A local secret leak detection tool for developers and DevOps teams.
apikeyscanner
Detect leaked API keys, tokens, passwords, and secrets inside your files and projects before they reach production or get pushed to GitHub.
What It Does
apikeyscanner scans local files and directories for hardcoded secrets like:
- OpenAI, Anthropic, HuggingFace API keys
- AWS, Google Cloud, Azure credentials
- GitHub, GitLab personal access tokens
- Stripe, PayPal payment keys
- Slack, Discord, Telegram bot tokens
- Database connection strings (PostgreSQL, MySQL, MongoDB, Redis)
- Hardcoded passwords, secrets, and tokens
- JWT tokens and Bearer tokens
- Private key blocks (RSA, EC, OpenSSH, PGP)
- .env file sensitive values
Installation
```bash
# Install from PyPI
pip install apikeyscanner

# Clone the repository
git clone https://github.com/devxyasir/apikeyscanner.git
cd apikeyscanner

# Install in development mode
pip install -e .

# Or install with dev tools
pip install -e ".[dev]"
```
Quick Start
CLI
```bash
# Scan the current project
apikeyscanner scan .

# Scan a specific file
apikeyscanner scan ./config.py

# Scan a directory
apikeyscanner scan ./src

# Only show HIGH severity findings
apikeyscanner scan . --severity HIGH

# Save a JSON report
apikeyscanner scan . --output reports/report.json

# Ignore specific directories
apikeyscanner scan . --ignore node_modules --ignore venv

# Print raw JSON output (great for CI/CD)
apikeyscanner scan . --json
```
Python Library
```python
import apikeyscanner as aks

# Scan a file
result = aks.scan("./config.py")

# Scan a directory
result = aks.scan("./src")

# Scan the full project
result = aks.scan(".")

# Check for high-risk secrets
if result.has_high_risk:
    print(f"{result.high_count} HIGH-risk secrets found!")
else:
    print("No high-risk secrets found.")

# Access findings
for finding in result.findings:
    print(f"[{finding.severity}] {finding.type} in {finding.file}:{finding.line}")

# Save a JSON report
result.save_json("reports/report.json")
```
CLI Examples
```bash
# Full project scan with verbose output
apikeyscanner scan . --verbose

# Scan and fail CI if HIGH secrets are found (exit code 1)
apikeyscanner scan . --severity HIGH --json && echo "Safe" || echo "SECRETS FOUND"

# Scan a .env file
apikeyscanner scan .env

# Check version
apikeyscanner version
```
Example Terminal Output
```text
API Key Scanner
Local Secret Leak Detection Tool

Target: ./myproject
Found 4 possible secret(s)

Severity  Type                File                 Line  Match
HIGH      OpenAI API Key      config.py            12    sk-a********890
HIGH      AWS Access Key ID   .env                 4     AKIA********XMP
MEDIUM    Hardcoded Token     backend/auth.py      33    tok-a********456
MEDIUM    Database URL        docker-compose.yml   18    post********3/db

Summary
  Scanned files:   58
  Skipped files:   12
  High findings:   2
  Medium findings: 2
  Low findings:    0

  Security Status: FAILED
  Fix the detected secrets before pushing or deploying.
```
Python Library API
```python
import apikeyscanner as aks

result = aks.scan(
    path=".",
    severity=["HIGH", "MEDIUM"],  # filter by severity
    ignore=["node_modules", "venv"],
    recursive=True,
)

# Properties
result.total_findings   # int: total number of secrets found
result.high_count       # int: count of HIGH severity findings
result.medium_count     # int: count of MEDIUM severity findings
result.low_count        # int: count of LOW severity findings
result.has_findings     # bool: True if any secrets found
result.has_high_risk    # bool: True if any HIGH findings
result.is_clean         # bool: True if no secrets found
result.scan_mode        # str: "file", "directory", or "project"
result.scanned_files    # int: number of files scanned
result.skipped_files    # int: number of files skipped

# Methods
result.summary            # dict: compact summary
result.to_dict()          # dict: full result as dictionary
result.to_json()          # str: full result as JSON string
result.save_json("path")  # save report to disk
```
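To make the detection model behind these properties concrete, here is an added, self-contained illustration that is not apikeyscanner's own code (its real patterns and masking live in patterns.py and utils.py and are not reproduced here): a few constructed regex patterns tagged with a severity, masking that keeps only a short prefix and suffix in the report, and a HIGH-risk gate of the kind a CI job or deploy hook would fail on. The sample lines, pattern names and mask width are constructed for the example; the AWS value is the documented example key ID, not a live credential.

```python
import re
from dataclasses import dataclass
# Constructed sample input: lines that should and should not trigger findings.
SAMPLE_LINES = [
    'OPENAI_API_KEY = "sk-abcdefghijklmnopqrstuvwxyz1234567890"',
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",  # AWS's documented example ID
    "DEBUG = True",
    'SESSION_TOKEN = "tok-abcdef123456789"',
    "-----BEGIN RSA PRIVATE KEY-----",
]

# Illustrative (name, severity, regex) tuples; a real pattern set is far larger.
PATTERNS = [
    ("OpenAI API Key", "HIGH", re.compile(r"sk-[A-Za-z0-9]{20,}")),
    ("AWS Access Key ID", "HIGH", re.compile(r"AKIA[0-9A-Z]{16}")),
    ("Private Key Block", "HIGH", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----")),
    ("Hardcoded Token", "MEDIUM", re.compile(r"tok-[A-Za-z0-9]{12,}")),
]

@dataclass
class Finding:
    severity: str
    type: str
    line: int
    match: str  # masked value only; the raw secret never enters the report

def mask(secret: str, keep_start: int = 4, keep_end: int = 3) -> str:
    """Keep a short prefix and suffix for triage and hide the rest."""
    if len(secret) <= keep_start + keep_end:
        return "*" * len(secret)
    return secret[:keep_start] + "*" * 8 + secret[-keep_end:]

def scan_lines(lines):
    """Run every pattern over every line; each finding stores only the masked match."""
    findings = []
    for lineno, text in enumerate(lines, start=1):
        for name, severity, regex in PATTERNS:
            for m in regex.finditer(text):
                findings.append(Finding(severity, name, lineno, mask(m.group(0))))
    return findings

def has_high_risk(findings) -> bool:
    """Gate for a CI job or deploy hook: fail when any HIGH finding exists."""
    return any(f.severity == "HIGH" for f in findings)

if __name__ == "__main__":
    found = scan_lines(SAMPLE_LINES)
    for f in found:
        print(f"[{f.severity}] {f.type} line {f.line}: {f.match}")
    raise SystemExit(1 if has_high_risk(found) else 0)
```

Run stand-alone it exits with status 1 because the sample contains HIGH findings, which is the same contract the `--severity HIGH` CI pattern above relies on.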
FastAPI Integration
```python
from fastapi import FastAPI, HTTPException
import apikeyscanner as aks

app = FastAPI()


@app.post("/security/scan")
def scan_project():
    result = aks.scan(
        path="/srv/backend-app",
        severity=["HIGH"],
        ignore=["venv", "node_modules"],
    )
    if result.has_high_risk:
        raise HTTPException(
            status_code=403,
            detail={
                "message": "Deployment blocked. Secrets detected.",
                "findings": [f.to_dict() for f in result.findings],
            },
        )
    return {"message": "Safe to deploy.", "summary": result.summary}
```
Running Tests
```bash
# Install dev dependencies
pip install -e ".[dev]"

# Run all tests
pytest

# Run with coverage
pytest --cov=apikeyscanner

# Run a specific test class
pytest tests/test_scanner.py::TestOpenAIKeyDetection -v
```
Project Structure
```text
apikeyscanner/
├── apikeyscanner/
│   ├── __init__.py        # Public API: exposes scan()
│   ├── scanner.py         # Core scanning engine
│   ├── patterns.py        # All detection patterns (regex + metadata)
│   ├── result.py          # ScanResult and Finding classes
│   ├── reporter.py        # JSON report generation
│   ├── cli.py             # Typer CLI + Rich terminal UI
│   ├── logger.py          # Structured logging
│   └── utils.py           # File filtering, masking, path helpers
├── tests/
│   ├── test_scanner.py    # Pytest test suite
│   └── sample_files/      # Test fixtures
├── examples/
│   ├── basic_usage.py     # Library usage examples
│   └── fastapi_usage.py   # FastAPI integration
├── reports/               # Generated reports (gitignored)
├── README.md
├── DOCUMENTATION.md
├── pyproject.toml
└── requirements.txt
```
Severity Levels

| Level | Color | Meaning |
|---|---|---|
| HIGH | Red | Critical secrets: API keys, passwords, private keys. Rotate immediately. |
| MEDIUM | Yellow | Tokens, URLs with credentials, JWT tokens. Review and move to env vars. |
| LOW | Cyan | Informational patterns that may indicate sensitive configuration. |
Ethical Note
This tool is defensive only. It is designed to protect your own projects.
- It only scans local files on your own machine.
- It does not send data to any server.
- It does not exploit or exfiltrate secrets.
- It masks secret values in all output.
- It is intended for use by developers, DevOps teams, and security teams to protect their own codebases.
Never use this tool on files or systems you do not own or have explicit permission to scan.
Author
- Author: devxyasir
- Email: jamyasir0534@gmail.com
- GitHub: https://github.com/devxyasir
- LinkedIn: https://www.linkedin.com/in/devxyasir/
- X: https://x.com/devxyasir
- Instagram: https://www.instagram.com/devxyasir/
License

MIT © devxyasir
File details
Details for the file apikeyscanner-1.0.0.tar.gz.
File metadata
- Download URL: apikeyscanner-1.0.0.tar.gz
- Upload date:
- Size: 24.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.10
File hashes

| Algorithm | Hash digest |
|---|---|
| SHA256 | 2bcb662ff6756f7a1cd1139f136f405d48ad7d857a645cec132425571f56d2e8 |
| MD5 | a6afa722766b8abc3e099e64500ba0e9 |
| BLAKE2b-256 | a42377e502cc6eb06fc0ee161c21c7d37638a89b0efd9054a5bceaa4c822d8ec |
File details
Details for the file apikeyscanner-1.0.0-py3-none-any.whl.
File metadata
- Download URL: apikeyscanner-1.0.0-py3-none-any.whl
- Upload date:
- Size: 20.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.10
File hashes

| Algorithm | Hash digest |
|---|---|
| SHA256 | 70605abc185188d8a6c2d52404cff9742691637630c1dff312971129bed03f7c |
| MD5 | f0c2341568b9bdc69f8c384f1dfe06cc |
| BLAKE2b-256 | b7ecdd1e904d4ee59970405e6d8f489ccbde60829dff60bd429d017766b653f5 |