# SecretScout

Defensive secret scanning for Git repositories

Catch tokens, keys & passwords before they leak into your Git history

Quick Start • Features • Usage • Pre-commit • CI/SARIF

One leaked token can compromise an entire environment.
SecretScout is your last line of defense before secrets get committed.

Unlike reactive scanners that alert you after the damage is done, SecretScout is built for prevention-first workflows:

- Pre-commit protection: scan staged changes before commit
- Clean Git history: avoid painful "oops, rotate keys" moments
- Fast: multi-threaded scanning plus caching
- Clear reporting: redacted output, severity levels, actionable context
- CI-friendly: JSON / SARIF / HTML outputs
## Quick Start

Install into a virtual environment:

```bash
python -m venv .venv
# Windows PowerShell:
.venv\Scripts\Activate.ps1
# Linux/macOS:
# source .venv/bin/activate
pip install -U pip
pip install -e ".[dev]"
```

Initialise SecretScout in the repository:

```bash
secretscout init .
```

Scan:

```bash
# Scan git-tracked files (default)
secretscout scan .

# Scan everything under the folder
secretscout scan . --all

# Scan only staged changes (perfect for pre-commit)
secretscout scan --staged --format minimal --fail-on high
```

Try it with a fake token:

```bash
echo "token=ghp_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" > test_leak.txt
secretscout scan . --all
rm test_leak.txt   # Windows: del test_leak.txt
```

## Features

SecretScout identifies common secret patterns:

- Provider tokens: GitHub (`ghp_...`), Google (`AIza...`), Slack, Telegram, etc.
- Generic assignments: `password=...`, `api_key: ...`, `token=...`
- High-entropy strings (token-like heuristics)
- Private key headers (PEM)

Scanning and reporting:

- Multi-threaded scanning
- Smart cache to skip unchanged files
- Git-aware modes: tracked / staged / all
- Pretty Rich table output (default)
- Minimal output for hooks/CI
- Machine formats: JSON / SARIF / HTML
- Redaction: secrets are never printed in full
- Pre-commit ready (`--staged`)
- Baseline mode (ignore legacy findings)
- Flexible ignore patterns + inline suppressions
- Severity thresholds (`--fail-on`)
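As an added illustration of the detection categories listed above (this is example code written for this page, not SecretScout's own scanner or rule set): a miniature line scanner with a few hand-written provider and generic-assignment rules, a Shannon-entropy heuristic for token-like strings, a PEM header rule, the allowlist and the `secretscout:ignore` / `secretscout:ignore-file` markers, and head/tail redaction so the report never shows a value in full. The rule names, regexes, entropy threshold and the sample file are assumptions made for the example.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample file (no real credentials): one line per detection case.
SAMPLE = """\
# constructed sample file for the scanner below
GITHUB_TOKEN=ghp_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
api_key: AIzaSyA1234567890abcdefghijklmnopqrstuv
password = changeme
session = "v8Q2x9Lk3mZ7pR4sT6wY1bN5cD8fG0hJ"
-----BEGIN RSA PRIVATE KEY-----
token = "ghp_bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"  # secretscout:ignore
"""

# Hypothetical, deliberately simplified rules (name, severity, pattern).
PATTERN_RULES = [
    ("github-token", "high", re.compile(r"\bghp_[A-Za-z0-9]{30,}")),
    ("google-api-key", "high", re.compile(r"\bAIza[0-9A-Za-z_-]{35}")),
    ("pem-private-key", "high", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("generic-assignment", "medium",
     re.compile(r"(?i)\b(?:password|passwd|api[_-]?key|token|secret)\s*[:=]\s*[\"']?[^\s\"']{6,}")),
]
ENTROPY_CANDIDATE = re.compile(r"[A-Za-z0-9+/_-]{32,}")  # long opaque runs only
ENTROPY_THRESHOLD = 4.0  # bits per character; chosen by hand for this example
# Mirrors rules.allowlist from the example .secretscout.toml further down.
ALLOWLIST = [re.compile(p) for p in (r"(?i)example_token", r"(?i)dummy_key", r"(?i)changeme")]
INLINE_MARKER = "secretscout:ignore"
FILE_MARKER = "secretscout:ignore-file"


@dataclass
class Finding:
    rule: str
    severity: str
    line_no: int
    redacted: str  # the only form of the value that ever reaches a report


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's character-frequency distribution."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value: str, head: int = 4, tail: int = 4) -> str:
    """Keep a short prefix and suffix, like the redact_head/redact_tail settings."""
    if len(value) <= head + tail:
        return "*" * len(value)
    return f"{value[:head]}...{value[-tail:]}"


def scan_text(text: str, first_lines: int = 5) -> list[Finding]:
    lines = text.splitlines()
    # File-level suppression only counts when the marker sits in the first N lines.
    if any(FILE_MARKER in ln for ln in lines[:first_lines]):
        return []
    findings: list[Finding] = []
    for no, line in enumerate(lines, start=1):
        if INLINE_MARKER in line:  # inline suppression for this one line
            continue
        taken: list[tuple[int, int]] = []  # spans already claimed by a specific rule
        for rule, severity, rx in PATTERN_RULES:
            for m in rx.finditer(line):
                if any(a.search(m.group(0)) for a in ALLOWLIST):
                    continue  # allowlisted placeholder such as "changeme"
                taken.append(m.span())
                findings.append(Finding(rule, severity, no, redact(m.group(0))))
        for m in ENTROPY_CANDIDATE.finditer(line):
            start, end = m.span()
            if any(start < te and ts < end for ts, te in taken):
                continue  # a specific rule already reported this value
            if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
                findings.append(Finding("high-entropy", "medium", no, redact(m.group(0))))
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no:>3}  {f.severity:<6}  {f.rule:<20}  {f.redacted}")
```

Two design points worth noticing: the entropy heuristic is only consulted for spans that no specific rule has already claimed, so a GitHub token is reported once under its named rule rather than twice, and the allowlist is applied to the matched text before anything is recorded, so a placeholder never reaches the report even in redacted form.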
## Usage

Output formats:

```bash
secretscout scan . --format table
secretscout scan . --format minimal
secretscout scan . --format json --output secretscout.json
secretscout scan . --format sarif --output secretscout.sarif
secretscout scan . --format html --output secretscout_report.html
```

Baseline (ignore legacy findings):

```bash
secretscout baseline . --output .secretscout.baseline.json
secretscout scan . --baseline .secretscout.baseline.json
```

Rules:

```bash
secretscout rules list
secretscout rules show github-token
```

## Pre-commit

Pre-commit runs checks automatically on `git commit`.

```bash
pip install pre-commit
pre-commit install
```

Run hooks manually:

```bash
pre-commit run --all-files
```

The default hook configuration uses `--staged` by design: it scans exactly what will be committed.
## CI/SARIF

Generate SARIF locally:

```bash
secretscout scan . --format sarif --output secretscout.sarif
```

Upload SARIF in GitHub Actions (snippet):

```yaml
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
  with:
    python-version: "3.12"
- run: |
    pip install -e .
    secretscout scan . --format sarif --output secretscout.sarif --fail-on high || true
- uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: secretscout.sarif
```

The `|| true` keeps the scan step green so the upload step always runs; findings then surface as Code scanning alerts instead of failing the workflow. Drop it if you want the job itself to fail on high-severity findings.

View results: Repo → Security → Code scanning alerts
## Configuration

SecretScout uses a TOML file plus an ignore file:

- `.secretscout.toml`: configuration
- `.secretscoutignore`: glob ignore patterns
- `.secretscout-cache/`: cache (do not commit)

Example `.secretscout.toml`:

```toml
[scan]
max_file_size = 1048576
exclude = [".git/**", ".venv/**", "node_modules/**", "dist/**", "build/**", ".secretscout-cache/**"]
threads = 8
first_lines_ignore_file_marker = 5

[report]
fail_on = "high"
max_findings = 200
redact_head = 4
redact_tail = 4

[rules]
disable = []
allowlist = ["(?i)example_token", "(?i)dummy_key", "(?i)changeme"]
path_allowlist = ["(^|/)tests?/fixtures(/|$)"]
```

Ignore a file (the marker must appear within the first N lines):

```text
# secretscout:ignore-file
```

Ignore a single line:

```text
token = "ghp_..."  # secretscout:ignore
```

## Exit codes

- `0`: no findings at/above `--fail-on`
- `1`: findings at/above `--fail-on`
- `2`: runtime error
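An added example (not the project's code) of how baseline mode, the `path_allowlist` from the configuration above and the `--fail-on` threshold combine into the documented exit codes. The baseline file layout, the fingerprint scheme and the sample findings are assumptions made for this illustration; the real `secretscout baseline` format may differ.

```python
import hashlib
import json
import re
from dataclasses import dataclass
from typing import Optional

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2}
# Same expression as rules.path_allowlist in the example .secretscout.toml.
PATH_ALLOWLIST = [re.compile(r"(^|/)tests?/fixtures(/|$)")]


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    severity: str
    secret: str  # raw matched value; only its hash is ever written out


def fingerprint(f: Finding) -> str:
    """Stable id: rule + path + truncated SHA-256 of the value (hypothetical scheme).

    The line number is left out on purpose so the baseline survives unrelated edits
    that shift lines, and the plaintext never lands in the baseline file."""
    digest = hashlib.sha256(f.secret.encode()).hexdigest()[:16]
    return f"{f.rule}:{f.path}:{digest}"


def write_baseline(findings: list[Finding]) -> str:
    """Serialise accepted legacy findings (assumed layout, not the real file format)."""
    return json.dumps({"fingerprints": sorted(fingerprint(f) for f in findings)}, indent=2)


def load_baseline(text: str) -> set[str]:
    return set(json.loads(text)["fingerprints"])


def triage(findings: list[Finding], baseline: set[str]) -> list[Finding]:
    """Drop path-allowlisted and baselined findings; whatever is left is new."""
    kept = []
    for f in findings:
        if any(rx.search(f.path) for rx in PATH_ALLOWLIST):
            continue  # e.g. test fixtures that intentionally hold fake secrets
        if fingerprint(f) in baseline:
            continue  # legacy finding already accepted in the baseline
        kept.append(f)
    return kept


def exit_code(findings: list[Finding], fail_on: str) -> int:
    """0 = nothing at/above fail_on, 1 = at least one finding at/above it."""
    threshold = SEVERITY_ORDER[fail_on]  # KeyError for an unknown level
    return 1 if any(SEVERITY_ORDER[f.severity] >= threshold for f in findings) else 0


def run_scan(findings: list[Finding], baseline_text: Optional[str], fail_on: str) -> int:
    """Glue resembling `secretscout scan --baseline X --fail-on Y`; 2 means runtime error."""
    try:
        baseline = load_baseline(baseline_text) if baseline_text else set()
        return exit_code(triage(findings, baseline), fail_on)
    except (KeyError, ValueError):  # unknown fail_on level, malformed or incomplete baseline
        return 2


# Constructed sample findings (no real credentials).
LEGACY = Finding("github-token", "config/old.env", "high", "ghp_" + "a" * 36)
FIXTURE = Finding("generic-assignment", "tests/fixtures/settings.py", "medium", "password=hunter2")
NEW_KEY = Finding("pem-private-key", "deploy/id_rsa", "high", "-----BEGIN RSA PRIVATE KEY-----")
NEW_BLOB = Finding("high-entropy", "src/app.py", "medium", "v8Q2x9Lk3mZ7pR4sT6wY1bN5cD8fG0hJ")
ALL = [LEGACY, FIXTURE, NEW_KEY, NEW_BLOB]

if __name__ == "__main__":
    baseline_text = write_baseline([LEGACY])  # accept the legacy hit once
    print(baseline_text)
    for f in triage(ALL, load_baseline(baseline_text)):
        print(f"{f.severity:<6}  {f.rule:<20}  {f.path}")
    print("exit code:", run_scan(ALL, baseline_text, "high"))
```

Running it reports only the two new findings and exits 1, because the new private key is at or above `high`; with `--fail-on` set to `medium` the high-entropy blob alone would also be enough to fail, and a corrupt baseline file or an unknown severity level yields 2 rather than a silent pass.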
## Security notes

- Offline by default: no network calls required
- Redaction: secrets are never printed fully
- Defensive tooling: helps prevent accidental exposure

## Development

```bash
pip install -e ".[dev]"
ruff check .
pytest
```

## License

MIT

Made for secure development workflows

SecretScout: because prevention beats remediation.