secret-detection is a static code analysis tool designed for parsing various common data formats in search of hardcoded credentials and sensitive information. secret-detection can run from the CLI, or you can integrate it into your CI/CD pipeline.
- Uses regex rules to scan for, and help identify, the following types of secrets:
  - API Keys
  - AWS Keys
  - OAuth Client Secrets
  - SSH Private Keys
  - ...
- Supports whitelisting files
- Supports custom rules
- Lightweight
- Easy to customize to your needs
```sh
python3 secret-detection.py --rule /path/to/pattern.json --path /path/to/scan
```

Example:

```sh
python3 secret-detection.py --rule pattern.json --path test/
```
- The ignored list: add patterns for filenames that you want to ignore. Default:

```python
ignored = ['.git', 'node_modules', 'bower_components', '.sass-cache', '.png', '.ico', '.mov', '.jpeg', 'jpg', '.avi', '.gif', '.apk', '.exe', '.jar', '.dmg', '.pdf', '.ipa', '.svg']
```
Example output:

```text
Reason: API KEY
<string name="newrelic_key">HSUFAHSIUYCd7491274LFCAdgdsdgdgdgasdg</string>
~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~
Filepath: test/test.txt : Line 18
Reason: Sendgrid API
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
~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~
Filepath: test/test.txt : Line 20
Reason: Sendgrid API
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
~~~~~~~~~~~~~~~~~~~~~
```
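To make the scanning flow concrete (rule file, ignore list, per-line regex matching and the report layout shown above), here is an added, self-contained example; it is not secret-detection's own code. The `{"Reason label": "regex"}` rule-file layout, the substring semantics of the ignore list and the two sample regexes are assumptions, since the page shows neither pattern.json nor the matching logic.

```python
import json
import os
import re
# Assumed rule-file layout (pattern.json is not shown on the page): {"Reason label": "regex"}.
# The Sendgrid shape follows the two sample hits above; the "API KEY" rule is constructed.
SAMPLE_RULES = {
    "Sendgrid API": r"SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}",
    "API KEY": r'<string name="[A-Za-z0-9_]*key">[^<]+</string>',
}
# Default ignore list from the README; matched here as path substrings (an assumption).
IGNORED = ['.git', 'node_modules', 'bower_components', '.sass-cache', '.png', '.ico', '.mov',
           '.jpeg', 'jpg', '.avi', '.gif', '.apk', '.exe', '.jar', '.dmg', '.pdf', '.ipa', '.svg']
# Constructed sample input: one Android-style key line and one Sendgrid key from the output above.
SAMPLE_TEXT = """<string name="newrelic_key">HSUFAHSIUYCd7491274LFCAdgdsdgdgdgasdg</string>
SENDGRID_TOKEN = "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\""""

def compile_rules(rules):
    return {reason: re.compile(pattern) for reason, pattern in rules.items()}

def load_rules(rule_path):
    # Read the --rule JSON file and compile every pattern once.
    with open(rule_path) as fh:
        return compile_rules(json.load(fh))

def is_ignored(path, ignored=IGNORED):
    return any(token in path for token in ignored)

def scan_text(text, rules):
    """Return (line_number, reason, match) for every rule hit, scanning line by line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for reason, regex in rules.items():
            findings.extend((lineno, reason, m.group(0)) for m in regex.finditer(line))
    return findings

def scan_path(root, rules, ignored=IGNORED):
    """Walk --path, skip ignored files, and collect (filepath, line, reason, match)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_ignored(path, ignored):
                continue
            with open(path, errors="replace") as fh:
                findings.extend((path, *hit) for hit in scan_text(fh.read(), rules))
    return findings

def format_finding(path, lineno, reason, secret):
    # Same layout as the tool's report: Filepath / Reason / matched text / separator.
    return f"Filepath: {path} : Line {lineno}\nReason: {reason}\n{secret}\n" + "~" * 21
```

Running `scan_path("test/", load_rules("pattern.json"))` and printing each hit through `format_finding` reproduces the report shape above; a file under `node_modules/` or ending in `.png` is skipped before it is read.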
- JSON output
- Entropy
- Integrate with Git
- Integrate with BurpSuite/ZAP/Jenkins/SonarQube
- ...