The Problem: Cryptographic Failures
Are crypto keys checked into source code repositories?
Programmers still put their database passwords, secrets, encryption keys, and other sensitive data directly into source code. Ultimately these end up in your git repositories.
Why is this a problem?
Hackers are quickly learning that the easiest way to your data isn't to break into the system, it's to log in.
Developers like to share code
Why reinvent the wheel when someone else in the company has already solved the problem?
The hacker holy grail
Combine a philosophy of code sharing, the searching power of your Git repositories, and a habbit of hardcoding passwords and you have a treasure chest of hacker goodies.
Why Credential Hunter?
Credential Hunter is built to hunt down credentials in source code. It's aggressive. It's designed to combat the human by hunting for more than 1500+ patterns.
Far better results
Regular expressions are very slow and prone to errors. Our unique matching system significantly boosts performance and accuracy. In addition to being much much faster, we find more than just vendor tokens. Also, each finding is associated with a remediation guide.
Find more than vendor tokens
Tokens are important, and we do find them, but we also find much more. Credentials take many different forms, including passwords, API tokens, and encryption keys in source code, rejected commits, configuration files, and anything else that is in your repo.
Much much faster
Built for DevOps speed. Get results 20x faster. Legacy regEx-based tools are slow and can take far too long to provide results.
Simple, easy deployment
Credential Hunter uses a couple of container images with minimal configuration. We make no assumptions about your infrastructure.
Remediation guide included
Save time fixing findings. Credential Hunter tells you exactly how to get to each credential it finds so that you can implement an appropriate remediation.
Built by hunters for hunters
If you are a security-minded credential hunter, then Credential Hunter is for you. This is something that Red, Blue, and Yellow teams can use.
Credential hunting is not a solved problem
Other tools are slow and incomplete. Large repositories would take more than a day to analyze. Every existing tool was slowing down my team and providing incomplete coverage. Just because we could "check a box" and say that we were looking for credentials didn't allow me to sleep any easier at night.
[A tool to guard GitHub] found 6% of what [Credential Hunter] did. Barely better, [a tool that leaves you feeling blue] found only 30% [of what Credential Hunter did].
Thank you for saving us from a complicated server deployment. The new version [of a competing tool], released after we purchased it, doesn’t work in many of our environments. Now we can only use 25% of what we purchased. But at least we get a pretty report. FML.
We finally have control over how and when our tool runs. Your results are exactly what we need.
Pricing
Free, if your existing tool has more findings.1
Free, if you are an open source project, an educator teaching students about writing secure software, or are protecting software for a do-gooder organization.2
Penetration Tester
A monthly license based upon the number of repositories you are attacking.
Application Developer
An annual license based upon the number of repositories you are protecting.
1 Free use is only for the remaining duration of the existing contract with the competing product, and is subject to Credential Hunter's terms and conditions. You must provide a copy of the contract that Credential Hunter will replace.
2 Free use is at the sole discretion of Credential Hunter and may be changed at any time without notice. Our legal advisor made us write this.
We are preparing a lot of new functionality and are interested in design partners from all walks of life. Let us know if you are interested.