titus
Titus is a high-performance secrets scanner written in Go that detects leaked credentials, API keys, and tokens across source code, git history, container images, and binary files. It provides multiple interfaces (CLI, Go library, Burp Suite extension, Chrome extension) and validates discovered secrets against live APIs to confirm active compromises.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | praetorian-inc/titus |
| Owner | praetorian-inc |
| Primary language | Go |
| License | Apache-2.0 — OSI-approved |
| Stars | 603 |
| Forks | 68 |
| Open issues | 6 |
| Latest release | v1.2.6 (2026-06-24) |
| Last updated | 2026-07-07 |
| Source | https://github.com/praetorian-inc/titus |
What titus is
Titus uses Hyperscan/Vectorscan-accelerated regex matching with 487 detection rules covering hundreds of services, offers live credential validation to reduce false positives, and supports scanning GitHub/GitLab repositories, Docker/OCI images, and extracting secrets from Office documents, PDFs, archives, and mobile apps. It includes risk-based severity scoring (0–100) and supports multiple output formats (JSON, SARIF, human-readable).
Get the titus source
Clone the repository and explore it locally.
git clone https://github.com/praetorian-inc/titus.gitcd titus# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Live validation requires configurable worker concurrency (default 4) and API rate-limit awareness; tune --validate-workers based on target service capacity.
- Binary extraction supports zip, tar, 7z, APK, IPA, Office, PDF, and more; configure --extract-max-size, --extract-max-total, and --extract-max-depth for large datasets to avoid memory/CPU overhead.
- Custom rules can be supplied via --rules flag; understand YAML rule format from the README to tailor detection to internal credential patterns.
- Datastore (titus.ds) persists findings across runs; use --datastore flag to manage multiple scan contexts and avoid overwrites.
- GitHub/GitLab scanning works without tokens for public repos; set GITHUB_TOKEN or GITLAB_TOKEN environment variables for private repos and higher rate limits.
When to avoid it — and what to weigh
- High false-positive tolerance required — While live validation reduces false positives, 487 rules may still flag non-secret patterns in certain codebases; requires tuning via --rules-include, --rules-exclude, or custom rule files.
- Offline-only environments without internet access — Live credential validation requires outbound API calls to source services (AWS, GitHub, etc.); air-gapped environments must disable validation or maintain credential endpoints locally.
- Proprietary or closed-source integration mandates — Apache 2.0 license requires attribution and derivative works to publish modified source; incompatible with strict proprietary licenses or closed-source-only deployment policies.
- Windows-primary development shops without Go toolchain — Primary distribution is CLI binary; Burp Suite extension may have platform-specific limitations; Go library integration requires Go knowledge.
License & commercial use
Apache License 2.0 is a permissive OSI-approved license. Permits commercial use, modification, and distribution under the condition of license and copyright notice retention and liability/warranty disclaimer.
Apache 2.0 explicitly permits commercial use and derivative works. Ensure modified or extended versions include the Apache 2.0 license and attribution. No warranty or liability indemnity provided by the project; assess your own risk tolerance.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Strong |
| Assessment confidence | High |
Live credential validation requires sending detected secrets to external APIs (AWS, GitHub, etc.) for confirmation; ensure compliance with data exfiltration policies and credential handling practices. Validate external dependencies (Hyperscan/Vectorscan) for supply-chain risk. The tool itself is a security scanner; verify its own scanning coverage, rule accuracy, and false-negative rates before relying on it as a sole secrets detection solution. Custom rules should be reviewed for regex denial-of-service (ReDoS) vulnerabilities.
Alternatives to consider
TruffleHog (Truffle Security)
Popular open-source secrets scanner with entropy detection and live validation; stronger community adoption and integrations. Titus differentiates with Hyperscan acceleration and Burp/Chrome extensions.
GitGuardian (commercial)
Commercial SaaS platform with extensive credential database, real-time GitHub/GitLab monitoring, and incident management. Titus is self-hosted and open-source; GitGuardian is for teams preferring managed service.
NoseyParker (Praetorian, open-source)
Praetorian's own predecessor project; Titus incorporates NoseyParker rules and extends them with a multi-interface model (Burp, Chrome, Go library) and container scanning capabilities.
Build on titus with DEV.co software developers
Download Titus from the Releases page or embed it in your CI/CD pipeline. Apache 2.0 licensed and open-source.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
titus FAQ
Can I scan private GitHub/GitLab repositories?
Does Titus require Docker or a Docker daemon to scan container images?
How do I reduce false positives?
Is the Go library stable and documented?
Software developers & web developers for hire
From first prototype to production, DEV.co delivers software development services around tools like titus. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source security and beyond.
Ready to scan for leaked secrets?
Download Titus from the Releases page or embed it in your CI/CD pipeline. Apache 2.0 licensed and open-source.