National Cyber Warfare Foundation (NCWF)

Open Source Intelligence (OSINT): Leaked Secrets with TruffleHog

2025-08-16 15:33:08
milo
Red Team (CNA)

TruffleHog scans Git repositories and their full history to find high-entropy strings and regex matches that indicate exposed secrets. When combined with dumped .git data, those findings can reveal credentials that give access to databases, cloud accounts, or third-party services.


The post Open Source Intelligence (OSINT): Leaked Secrets with TruffleHog first appeared on Hackers Arise.

Hello cyberwarriors!

Today we’re learning how to use TruffleHog. TruffleHog is an open‑source tool for scanning Git repositories and their full history to find accidentally exposed secrets. It uses high‑entropy checks and custom regular expressions to spot strings that look like API keys, tokens, passwords, or other sensitive data. You can run TruffleHog against a single repository or point it at the GitHub or GitLab API to scan many projects at once.

Attackers love TruffleHog because it digs through every commit, tag, and metadata entry. Even if a developer removes a secret in a later commit, the old blob still lives in Git’s history, and TruffleHog will find it. Credentials recovered this way often give access to databases, cloud accounts, or third‑party services, and because the login uses a valid credential it rarely trips an alarm.

Let’s see it in action.

Installation

First, install the two tools we’ll need: git-dumper and trufflehog. Note that the PyPI trufflehog package is the legacy Python (v2) tool, while the standalone GitHub release (v3, written in Go) has a different command line: it uses subcommands such as git, github and filesystem, and it can verify found credentials against the issuing service. Check the help output of whichever build you have before copying flags from this post.

kali > pip3 install git-dumper

kali > pip3 install trufflehog

We will use git-dumper to pull exposed .git directories down before running the TruffleHog scan. This vector is common and effective: many hosts have been compromised through a web-exposed Git folder, because the repository history usually contains configuration files, and those frequently hold live credentials.

Dump a Repository

Some servers accidentally expose their entire .git directory over HTTP. In the example below the whole directory was browsable, directory listing included.

[image: viewing exposed git directory]

With git-dumper you can pull it down by specifying the target URL and the local directory the files should be saved to:

kali > git-dumper http://target.ru/.git dump

[image: dumping exposed git directory with git-dumper]

Apart from the easily accessible cases, some sites return 403 or hide the listing for /.git/ itself, yet still serve the individual files underneath it, such as /.git/HEAD, /.git/config, the refs, and the objects under /.git/objects/.

[image: viewing exposed git of a Russian government website]

git-dumper handles this case too: it starts from the well-known file names, parses what it gets back to learn further object and ref names, and pulls every accessible object, commit, and reference into the local dump folder.

[image: dumping exposed git of a Russian website with git-dumper]

Check the result before scanning it. A quick git log inside the dump folder shows whether the history came across; if some objects were blocked the dump is partial, but every object that was downloaded can still be scanned.

Analyzing the Repositories

After the repository has been successfully dumped, let’s see what we can find in all this clutter. There are multiple ways of finding valuable strings in files with trufflehog. The PyPI build runs its entropy check by default and its regex rules only when asked: --regex switches the rules on and --entropy NO switches the entropy check off. Entropy alone flags every long random-looking string (commit hashes, base64 blobs, minified assets), so on a real dump it is mostly noise; regex without entropy looks only for strings shaped like known key formats or password assignments. In our case regex without entropy turned out to be the most efficient approach.

kali > trufflehog --regex --entropy NO dump

[image: experimenting with trufflehog flags]

[image: discovered credentials with trufflehog]

In one of the files we found the credentials for the database.
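
To make the entropy-versus-regex trade-off concrete, here is an added example (not code from the post or from TruffleHog itself) that re-implements the two detection modes in Python and runs them over a handful of constructed lines of the sort a dumped repo contains. The character sets and thresholds are the ones TruffleHog v2 used (base64 alphabet above 4.5 bits per character, hex alphabet above 3.0, runs longer than 20 characters); the regex rules are a small hand-written subset in the style of its rule file, and every credential in the sample is either fabricated or an AWS documentation example key.

```python
"""Minimal re-implementation of TruffleHog v2's two detection modes (added example)."""
import math
import re

# Constructed sample input: lines as they might appear in files pulled out of a dumped repo.
# Credentials are fabricated or AWS documentation example keys; nothing here is live.
SAMPLE_LINES = [
    "DB_HOST=10.0.0.5",
    "define('DB_PASSWORD', 'S3cr3t-Pr0d-Passw0rd!');",
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "commit 3b18e512dba79e4c8300dd08aeb37f8e728b8dad",   # git object id: random-looking, harmless
    'build_id = "Zx9Qm2Kp7Lw4Rv8Tn3Bh6Yj1Gc5Fd0As"',     # cache-busting id: random-looking, harmless
    'print("hello world")',
]

# Regex mode: a hand-written subset shaped like TruffleHog's rule file (own wording).
REGEXES = {
    "AWS access key ID": re.compile(r"AKIA[0-9A-Z]{16}"),
    "AWS secret access key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "Password assignment": re.compile(
        r"(?i)(?:password|passwd|pwd)['\"]?\s*[,:=]\s*['\"]?([^'\"\s,;()]{8,})"),
    "Private key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}

# Entropy mode: the character sets and thresholds TruffleHog v2 used.
BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
HEX_CHARS = "1234567890abcdefABCDEF"
CHARSET_THRESHOLDS = ((BASE64_CHARS, 4.5), (HEX_CHARS, 3.0))
MIN_RUN = 20  # a run must be longer than this many characters to be considered


def shannon_entropy(data: str, charset: str) -> float:
    """Bits per symbol of `data`, counting only symbols drawn from `charset`."""
    if not data:
        return 0.0
    entropy = 0.0
    for ch in charset:
        p = data.count(ch) / len(data)
        if p > 0:
            entropy -= p * math.log2(p)
    return entropy


def charset_runs(word: str, charset: str):
    """Maximal substrings of `word` made only of `charset` characters, longer than MIN_RUN."""
    runs, current = [], ""
    for ch in word + "\x00":          # NUL is in neither charset, so it flushes the last run
        if ch in charset:
            current += ch
        else:
            if len(current) > MIN_RUN:
                runs.append(current)
            current = ""
    return runs


def scan_lines(lines, use_regex=True, use_entropy=True):
    """Return (line_no, detector, matched_string) triples; line numbers are 1-based."""
    findings = []
    for no, line in enumerate(lines, start=1):
        if use_regex:
            for name, pattern in REGEXES.items():
                m = pattern.search(line)
                if m:
                    findings.append((no, name, m.group(1) if m.groups() else m.group(0)))
        if use_entropy:
            seen = set()              # a run that passes both charsets is reported once
            for word in line.split():
                for charset, threshold in CHARSET_THRESHOLDS:
                    for run in charset_runs(word, charset):
                        if run not in seen and shannon_entropy(run, charset) > threshold:
                            seen.add(run)
                            findings.append((no, "High entropy", run))
    return findings


if __name__ == "__main__":
    for title, kwargs in (("regex only  (--regex --entropy NO)", {"use_entropy": False}),
                          ("entropy only (the v2 default)", {"use_regex": False})):
        print(f"== {title} ==")
        for no, name, value in scan_lines(SAMPLE_LINES, **kwargs):
            print(f"  line {no}: {name}: {value}")
```

Run it and compare the two listings: entropy mode flags the commit hash and the build id, which are harmless, and misses the PHP password, which is the real finding, while regex mode returns exactly the three credentials. That is why --regex --entropy NO was the productive setting on the dump above; the price is that regex mode only finds what a rule describes, so an unusual token format with no rule stays invisible.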





Another way to approach this is to install the v3 TruffleHog from the GitHub repository and run it against the filesystem. Piping an installer into sh is itself a supply-chain risk, so on anything but a throwaway box download the release binary from the project’s GitHub releases page instead and check its checksum before running it:

kali > curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin

kali > trufflehog filesystem /home/kali/Documents/dump

[image: trufflehog filesystem mode]

Filesystem mode walks the dump as ordinary files, so it sees the checked-out working tree and any plain-text files under .git, but old versions of files live as zlib-compressed blobs inside .git/objects, which a plain file walk does not reconstruct. To be sure the history itself is covered with v3, point the git source at the dump instead (trufflehog git file:///home/kali/Documents/dump). Either way, v3 tries to verify each candidate against the issuing service; the unverified results are where the noise and false positives live, so start by reading the verified ones.
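
As an added example of why a plain file walk is not the same as a history scan, and of what git-dumper actually leaves on disk, the following Python (not from the post, and not TruffleHog code) reads git’s loose-object format directly: it inflates every object under .git/objects, keeps the blobs, and greps them with two regex rules. The sample dump it builds is constructed inside a temporary directory under an assumed git-dumper-style layout (<root>/.git/objects/...): two versions of config.php stored as blobs, one with a fabricated hard-coded password and one that reads it from the environment, plus a commit object, with only the sanitised version checked out. Packfiles (objects/pack/*.pack) are deliberately out of scope.

```python
"""Inflate every loose object in a dumped .git and grep the blobs for secrets (added example).

Git stores each loose object as zlib(b"<type> <size>\\0<payload>") at
objects/<first two hex digits of the id>/<remaining 38 hex digits>, whether or not
any ref still points at it.  That is why a secret deleted in a later commit is still
on disk after a dump.
"""
import hashlib
import os
import re
import tempfile
import zlib

# Two regex rules in the style of TruffleHog's regex mode (own wording, not its rule file).
SECRET_PATTERNS = (
    ("Password assignment",
     re.compile(r"(?i)(?:password|passwd|pwd)['\"]?\s*[,:=]\s*['\"]?([^'\"\s,;()]{8,})")),
    ("AWS access key ID", re.compile(r"AKIA[0-9A-Z]{16}")),
)


def write_loose_object(git_dir: str, obj_type: str, payload: bytes) -> str:
    """Store payload as a loose git object in git's own on-disk format; return its object id."""
    raw = f"{obj_type} {len(payload)}\0".encode() + payload
    oid = hashlib.sha1(raw).hexdigest()
    obj_dir = os.path.join(git_dir, "objects", oid[:2])
    os.makedirs(obj_dir, exist_ok=True)
    with open(os.path.join(obj_dir, oid[2:]), "wb") as fh:
        fh.write(zlib.compress(raw))
    return oid


def iter_loose_objects(git_dir: str):
    """Yield (object id, type, payload) for every inflatable loose object, reachable or not."""
    objects_dir = os.path.join(git_dir, "objects")
    for fan_out in sorted(os.listdir(objects_dir)):
        if len(fan_out) != 2:            # skips objects/info and objects/pack
            continue
        for name in sorted(os.listdir(os.path.join(objects_dir, fan_out))):
            with open(os.path.join(objects_dir, fan_out, name), "rb") as fh:
                compressed = fh.read()
            try:
                raw = zlib.decompress(compressed)
            except zlib.error:
                continue                 # truncated or partially downloaded object: skip, do not abort
            header, _, payload = raw.partition(b"\0")
            obj_type = header.split(b" ", 1)[0].decode("ascii", "replace")
            yield fan_out + name, obj_type, payload


def scan_git_objects(git_dir: str, patterns=SECRET_PATTERNS):
    """Apply the regex rules to every blob; return (object id, rule name, match) triples."""
    findings = []
    for oid, obj_type, payload in iter_loose_objects(git_dir):
        if obj_type != "blob":           # commits and trees carry no file content
            continue
        text = payload.decode("utf-8", errors="replace")
        for rule, pattern in patterns:
            for m in pattern.finditer(text):
                findings.append((oid, rule, m.group(1) if m.groups() else m.group(0)))
    return findings


def build_demo_dump() -> str:
    """Constructed stand-in for a git-dumper output folder; returns its root directory.

    The old config.php (fabricated password) exists only as a blob in the object store;
    the checked-out working tree holds the sanitised version.
    """
    root = tempfile.mkdtemp(prefix="dump-")
    git_dir = os.path.join(root, ".git")
    old_config = b"<?php\n$db_password = 'Pr0d-DB-Passw0rd-2019';\n"
    new_config = b"<?php\n$db_password = getenv('DB_PASSWORD');\n"
    write_loose_object(git_dir, "blob", old_config)
    write_loose_object(git_dir, "blob", new_config)
    write_loose_object(git_dir, "commit",        # constructed commit; tree id is git's empty tree
                       b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
                       b"author dev <dev@example.com> 1700000000 +0000\n\n"
                       b"remove hardcoded password\n")
    with open(os.path.join(root, "config.php"), "wb") as fh:
        fh.write(new_config)
    return root


def checked_out_file_contains(root: str, needle: str) -> bool:
    """True if the string is visible in the checked-out config.php, i.e. to a plain file walk."""
    with open(os.path.join(root, "config.php"), encoding="utf-8") as fh:
        return needle in fh.read()


if __name__ == "__main__":
    dump = build_demo_dump()
    print("working tree has the password:", checked_out_file_contains(dump, "Pr0d-DB-Passw0rd-2019"))
    for oid, rule, value in scan_git_objects(os.path.join(dump, ".git")):
        print(f"{oid[:12]}  {rule}: {value}")
```

The scanner never consults HEAD or the refs, which is the point: on a partial dump where refs or commits were blocked, the blobs that did arrive are still searchable, and a secret removed from the current version of a file is still sitting in the object that held the old version.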





Other Ways to Analyze Repositories

The commands below are for the v3 (Go) build installed in the previous step; the PyPI build does not understand these subcommands. They let you fine‑tune your search.

Scan a Repository For Verified Secrets

kali > trufflehog git https://github.com/trufflesecurity/test_keys --results=verified,unknown

[image: scanning for verified secrets with trufflehog]

Shows findings that TruffleHog could verify live against the service’s API (AWS, GitHub, and so on) in the “verified” category, plus findings whose verification attempt failed or was inconclusive (a network error, an unexpected response) in the “unknown” category. Candidates that were checked and rejected are “unverified”; this flag leaves them out, which is what keeps the output short compared with a run that also lists unverified candidates.

Scan All Repositories of an Organization

kali > trufflehog github --org=trufflesecurity --results=verified,unknown --json

[image: scanning all repos of an organization with trufflehog]

Runs across every repository in the trufflesecurity organization and emits one JSON object per finding, again only for verified or unknown results. Supply a GitHub token via --token or the GITHUB_TOKEN environment variable to include private repositories and to avoid API rate limiting.
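
Once a scan is in JSON, the next job is to turn a long stream of findings into a short list of credentials to rotate, collapsing the same key found in ten commits into one entry. The following added Python (not from the post or the TruffleHog project) shows that triage over constructed sample records; the field names it reads (DetectorName, Verified, Raw, Redacted, SourceMetadata.Data.Git with commit, file and line) are assumed to match v3’s JSON output and should be checked against one line of your own build’s output before you rely on them. The stray log line in the sample is also constructed, to show that non-JSON lines on the same stream are skipped.

```python
"""Triage TruffleHog v3 --json output: keep verified hits, dedupe, group by detector (added example)."""
import json
from collections import defaultdict

# Constructed sample output.  Field names are an assumption about v3's JSON lines;
# the secrets are fabricated or AWS documentation example keys.
_RECORDS = [
    {"DetectorName": "AWS", "Verified": True, "Raw": "AKIAIOSFODNN7EXAMPLE",
     "Redacted": "AKIAIOSFODNN7EXAMPLE",
     "SourceMetadata": {"Data": {"Git": {"commit": "3b18e512", "file": "config/prod.env", "line": 4}}}},
    {"DetectorName": "AWS", "Verified": True, "Raw": "AKIAIOSFODNN7EXAMPLE",      # same key, older commit
     "Redacted": "AKIAIOSFODNN7EXAMPLE",
     "SourceMetadata": {"Data": {"Git": {"commit": "9fa2c771", "file": "config/prod.env", "line": 4}}}},
    {"DetectorName": "URI", "Verified": False, "Raw": "postgres://app:hunter2@db.internal/app",
     "Redacted": "postgres://app:********@db.internal/app",
     "SourceMetadata": {"Data": {"Git": {"commit": "3b18e512", "file": "docker-compose.yml", "line": 12}}}},
    {"DetectorName": "Github", "Verified": True, "Raw": "ghp_constructedexampletoken",
     "Redacted": "ghp_const***",
     "SourceMetadata": {"Data": {"Git": {"commit": "c0ffee12", "file": ".github/workflows/ci.yml", "line": 20}}}},
]
SAMPLE_OUTPUT = "2025-08-16T15:33:08Z info scanning finished (constructed log line)\n" + \
    "\n".join(json.dumps(r) for r in _RECORDS) + "\n"


def parse_findings(stream: str):
    """Parse JSON-lines output, skipping blank lines and anything that is not a finding object."""
    records = []
    for line in stream.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue                                   # log or progress line mixed into the stream
        if isinstance(rec, dict) and "DetectorName" in rec:
            records.append(rec)
    return records


def git_location(rec):
    """(file, short commit, line) from the git source metadata, tolerating missing fields."""
    git = rec.get("SourceMetadata", {}).get("Data", {}).get("Git", {})
    return git.get("file", "?"), str(git.get("commit", "?"))[:8], git.get("line")


def triage(records, verified_only=True):
    """Group findings by detector; one entry per distinct secret, listing every place it appeared."""
    by_secret = {}
    for rec in records:
        if verified_only and not rec.get("Verified"):
            continue
        key = (rec["DetectorName"], rec.get("Raw"))
        entry = by_secret.setdefault(key, {"redacted": rec.get("Redacted", ""), "locations": []})
        entry["locations"].append(git_location(rec))
    grouped = defaultdict(list)
    for (detector, _), entry in by_secret.items():
        grouped[detector].append(entry)
    return dict(grouped)


def report(grouped) -> str:
    """Human-readable summary that never prints the raw secret, only its redacted form."""
    lines = []
    for detector in sorted(grouped):
        for entry in grouped[detector]:
            lines.append(f"{detector}: {entry['redacted']}  (seen {len(entry['locations'])}x)")
            for file, commit, line in entry["locations"]:
                lines.append(f"    {commit} {file}:{line}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(parse_findings(SAMPLE_OUTPUT))))
```

Two verified secrets come out of four records, and the AWS key is listed once with both commits under it, which is the unit you actually rotate. Pass verified_only=False when the service could not be reached during the scan and you need to work the unknown and unverified candidates by hand.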





Scan a GitHub Repository, Issues and Pull Requests

kali > trufflehog github --repo=https://github.com/trufflesecurity/test_keys --issue-comments --pr-comments

[image: scanning issue comments and pull requests with trufflehog]

[image: finding gems with trufflehog]

Digs into issue descriptions, comments, PR text, and PR comments – useful because secrets sometimes leak in the discussion (a pasted log, a “here is my config” comment) even when the code itself is clean.

Scan a Local Git Repository

kali > trufflehog git file://test_keys --results=verified,unknown

Targets a repository already on your disk, such as a clone or a git-dumper output folder, rather than fetching it over HTTP, and still walks the full commit history.





Summary

TruffleHog is a powerful time‑saver for both offensive and defensive ops. It quickly sifts through every corner of your Git history using entropy, regex, and API verification. With a bit of tuning (regex-only on the legacy build, --results=verified on v3) you can weed out false alarms and spotlight the real gems. Whether you’re hunting forgotten keys or locking down your own code, TruffleHog is an essential part of your toolkit. On the defensive side, treat any credential it finds in history as already compromised: rewriting history does not un-leak a key that was pushed, so rotate it first and only then clean the repository.






Source: HackersArise
Source Link: https://hackers-arise.com/open-source-intelligence-osint-leaked-secrets-with-trufflehog/