trufflesecurity.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-04-11.
| Date Added | Year | Resource | Topic | Excerpt |
|---|---|---|---|---|
| 2026-04-11 | 2026 | GitHub Comments Leak Live API Keys | Secrets | Tool update. TruffleHog now scans GitHub issues, pull requests, and comments, revealing thousands of live API keys and passwords accidentally posted by human users. Many leakers have no association with the repository, and edited comments can still expose secrets in their edit history. Secrets are found primarily in plain text rather than in code blocks, and repositories with secrets in comments often also have secrets in their git history. |
| 2026-04-11 | 2026 | Secret Scanning Encoded and Archived Data | Secrets | Library for automated secret scanning. TruffleHog detects sensitive data within encoded string formats such as Base64, UTF-8, UTF-16, and escaped Unicode. It also supports scanning archived files, including Unix archives, Debian packages, RPM, CPIO, and common formats such as .zip, .tar, and .gz, efficiently uncovering secrets hidden within compressed data. |
| 2026-04-11 | 2026 | How TruffleHog Verifies Secrets | Secrets | Library detailing how TruffleHog verifies secrets, moving beyond simple entropy and regex checks. It explains the challenges of programmatically confirming API key validity by testing endpoints such as Doppler's `/v3/me`, handling diverse HTTP responses (including rate limits and error codes), and adapting to API changes and new key types. The library also covers the more complex verification of database credentials and emphasizes the community's role in maintaining TruffleHog's accuracy and low false-positive rate. |
| 2023-12-16 | 2023 | Google OAuth is broken (sort of) | AuthN | Writeup on a Google OAuth vulnerability allowing former employees indefinite access to applications such as Slack and Zoom after offboarding. The exploit leverages the ability to create non-Gmail Google accounts using corporate email aliases and plus-sign addressing, bypassing organizational de-provisioning. Google's documentation advises against using email as an identifier, and this flaw highlights the risk of relying on the email claim for authentication. Potential mitigations include organizations enforcing SAML, service providers using the HD claim or disabling just-in-time provisioning, and Google banning the specific account-creation methods involved. |
| 2021-09-20 | 2021 | TruffleHog The Chrome Extension | Secrets | Tool for detecting API keys and other secrets, such as exposed `.git` directories and `.env` files, within JavaScript code and client-side applications. It leverages permissive CORS headers from services such as AWS to identify cases where credentials may be inadvertently exposed, as demonstrated by an example on weather.com. The extension can be side-loaded while awaiting review on the Google Extension Store. |