Show HN: Layerleak – Like Trufflehog, but for Docker Hub

Docker “secret sniffer” drops — but name‑dropping sparks a branding brawl

TLDR: Layerleak scans public Docker images for leaked passwords and keys, aiming to fill a gap the author couldn't find covered elsewhere. The crowd loved the utility but roasted the "Like Trufflehog" branding, sparking a naming debate that overshadowed the features, and raised a concern that results are written unredacted, including to the optional database if users enable it.

A new tool called layerleak just landed, pitching itself as a scanner that hunts for leaked passwords and keys inside public Docker Hub images, the little packages people use to run apps. Think: it looks through each image's filesystem layers and its metadata (environment variables, labels, build history) and flags any "oops, we leaked a password." The author says he built it because nothing quite like it existed: "I couldn't find anything comparable… so I built my own." Check it out here: layerleak.

But forget the code, the comments are all about the tagline. One early reply side-eyed the "Like Trufflehog" intro (Trufflehog is another secret-finding tool), saying it confuses newcomers and drags in someone else's brand. The vibe: great idea, but don't advertise with another tool's name. Cue the classic internet split: half the crowd loves a quick comparison, the other half wants a clean identity. Meanwhile, quiet gasps popped up over the README's spicy warning: findings are written as unredacted JSON, and if you enable the optional database it stores the raw secrets too. Cue nervous laughter and "please lock down that output directory" energy.

So the thread became a two‑act show: Act I: useful tool with smart design (no Docker engine needed, scans image layers and history). Act II: branding beef over that “like X, but…” opener. Bonus memes? “Hog vs Leak” and “name your tool like it’s 2009 SEO” jokes. Internet, don’t ever change.

Key Points

  • Layerleak scans public Docker Hub/OCI images for secrets by analyzing layers, config metadata, env vars, labels, and history.
  • It is read-only, does not verify secrets, and operates without a Docker daemon; scanning is manifest- and layer-aware, so it also catches files that a later layer deleted (a deletion only adds a whiteout marker in the later layer, while the earlier layer still carries the file).
  • Findings are deduplicated by secret fingerprint per manifest and saved as unredacted JSON; optional PostgreSQL persistence is available with manual migrations.
  • Installation requires Go 1.24+; environment variables configure output directory, tag pagination, and database connection.
  • By default the tool keeps a deduplicated current state with first_seen_at/last_seen_at timestamps and refreshes tag-to-manifest mappings on each run; the README warns that DB persistence stores raw secrets.
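The Key Points above describe the mechanism in one breath: pull the config blob and layer tarballs without a daemon, scan env vars, labels, history and every layer's files (including ones a later layer whited out), then dedupe by secret fingerprint and keep first_seen_at/last_seen_at across runs. The example below is an added illustration written for this page, not layerleak's code; it builds a tiny two-layer image in memory (constructed sample data, using the AWS documentation's well-known example key ID), scans it with two hypothetical detector rules, and shows why a `rm` in a later Dockerfile step does not protect a secret. The registry fetch is left out; the input is the same uncompressed layer tarball and config JSON you would get from a registry after decompression.

```python
"""Toy layer-aware secret scanner for OCI images (illustration, not layerleak's code)."""
import hashlib
import io
import json
import re
import tarfile
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Two illustrative detectors; hypothetical, not the project's rule set.
RULES = {
    "aws-access-key-id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "generic-password": re.compile(r"(?i)password\s*[=:]\s*[\"']?([^\"'\s]{8,})"),
}


@dataclass
class Finding:
    fingerprint: str
    rule: str
    secret: str  # kept raw here, as the README warns the tool's JSON/DB output is
    locations: list = field(default_factory=list)
    first_seen_at: str = ""
    last_seen_at: str = ""


def fingerprint(secret: str) -> str:
    """Stable identity for dedup across runs without comparing raw values."""
    return hashlib.sha256(secret.encode()).hexdigest()


class Scanner:
    """Per-manifest state: findings keyed by fingerprint, plus paths later layers deleted."""

    def __init__(self, now: datetime):
        self.now = now.isoformat()
        self.findings: dict[str, Finding] = {}
        self.deleted: list[str] = []

    def scan_text(self, text: str, location: str) -> None:
        for rule, pattern in RULES.items():
            for m in pattern.finditer(text):
                secret = m.group(m.re.groups)  # capture group if present, else whole match
                fp = fingerprint(secret)
                f = self.findings.setdefault(fp, Finding(fp, rule, secret, first_seen_at=self.now))
                f.last_seen_at = self.now
                f.locations.append(location)  # same secret elsewhere -> one finding, more locations

    def scan_config(self, raw: bytes) -> None:
        """Env vars, labels and build history from the image config blob."""
        cfg = json.loads(raw)
        for i, env in enumerate(cfg.get("config", {}).get("Env", [])):
            self.scan_text(env, f"config.Env[{i}]")
        for k, v in (cfg.get("config", {}).get("Labels") or {}).items():
            self.scan_text(f"{k}={v}", f"config.Labels.{k}")
        for i, h in enumerate(cfg.get("history", [])):
            self.scan_text(h.get("created_by", ""), f"history[{i}]")

    def scan_layer(self, index: int, tarball: bytes) -> None:
        """Walk one uncompressed layer. A later 'rm' only adds a '.wh.<name>' whiteout
        entry to the later layer; the bytes stay in this one and still get scanned."""
        with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:") as tf:
            for member in tf:
                head, _, base = member.name.rpartition("/")
                if base.startswith(".wh."):
                    self.deleted.append(f"{head}/{base[4:]}" if head else base[4:])
                elif member.isfile():
                    data = tf.extractfile(member).read()
                    self.scan_text(data.decode("utf-8", "replace"), f"layer[{index}]:{member.name}")

    def results(self) -> list[Finding]:
        return sorted(self.findings.values(), key=lambda f: f.fingerprint)


def merge_state(previous: list[Finding], current: list[Finding]) -> list[Finding]:
    """Keep first_seen_at from an earlier run; secrets no longer present are dropped."""
    first = {p.fingerprint: p.first_seen_at for p in previous}
    for f in current:
        f.first_seen_at = first.get(f.fingerprint, f.first_seen_at)
    return current


def build_layer(files: dict[str, bytes]) -> bytes:
    """Pack constructed files into an uncompressed layer tarball (sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo_scan() -> Scanner:
    """Constructed image: AWS docs example key in ENV and in a file, a password in that
    file (deleted by layer 1), and a password leaked through build history."""
    config = json.dumps({
        "config": {"Env": ["AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE", "PATH=/usr/bin"],
                   "Labels": {"maintainer": "ops@example.com"}},
        "history": [{"created_by": "/bin/sh -c #(nop) ENV DB_PASSWORD=s3cr3t-from-history"}],
    }).encode()
    layers = [
        build_layer({"app/.env": b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nPASSWORD=hunter2hunter2\n"}),
        build_layer({"app/.wh..env": b""}),  # what "RUN rm app/.env" leaves behind
    ]
    s = Scanner(datetime(2024, 1, 1, tzinfo=timezone.utc))
    s.scan_config(config)
    for i, layer in enumerate(layers):
        s.scan_layer(i, layer)
    return s


if __name__ == "__main__":
    s = demo_scan()
    print(json.dumps([vars(f) for f in s.results()], indent=2))  # raw secrets, like the tool's JSON
    print("deleted by a later layer but still scanned:", s.deleted)
```

Running it yields three findings, not four: the example key ID is reported once with two locations (`config.Env[0]` and `layer[0]:app/.env`), which is the per-manifest fingerprint dedup the Key Points mention, and `app/.env` shows up in `deleted` even though its contents were scanned, because layer 1 only contains the `.wh..env` marker. The JSON printed at the end is unredacted on purpose, to make the README's warning concrete: if you persist this anywhere, treat the output directory or database as holding live credentials.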

Hottest takes

"I couldn't find anything comparable... So I built my own" — brumbelow
"Don't have the main tag... refer to another product" — darknavi

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.