DEV.co
Open-Source Security · praetorian-inc

titus

Titus is a high-performance secrets scanner written in Go that detects leaked credentials, API keys, and tokens across source code, git history, container images, and binary files. It provides multiple interfaces (CLI, Go library, Burp Suite extension, Chrome extension) and validates discovered secrets against live APIs to confirm active compromises.

Source: GitHub — github.com/praetorian-inc/titus
603
GitHub stars
68
Forks
Go
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorypraetorian-inc/titus
Ownerpraetorian-inc
Primary languageGo
LicenseApache-2.0 — OSI-approved
Stars603
Forks68
Open issues6
Latest releasev1.2.6 (2026-06-24)
Last updated2026-07-07
Sourcehttps://github.com/praetorian-inc/titus

What titus is

Titus uses Hyperscan/Vectorscan-accelerated regex matching with 487 detection rules covering hundreds of services, offers live credential validation to reduce false positives, and supports scanning GitHub/GitLab repositories, Docker/OCI images, and extracting secrets from Office documents, PDFs, archives, and mobile apps. It includes risk-based severity scoring (0–100) and supports multiple output formats (JSON, SARIF, human-readable).

Quickstart

Get the titus source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/praetorian-inc/titus.gitcd titus# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Pre-commit and CI/CD secrets detection

Embed as a Go library or CLI in CI/CD pipelines to prevent secrets from being committed; supports JSON and SARIF output for integration with GitHub Advanced Security and other SIEM platforms.

Offensive security and penetration testing

Red teams and penetration testers can use the CLI for rapid codebase reconnaissance, the Burp Suite extension for passive HTTP traffic scanning, and the Chrome extension for live web application testing.

Container image supply-chain scanning

Scan OCI images directly from registries or local tarballs without a Docker daemon; detects secrets in image layers, manifests, and config metadata for supply-chain security.

Implementation considerations

  • Live validation requires configurable worker concurrency (default 4) and API rate-limit awareness; tune --validate-workers based on target service capacity.
  • Binary extraction supports zip, tar, 7z, APK, IPA, Office, PDF, and more; configure --extract-max-size, --extract-max-total, and --extract-max-depth for large datasets to avoid memory/CPU overhead.
  • Custom rules can be supplied via --rules flag; understand YAML rule format from the README to tailor detection to internal credential patterns.
  • Datastore (titus.ds) persists findings across runs; use --datastore flag to manage multiple scan contexts and avoid overwrites.
  • GitHub/GitLab scanning works without tokens for public repos; set GITHUB_TOKEN or GITLAB_TOKEN environment variables for private repos and higher rate limits.

When to avoid it — and what to weigh

  • High false-positive tolerance required — While live validation reduces false positives, 487 rules may still flag non-secret patterns in certain codebases; requires tuning via --rules-include, --rules-exclude, or custom rule files.
  • Offline-only environments without internet access — Live credential validation requires outbound API calls to source services (AWS, GitHub, etc.); air-gapped environments must disable validation or maintain credential endpoints locally.
  • Proprietary or closed-source integration mandates — Apache 2.0 license requires attribution and derivative works to publish modified source; incompatible with strict proprietary licenses or closed-source-only deployment policies.
  • Windows-primary development shops without Go toolchain — Primary distribution is CLI binary; Burp Suite extension may have platform-specific limitations; Go library integration requires Go knowledge.

License & commercial use

Apache License 2.0 is a permissive OSI-approved license. Permits commercial use, modification, and distribution under the condition of license and copyright notice retention and liability/warranty disclaimer.

Apache 2.0 explicitly permits commercial use and derivative works. Ensure modified or extended versions include the Apache 2.0 license and attribution. No warranty or liability indemnity provided by the project; assess your own risk tolerance.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

Live credential validation requires sending detected secrets to external APIs (AWS, GitHub, etc.) for confirmation; ensure compliance with data exfiltration policies and credential handling practices. Validate external dependencies (Hyperscan/Vectorscan) for supply-chain risk. The tool itself is a security scanner; verify its own scanning coverage, rule accuracy, and false-negative rates before relying on it as a sole secrets detection solution. Custom rules should be reviewed for regex denial-of-service (ReDoS) vulnerabilities.

Alternatives to consider

TruffleHog (Truffle Security)

Popular open-source secrets scanner with entropy detection and live validation; stronger community adoption and integrations. Titus differentiates with Hyperscan acceleration and Burp/Chrome extensions.

GitGuardian (commercial)

Commercial SaaS platform with extensive credential database, real-time GitHub/GitLab monitoring, and incident management. Titus is self-hosted and open-source; GitGuardian is for teams preferring managed service.

NoseyParker (Praetorian, open-source)

Praetorian's own predecessor project; Titus incorporates NoseyParker rules and extends them with a multi-interface model (Burp, Chrome, Go library) and container scanning capabilities.

Software development agency

Build on titus with DEV.co software developers

Download Titus from the Releases page or embed it in your CI/CD pipeline. Apache 2.0 licensed and open-source.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

titus FAQ

Can I scan private GitHub/GitLab repositories?
Yes. Set GITHUB_TOKEN or GITLAB_TOKEN environment variables (or use --token flag) to authenticate; public repository scanning requires no token.
Does Titus require Docker or a Docker daemon to scan container images?
No. Titus pulls OCI images directly from registries over HTTPS or reads local tarballs/OCI layout directories. No Docker daemon or binary is required.
How do I reduce false positives?
Use --rules-include and --rules-exclude to filter detection rules; enable live validation (--validate) to confirm secrets are active; configure custom rules with --rules to match your environment.
Is the Go library stable and documented?
The README mentions a Go library interface but does not provide detailed API documentation in the excerpt. Review source code or GoDoc for API stability and structure.

Software developers & web developers for hire

From first prototype to production, DEV.co delivers software development services around tools like titus. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source security and beyond.

Ready to scan for leaked secrets?

Download Titus from the Releases page or embed it in your CI/CD pipeline. Apache 2.0 licensed and open-source.