Introducing: Entropy Scanner
I have released my first extension for Visual Studio Code!
Entropy Scanner is based on the algorithm that underpins truffleHog, but provides real-time feedback on your source code while you are writing it. The extension is open source and can be found on GitHub.
Entropy scanners are useful because they can detect certain types of strings without a predefined list of patterns to match against: a random-looking token is flagged because of its character distribution, not because it fits a known key format. High-entropy strings may contain private keys, auth tokens or other sensitive information that should not be tracked in your version control. The same property produces false positives, since checksums, UUIDs and base64-encoded assets look just as random as a leaked key, so this shouldn't be the only tool you use to scan your source code for secrets, but it definitely helps.
Entropy Scanner provides real-time feedback on these high-entropy strings, and it also adds a quick action to exclude specific findings via a tartufo.toml file. The extension also reads tartufo's exclude-path-patterns config, so paths that tartufo already skips are skipped in the editor as well, providing a seamless experience between the two tools.
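To make the two ideas above concrete, here is an added example written for this post; it is not code from the extension, truffleHog or tartufo. It implements a truffleHog-style Shannon-entropy scan over source text (no pattern list, just character distribution) and then applies a tartufo-style exclude-path-patterns list before reporting. The character sets and thresholds (base64-ish runs above 4.5 bits per character, hex runs above 3.0) are the ones commonly associated with truffleHog's original scanner; the config dict and sample files are constructed for the example, and treating exclude-path-patterns entries as regular expressions is an assumption about tartufo's semantics rather than something this page states.

```python
"""Minimal entropy scanner with tartufo-style path exclusions.

Added illustrative code, not the source of Entropy Scanner, truffleHog
or tartufo. Standard library only, so it runs offline.
"""
import math
import re
from typing import Dict, List

# Character sets and thresholds in the style of the classic truffleHog scan.
BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
HEX_CHARS = "0123456789abcdefABCDEF"
MIN_LEN = 20          # shorter runs are too noisy to judge by entropy alone
BASE64_THRESHOLD = 4.5
HEX_THRESHOLD = 3.0


def shannon_entropy(data: str, charset: str) -> float:
    """Shannon entropy of `data` in bits per character, counted over `charset`."""
    if not data:
        return 0.0
    entropy = 0.0
    for ch in charset:
        p = data.count(ch) / len(data)
        if p > 0:
            entropy -= p * math.log2(p)
    return entropy


def charset_runs(word: str, charset: str, min_len: int = MIN_LEN) -> List[str]:
    """Maximal runs of `charset` characters inside `word`, at least `min_len` long."""
    runs, current = [], ""
    for ch in word:
        if ch in charset:
            current += ch
        else:
            if len(current) >= min_len:
                runs.append(current)
            current = ""
    if len(current) >= min_len:
        runs.append(current)
    return runs


def high_entropy_strings(text: str) -> List[str]:
    """Flag substrings purely by entropy; no regex for any particular key format."""
    findings = []
    for word in text.split():
        for run in charset_runs(word, BASE64_CHARS):
            if shannon_entropy(run, BASE64_CHARS) > BASE64_THRESHOLD:
                findings.append(run)
        for run in charset_runs(word, HEX_CHARS):
            if shannon_entropy(run, HEX_CHARS) > HEX_THRESHOLD:
                findings.append(run)
    return findings


def is_excluded_path(path: str, exclude_path_patterns: List[str]) -> bool:
    """Assumption: exclude-path-patterns entries are regexes matched against the path."""
    return any(re.search(pattern, path) for pattern in exclude_path_patterns)


def scan_files(files: Dict[str, str], config: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Scan each file's text, skipping paths the tartufo-style config excludes."""
    results: Dict[str, List[str]] = {}
    patterns = config.get("exclude-path-patterns", [])
    for path, text in files.items():
        if is_excluded_path(path, patterns):
            continue
        found = high_entropy_strings(text)
        if found:
            results[path] = found
    return results


# Constructed stand-in for the [tool.tartufo] table of a tartufo.toml file.
SAMPLE_CONFIG = {"exclude-path-patterns": [r"^tests/fixtures/", r"\.lock$"]}

# Constructed sample files: one fake token, one hex digest, one excluded fixture, one prose file.
SAMPLE_FILES = {
    "src/settings.py": 'API_TOKEN = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef"\nDEBUG = True\n',
    "src/checksums.py": 'EXPECTED = "0123456789abcdef0123"\n',
    "tests/fixtures/keys.py": 'KEY = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef"\n',
    "README.md": "This repository has no secrets, only prose.\n",
}

if __name__ == "__main__":
    for path, found in scan_files(SAMPLE_FILES, SAMPLE_CONFIG).items():
        for secret in found:
            print(f"{path}: high-entropy string {secret!r}")
```

The hex digest in `src/checksums.py` shows the false-positive side of the technique: it is reported because it is random-looking, exactly like a real secret would be, which is why a per-finding exclusion (the quick action into tartufo.toml described above) is needed alongside path exclusions.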