{
	"id": "bf7547a3-4763-4f89-a8f4-b0ad428ed959",
	"created_at": "2026-04-29T02:20:45.804543Z",
	"updated_at": "2026-04-29T10:42:12.236001Z",
	"deleted_at": null,
	"sha1_hash": "3b0103ce0f4f8add798c8f8320263942731e5146",
	"title": "Rooting For Secrets with TruffleHog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1088605,
	"plain_text": "Rooting For Secrets with TruffleHog\r\nBy BHIS\r\nPublished: 2024-01-18 · Archived: 2026-04-29 02:09:29 UTC\r\nThe potential leaking of confidential information can pose a significant security risk for any organization. When\r\nsensitive details (i.e., API keys, passwords, cryptographic keys, and other credentials) are unintentionally\r\ncommitted to version control systems like Git, they could lead to a compromise of systems, data, or other\r\nresources.\r\nLeaking secrets can have severe repercussions for an organization, compromising data integrity, confidentiality,\r\nand system security. Exposed tokens can provide unauthorized access to sensitive information, enabling malicious\r\nactors to manipulate or steal data, disrupt services, and potentially escalate their attacks. Additionally, exploited\r\ntokens could also be leveraged to conduct sophisticated phishing campaigns or launch further cyberattacks.\r\nThe impact of this lapse in security could manifest as financial losses, reputational damage, and legal\r\nconsequences.\r\nhttps://www.blackhillsinfosec.com/rooting-for-secrets-with-trufflehog/\r\nPage 1 of 8\n\nSo how do you know if you have buried secrets hiding in the vast digital landscape of your organization? Easy.\r\nYou employ a truffle hog.\r\nTruffleHog\r\nTruffleHog1 is a free security tool designed to root around for sensitive information exposure within version\r\ncontrol systems, CI, cloud assets, and file systems. 
Specifically, it helps identify and mitigate security risks related to the inadvertent storage of credentials, secrets, and other sensitive data.\r\nFor example, TruffleHog could scan a Git code repository for patterns that resemble known sensitive information, helping the organization and developers proactively identify and remove such data before it becomes a security vulnerability.\r\nIdentifying and cleaning up leaked secrets before an attacker can find them is a crucial component of security.\r\nInstallation\r\nInstalling TruffleHog is easy using APT by executing the command below.\r\nsudo apt install trufflehog\r\nAPT not your thing? Don’t worry. The tool supports several other methods for installation:\r\nUsing brew on macOS\r\nDocker\r\nBinary releases via https://github.com/trufflesecurity/trufflehog/releases\r\nGit clone and compile from source\r\nUsing the install.sh script on GitHub (also supports specific version installation)\r\nExact steps for these alternative installation methods can be found at https://github.com/trufflesecurity/trufflehog#floppy_disk-installation.\r\nSub-Commands\r\nOnce installed, it’s time to familiarize yourself with the nine available “sub-commands” that TruffleHog uses to root around for secrets. These can be listed by using the --help flag from the command line as shown below.\r\ntrufflehog --help\r\nTruffleHog Sub-Commands\r\nEach of the commands above has specific subsequent “flags” that can be set when executing TruffleHog. These additional flags help to both extend functionality and narrow the tool’s scope. These flags can be listed by including the --help flag after any of the above sub-commands as shown below.\r\nOptional Flags (Snippet)\r\nThere are some flags that are available across every sub-command. The --json flag, for example, outputs the tool’s results in JSON format.\r\nSample JSON Output\r\nThis could then be consumed and parsed by a custom script to convert any findings into even more actionable intelligence. Given the sample TruffleHog JSON output above, let’s say you want to extract information about each detected issue, specifically the commit, file, email, repository, and the detected AWS keys. You can use jq to accomplish this!\r\nThe jq command-line tool is a powerful and lightweight way to process and manipulate JSON data. It provides a convenient and efficient way to extract, transform, and filter JSON content, making it a valuable tool for working with JSON-based APIs, configuration files, and data processing.\r\nSome of jq’s useful features are:\r\nQuerying and Selecting Data\r\nFiltering and Transformation\r\nPrettifying Output\r\nConditional Processing\r\nCombining with Other Unix Tools (e.g., cat, grep, sed)\r\nScripting Support\r\nThe command below takes our TruffleHog JSON output and extracts commit, file, email, repository, and the detected AWS keys to display in a shortened JSON format.\r\ncat trufflehog_output.json | jq -c '.SourceMetadata.Data.Git as $git | {commit: $git.commit, file: $git.file, e\r\njq Parsing\r\nAnother shared sub-command flag is --only-verified, which directs TruffleHog to check every potential credential that is detected against the API that it thinks it belongs to. This additional step can help eliminate false positives. For example, the AWS credential detector performs a GetCallerIdentity API call against the AWS API to verify if an AWS credential is active.\r\nSample Verified Key\r\nOther flags are sub-command specific, like --since-commit and --max-depth, which are available in the git command and control how far back and to what depth into commits the scan focuses on. These are useful to narrow the scope of the scan and incorporate it into your CI process to identify problems before they reach a distributed repository.\r\nNow that we know what TruffleHog is, why it’s important, and understand the basics of how it works, let’s look at some real examples.\r\nWeb Application… err… Application\r\nTruffleHog has been so successful in reviewing repositories, filesystems, cloud assets, and CI implementations that it has also been adapted (by third parties) into browser extensions (Chrome2 and Firefox3) to scan web application code returned by a server for secrets too!\r\nFor example, the image below shows a React application that graciously returned numerous secrets for a company’s CI/CD pipeline within the main.js file, including GitHub, Bamboo, Polaris, AWS, and SonarQube secrets.\r\nAPI keys for CI/CD pipeline\r\nThis issue is made worse by the file not requiring authentication to get — meaning anyone online could retrieve these keys. With a little extra legwork, and the help of GitHub’s API, an attacker would discover the GitHub token allowed for full read-write to the organization’s private GitHub. This could also permit user information for who issued the token, the organization’s larger list of users, and repository enumeration.\r\nGitHub Token Authorization Sample\r\nThe leaked AWS keys were also valid and could be abused using AWS’s own cli tool4.\r\nMy Code Has Secrets. What Now?\r\nBHIS recommends taking the following steps when you encounter secrets in your (or your customer’s) code:\r\nRemove all secrets.\r\nRemove the previous commit(s) in the repository’s history that contained the secret.\r\nPeriodically run open-source token scanning software such as TruffleHog.\r\nReview the CI/CD configurations.\r\nWhat Next?\r\nIf you’re interested in learning more advanced usage of TruffleHog, you can start by checking out their guide on GitHub (https://github.com/trufflesecurity/trufflehog#advanced-usage).\r\nReferences\r\n1. https://github.com/trufflesecurity/trufflehog\r\n2. https://chromewebstore.google.com/detail/trufflehog/bafhdnhjnlcdbjcdcnafhdcphhnfnhjc\r\n3. https://addons.mozilla.org/en-US/firefox/addon/trufflehog/\r\n4. https://aws.amazon.com/cli/\r\nEnjoyed this blog? Want to learn more?\r\nChris will be presenting live, online training during The Most Offensive Con That Ever Offensived!\r\nFind more details here:\r\nAdvanced Offensive Tooling\r\nSource: https://www.blackhillsinfosec.com/rooting-for-secrets-with-trufflehog/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.blackhillsinfosec.com/rooting-for-secrets-with-trufflehog/"
	],
	"report_names": [
		"rooting-for-secrets-with-trufflehog"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-29T10:39:55.355319Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-29T10:39:53.168852Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Red Lich",
				"TEMP.HEX",
				"Earth Preta",
				"LuminousMoth",
				"Polaris",
				"BRONZE PRESIDENT",
				"TA416",
				"Stately Taurus",
				"TANTALUM",
				"Twill Typhoon",
				"HoneyMyte"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1777429245,
	"ts_updated_at": 1777459332,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3b0103ce0f4f8add798c8f8320263942731e5146.pdf",
		"text": "https://archive.orkl.eu/3b0103ce0f4f8add798c8f8320263942731e5146.txt",
		"img": "https://archive.orkl.eu/3b0103ce0f4f8add798c8f8320263942731e5146.jpg"
	}
}