Fast, configurable, and intelligent secret detection for your source code

Quick Start • Documentation • Examples • Changelog

## Quick Install

Linux/macOS:

```bash
curl -fsSL https://raw.githubusercontent.com/Zayan-Mohamed/secscan/main/scripts/install-curl.sh | bash
```

Windows (PowerShell):

```powershell
irm https://raw.githubusercontent.com/Zayan-Mohamed/secscan/main/scripts/install-windows.ps1 | iex
```

Go:

```bash
go install github.com/Zayan-Mohamed/secscan@latest
```

More installation options: see the Installation Guide.
## Features

- Enhanced Detection - 20+ built-in patterns for API keys, tokens, and secrets
- Smart Entropy Analysis - Configurable Shannon entropy detection with reduced false positives
- Deduplication - Automatically removes duplicate findings across commits
- Allowlist Support - Filter out known false positives
- Detailed Statistics - Track scan performance and coverage
- Rich Output - Color-coded severity levels and clean formatting
- Git History Scanning - Deep scan through your entire git history
- Configurable - Custom rules via TOML configuration
- Fast - Written in Go for maximum performance
- JSON Export - Machine-readable output for CI/CD integration
- Gitignore Support - Automatically respects `.gitignore` patterns to skip irrelevant files
- Cross-Platform - Works on Linux, macOS, and Windows
## Installation from Source

Linux/macOS:

```bash
# Navigate to secscan directory
cd secscan

# Option 1: Using installation script (recommended)
./install.sh

# Option 2: Using Make
make install        # System-wide (requires sudo)
# OR
make install-local  # User-only (no sudo)
```

Windows:

```powershell
# Navigate to secscan directory
cd secscan

# Using PowerShell script (recommended)
.\install.ps1

# For system-wide installation (requires admin):
.\install.ps1 -Global
```

Note: Windows doesn't come with `make` by default. Use the PowerShell script instead.

Go installer (works on Linux, macOS, and Windows):

```bash
cd secscan
go run installer/install.go
```

Verify the installation:

```bash
secscan -version
which secscan
```

## Usage

```bash
# Scan current directory
secscan

# Scan specific directory
secscan -root /path/to/project

# Scan without git history (faster)
secscan -history=false

# Respect .gitignore files (default behavior)
secscan -respect-gitignore=true

# Disable gitignore (scan all files including ignored ones)
secscan -respect-gitignore=false

# Adjust entropy threshold (higher = fewer false positives)
secscan -entropy 6.0

# Disable entropy detection entirely
secscan -no-entropy

# Export results to JSON
secscan -json report.json

# Verbose output (show all findings)
secscan -verbose

# Quiet mode (for CI/CD)
secscan -quiet
```

## Detection Patterns

SecScan detects the following secret types out of the box:
- Cloud Providers: AWS keys, Google API keys
- Payment: Stripe keys (live & restricted)
- Version Control: GitHub tokens (PAT, OAuth, App)
- Communication: Slack tokens & webhooks
- Email: SendGrid, Mailgun API keys
- Database: Connection strings (PostgreSQL, MySQL, MongoDB, Redis)
- Authentication: JWT tokens, Supabase keys
- Generic: API keys, secrets, passwords
- High Entropy: Random-looking strings (configurable)
## Configuration

Create a `.secscan.toml` file:

```toml
# Custom detection rules
custom_api = "mycompany_api_[0-9a-zA-Z]{32}"
internal_token = "int_tok_[A-Za-z0-9]{40}"
```

Use it:

```bash
secscan -config .secscan.toml
```

## Gitignore Support

SecScan automatically respects `.gitignore` files in your repository, helping to:
- Skip build artifacts, dependencies, and generated files
- Reduce false positives from vendor code
- Speed up scans by skipping irrelevant files
- Work seamlessly with your existing Git workflow

How it works:

- Automatically finds and loads all `.gitignore` files in the repository
- Supports nested `.gitignore` files in subdirectories
- Handles negation patterns (`!important.txt`)
- Supports directory-only patterns (`logs/`)
- Compatible with standard gitignore glob patterns
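The matching rules listed above (last matching line wins, negation re-includes, a trailing slash restricts a pattern to directories, a pattern containing a slash is anchored to the full path) are easy to get subtly wrong when reimplemented, so here is an added, simplified matcher written for this README. It is not secscan's own code and supports ordinary globs, negation, directory-only and anchored patterns but not `**`; the sample `.gitignore` is constructed for the example. Nested files would be handled by running the same matcher with paths made relative to each file's directory.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// rule is one parsed .gitignore line. This matcher is an assumed, simplified
// illustration written for this README, not secscan's own implementation: it
// supports negation, directory-only and anchored patterns plus ordinary globs,
// but not "**".
type rule struct {
	pattern  string // glob with leading "/" and trailing "/" stripped
	negate   bool   // line began with "!"
	dirOnly  bool   // line ended with "/"
	anchored bool   // pattern contains "/", so it is matched against the whole relative path
}

// ParseGitignore parses the text of a single .gitignore file, skipping comments and blank lines.
func ParseGitignore(text string) []rule {
	var rules []rule
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		r := rule{}
		if strings.HasPrefix(line, "!") {
			r.negate, line = true, line[1:]
		}
		if strings.HasSuffix(line, "/") {
			r.dirOnly, line = true, strings.TrimSuffix(line, "/")
		}
		if strings.HasPrefix(line, "/") {
			r.anchored, line = true, line[1:]
		}
		r.anchored = r.anchored || strings.Contains(line, "/")
		r.pattern = line
		rules = append(rules, r)
	}
	return rules
}

// matches checks the path itself and each of its ancestor directories, because an
// ignored directory hides everything beneath it. Unanchored patterns match the
// basename (so "*.log" matches build/app.log); anchored ones match the full path.
func (r rule) matches(relPath string, isDir bool) bool {
	parts := strings.Split(relPath, "/")
	for i := len(parts); i >= 1; i-- {
		candidateIsDir := isDir || i < len(parts)
		if r.dirOnly && !candidateIsDir {
			continue
		}
		subject := parts[i-1]
		if r.anchored {
			subject = strings.Join(parts[:i], "/")
		}
		if ok, _ := path.Match(r.pattern, subject); ok {
			return true
		}
	}
	return false
}

// Ignored reports whether relPath (slash-separated, relative to the directory holding
// the .gitignore) should be skipped. As in git, the last matching rule wins, which is
// what lets a later "!important.txt" re-include a file excluded by "*.txt".
func Ignored(rules []rule, relPath string, isDir bool) bool {
	ignored := false
	for _, r := range rules {
		if r.matches(relPath, isDir) {
			ignored = !r.negate
		}
	}
	return ignored
}

// Constructed sample .gitignore exercising each feature listed above.
const sampleGitignore = `# build output and logs
*.log
*.txt
!important.txt
logs/
/build
`

func main() {
	rules := ParseGitignore(sampleGitignore)
	for _, p := range []string{"build/app.log", "notes/important.txt", "notes/todo.txt", "logs/today.txt", "src/build/main.go"} {
		fmt.Printf("%-22s ignored=%v\n", p, Ignored(rules, p, false))
	}
}
```

Note that `src/build/main.go` is not ignored: `/build` is anchored to the repository root, whereas an unanchored `build` would hide every directory of that name. That distinction is exactly why a scanner that honours `.gitignore` may miss a vendored copy of a secret, and why the `-respect-gitignore=false` audit mode exists.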
Examples:

```bash
# Default: gitignore is enabled
secscan -root .

# Explicitly enable gitignore (same as default)
secscan -respect-gitignore=true

# Disable gitignore to scan ALL files (useful for security audits)
secscan -respect-gitignore=false

# Verbose mode shows which files are being skipped
secscan -verbose -respect-gitignore=true
```

When to disable gitignore:
- Security audits where you need to scan everything
- Checking if secrets exist in build artifacts
- Debugging scan results
## Entropy Threshold

The entropy threshold controls how "random" a string must be to be flagged:

- Default: 5.0 (balanced)
- Strict: 6.0+ (fewer false positives)
- Lenient: 4.0-4.5 (more sensitive)
- Disabled: Use `-no-entropy`

```bash
# Strict mode - very high confidence
secscan -entropy 6.5

# Lenient mode - catch more potential secrets
secscan -entropy 4.0
```

## Sample Output

```text
SecScan v2.0.0 - Enhanced Secret Scanner
Scanning: /path/to/project
Entropy threshold: 5.0
Rules loaded: 20
Git history: enabled

Secret Scan Results
==================================================
Total findings: 5
  Critical (>=0.9): 2
  High     (>=0.8): 1
  Medium   (>=0.6): 2
  Low      (<0.6):  0
==================================================

[CRITICAL] [AWS_ACCESS_KEY] src/config.js:42
    AKIA****************ABCD (confidence: 0.90)

[HIGH] [GITHUB_PAT] .env:15
    ghp_********************************WXYZ (confidence: 0.85)

Scan Statistics
==================================================
Files scanned:   1,234
Commits scanned: 567
Total findings:  12,345
Unique findings: 5
Scan duration:   2.5s
==================================================
```
## JSON Output

```json
{
  "findings": [
    {
      "file": "src/config.js",
      "line": 42,
      "pattern": "aws_access_key",
      "excerpt": "AKIA****************ABCD",
      "confidence": 0.9,
      "verified": false,
      "hash": "a1b2c3d4e5f6g7h8"
    }
  ],
  "stats": {
    "files_scanned": 1234,
    "commits_scanned": 567,
    "findings_total": 12345,
    "findings_unique": 5,
    "scan_duration_ms": 2500
  },
  "version": "2.0.0"
}
```

## CI/CD Integration

GitHub Actions:

```yaml
name: Secret Scan
on: [push, pull_request]
jobs:
  secscan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0 # Full history for git scanning
      - name: Setup Go
        uses: actions/setup-go@v4
        with:
          go-version: "1.21"
      - name: Install SecScan
        run: |
          cd secscan
          make install-local
      - name: Run SecScan
        run: secscan -quiet -json secscan-report.json
      - name: Upload Results
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: secscan-report
          path: secscan-report.json
```

GitLab CI:

```yaml
secret_scan:
  image: golang:1.21
  script:
    - cd secscan
    - make install-local
    - export PATH="$HOME/.local/bin:$PATH"
    - secscan -quiet -json report.json
  artifacts:
    paths:
      - report.json # plain artifact: the JSON report is not JUnit XML, so reports:junit would fail to parse it
    when: always
```

## How It Works

### Pattern Matching

SecScan uses regex patterns to detect known secret formats (AWS keys, GitHub tokens, etc.).
### Entropy Analysis

Calculates Shannon entropy to find high-randomness strings that might be secrets:

Entropy = -Σ(p(x) * log2(p(x)))

Strings with entropy > threshold and diverse character sets are flagged.
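To make the formula and the threshold scale from the Entropy Threshold section concrete, here is an added Go example (written for this README, not secscan's own code). `ShannonEntropy` implements the formula above; `CharClasses`, the 16-character minimum length and the "at least three character classes" reading of "diverse character sets" are assumptions, since the page does not spell out secscan's heuristic. The sample line is constructed: its value is the 64-character base64 alphabet, whose entropy is exactly 6.0 bits per character, so it is flagged at the default 5.0 but not under the strict 6.0 setting.

```go
package main

import (
	"fmt"
	"math"
	"strings"
	"unicode"
)

// ShannonEntropy returns H = -Σ p(x) * log2(p(x)) over the characters of s, in bits
// per character. A string of n distinct characters, each used once, scores log2(n),
// so the thresholds in the README (4.0 lenient, 5.0 default, 6.0 strict) correspond
// roughly to "at least 16, 32 or 64 distinct-looking symbols".
func ShannonEntropy(s string) float64 {
	if s == "" {
		return 0
	}
	counts := map[rune]int{}
	total := 0
	for _, r := range s {
		counts[r]++
		total++
	}
	h := 0.0
	for _, c := range counts {
		p := float64(c) / float64(total)
		h -= p * math.Log2(p)
	}
	return h
}

// CharClasses counts how many of the lower-case, upper-case, digit and symbol classes
// occur in s. Reading "diverse character set" as "at least three classes" is an
// assumption made for this example; secscan's exact heuristic is not documented here.
func CharClasses(s string) int {
	var lower, upper, digit, other bool
	for _, r := range s {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			other = true
		}
	}
	n := 0
	for _, b := range []bool{lower, upper, digit, other} {
		if b {
			n++
		}
	}
	return n
}

// minLength is assumed: entropy is at most log2(len), so strings shorter than 16
// characters cannot even exceed the lenient 4.0 threshold.
const minLength = 16

// LooksRandom applies the README's rule: entropy strictly above the threshold and a
// diverse character set.
func LooksRandom(s string, threshold float64) bool {
	return len(s) >= minLength && ShannonEntropy(s) > threshold && CharClasses(s) >= 3
}

// FlagTokens splits a source line on whitespace and quotes and returns the tokens
// that would be reported at the given threshold.
func FlagTokens(line string, threshold float64) []string {
	var hits []string
	for _, tok := range strings.FieldsFunc(line, func(r rune) bool {
		return unicode.IsSpace(r) || r == '"' || r == '\'' || r == '`'
	}) {
		if LooksRandom(tok, threshold) {
			hits = append(hits, tok)
		}
	}
	return hits
}

func main() {
	// Constructed sample line: the value is the 64-character base64 alphabet (6.0 bits/char).
	line := `aws_secret_access_key = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"`
	for _, th := range []float64{4.0, 5.0, 6.0} {
		fmt.Printf("threshold %.1f -> %v\n", th, FlagTokens(line, th))
	}
	lowerOnly := "abcdefghijklmnopqrstuvwxyz"
	fmt.Printf("lower-case only: %.2f bits, %d class(es), flagged at 4.0: %v\n",
		ShannonEntropy(lowerOnly), CharClasses(lowerOnly), LooksRandom(lowerOnly, 4.0))
}
```

The lower-case-only string shows why the character-class check matters: its entropy (about 4.7 bits) clears the lenient threshold, but a single-class string is far more likely to be a word or identifier than a secret, so it is not flagged.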
### Deduplication

Uses SHA-256 hashing to identify and remove duplicate findings across different files/commits.

### Allowlist Filtering

Filters out common false positives:
- All-caps constants
- Test/example values
- Boolean literals
- Masked secrets
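The three stages just described (regex rules, allowlist filtering, SHA-256 deduplication) fit in one short pipeline, so here is an added Go example written for this README rather than taken from secscan. The two rules are the `custom_api` and `internal_token` patterns from the `.secscan.toml` example (the same flat form as the `minimal-rules.toml` tip); the marker words, the `****`/`xxxx` mask test and the `^[A-Z_]+$` definition of an all-caps constant are assumptions, and the four "files" are constructed to represent the same key committed twice, a test fixture and one internal token.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Finding keeps the report fields that matter here; Hash is the dedup key.
type Finding struct {
	File, Pattern, Excerpt, Hash string
	Line                         int
}

// rules are the two custom patterns from the .secscan.toml example, compiled.
var rules = map[string]*regexp.Regexp{
	"custom_api":     regexp.MustCompile(`mycompany_api_[0-9a-zA-Z]{32}`),
	"internal_token": regexp.MustCompile(`int_tok_[A-Za-z0-9]{40}`),
}

var allCapsConstant = regexp.MustCompile(`^[A-Z_]+$`)

// Allowlisted implements the four filters listed above; the marker words and the
// "****"/"xxxx" mask test are assumptions made for this example.
func Allowlisted(match string) bool {
	lower := strings.ToLower(match)
	for _, marker := range []string{"example", "test", "dummy", "placeholder", "changeme"} {
		if strings.Contains(lower, marker) {
			return true // test/example value
		}
	}
	return allCapsConstant.MatchString(match) || lower == "true" || lower == "false" ||
		strings.Contains(match, "****") || strings.Contains(lower, "xxxx")
}

// Mask keeps the first and last four characters, as in the sample output.
func Mask(s string) string {
	if len(s) <= 8 {
		return strings.Repeat("*", len(s))
	}
	return s[:4] + strings.Repeat("*", len(s)-8) + s[len(s)-4:]
}

// Fingerprint is SHA-256 over rule name and raw match, shortened to the 16 hex characters
// of the report's "hash" field: the same secret in another file or commit hashes identically.
func Fingerprint(pattern, secret string) string {
	sum := sha256.Sum256([]byte(pattern + "\x00" + secret))
	return hex.EncodeToString(sum[:8])
}

// Scan runs every rule over every line of one file and drops allowlisted matches.
func Scan(file, content string) (out []Finding) {
	for i, line := range strings.Split(content, "\n") {
		for name, re := range rules {
			for _, m := range re.FindAllString(line, -1) {
				if !Allowlisted(m) {
					out = append(out, Finding{file, name, Mask(m), Fingerprint(name, m), i + 1})
				}
			}
		}
	}
	return out
}

// Dedupe keeps the first finding per fingerprint ("Total findings" vs "Unique findings").
func Dedupe(all []Finding) (unique []Finding) {
	seen := map[string]bool{}
	for _, f := range all {
		if !seen[f.Hash] {
			seen[f.Hash], unique = true, append(unique, f)
		}
	}
	return unique
}

// Constructed input: one key committed twice, a fixture value, an internal token.
var sampleFiles = []struct{ name, content string }{
	{"commit1:src/config.js", `const key = "mycompany_api_0123456789abcdefABCDEF0123456789";`},
	{"commit2:src/config.js", `const key = "mycompany_api_0123456789abcdefABCDEF0123456789"; // unchanged`},
	{"commit2:test/fixtures.js", `const key = "mycompany_api_EXAMPLEEXAMPLEEXAMPLEEXAMPLETEST";`},
	{"commit2:src/auth.js", `token: "int_tok_abcdefghijklmnopqrstuvwxyz01234567890123"`},
}

// RunSample returns all raw findings and the deduplicated set for the constructed files.
func RunSample() (total, unique []Finding) {
	for _, f := range sampleFiles {
		total = append(total, Scan(f.name, f.content)...)
	}
	return total, Dedupe(total)
}

func main() {
	total, unique := RunSample()
	for _, f := range unique {
		fmt.Printf("[%s] %s:%d %s hash=%s\n", f.Pattern, f.File, f.Line, f.Excerpt, f.Hash)
	}
	fmt.Printf("Total findings: %d, unique: %d\n", len(total), len(unique))
}
```

The fingerprint is computed over the raw match, not the masked excerpt: two different secrets that mask to the same `myco**...**6789` must not collapse into one finding, while the same secret reappearing in a later commit must. The fixture value is dropped by the allowlist before it ever reaches deduplication, which is why the sample reports 3 total and 2 unique findings.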
## Tips

Skip git history for faster scans:

```bash
secscan -history=false
```

Create a minimal config with only the rules you need:

```toml
# minimal-rules.toml
aws_access_key = "AKIA[0-9A-Z]{16}"
github_pat = "ghp_[0-9a-zA-Z]{36}"
```

```bash
secscan -config minimal-rules.toml
```

Post-process the JSON report with jq:

```bash
# Find secrets and filter by pattern
secscan -json findings.json
jq '.findings[] | select(.pattern == "aws_access_key")' findings.json

# Count secrets by type
jq '.findings | group_by(.pattern) | map({pattern: .[0].pattern, count: length})' findings.json
```

## v1.0 vs v2.0

| Feature | v1.0 | v2.0 |
|---|---|---|
| Detection Patterns | 4 | 20+ |
| False Positive Rate | High (511K findings) | Low (~95% reduction) |
| Deduplication | ✗ | ✓ |
| Allowlist Support | ✗ | ✓ |
| Configurable Entropy | ✗ (fixed 4.0) | ✓ (default 5.0) |
| Skip Files/Dirs | Limited | Comprehensive |
| Output Formatting | Basic | Rich with colors |
| Statistics | ✗ | ✓ |
| Performance | Good | Excellent |
## Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

## License

MIT License - see LICENSE file for details

Inspired by:

## Support

- Report Issues
- Discussions
- Email: Zayan Mohamed
