Titus: High-Performance Secrets Scanner

Titus is a high-performance secrets scanner that detects credentials, API keys, and tokens in source code, files, and git history. It ships with 487 detection rules covering hundreds of services and credential types, drawn from NoseyParker and Kingfisher. Titus runs as a CLI, a Go library, a Burp Suite extension, and a Chrome browser extension — all sharing the same detection engine and rule set.

Built for security engineers, penetration testers, and DevSecOps teams, Titus combines Hyperscan/Vectorscan-accelerated regex matching with live credential validation to find and verify leaked secrets across your entire codebase.

Why Titus?
Installation
Quick Start
Scanning Options
Go Library
Burp Suite Extension
Browser Extension
Building from Source
Contributing
License

Why Titus?

Fast secrets scanning: Regex matching accelerated by Hyperscan/Vectorscan when available, with a pure-Go fallback for portability on any platform.
Broad credential detection coverage: 487 rules detect API keys, tokens, and credentials for AWS, GCP, Azure, GitHub, Slack, databases, CI/CD systems, and hundreds more services.
Live secret validation: Detected secrets are checked against their source APIs to confirm whether they are active, reducing false positives and prioritizing remediation.
Multiple interfaces for every workflow: Scan from the CLI, embed as a Go library, passively scan HTTP traffic in Burp Suite, or scan web pages in Chrome during application security testing.
Binary file extraction: Extract and scan secrets from Office documents, PDFs, archives (zip, tar, 7z), mobile apps (APK, IPA), browser extensions, and more.

Installation

Download a prebuilt binary from the Releases page, or build from source:

make build

The binary will be at dist/titus.

Quick Start

# Scan a file for secrets
titus scan path/to/file.txt

# Scan a directory for leaked credentials
titus scan path/to/directory

# Scan a public GitHub repository (no token needed)
titus scan github.com/org/repo

# Scan a public GitLab project (no token needed)
titus scan gitlab.com/namespace/project

# Scan git history for secrets in past commits
titus scan --git path/to/repo

# Validate detected secrets against source APIs
titus scan path/to/code --validate

Results are written to a datastore (titus.ds by default) and printed to the console.

Scanning Options

GitHub & GitLab Scanning

Scan public repositories directly by URL — no API token required:

# Scan a GitHub repository
titus scan github.com/kubernetes/kubernetes

# Scan a GitLab project
titus scan gitlab.com/gitlab-org/cli

# Full URLs work too
titus scan https://github.com/org/repo
titus scan https://gitlab.com/namespace/project.git

For organization-wide or user-wide scanning, use the dedicated subcommands:

# Scan all public repos in a GitHub org
titus github --org kubernetes

# Scan all repos in a GitHub org with a token (private repos + higher rate limits)
titus github --org kubernetes --token $GITHUB_TOKEN

# Scan all repos for a GitHub user
titus github --user octocat

# Scan all projects in a GitLab group
titus gitlab scan --group mygroup --token $GITLAB_TOKEN

# Scan a single repo with git history (finds deleted secrets)
titus github owner/repo --git

Tokens are optional for public repositories. Set GITHUB_TOKEN or GITLAB_TOKEN (or use --token) for private repository access and higher API rate limits.

Viewing Scan Results

Use report to re-read findings from a previous scan:

# Human-readable summary of detected secrets
titus report

# JSON output for programmatic processing
titus report --format json

# SARIF output for CI/CD integration with GitHub Advanced Security
titus report --format sarif

# Report from a specific datastore
titus report --datastore path/to/titus.ds

You can also control the output format at scan time with --format:

titus scan path/to/code --format json

Validating Detected Secrets

Pass --validate during a scan to check detected secrets against their source APIs:

titus scan path/to/code --validate

Validation runs concurrently (4 workers by default, configurable with --validate-workers) and marks each finding as confirmed, denied, or unknown.

Filtering Detection Rules

# List all available detection rules
titus rules list

# Scan with only specific rules (e.g., AWS and GCP credentials)
titus scan path/to/code --rules-include "aws,gcp"

# Exclude rules by pattern
titus scan path/to/code --rules-exclude "kingfisher.generic"

# Use a custom rules file for organization-specific secrets
titus scan path/to/code --rules path/to/custom-rules.yaml

Extracting Secrets from Binary Files

Titus can extract text from binary file formats and scan the contents for secrets:

# Extract and scan all supported binary formats
titus scan path/to/files --extract=all

# Target specific formats
titus scan path/to/files --extract=xlsx,docx,pdf,zip

Supported formats include Office documents (xlsx, docx, pptx, odp, ods, odt), PDFs, Jupyter notebooks, SQLite databases, email (eml, rtf), and archives (zip, tar, tar.gz, jar, war, ear, apk, ipa, crx, xpi, 7z). Archives are recursively extracted up to configurable depth and size limits.

# Tune extraction limits for large codebases
titus scan path/to/files --extract=all \
  --extract-max-size 10MB \
  --extract-max-total 100MB \
  --extract-max-depth 5

For SQLite databases, Titus extracts text from all tables (1000 rows per table by default). Use --sqlite-row-limit to adjust:

# Full dump of all SQLite tables (no row limit)
titus scan path/to/files --extract=all --sqlite-row-limit 0

# Custom row limit per table
titus scan path/to/files --extract=all --sqlite-row-limit 5000

Go Library for Secrets Detection

Titus can be imported as a Go library to add secrets detection to your own tools and pipelines.

go get github.com/praetorian-inc/titus

package main

import (
    "fmt"
    "log"

    "github.com/praetorian-inc/titus"
)

func main() {
    // Initialize the secrets scanner with default rules
    scanner, err := titus.NewScanner()
    if err != nil {
        log.Fatal(err)
    }
    defer scanner.Close()

    // Scan a string for API keys, tokens, and credentials
    matches, err := scanner.ScanString(`aws_access_key_id = AKIAIOSFODNN7EXAMPLE`)
    if err != nil {
        log.Fatal(err)
    }

    for _, match := range matches {
        fmt.Printf("%s (rule: %s) at line %d\n",
            match.RuleName, match.RuleID,
            match.Location.SourceSpan.Start.Line,
        )
    }
}

The library also supports scanning bytes and files, validating detected secrets, and loading custom rules:

// Scan a file for leaked credentials
matches, err := scanner.ScanFile("/path/to/config.json")

// Enable validation to check if detected secrets are live
scanner, err := titus.NewScanner(titus.WithValidation())

// Load custom detection rules for organization-specific secrets
rules, err := titus.LoadRulesFromFile("/path/to/rules.yaml")
scanner, err := titus.NewScanner(titus.WithRules(rules))

See docs/library-usage.md for the full API reference, concurrency patterns, and more examples.

Burp Suite Extension for Secret Scanning

The Burp extension scans HTTP responses for secrets during proxy traffic and active penetration testing.

Setup

Linux / macOS (Build from Source)

# Build the CLI and Burp extension JAR, install CLI to ~/.titus/
make install-burp

Then load dist/titus-burp-1.0.0-all.jar in Burp Suite under Extensions > Add.

Windows (Download from Releases)

Download titus-windows-amd64.exe and titus-burp-<version>.jar from Releases

Create the Titus directory and install the binary:

mkdir %USERPROFILE%\.titus
copy titus-windows-amd64.exe %USERPROFILE%\.titus\titus.exe

Load the JAR in Burp Suite under Extensions > Add

Linux / macOS (Download from Releases)

Download the appropriate binary for your platform and titus-burp-<version>.jar from Releases:
- titus-linux-amd64 or titus-linux-arm64 for Linux
- titus-darwin-amd64 or titus-darwin-arm64 for macOS

Install the binary:

mkdir -p ~/.titus
cp titus-<platform> ~/.titus/titus
chmod +x ~/.titus/titus

Load the JAR in Burp Suite under Extensions > Add

The extension launches a titus serve process in the background and communicates over stdin/stdout using NDJSON. Detection rules are loaded once at startup.

Burp Extension Features

Passive secret scanning: automatically scans proxy traffic as it flows through Burp

Titus

Install / Use

README