Sergey Nivens - Fotolia

Git repos hide secret keys, rooted out by Truffle Hog

Truffle Hog utility roots out and detects text blobs with enough entropy to be secret keys -- even those buried deep in old Git repositories -- to prevent exploits.

Software developers want to hide high-entropy secret keys in their GitHub repositories -- but they shouldn't, and may no longer be able to now that there's a tool for digging those secret keys out of old code repos.

Truffle Hog, a simple utility in just 113 lines of Python code, roots through Git repositories for strings of text that are long enough -- and random enough -- to be cryptographic secrets likely to be used for encryption, decryption or authentication.

Truffle Hog "[s]earches through Git repositories for high entropy strings, digging deep into commit history and branches," the developer, Dylan Ayrey wrote in the project's GitHub page. "This is effective at finding secrets accidentally committed that contain high entropy."

While not necessarily as bad as shipping internet of things hardware with hard-coded admin passwords, software developers often take shortcuts in early stages of projects. Embedding security tokens or other strings with high entropy into their source code early in a project, especially when the source code is stored on a publicly accessible site like GitHub, opens a particularly nasty path for attackers. While the secrets may be removed from production code, developers aren't always able to remove them from earlier or branched versions of their code in Git repositories.

"This module will go through the entire commit history of each branch, and check each diff from each commit," Ayrey wrote. The Truffle Hog program also evaluates "the Shannon entropy for both the base64 char set and hexadecimal char set for every blob of text greater than 20 characters comprised of those character sets in each diff. If at any point a high entropy string [greater than] 20 characters is detected, it will print to the screen."

One user on Twitter was especially impressed with Truffle Hog.

Participants on Reddit reported that Amazon has already fielded a tool similar to Truffle Hog capable of finding AWS secret keys in public software repositories.

"I have accidentally committed my AWS secret keys before to a public repo," Reddit user KingOtar reported. "Amazon actually found them and shut down my account until I created new ones. Kinda neat [A]mazon."

Next Steps

New to Git and distributed version control? Here are some Git examples and Jenkins-Git integration tutorials designed to help you master the popular source code versioning tool:

Dig Deeper on Data security and privacy