Presented at ToorCon San Diego 20 (2018)
Sept. 16, 2018, noon
Developers frequently commit secrets to source code, and sometimes push secrets to package managers. These secrets often leak out into the public through either accidental or intentional source code disclosure. TruffleHog is a tool I wrote to help identify whether any secrets live in source code or package managers. It goes through old history to find secrets that may have been buried.
I also recently released a new tool called SantaHog, that goes through packages in package managers and does the same.
In the interest of full disclosure, I did give this talk at Bsides SF 2018.
# Finding secrets in source code with TruffleHog
Prior to my releasing truffleHog, there were a lot of folks pushing secrets management solutions, but not many tools available for cleaning up code that wasn't conforming to proper secrets management. I'll give an overview of how I struggled at my job to find committed secrets, and how I saw other companies struggling with the same issues.
I'll also show how much code is left in the past. Version control keeps history of old commits, which often contain secrets not in the current version of the source code.
## The tech
I'll talk about the technologies I use to power truffleHog: entropy detection and grep-based rules. I'll explain the advantages and disadvantages of both. I'll also explain how a large percentage of the secrets identified were found in old commits, not in the current branch of code. I'll show off a few examples of successful runs of the code, and I'll explain how I'd use the tool in different scenarios. I'll show off using the tool locally, and explain how I would deploy the tool in CI/CD pipelines.
## The new tech
I'll show off the new component of the tool I'm releasing. Many package managers do not package the source code from git; they package the source code on the file system. For this reason, keys and secrets from test scripts and env files are often packaged into package managers such as npm and PyPI. I'm releasing a new component of truffleHog that goes through all the old packages on npm and PyPI and scans for secrets. I'll show off how effective it's been, and how much of an issue this problem is.
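The two detection techniques described above (Shannon entropy over base64/hex character runs, and regex rules), run first over old commits and then over a package tarball, as an added example written for this page. It is not truffleHog's own code. The commit history, commit ids and package contents are constructed; the AWS values are AWS's documented placeholder credentials (not live keys), and the Slack token and hex "API key" are made-up strings. The Slack regex is an approximation written for this example.

```python
"""Added example: entropy- and regex-based secret detection over a constructed
git-style history and a constructed npm-style tarball (not truffleHog's code)."""
import io
import math
import re
import tarfile

# Regex rules. The AWS access key ID format (AKIA + 16 upper-case/digit chars) is
# public; the Slack pattern below is an approximation written for this example.
REGEX_RULES = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Slack token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
}
# (name, run pattern, entropy threshold). 4.5 (base64) and 3.0 (hex) are the
# thresholds truffleHog used; tune them for your own code base.
CHARSETS = [
    ("base64", re.compile(r"[A-Za-z0-9+/=]+"), 4.5),
    ("hex", re.compile(r"[0-9a-fA-F]+"), 3.0),
]
MIN_LEN = 20  # shorter runs cannot reach the thresholds anyway


def shannon_entropy(data: str) -> float:
    """Bits per character over the string's own alphabet (0.0 for empty/uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in (data.count(ch) for ch in set(data)))


def high_entropy_strings(text: str):
    """Return (charset_name, run) for long base64/hex runs whose entropy is high."""
    findings = []
    for word in re.split(r"[\s=:\"',;]+", text):  # split on common key/value glue
        for name, run_re, threshold in CHARSETS:
            for run in run_re.findall(word):
                if len(run) >= MIN_LEN and shannon_entropy(run) > threshold:
                    findings.append((f"high-entropy {name}", run))
    return findings


def scan_text(text: str):
    """Apply both detectors to one blob; returns (rule, match) pairs."""
    hits = [(rule, m) for rule, pat in REGEX_RULES.items() for m in pat.findall(text)]
    return hits + high_entropy_strings(text)


# Constructed stand-in for `git log -p`: (commit, path, blob), oldest first.
# The secret was committed, then replaced with environment lookups; HEAD is clean.
HISTORY = [
    ("a1b2c3d", "config.py",
     "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
     "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"),
    ("e4f5a6b", "config.py",
     "import os\nAWS_ACCESS_KEY_ID = os.environ['AWS_ACCESS_KEY_ID']\n"
     "AWS_SECRET_ACCESS_KEY = os.environ['AWS_SECRET_ACCESS_KEY']\n"),
]


def scan_history(history):
    """Scan every historical blob, not just HEAD; tag each finding with its commit."""
    return [{"commit": c, "path": p, "rule": r, "match": m}
            for c, p, blob in history for r, m in scan_text(blob)]


def build_package_tarball() -> bytes:
    """Constructed npm-style tarball: a .env and a test script that live on disk
    (and so get packed from the file system) ship alongside the real module."""
    files = {
        "package/package.json": '{"name": "example-widget", "version": "1.0.0"}\n',
        "package/index.js": "module.exports = () => 'hello';\n",
        "package/.env": "SLACK_TOKEN=xoxb-000000000000-placeholder-token-for-example\n",
        "package/test/smoke.js": "const API_KEY = '3f9a7c2e8b1d4f6a0c5e9b7d2a4f8c1e6b3d0a95';\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            data = body.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def scan_tarball(blob: bytes):
    """Scan every regular file inside a package tarball."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                text = tar.extractfile(member).read().decode("utf-8", errors="replace")
                findings += [{"path": member.name, "rule": r, "match": m}
                             for r, m in scan_text(text)]
    return findings


if __name__ == "__main__":
    for f in scan_history(HISTORY):
        print("git", f["commit"], f["path"], f["rule"], f["match"])
    for f in scan_tarball(build_package_tarball()):
        print("pkg", f["path"], f["rule"], f["match"])
```

Run stand-alone, the history scan reports both AWS values only in the old commit (the access key ID via the regex rule, the secret via base64 entropy) and nothing in HEAD, which is the "buried in history" case; the tarball scan reports the Slack token in `.env` (regex only, since its hyphen-separated pieces are short) and the hex key in the test script (entropy only), showing why each detector catches things the other misses.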
I'll also show off some verifier scripts I'm working on that take certain secrets, such as AWS and Slack credentials, and verify whether they're live against the services they authenticate to.
Lastly, I'll mention where the project could still be improved in the long term, and the common shortfalls of the current technology. I'll ask the community for help authoring new rules and features, and outline my roadmap for the tool over the next year.
I work at Cruise Automation as a Senior Security Engineer. Recently I've spoken at Devops Day Boston and Bsides SF. I contribute a lot to the open source community; see my <a href="https://github.com/dxa4481/truffleHog">github profile</a>.