
The newest version of TruffleHog has launched with support for more than 600 key types, furthering the tool’s ability to hunt for credential leaks.
Leaked credentials, including secret key pairs, are a serious cybersecurity issue. Keys can be abused to compromise enterprise networks, often more covertly and for longer periods than exploitation of vulnerabilities in popular software.
Available on GitHub, TruffleHog is an open-source tool for discovering keys leaked via JavaScript or over-permissive CORS settings in APIs.
The system can alert developers or researchers when websites or front-end applications are accidentally leaking keys. TruffleHog can also be used to find exposed .git repository credentials.
On April 4, Truffle Security co-founder Dylan Ayrey said in a blog post that TruffleHog is now entering its third phase with many improvements, including verification and enhanced key volume.
Truffle Security raised $14 million in a Series A investment round in December last year. These funds have been used to improve the software.
A significant change is a new verification step: API calls can now be made to the vendor that issued a key to validate a newly discovered key. Secret detectors are also now prefiltered to boost TruffleHog’s performance and runtime speed. In addition, 639 key types are now supported, including AWS, Azure, Confluent, Facebook, and GitHub.
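The pipeline described above, a cheap keyword prefilter, then a regex match, then a vendor verification call, sketched as an added example in Go (TruffleHog's language); this is not TruffleHog's own code. The `StubVerifier`, the `AWSDetector` pattern and the sample input (AWS's documentation placeholder key `AKIAIOSFODNN7EXAMPLE`) are assumptions standing in for a real vendor API call.

```go
package main

import (
	"regexp"
	"strings"
)

// Finding is a candidate secret plus whether its vendor confirmed it is live.
type Finding struct {
	Detector, Secret string
	Verified         bool
}

// Verifier asks the issuing vendor whether a credential is live; a func so the example can run offline against a stub.
type Verifier func(secret string) bool

// Detector couples a cheap keyword prefilter with a regex and a verifier.
type Detector struct {
	Name    string
	Keyword string // prefilter: the regex only runs if this substring appears
	Pattern *regexp.Regexp
	Verify  Verifier
}

// Scan runs each detector over input. A detector whose keyword is absent is skipped
// before any regex work; every regex match is then checked with the vendor.
func Scan(input string, detectors []Detector) []Finding {
	var out []Finding
	lower := strings.ToLower(input)
	for _, d := range detectors {
		if !strings.Contains(lower, strings.ToLower(d.Keyword)) {
			continue
		}
		for _, m := range d.Pattern.FindAllString(input, -1) {
			out = append(out, Finding{d.Name, m, d.Verify(m)})
		}
	}
	return out
}

// StubVerifier stands in for a vendor API: only keys present in live verify.
// Constructed for this example; no real vendor answers this way.
func StubVerifier(live map[string]bool) Verifier {
	return func(secret string) bool { return live[secret] }
}

// AWSDetector matches the documented access-key-ID shape (AKIA + 16 chars).
func AWSDetector(v Verifier) Detector {
	return Detector{"AWS", "AKIA", regexp.MustCompile(`AKIA[0-9A-Z]{16}`), v}
}
```

Findings that fail verification are the ones a triage queue can deprioritise; a live key is the one to rotate first.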
The code was published as an open-source project. Its popularity led Ayrey, alongside Dustin Decker and Julian Dunning, to leave their jobs to focus full-time on Truffle Security and credential leakage tools.
Truffle Security has since released the TruffleHog Chrome extension, alongside Driftwood, open-source software for discovering leaked private keys and the public keys they pair with.