
Git repos hide secret keys, rooted out by Truffle Hog

The Truffle Hog utility detects blobs of text with enough entropy to be secret keys -- even those buried deep in the history of old Git repositories -- so they can be revoked before an attacker finds them.

Software developers want to hide high-entropy secret keys in their GitHub repositories -- but they shouldn't, and may no longer be able to now that there's a tool for digging those secret keys out of old code repos.

Truffle Hog, a simple utility in just 113 lines of Python code, roots through Git repositories for strings of text that are long enough -- and random enough -- to be cryptographic secrets likely to be used for encryption, decryption or authentication.

Truffle Hog "[s]earches through Git repositories for high entropy strings, digging deep into commit history and branches," the developer, Dylan Ayrey wrote in the project's GitHub page. "This is effective at finding secrets accidentally committed that contain high entropy."

While not necessarily as bad as shipping internet of things hardware with hard-coded admin passwords, software developers often take shortcuts in the early stages of projects. Embedding security tokens or other high-entropy strings in source code early in a project, especially when that source code is stored on a publicly accessible site like GitHub, opens a particularly nasty path for attackers. Even when the secrets are removed from production code, developers aren't always able to remove them from earlier commits or branched versions of their code, where Git keeps them indefinitely.

"This module will go through the entire commit history of each branch, and check each diff from each commit," Ayrey wrote. The Truffle Hog program also evaluates "the Shannon entropy for both the base64 char set and hexadecimal char set for every blob of text greater than 20 characters comprised of those character sets in each diff. If at any point a high entropy string [greater than] 20 characters is detected, it will print to the screen."
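The following Python scanner is an added illustration of the approach Ayrey describes; it is not Truffle Hog's own code. It splits each line of diff text into runs of base64 or hexadecimal characters at least 20 long, computes the Shannon entropy of each run against its character set, and reports runs above a threshold. The regex tokenizer, the 4.5-bit and 3.0-bit thresholds, the commit-header skip, the `scan_repo` helper and the sample log are assumptions of this example, not details taken from the article.

```python
"""Minimal entropy-based secret scanner in the spirit of Truffle Hog (added example)."""
import math
import re
import subprocess

# The two character sets the article says are scanned separately.
BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
HEX_CHARS = "0123456789abcdefABCDEF"

# Minimum run length from the article; thresholds (bits per symbol) are chosen here.
MIN_LEN = 20
BASE64_THRESHOLD = 4.5
HEX_THRESHOLD = 3.0


def shannon_entropy(data, charset):
    """Shannon entropy of `data` in bits per symbol, counting only charset symbols."""
    if not data:
        return 0.0
    entropy = 0.0
    for ch in set(charset):
        p = data.count(ch) / len(data)
        if p > 0:
            entropy -= p * math.log2(p)
    return entropy


def candidate_runs(line, charset, min_len=MIN_LEN):
    """Return every maximal run of charset characters that is at least min_len long."""
    pattern = re.compile("[%s]{%d,}" % (re.escape(charset), min_len))
    return pattern.findall(line)


def scan_text(text):
    """Scan diff or `git log -p` text; returns (commit, lineno, kind, string, entropy)."""
    findings = []
    commit = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("commit "):
            # A commit header carries a 40-hex-digit hash: record it and skip the
            # line, otherwise every commit id would be reported as a hex secret.
            commit = line.split()[1]
            continue
        for run in candidate_runs(line, BASE64_CHARS):
            e = shannon_entropy(run, BASE64_CHARS)
            if e > BASE64_THRESHOLD:
                findings.append((commit, lineno, "base64", run, round(e, 2)))
        for run in candidate_runs(line, HEX_CHARS):
            e = shannon_entropy(run, HEX_CHARS)
            if e > HEX_THRESHOLD:
                findings.append((commit, lineno, "hex", run, round(e, 2)))
    return findings


def scan_repo(path):
    """Scan the full patch history of every branch in a local clone (assumed helper)."""
    log = subprocess.run(
        ["git", "-C", path, "log", "-p", "--all", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout
    return scan_text(log)


# Constructed sample resembling `git log -p` output; the hash and values are made up.
# The token is 40 distinct base64 symbols (entropy log2(40) ~ 5.32 bits); the salt
# uses each hex digit exactly twice (entropy exactly 4.0 bits); the log level repeats.
SAMPLE_LOG = """commit 0123456789abcdef0123456789abcdef01234567
Author: dev <dev@example.test>

    add config

+++ b/config.py
+LOG_LEVEL = "debugdebugdebugdebugdebug"
+API_TOKEN = "Qz9pL2mX7vRk4tNb1yHc8wJf3uEa6sDg0oKi5rTn"
+SESSION_SALT = "a7f03c9e1b5d28644e8d1c7a2f6b9035"
"""

if __name__ == "__main__":
    for commit, lineno, kind, run, entropy in scan_text(SAMPLE_LOG):
        print(f"{commit[:8]} line {lineno} {kind:6} entropy={entropy} {run}")
```

Run against the constructed log, the scanner reports the token as a base64 finding and the salt as a hex finding, while the repetitive log level stays below threshold. The hex salt also matches the base64 character set, but with only 16 distinct symbols its entropy cannot exceed 4 bits, which is why a separate, lower hex threshold is needed. A pure entropy test like this cannot tell a real key from a random-looking test fixture, so findings still need a human to triage them and to revoke anything genuine rather than merely deleting it from the latest commit.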

One user on Twitter was especially impressed with Truffle Hog.

Participants on Reddit reported that Amazon has already fielded a tool similar to Truffle Hog capable of finding AWS secret keys in public software repositories.

"I have accidentally committed my AWS secret keys before to a public repo," Reddit user KingOtar reported. "Amazon actually found them and shut down my account until I created new ones. Kinda neat [A]mazon."
