loading
loading
Static Code Analysis
Analyze big volumes of data in search of hardcoded secrets like keys and passwords.
overview
dumpsterdiver searches large volumes of files for hardcoded secrets: AWS access keys, Azure shared keys, SSH private keys, and plain passwords. It scores strings by entropy tuned to the key length you expect, so high-randomness blobs that look like credentials surface even when no fixed pattern matches.
Beyond entropy, advanced analysis applies rules from rules.yaml, grep words narrow the hunt, and exclude lists or bad expressions skip uninteresting paths. Password mode adds length and complexity thresholds so weak noise stays out of the report.
On Trickest, dumpsterdiver is a Static Code Analysis node that takes a folder of files and writes a folder and a file of findings. Point it at a cloned repository, a data dump, or an archive to surface leaked credentials before they are abused.
use cases
Run dumpsterdiver over a folder of files so AWS, Azure, and SSH keys hidden in source, configs, or logs surface through entropy analysis.
Set the search level for short, typical, or long keys so the scan matches the kind of secret you expect and keeps false positives down.
Enable secret mode and set length and complexity thresholds so the scan flags real passwords without drowning in weak matches.
Use advanced analysis with rules.yaml to report only files meeting a condition, like a CSV containing many email addresses.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| path-to-files | FOLDER | -p | Path to the folder containing files to be analyzed. |
| secret | BOOLEAN | -s | Additionally analyze all files for hardcoded passwords. |
| advanced-analysis | BOOLEAN | -a | Analyze files using rules specified in rules.yaml. |
| search-level | STRING | --level | Search level for key length: 0 short, 1 typical (default), 2 long, 3 any. |
| enge-of-high-entropy | STRING | --entropy | Edge of high entropy (default 4.3). |
| grep-words | STRING | --grep-words | Grep words to look for, space-separated; requires -a. |
| files-to-exclude | STRING | --exclude-files | File names or extensions to skip during analysis. |
| remove | BOOLEAN | -r | Remove files that contain nothing interesting. |
Showing key inputs. dumpsterdiver exposes 14 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| remove | BOOLEAN | -r | When this flag is set, then files which don't contain any secret (or anything interesting if -a flag is set) will be removed. |
| secret | BOOLEAN | -s | When this flag is set, then all files will be additionally analyzed in search of hardcoded passwords. |
| grep-words | STRING | --grep-words | Specifies the grep words to look for. Multiple words should be separated by space. Wildcards are supported. Requires adding -a flag to the syntax. |
| search-level | STRING | --level | Search level for key length. Options: --level 0 - short keys (20-40B), e.g. AWS Access Key ID. --level 1 (default) - typical keys (40-70B), e.g. AWS Secret Access Key or Azure Shared Key. --level 2 - long keys (1000-1800B), e.g. SSH private key. --level 3 - any key (20-1800B). Be careful with this setting, because it may generate lots of false positives. |
| path-to-files | FOLDER | -p | Path to the folder containing files to be analyzed |
| max-key-length | STRING | --max-key | Specifies the maximum key length to be analyzed (default is 80). |
| min-key-length | STRING | --min-key | Specifies the minimum key length to be analyzed (default is 20). |
| bad-expressions | STRING | --bad-expressions | Specifies bad expressions. If the DumpsterDiver find such expression in a file, then this file won't be analyzed. Multiple bad expressions should be separated by space. |
| files-to-exclude | STRING | --exclude-files | Specifies file names or extensions which shouldn't be analyzed. File extension should contain . character (e.g. .pdf). Multiple file names and extensions should be separated by space. |
| advanced-analysis | BOOLEAN | -a | when this flag is set, then all files will be additionally analyzed using rules specified in rules.yaml file. |
| max-password-length | STRING | --max-pass | Specifies the maximum password length to be analyzed (default is 12). Requires adding -s flag to the syntax. |
| min-password-length | STRING | --min-pass | Specifies the minimum password length to be analyzed (default is 8). Requires adding -s flag to the syntax. |
| password-complexity | STRING | --pass-complex | Specifies the edge of password complexity between 1 (trivial passwords) to 9 (very complex passwords) (default is 8). Requires adding -s flag to the syntax. |
| enge-of-high-entropy | STRING | --entropy | Specifies the edge of high entropy (default is 4.3). |
example
# scan a folder for keys and passwords at typical key lengthdumpsterdiver -p ./data -s --level 1 --entropy 4.3 --exclude-files .pdf .pngAnalyzing ./data ...[+] High entropy string (level 1) File: ./data/config/deploy.env:14 Entropy: 4.72 Length: 40[+] High entropy string (level 1) File: ./data/scripts/backup.sh:31 Entropy: 4.51 Length: 44[+] Password candidate (-s) File: ./data/app/settings.py:88 Complexity: 8[*] 3 findings across 2 filesguidance
Use DumpsterDiver to sweep large or mixed data for hardcoded secrets when you do not know the exact key format ahead of time, since entropy plus rules cast a wide net. For regex-matched API keys with exploitation hints, dora is more targeted. For Python-specific source analysis, use bandit.
Regex-based API key discovery with exploitation methods. DumpsterDiver leans on entropy and custom rules for broader coverage.
Security static analysis for Python source. DumpsterDiver is language-agnostic secret hunting across raw files.
faq
related
Find common security issues in Python code.
A source code scanner that reviews Ruby code for security issues.
Git ripper that can rip repositories even when directory browsing is turned off.
Check whether a Git repository pulls in Log4J, and list the files that use it.
Detect hardcoded secrets like passwords, API keys, and tokens in git repos.
Inspect Go source code for security problems by scanning the Go AST.
A folder of files feeds DumpsterDiver, which runs entropy and rule analysis over them and writes the discovered secrets as a queryable output.
Facts on this page come from the live Trickest tool library.