secret-sweep

v1.0.0

Published

7 days ago

🔐 Scan your entire git history for accidentally committed secrets. Rotate, fix, and prevent credential exposure.

0High
0Medium
0Low

mediapronet

security secrets git credentials api-keys secret-scanning env-file devsecops developer-tools git-history pre-commit ci

🔐 secret-sweep

Scan your entire git history for accidentally committed secrets. Find, report, and rotate leaked credentials — before attackers do.

  ██████████████████████████████████████████████████████
  █                                                    █
  █     🔐  secret-sweep — Secret Scanner              █
  █         Protect your git history                   █
  █                                                    █
  ██████████████████████████████████████████████████████

  Repository: /home/user/my-project
  Branch:     main
  Risk Level: ██ CRITICAL RISK ██

  Commits scanned:  1,247
  Files scanned:    3,891
  Scan duration:    4.2s

  Secrets Found
  ──────────────────────────────────────────────────
  🔴 CRITICAL (rotate NOW)        3
  🟠 HIGH     (rotate today)      7
  🟡 MEDIUM   (investigate)       2
  ⚪ LOW      (review)            1

  Currently in HEAD:  ██ 3 ⚠️
  History only:       10

The Problem

You pushed .env to GitHub three months ago. You deleted it in the next commit. But it's still in git history — readable by anyone who clones your repo.

Every secret that was ever committed to git is still there. secret-sweep finds them all.

Features

🔍 Deep History Scan

Walks your entire git commit history — not just the current files. Finds secrets in deleted files, reverted commits, old branches, everything.

🎯 60+ Secret Patterns

Detects credentials across every major platform:

| Platform | Secrets Detected | |---|---| | ☁️ AWS | Access Key ID, Secret Key, Session Token | | 🔵 GCP | API Keys, Service Account JSON, OAuth Secrets | | 🔷 Azure | Storage Keys, Client Secrets, Connection Strings | | 🐙 GitHub | PATs (classic + fine-grained), OAuth Tokens | | 💳 Stripe | Secret Keys, Publishable Keys, Webhook Secrets | | 🤖 OpenAI | API Keys (all formats) | | 🧠 Anthropic | Claude API Keys | | 💬 Slack | Bot Tokens, User Tokens, Webhooks | | 🎮 Discord | Bot Tokens, Webhook URLs | | 📱 Twilio | Account SIDs, Auth Tokens | | 📧 SendGrid | API Keys | | 🔥 Firebase | API Keys, Admin SDK Keys | | 🗄️ Databases | PostgreSQL, MySQL, MongoDB, Redis connection strings | | 🔑 SSH/TLS | Private Keys (RSA, EC, DSA, OpenSSH), PGP Keys | | 🎫 JWT | Secrets, Live Tokens | | 📦 NPM | Access Tokens, .npmrc auth tokens | | + more | Vercel, Netlify, Heroku, Cloudflare, Shopify, Datadog... |

🚦 Severity Classification

Every finding is rated CRITICAL / HIGH / MEDIUM / LOW based on the potential blast radius.

 CRITICAL  AWS Access Keys, Stripe Live Keys, Private SSH Keys
 HIGH      GitHub PATs, Slack Tokens, DB Connection Strings
 MEDIUM    Webhooks, JWT Tokens, Generic API Keys
 LOW       Publishable Keys, Low-confidence Matches

🔄 Exact Rotation Instructions

Every finding includes:

Direct link to the credentials page for that service
Step-by-step instructions for rotating the specific credential
Priority ordering — CRITICAL secrets first

📊 Multi-Format Reports

Console: Beautiful color-coded terminal output
HTML: Shareable visual report for your team
JSON: Machine-readable for automation and SIEM integration

🪝 Pre-commit Hook

Block secrets from being committed in the first place:

secret-sweep install-hook

🤫 Allowlist Support

Mark known false positives in .guardianignore to keep scans clean:

[
  {
    "patternId": "generic-secret",
    "filePath": "tests/fixtures/",
    "reason": "Test fixtures contain fake secrets"
  }
]

Quick Start

Install

npm install -g secret-sweep

Scan your repo

# Full git history scan (recommended)
secret-sweep scan

# Scan a specific repo
secret-sweep scan /path/to/your/repo

# Quick scan of current files only
secret-sweep check

Example output

  ⚠ LIVE IN HEAD   ·  a3f91bc  ·  2024-11-14
  File: config/database.yml
  Commit: Add production database config

    CRITICAL   AWS Access Key ID
    Line 12:  aws_access_key_id: AKIA...MPLE (12 chars)
    Value:    AKIA...MPLE
    Confidence: 99%
    Rotate at: https://console.aws.amazon.com/iam/home#/security_credentials
    Action:   Go to IAM → Security Credentials → Deactivate key → Create new key

  ──────────────────────────────────────────────────────────────────────────

CLI Reference

secret-sweep [command] [options]

Commands:
  scan [path]       Full git history scan (default: current directory)
  check [path]      Quick scan of current files only
  install-hook      Install pre-commit git hook
  init-ignore       Create .guardianignore allowlist file
  patterns          List all 60+ detectable secret patterns

Options (scan):
  -b, --branch <branch>      Branch to scan (default: current)
  --since <commit>           Scan commits after this hash
  --max-commits <n>          Limit number of commits scanned
  --min-severity <level>     LOW | MEDIUM | HIGH | CRITICAL (default: LOW)
  --include <patterns>       Only scan matching file paths
  --exclude <patterns>       Skip matching file paths
  --format <formats>         console,json,html (default: console)
  --output-dir <dir>         Report output directory
  --ci                       Exit code 1 if secrets found (for CI pipelines)
  -q, --quiet                Summary only, no detailed findings
  --allowlist <file>         Custom allowlist file

CI Integration

# GitHub Actions
- name: Scan for secrets
  run: npx secret-sweep scan --ci --min-severity HIGH

# GitLab CI
secret-sweep scan --ci --format console,json --output-dir reports/

Pre-commit Hook

secret-sweep install-hook
# Now secrets are blocked before every commit

How It Works

git log (full history)
      │
      ▼
┌─────────────────┐
│  Git Walker     │  ← iterates every commit, every changed file
│  (git diff-tree)│
└────────┬────────┘
         │  file content at each commit
         ▼
┌─────────────────┐
│  Pattern Engine │  ← 60+ regex patterns with confidence scoring
│  (60+ patterns) │
└────────┬────────┘
         │  raw matches
         ▼
┌─────────────────┐
│  Filter Layer   │  ← false positive removal, allowlist, dedup
│  (confidence +  │
│   allowlist)    │
└────────┬────────┘
         │  verified findings
         ▼
┌─────────────────┐     ┌──────────┐     ┌──────────┐
│  Risk Engine    │────▶│  Console │     │   HTML   │
│  (severity,     │     │  Report  │     │  Report  │
│   rotation,     │────▶│          │     │          │
│   recs)         │     └──────────┘     └──────────┘
└─────────────────┘
         │
         ▼
    JSON / SARIF

Comparison

| Tool | History Scan | 60+ Patterns | Rotation Guide | HTML Report | Pre-commit Hook | Free | |---|:---:|:---:|:---:|:---:|:---:|:---:| | secret-sweep | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | | GitHub Secret Scanning | ✅ | ✅ | ❌ | ❌ | ❌ | ⚠️ Teams+ | | truffleHog | ✅ | ✅ | ❌ | ❌ | ✅ | ✅ | | gitleaks | ✅ | ✅ | ❌ | ❌ | ✅ | ✅ | | detect-secrets | ❌ | ✅ | ❌ | ❌ | ✅ | ✅ |

secret-sweep's edge: Rotation instructions + HTML reports + zero configuration needed.

FAQ

Does it send my code anywhere? No. secret-sweep runs entirely locally. No network calls, no telemetry, no SaaS.

Will it slow down my team's workflow? The pre-commit hook only scans changed files — typically under 0.5s per commit.

What about .env.example files? secret-sweep detects placeholder-looking values and reduces their confidence score. You can also allowlist entire paths in .guardianignore.

How do I purge a secret from git history? secret-sweep will tell you exactly which commits are affected. Use git-filter-repo to rewrite history:

pip install git-filter-repo
git-filter-repo --invert-paths --path .env
git push --force-with-lease

Contributing

git clone https://github.com/SergiuPogor/secret-sweep.git
cd secret-sweep
npm install
npm run dev

PRs welcome — especially new patterns! Add them to src/scanner/patterns.ts with a test.

License

Found a secret in your history? Star the repo after you rotate it. 🔑