TruffleHog tool will sniff out secret keys on Github
Tool to help coders keep encryption keys secure could also be used on legacy code to find them...
A tool dubbed TruffleHog has been released that will enable administrators - and hackers - to uncover high-entropy strings, which is what secret keys and API credentials look like, in code published on Github.
The "module will go through the entire commit history of each branch, and check each diff from each commit, and evaluate the Shannon Entropy for both the base64 char set and hexadecimal char set for every blob of text greater than 20 characters comprised of those character sets in each diff.
"If at any point a high entropy string greater than 20 characters is detected, it will print to the screen", according to the project's home page on Github.
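The scan the README describes, written out as an added example in Python (this is not TruffleHog's own code): split each diff line into maximal runs of base64 or hex characters longer than 20, compute the Shannon entropy of each run in bits per character, and report those above a threshold. The thresholds (4.5 for base64, 3.0 for hex) and the `git log -p --all` history walk are this example's assumptions; the sample diff is constructed, using Amazon's documented example credentials and the SHA-256 of "test" rather than any live secret.

```python
"""Entropy-based secret scan over diff text, in the manner the TruffleHog
README describes. Added example, not the project's own code."""
import math
import subprocess
from typing import Dict, List

# The two character sets named in the README.
BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
HEX_CHARS = "1234567890abcdefABCDEF"

MIN_LEN = 20  # README: strings "greater than 20 characters"
# Thresholds in bits per character are this example's assumption, not numbers
# from the README: hex can never exceed 4 bits/char, base64 tops out at 6.
BASE64_THRESHOLD = 4.5
HEX_THRESHOLD = 3.0


def shannon_entropy(data: str, charset: str) -> float:
    """Shannon entropy of `data` in bits per character, counted over `charset`."""
    if not data:
        return 0.0
    entropy = 0.0
    for ch in charset:
        p = data.count(ch) / len(data)
        if p > 0:
            entropy -= p * math.log2(p)
    return entropy


def candidate_strings(word: str, charset: str) -> List[str]:
    """Maximal runs of charset characters in `word` that are longer than MIN_LEN."""
    runs, current = [], ""
    for ch in word + " ":  # trailing space (not in either charset) flushes the last run
        if ch in charset:
            current += ch
            continue
        if len(current) > MIN_LEN:
            runs.append(current)
        current = ""
    return runs


def find_secrets(diff_text: str) -> List[Dict]:
    """Flag high-entropy base64 and hex runs on each line of a diff."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        for word in line.split():
            for name, charset, threshold in (
                ("base64", BASE64_CHARS, BASE64_THRESHOLD),
                ("hex", HEX_CHARS, HEX_THRESHOLD),
            ):
                for s in candidate_strings(word, charset):
                    entropy = shannon_entropy(s, charset)
                    if entropy > threshold:
                        findings.append({"line": lineno, "charset": name,
                                         "string": s, "entropy": round(entropy, 3)})
    return findings


def scan_repository(path: str) -> List[Dict]:
    """Walk every commit on every branch, as the README describes, by feeding
    the output of `git log -p --all` to find_secrets. Needs git and a real
    checkout; the offline demo below does not call it."""
    out = subprocess.run(
        ["git", "-C", path, "log", "-p", "--all", "--no-color"],
        capture_output=True, text=True, errors="replace", check=True,
    ).stdout
    return find_secrets(out)


# Constructed sample diff. The AWS values are Amazon's documented example
# credentials and the hex string is SHA-256("test"); nothing here is a live secret.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+SESSION_DIGEST = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
+PLACEHOLDER = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"""

if __name__ == "__main__":
    for finding in find_secrets(SAMPLE_DIFF):
        print(finding)
```

Three things the sample shows that the README's sentence does not: the 20-character access key ID is never examined because it is not longer than 20, so the length cut-off alone misses a real credential format; the 64-character hex digest passes the hex threshold (about 3.79 bits/char) but not the base64 one, which is why the two character sets need separate thresholds; and a 32-character run of repeated letters is long enough but has zero entropy, so length without randomness is not reported.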
The tool is the work of Dylan Ayrey, who warned about so-called 'paste-jacking' in Javascript in May last year.
The aim is to save administrators from inadvertently exposing credentials that grant access to their networks and cloud accounts, but the tool will no doubt also be used by hackers to scan existing public repositories for leaked keys that can be used to gain access.
Amazon Web Services (AWS) already uses a similar tool to pre-emptively search GitHub for AWS keys that may have been committed to public repositories by accident, preventing miscreants from using them to spin up AWS instances (to, for example, mine for bitcoin) with the account holder picking up the tab.
Indeed, according to Reddit users responding to news of the tool, which was released last week, AWS does precisely this to protect its users and services.
"I have accidentally committed my AWS secret keys before to a public repository. Amazon actually found them and shut down my account until I created new ones. Kinda neat, Amazon," wrote one.