TruffleHog v3 – Detect and automatically verify over 600 credential types
github.com
Note that v3 shifts to AGPL, from GPL in prior versions.
Doesn't bother me personally, but I know a lot of companies won't touch AGPL'd projects with a bargepole, so this is probably worth bearing in mind.
Then they must have rewritten the 2.0.97 tag from 2016 because it's AGPL also: https://github.com/trufflesecurity/trufflehog/blob/2.0.97/LI...
GitHub's identification is incorrect; the text is clearly the GPL and not AGPL. My guess is that GitHub does its LICENSE-autodetect thing only on the default branch but displays it everywhere (this probably should be considered a bug?).
Gosh, I'm so sorry for spreading false information. Had that license widget not taken up so much screen real estate one might have had a fighting chance at spotting the error :-(
I dread tracking down which issue in the GitHub org that belongs to
I don't understand the hype for v3. There are a number of other secret detection tools out there that leave this in the dust. Plus, for all the money they took on (wasn't it more than $10M?) I'd expect a bigger delta between versions. From the commit history it looks like they superglued this thing together in ~3 months. Looking at the codebase, they also don't seem to know Golang very well.
Is there a tool like this with a more permissive license?
There are a lot of secret detection tools out there. It probably is going to depend a lot on the specific features you care about. I personally really like shhgit[0] which is MIT licensed and is the tool I've found to most match my workflows.
Gitleaks