Secrets in source code have lead to breaches in the past. They make it really easy to move laterally and escalate privileges once inside an environment, and it's a problem the entire industry faces. I'm going to talk about the tool I wrote to help identify secrets: TruffleHog. I'll be talking about different ways to use the tool, how it can be used in devops pipelines, and the future of the tool going forward. I'll also talk about a new type of problem I don't think anyone has looked at before: Secrets in old packages. I've tweaked truffleHog to scan package managers like npm and pypi, and found tons of secrets accidentally uploaded to the package manager, that weren't ever even in the git history. I'll be releasing the tweaked version of truffleHog and walk through how to use it, and why we need to pay more attention to this problem.
