@bobfromarcher/leaksweep
v1.0.1
Published
Scan your code for committed secrets (API keys, tokens, private keys, high-entropy strings) before they hit GitHub. Pre-commit hook + CI gate. Zero dependencies.
Downloads
290
Maintainers
Readme
leaksweep
Scans your code for committed secrets: API keys, tokens, private keys and high-entropy strings. Run it as a pre-commit hook to stop a secret before it is committed, or in CI to fail the build if one slips through. No dependencies, no AI.
Secrets are always masked in the output. leaksweep never prints the full value, so the report itself is safe to paste into a ticket or a CI log.
Install
npm install -g @bobfromarcher/leaksweep
# or once:
npx @bobfromarcher/leaksweepUse it as a pre-commit hook
The point is to catch the secret before it is committed:
# .git/hooks/pre-commit
#!/bin/sh
npx @bobfromarcher/leaksweep --staged || exit 1--staged scans only what you have staged, so the hook is fast.
Use it in CI
# .github/workflows/secrets.yml
- run: npx @bobfromarcher/leaksweepA non-zero exit on any finding fails the build.
Usage
leaksweep [path] [options]| Option | Description |
| --- | --- |
| --staged | Scan only git-staged changes (pre-commit hook mode) |
| --all | Walk the filesystem instead of git-tracked files |
| --json | Output JSON |
| --quiet, -q | No output, just the exit code |
| -h, --help | Show help |
| -v, --version | Show version |
What it detects
AWS access keys and secret keys, GitHub tokens and fine-grained PATs, GitLab tokens, Slack tokens and webhooks, Stripe live keys, Google API keys, npm tokens, OpenAI keys, Twilio and SendGrid keys, JWTs, PEM private-key blocks, and a generic high-entropy detector for anything assigned to a secret, token, password or api_key style name.
Obvious placeholders such as your_api_key_here, xxxx, <token> and example, plus low-entropy dummy values, are filtered out to keep the noise down.
leaksweep is a fast first line of defense, not a guarantee. It favors high-signal matches over exhaustive coverage. Pair it with secret rotation and server-side scanning for defense in depth.
Development
git clone https://github.com/bobfromarcher/leaksweep
cd leaksweep
node test/test.jsCI runs the suite on Node 18, 20 and 22 across Linux, macOS and Windows.
License
MIT, bobfromarcher.
