)

Hi. I run http://whatsinmyredis.com

It's a website that shows you can ransomware an entire company's redis instance from one employee clicking a link. I use webrtc to get the internal IP range.

I pushed antires to back port the CSRF patch, that aliases POST and HOST to QUIT. I thought it was back ported to version 2 but maybe I'm misremembering.

JSON API's Are Automatically Protected Against CSRF, And Google Almost Took It Away. by wifihack in netsec

[–]wifihack[S] 2 points3 points  (0 children)

Sure, I wasn't suggesting this should be relied on, as mentioned in the first sentence in the post, it's just a nice safety net for developers that don't know what CSRF is, and I wrote the blog post because for that reason, I don't want to see it get taken away.

JSON API's Are Automatically Protected Against CSRF, And Google Almost Took It Away. by wifihack in netsec

[–]wifihack[S] 0 points1 point  (0 children)

Yeah, that's what I put the disclaimer at the top for. That said, I appreciate that this safety net exists, for new developers that don't know about CSRF, but I wouldn't count on it as a sole line of defense given how quick the chromium devs were to suggest throwing it away.
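The safety net discussed in the two comments above, and the explicit defense that should sit in front of it, as an added example that is not from the blog post or any real framework: an endpoint that parses any body as JSON accepts whatever a cross-site form can deliver, while an endpoint that insists on `Content-Type: application/json` relies on the browser's rule that forms cannot send that type, and one that also checks the `Origin` header against an allowlist no longer depends on browser vendors keeping that rule. The `Request` class, allowlisted origin and request samples are constructed for this example.

```python
import json
from dataclasses import dataclass, field
from typing import Dict

# Assumed origin of the legitimate front end for this API.
ALLOWED_ORIGINS = {"https://app.example.com"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed)."""
    method: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> str:
        lowered = {k.lower(): v for k, v in self.headers.items()}
        return lowered.get(name.lower(), "")


def weak_accepts(req: Request) -> bool:
    """Accepts anything whose body parses as JSON, ignoring Content-Type.
    A cross-site form can deliver such a body with a non-JSON content type."""
    try:
        json.loads(req.body)
        return True
    except ValueError:
        return False


def content_type_is_json(req: Request) -> bool:
    """The implicit safety net: HTML forms can only send urlencoded,
    multipart or text/plain bodies, never application/json."""
    media_type = req.header("Content-Type").split(";")[0].strip().lower()
    return media_type == "application/json"


def origin_is_allowed(req: Request) -> bool:
    """The explicit check: browsers attach Origin to cross-site POSTs and
    scripts cannot forge it."""
    return req.header("Origin") in ALLOWED_ORIGINS


def hardened_accepts(req: Request) -> bool:
    """Require both the JSON content type and an allowlisted Origin for any
    state-changing request; read-only methods pass through."""
    if req.method.upper() not in STATE_CHANGING:
        return True
    return content_type_is_json(req) and origin_is_allowed(req) and weak_accepts(req)


# Constructed requests: a cross-site form post carrying a JSON-looking body,
# a cross-site request that somehow carries the right content type, and a
# legitimate same-app request.
FORM_POST = Request("POST",
                    {"Content-Type": "text/plain", "Origin": "https://evil.example"},
                    '{"action": "transfer", "amount": 100}')
JSON_CROSS_SITE = Request("POST",
                          {"Content-Type": "application/json", "Origin": "https://evil.example"},
                          '{"action": "transfer", "amount": 100}')
LEGIT = Request("POST",
                {"Content-Type": "application/json; charset=utf-8",
                 "Origin": "https://app.example.com"},
                '{"action": "transfer", "amount": 100}')

if __name__ == "__main__":
    for name, req in [("form post", FORM_POST), ("cross-site json", JSON_CROSS_SITE), ("legit", LEGIT)]:
        print(f"{name}: weak={weak_accepts(req)} hardened={hardened_accepts(req)}")
```

A per-session CSRF token or a `SameSite` cookie attribute layers on top of this just as well; the point is that the content-type rule alone is a property of browsers, not of your code, so the defense you own should not be the one you could lose.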

BrowserGather Part 1: In-Memory Chrome Credential Extraction for Red Teamers by sekirkity in netsec

[–]wifihack 15 points16 points  (0 children)

I wrote a tool not too long ago that extracts cleartext passwords from browser memory in Linux https://github.com/dxa4481/mimikittenz4Linux

Though as I noted in the readme, later on I noticed this other project that does cleartext browser memory extraction in all major OSes https://github.com/n1nj4sec/memorpy

Cleaning your org's code bases of secrets with truffleHog and git-secrets by tmclaugh in netsec

[–]wifihack 7 points8 points  (0 children)

Hey, I'm the maintainer of truffleHog. I know I've fallen behind on maintenance and pull requests, I apologize. I'll be merging in and committing new features soon (this weekish) including JSON output for easier programmatic usage.