A security researcher has developed a tool that can automatically detect sensitive access keys that have been hard-coded inside software projects.

The Truffle Hog tool was created by U.S.-based researcher Dylan Ayrey and is written in Python.

It searches for hard-coded access keys by scanning deep inside git code repositories for strings of 20 or more characters that have a high entropy.

A high Shannon entropy (named after American mathematician Claude E. Shannon) indicates a degree of randomness that makes such a string a candidate for a cryptographic secret, such as an access token.
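As an added example (not the Truffle Hog code itself), the length-plus-entropy heuristic described above applied to a constructed diff fragment; the character sets, the 20-character minimum and the entropy cut-offs of 4.5 (base64) and 3.0 (hex) bits per character are assumptions:

```python
import math
import re

# Character sets that hard-coded tokens are usually drawn from.
BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
HEX_CHARS = "0123456789abcdefABCDEF"
MIN_LENGTH = 20
# Entropy cut-offs in bits per character; assumed values for this example.
BASE64_THRESHOLD = 4.5
HEX_THRESHOLD = 3.0


def shannon_entropy(data: str, charset: str) -> float:
    """Shannon entropy of `data` in bits per character, counted over `charset`."""
    if not data:
        return 0.0
    entropy = 0.0
    for ch in set(charset):
        p = data.count(ch) / len(data)
        if p > 0:
            entropy -= p * math.log2(p)
    return entropy


def candidates(text: str, charset: str) -> list:
    """All runs of `charset` characters at least MIN_LENGTH long."""
    pattern = re.compile("[%s]{%d,}" % (re.escape(charset), MIN_LENGTH))
    return pattern.findall(text)


def find_high_entropy_strings(text: str) -> list:
    """Return (kind, string, entropy) for every run that looks random enough."""
    hits = []
    for kind, charset, threshold in (("base64", BASE64_CHARS, BASE64_THRESHOLD),
                                     ("hex", HEX_CHARS, HEX_THRESHOLD)):
        for s in candidates(text, charset):
            h = shannon_entropy(s, charset)
            if h > threshold:
                hits.append((kind, s, h))
    return hits


# Constructed sample diff: a fake token (32 distinct characters, so exactly
# 5.0 bits/char), a long ordinary identifier that passes the length test but
# not the entropy test, and a hex digest that the hex rule flags (a git
# commit hash in a diff looks the same, a common source of false positives).
SAMPLE_DIFF = """\
+API_TOKEN = "Qx7vR2pL9mK4wT8nZ3bY6cJ1hF5gD0sA"
+factory = DefaultConfigurationManagerFactory()
+digest = "3b1f9a7c2e5d8f0a6b4c1d9e7f3a5b8c2d6e0f1a"
"""

if __name__ == "__main__":
    for kind, s, h in find_high_entropy_strings(SAMPLE_DIFF):
        print(f"{kind:6} {h:.2f} bits/char  {s}")
```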

Hard-coding access tokens for various services in software projects is considered a security risk because those tokens can be extracted without much effort by hackers.

Unfortunately this practice is very common.
