Privacy Policy

trufflehog-pingpwn — Last updated: 2025-12-14

Overview

trufflehog-pingpwn is a browser extension that scans web pages and referenced resources for patterns that may indicate exposed secrets (for example: API keys, tokens, private keys, and webhook URLs). Scanning and analysis are performed locally within the user's browser.

What data the extension accesses

• Page content and referenced resource contents (scripts, `.env` files, `.git` files) are read by the extension in order to perform pattern-based checks.
• Detected findings (matched strings) and user preferences are stored locally using the browser's chrome.storage.sync API.

Network activity

The extension may fetch resources (for example, external scripts, `.env` files or potential `.git` files) to analyze them. These fetches are initiated by the browser and are subject to the same-origin and CORS policies. All fetches are performed solely to enable local analysis.

No findings or page content are transmitted to external servers. The extension does not POST, upload, or otherwise send findings or page content to any remote endpoint.

Permissions and why they are required

• activeTab / tabs: to identify the active tab and message content scripts for origin-scoped updates.
• scripting: to inject the content script used to inspect page content and referenced resources.
• storage: to retain user settings and detected findings locally.
• notifications: to display local notifications for selected detections (for example, a `.git` directory detection).
• host_permissions: http://*/* and https://*/* — required to fetch and analyze referenced resources across pages you visit. These permissions are used only to enable the extension's scanning functionality and are not used for data exfiltration.

Storage and retention

Findings and settings stored in chrome.storage.sync remain until the user clears them via the popup UI, disables the extension, or removes the extension from their browser. If Chrome Sync is enabled in the user's profile, stored items may be synced across signed-in browser instances according to the user's Chrome Sync configuration.

User controls

• All detection categories can be toggled on or off from the extension popup.
• Users may clear findings for the current origin or clear all stored findings via the popup UI.
• There is a download/export feature that creates a CSV in the browser for the user to save — the extension does not keep copies of exported files.

Security and responsible use

While the extension does not transmit findings externally, detected strings may contain sensitive information. Review and handle findings carefully. Do not share exported findings unless you have confirmed they are safe to share.

Third-party sharing

The extension does not share detected findings, page contents, or user data with third parties. There are no external endpoints that receive findings from the extension.

Changes to this policy

This page may be updated from time to time. The "Last updated" date at the top will reflect material changes. For transparency, consider linking to repository release notes when updating this page.

Contact

For questions about privacy or data handling, contact the extension maintainer at pingpwnsec@gmail.com.