Scan repositories for potential usernames, passwords, tokens, and other secrets.

Project description

checsum

checsum scans your project for potential secrets before code is pushed to Git. It detects common patterns such as usernames, passwords, API tokens, private keys, and authorization headers, then generates a full HTML report with:

  • file name
  • exact location (line and column)
  • finding type
  • matched value (or preview)

Install

pip install checsum

For local development:

pip install -e .

Usage

Scan the current directory and create an HTML report:

checsum --path . --output checsum-report.html

Fail CI if possible secrets are found:

checsum --path . --fail-on-findings

Ignore additional globs:

checsum --path . --ignore "*.pem" --ignore "docs/*"

Example Output

The report includes:

  • scan timestamp
  • root path scanned
  • total files and findings
  • grouped breakdown by finding type
  • detailed table of each hit with path, line, column, severity, and extracted snippet

Use as a pre-push safety check

Create .git/hooks/pre-push:

#!/usr/bin/env bash
set -euo pipefail
checsum --path . --output checsum-report.html --fail-on-findings

Then make it executable:

chmod +x .git/hooks/pre-push

Build and publish to PyPI

python -m pip install --upgrade build twine
python -m build
python -m twine check dist/*
python -m twine upload dist/*

Before uploading, update:

  • project.urls in pyproject.toml
  • author metadata
  • version number

Notes

checsum is a heuristic scanner. It can produce false positives and should be used as an early warning signal, not a replacement for secret management best practices.
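
To illustrate what a heuristic scan of this kind reports (location, finding type, redacted preview) and why it yields false positives, here is an added example. It is not checsum's own code; the patterns, function names and sample text are assumptions constructed for illustration.

```python
import re

# Illustrative patterns only (assumptions); checsum's real rules are not shown on this page.
PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "authorization_header": re.compile(
        r"(?i)authorization\s*:\s*(?:bearer|basic)\s+[A-Za-z0-9._~+/=-]{8,}"),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\b\s*[:=]\s*[\"']([^\"']{4,})[\"']"),
    "api_token": re.compile(
        r"(?i)\b(?:api[_-]?key|token|secret)\b\s*[:=]\s*[\"']([A-Za-z0-9_\-]{16,})[\"']"),
}

def preview(value, keep=4):
    """Redact all but the first few characters so the report does not leak the secret."""
    return value[:keep] + "*" * max(len(value) - keep, 0)

def scan_text(name, text):
    """Return findings with file, 1-based line/column, type and a redacted preview."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                # Use the captured secret if the pattern has a group, else the whole match.
                grp = 1 if m.lastindex else 0
                findings.append({
                    "file": name, "line": lineno, "column": m.start(grp) + 1,
                    "type": kind, "preview": preview(m.group(grp)),
                })
    return findings

# Constructed sample input: none of these values are real credentials.
SAMPLE = '''\
db_user = "svc_report"
password = "hunter2-example"
password = "changeme"  # documentation placeholder: a false positive
# curl -H "Authorization: Bearer abcdefgh12345678" https://example.invalid
API_KEY = "EXAMPLEEXAMPLEEXAMPLE0001"
'''

if __name__ == "__main__":
    for f in scan_text("settings.py", SAMPLE):
        print(f"{f['file']}:{f['line']}:{f['column']} {f['type']} {f['preview']}")
```

The placeholder on line 3 of the sample is flagged exactly like the line above it, which is the kind of false positive a pattern-based scanner cannot distinguish without human review.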

Download files

Source Distribution

checsum-0.1.0.tar.gz (7.4 kB)

Built Distribution

checsum-0.1.0-py3-none-any.whl (7.6 kB)

File details

Details for the file checsum-0.1.0.tar.gz.

File metadata

  • Download URL: checsum-0.1.0.tar.gz
  • Upload date:
  • Size: 7.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.0

File hashes

Hashes for checsum-0.1.0.tar.gz
Algorithm Hash digest
SHA256 c9309fa58d7a30477b6674f7d2f5e9cc8353ebf58c2fb5b93acceffe94fae886
MD5 ebf0ac22da366803c7745c6a5ec98c02
BLAKE2b-256 5f9a3f317a8e8acb01050d11262ebdfcf30cb4e9cd15f0bad188f1d5ddac9e58

File details

Details for the file checsum-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: checsum-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 7.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.0

File hashes

Hashes for checsum-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 11962270131e1ef0f9656e5a81560d0948ed7b4cc6e279859275e6de53e7f606
MD5 bb6e57490bff0d0ab8d427c23d097b62
BLAKE2b-256 edf181e050491b382452c37b8dbea8ad1595fc2c820706893ede5f0886af98b2
