keyhog is a high-performance secret scanner written in Rust, built to find leaked credentials across source trees, git history, Docker images and S3 buckets. It ships 901 service-specific detectors and a hardware-accelerated pipeline with SIMD and GPU paths that reaches scanning throughput of up to 50 GB/s. For red teamers it aims at high-fidelity discovery with few false positives, combining Bayesian confidence scoring with live verification of candidate secrets against the vendors' APIs.
Key Features
- 901 service-specific detectors with companion-required validation: a detector for a secret that normally travels with an identifier (an AWS secret access key with its access key ID, for example) reports a match only when that companion is also present, which keeps lone high-entropy strings out of the results.
- SIMD-accelerated pre-filtering (AVX-512/AVX2/NEON) and optional WGPU/CUDA/Metal GPU acceleration.
- Decode-through scanning that recursively unwraps Base64, hex, URL-encoded and Protobuf layers and runs the detectors on each decoded layer, so a secret buried in nested encodings is still found.
- Live verification module that checks whether a discovered secret (AWS, Stripe, GitHub, etc.) is still active by calling the vendor's API. Note that this transmits the credential to the vendor and leaves a trace in the credential owner's provider-side audit logs (CloudTrail for AWS, for instance), so disable it when an engagement calls for stealth.
- Native SARIF support for seamless integration into CI/CD pipelines and security dashboards.
- Lockdown mode for security-critical environments: scanner memory is locked so that buffered secrets cannot be paged to swap, and core dumps are disabled so that a crash cannot write them to disk.
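The two mechanisms above that most shape result quality, companion-required validation and decode-through scanning, are illustrated in the following added example. This is stand-alone illustrative code, not keyhog's own detectors or API: the AWS token rules, the minimum run lengths, the depth limit and the constructed sample input are assumptions made for the demonstration (the sample uses AWS's published example credentials, which are not live). It uses only the Rust standard library.

```rust
// Added example, not keyhog's own code: a companion-required detector pair for AWS
// credentials plus decode-through scanning that peels Base64 and hex layers and re-runs
// the detectors on each one. Rules, run lengths, depth limit and input are assumptions.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding { pub detector: &'static str, pub secret: String, pub depth: usize }
const MAX_DEPTH: usize = 4; // cap on nested decoding so hostile input cannot recurse forever
fn is_hex(c: u8) -> bool { c.is_ascii_hexdigit() }
fn is_b64(c: u8) -> bool { c.is_ascii_alphanumeric() || c == b'+' || c == b'/' }
fn is_key_id_char(c: u8) -> bool { c.is_ascii_uppercase() || c.is_ascii_digit() }
/// Maximal runs of `alphabet` bytes at least `min_len` long (run bounds are ASCII, so slicing is safe).
fn runs(buf: &str, alphabet: fn(u8) -> bool, min_len: usize) -> Vec<&str> {
    let b = buf.as_bytes();
    let (mut out, mut i) = (Vec::new(), 0);
    while i < b.len() {
        if !alphabet(b[i]) { i += 1; continue; }
        let start = i;
        while i < b.len() && alphabet(b[i]) { i += 1; }
        if i - start >= min_len { out.push(&buf[start..i]); }
    }
    out
}
/// AWS access key ID: the whole token is "AKIA" plus 16 upper-case alphanumerics.
fn find_aws_key_ids(buf: &str) -> Vec<&str> {
    runs(buf, is_key_id_char, 20).into_iter()
        .filter(|r| r.len() == 20 && r.starts_with("AKIA")).collect()
}
pub fn hex_decode(s: &str) -> Option<Vec<u8>> {
    if s.len() % 2 != 0 { return None; }
    s.as_bytes().chunks(2)
        .map(|p| Some(((p[0] as char).to_digit(16)? * 16 + (p[1] as char).to_digit(16)?) as u8))
        .collect()
}
/// Base64 decoder that tolerates missing padding (runs are cut before any '=').
pub fn b64_decode(s: &str) -> Option<Vec<u8>> {
    let (mut out, mut acc, mut bits) = (Vec::new(), 0u32, 0u32);
    for c in s.bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A', b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52, b'+' => 62, b'/' => 63,
            b'=' => break, _ => return None,
        };
        acc = (acc << 6) | v as u32; bits += 6;
        if bits >= 8 {
            bits -= 8; out.push((acc >> bits) as u8);
            acc &= (1u32 << bits) - 1; // keep only the leftover bits
        }
    }
    Some(out)
}
/// A decoded layer is rescanned only if it is valid UTF-8 text; binary output means the run was not that encoding.
fn as_text(bytes: &[u8]) -> Option<String> {
    let s = String::from_utf8(bytes.to_vec()).ok()?;
    let ok = s.chars().all(|c| !c.is_control() || matches!(c, '\n' | '\r' | '\t'));
    ok.then_some(s)
}
fn scan_layer(buf: &str, depth: usize, out: &mut Vec<Finding>) {
    let ids = find_aws_key_ids(buf);
    for id in &ids {
        out.push(Finding { detector: "aws-access-key-id", secret: id.to_string(), depth });
    }
    // Companion-required: a bare 40-char token is noise unless an access key ID sits in
    // the same buffer, so the secret-key detector fires only then.
    if !ids.is_empty() {
        for r in runs(buf, is_b64, 40).into_iter().filter(|r| r.len() == 40) {
            out.push(Finding { detector: "aws-secret-access-key", secret: r.to_string(), depth });
        }
    }
    if depth >= MAX_DEPTH { return; }
    // Decode-through: unwrap every plausible hex or Base64 run and rescan the result.
    for run in runs(buf, is_hex, 32) {
        if let Some(t) = hex_decode(run).and_then(|b| as_text(&b)) { scan_layer(&t, depth + 1, out); }
    }
    for run in runs(buf, is_b64, 24) {
        if let Some(t) = b64_decode(run).and_then(|b| as_text(&b)) { scan_layer(&t, depth + 1, out); }
    }
}
pub fn scan(buf: &str) -> Vec<Finding> {
    let mut out = Vec::new(); scan_layer(buf, 0, &mut out); out
}
// Encoders, used only to build the constructed sample input.
pub fn hex_encode(d: &[u8]) -> String { d.iter().map(|b| format!("{:02x}", b)).collect() }
pub fn b64_encode(d: &[u8]) -> String {
    const T: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let mut out = String::new();
    for c in d.chunks(3) {
        let v = (c[0] as u32) << 16 | (*c.get(1).unwrap_or(&0) as u32) << 8 | *c.get(2).unwrap_or(&0) as u32;
        for (shift, keep) in [(18, true), (12, true), (6, c.len() > 1), (0, c.len() > 2)] {
            out.push(if keep { T[(v >> shift) as usize & 63] as char } else { '=' });
        }
    }
    out
}
/// Constructed sample: AWS's documented example credentials (not live ones) in a .env file, plus the same pair wrapped as Base64(hex(JSON)).
pub fn sample_env() -> String {
    let json = r#"{"aws_access_key_id":"AKIAIOSFODNN7EXAMPLE","aws_secret_access_key":"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}"#;
    let blob = b64_encode(hex_encode(json.as_bytes()).as_bytes());
    format!("AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nAWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\nAPP_CONFIG={}\n", blob)
}
fn main() {
    for f in scan(&sample_env()) { println!("{:<22} depth={} {}", f.detector, f.depth, f.secret); }
}
```

Running it reports the credential pair twice: once at depth 0 from the plaintext .env lines and once at depth 2 after the Base64 and hex layers of the config blob have been peeled. A lone 40-character token with no access key ID nearby produces nothing, which is the companion-required effect; the depth cap and the text check on decoded output are the two guards that stop a crafted input from driving the recursion on random binary.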
Use Cases
- Post-exploitation credential harvesting from local filesystems, git history, and environment variables.
- Automated secret discovery during reconnaissance against public Docker images or S3 buckets.
- CI/CD security gating to prevent hardcoded secrets from reaching production environments.
- Incident response triage to identify the scope of leaked credentials on compromised developer workstations.