Production-ready secrets scanner for Git repositories. Detects API keys, passwords, tokens, and credentials accidentally committed to source code.
Dotenv Secrets Scanner
An open-source security tool that detects accidentally committed secrets before they reach production.
Installation • Usage • What Does It Find? • How It Works • Configuration
Problem
Developers accidentally commit API keys, database passwords, and tokens to source code. This leads to data leaks, financial losses, and security breaches.
Over 6 million secrets were exposed on public GitHub repositories in 2023.
Dotenv Secrets Scanner solves this problem: it scans your code, detects secrets, and warns you before you commit.
Why Not Other Tools?
| Feature | This Tool | Gitleaks | TruffleHog |
|---|---|---|---|
| Regional payment providers support | โ | โ | โ |
| Entropy + Regex | โ | โ | โ |
| Baseline support | โ | Limited | โ |
Includes pattern support for region-specific services (e.g., Iyzico, PayTR) in addition to global ones.
What Does It Do?

```text
$ python -m scanner scan .

Scanning: ./config/production.py

  CRITICAL  AWS Access Key
    Line 12: AWS_KEY = "AKIA****************"
    Confidence: 95%

  HIGH      GitHub Personal Access Token
    Line 28: TOKEN = "ghp_************************************"
    Confidence: 90%

Scan Results
  Files scanned    47
  Total findings    3
  CRITICAL          1
  HIGH              2

Action required: Critical secrets must be rotated!
```
Installation

```bash
# Install from PyPI
pip install dotenv-secrets-scanner

# or from source
git clone https://github.com/Quarrezz/dotenv-secrets-scanner.git
cd dotenv-secrets-scanner
pip install -e .
```
Usage
Basic Scan

```bash
# Scan the current directory
python -m scanner scan .

# Scan a specific file
python -m scanner scan config/settings.py

# Scan a specific folder
python -m scanner scan src/
```
Output Formats

```bash
# Colored output in the terminal (default)
python -m scanner scan .

# JSON format (for CI/CD integration)
python -m scanner scan . --output json

# Plain text
python -m scanner scan . --output text

# HTML report
python -m scanner scan . --output html

# Save results to a file
python -m scanner scan . --output json --output-file report.json
```
Filtering by Severity

```bash
# Show only critical findings
python -m scanner scan . --severity CRITICAL

# High and critical
python -m scanner scan . --severity HIGH

# Break CI if HIGH or above is found
secrets-scan scan . --fail-on-severity HIGH
```
Performance and Output Control

```bash
# Show fewer context lines
secrets-scan scan . --context-lines 1

# Speed up scanning on multi-core machines
secrets-scan scan . --workers 8
```
Suppressing Old Findings with a Baseline
In real projects there may be secrets committed in the past that you can't clean up immediately. With a baseline, you save the findings from the first scan and focus only on new secrets thereafter.

```bash
# Write current findings to the baseline file in the first scan
python -m scanner scan . --write-baseline baseline.json

# Show only findings not in the baseline (new ones) in subsequent scans
python -m scanner scan . --baseline baseline.json

# In CI: break the job only if there are new HIGH/CRITICAL findings
secrets-scan scan . --baseline baseline.json --fail-on-severity HIGH
```
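As an added illustration of how a baseline workflow like the one above can be implemented (this is not the project's own baseline code, and its real JSON layout is not documented on this page), the following Python sketch fingerprints each finding by file, pattern type and a hash of the value, so that the committed baseline file never contains the secret itself and a finding that merely moves to another line stays suppressed; it then applies a `--fail-on-severity` style gate to whatever remains. The field names, the baseline layout and the sample findings are assumptions constructed for this example.

```python
import hashlib
import json

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

def fingerprint(finding: dict) -> str:
    """Stable identity of a finding: file path, pattern type and a truncated SHA-256
    of the secret value. The line number is left out so the entry survives edits
    elsewhere in the file, and the raw value never lands in the baseline file,
    which is itself committed to the repository."""
    digest = hashlib.sha256(finding["value"].encode()).hexdigest()[:16]
    return f"{finding['file']}:{finding['type']}:{digest}"

def build_baseline(findings: list) -> dict:
    """Equivalent of --write-baseline: everything seen now becomes 'known'."""
    return {"version": 1, "fingerprints": sorted({fingerprint(f) for f in findings})}

def new_findings(findings: list, baseline: dict) -> list:
    """Equivalent of --baseline: keep only findings whose fingerprint is unknown."""
    known = set(baseline["fingerprints"])
    return [f for f in findings if fingerprint(f) not in known]

def ci_exit_code(findings: list, fail_on: str = "HIGH") -> int:
    """Equivalent of --fail-on-severity: non-zero if any finding meets the bar."""
    bar = SEVERITY_RANK[fail_on]
    return 1 if any(SEVERITY_RANK[f["severity"]] >= bar for f in findings) else 0

def save_baseline(findings: list, path: str) -> None:
    """Serialise for --write-baseline; load_baseline is the inverse."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(build_baseline(findings), fh, indent=2)

def load_baseline(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

# Constructed sample data (assumed format): a first scan, then a later scan in which
# the two old findings moved down three lines and one new HIGH finding appeared.
FIRST_SCAN = [
    {"file": "config/production.py", "line": 12, "type": "aws_access_key",
     "severity": "CRITICAL", "value": "AKIASAMPLEVALUE00001"},
    {"file": "config/production.py", "line": 28, "type": "github_token",
     "severity": "HIGH", "value": "ghp_sampletokenvalue"},
]
SECOND_SCAN = [dict(f, line=f["line"] + 3) for f in FIRST_SCAN] + [
    {"file": "app/mail.py", "line": 4, "type": "sendgrid_api_key",
     "severity": "HIGH", "value": "SG.samplesendgridvalue"},
]
```

Because the baseline holds only hashed fingerprints, it can be committed alongside the code without leaking the old secrets it suppresses; they still need rotating.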
Git Integration

```bash
# Install the pre-commit hook (automatic scan before every commit)
python -m scanner install-hook

# Uninstall the hook
python -m scanner uninstall-hook

# Create a .secretsignore file
python -m scanner init
```
What Does It Find?
Critical (CRITICAL)
| Type | Example Format |
|---|---|
| AWS Access Key | 20-character key starting with AKIA |
| AWS Secret Key | aws_secret_access_key = "..." |
| GitHub Token | Tokens starting with ghp_, gho_, ghs_ |
| Stripe Secret Key | Key starting with sk_live_ |
| SSH Private Key | -----BEGIN RSA PRIVATE KEY----- format |
| PostgreSQL/MySQL URL | postgres://user:pass@host format |
| Iyzico API Key | Iyzico/iyzipay payment keys |
| PayTR Merchant Key | PayTR payment keys |
High (HIGH)
| Type | Example Format |
|---|---|
| OpenAI API Key | Key starting with sk- |
| Google API Key | Key starting with AIza |
| Slack Bot Token | Token starting with xoxb- |
| Slack Webhook | https://hooks.slack.com/... |
| JWT Token | Token in eyJ... format |
| SendGrid API Key | Key starting with SG. |
| NPM / PyPI Token | Tokens starting with npm_, pypi- |
Medium (MEDIUM)
| Type | Example Format |
|---|---|
| Azure Storage Key | AccountKey = "..." |
| Generic API Key | api_key = "...", api_secret = "..." |
| Generic Password | password = "...", passwd = "..." |
| Docker Auth | Docker registry tokens |
Low (LOW)
| Type | Example Format |
|---|---|
| .env Secret | In SECRET_KEY=value format |
| High Entropy Hex | Long hex strings (potentially secret) |
In total, 30+ different secret types are detected, including regional provider support (e.g., Iyzico, PayTR, Türk Telekom Cloud, e-Devlet) in addition to global services.
How It Works
The scanner uses a 3-layer detection system:
```text
Source Code
     │
     ▼
┌──────────────────────┐
│ 1. Regex Match       │ ← searches for known secret formats with 30+ patterns
└──────────┬───────────┘
           │ match found
           ▼
┌──────────────────────┐
│ 2. Entropy Analysis  │ ← checks randomness with Shannon entropy
└──────────┬───────────┘   (low entropy = not a password, high = likely a password)
           │
           ▼
┌──────────────────────┐
│ 3. FP Filtering      │ ← filters out placeholders, templates and example values
└──────────┬───────────┘
           │
           ▼
    True Finding
 (with confidence score)
```
Thanks to this 3-layer system:

- `API_KEY = "YOUR_API_KEY_HERE"` → placeholder, skipped
- `API_KEY = "changeme"` → known test value, skipped
- `API_KEY = "${ENV_VAR}"` → template syntax, skipped
- `# API_KEY = "sk_live_..."` → comment line, reported with a low confidence score
- `API_KEY = "sk_live_4eC39Hq************"` → real secret found!
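To make the three layers concrete, here is an added, self-contained Python sketch of the pipeline; it is not the project's own `patterns.py`, `entropy.py` or `validators.py` code. The three regexes, the 3.0-bit entropy floor, the placeholder list, the confidence formula and the Python-style `#` comment check are all assumptions chosen for illustration, and the sample lines are the ones listed above plus a few constructed variants.

```python
import math
import re

# Constructed example patterns for three of the README's secret types; illustrative
# regexes only, not the project's own definitions.
PATTERNS = {
    "aws_access_key": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "CRITICAL"),
    "stripe_secret_key": (re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"), "CRITICAL"),
    "generic_api_key": (re.compile(r"(?i)api_key\s*=\s*[\"']([^\"']+)[\"']"), "MEDIUM"),
}
KNOWN_TEST_VALUES = {"changeme", "password", "secret", "example", "test"}

def shannon_entropy(s: str) -> float:
    """Layer 2: bits per character. Random key material scores roughly 4 to 5."""
    if not s:
        return 0.0
    return -sum(n / len(s) * math.log2(n / len(s))
                for n in (s.count(c) for c in set(s)))

def is_false_positive(value: str) -> bool:
    """Layer 3: placeholders, template syntax and known test values."""
    v = value.lower()
    return (v in KNOWN_TEST_VALUES or v.startswith("your_") or "example" in v
            or "${" in value or value.startswith("<"))

def scan_line(line: str, lineno: int, min_entropy: float = 3.0) -> list:
    """Run the three layers over one source line and return masked findings."""
    findings, claimed = [], []
    for name, (rx, severity) in PATTERNS.items():  # layer 1: regex match
        for m in rx.finditer(line):
            start, end = m.span(1) if rx.groups else m.span()
            if any(s <= start < e for s, e in claimed):
                continue  # already reported by a more specific pattern
            value = line[start:end]
            entropy = shannon_entropy(value)
            if entropy < min_entropy or is_false_positive(value):
                continue
            confidence = min(0.95, 0.5 + entropy / 10)
            if line.lstrip().startswith("#"):  # commented-out secret: keep, score low
                confidence -= 0.3
            claimed.append((start, end))
            findings.append({"line": lineno, "type": name, "severity": severity,
                             "value": value[:4] + "*" * (len(value) - 4),
                             "confidence": round(confidence, 2)})
    return findings
```

The AWS documentation's well-known sample key is rejected by the placeholder rule even though its entropy is high, while a run of repeated characters is rejected by the entropy floor before the placeholder rule is consulted.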
Configuration
.secretsignore File
Create a .secretsignore file in the project root to exclude specific files or directories from scanning:

```bash
# Create automatically
python -m scanner init
```

```text
# .secretsignore example
# Skip test files
tests/
test_*.py
# Skip specific files
config/example.env
docs/api-guide.md
# Skip folders
fixtures/
examples/
```
YAML Configuration
For more detailed configuration, create .secretscan.yml in the project root:

```yaml
# .secretscan.yml
excluded_dirs:
  - node_modules
  - .git
  - vendor
  - dist
excluded_extensions:
  - .png
  - .jpg
  - .lock
min_severity: MEDIUM
scan_hidden: false
follow_symlinks: false
max_file_size: 1048576  # 1 MB
```
Listing All Patterns
To see which secret types the scanner detects, list the patterns from the CLI:

```bash
# List all patterns
python -m scanner patterns

# List only HIGH and CRITICAL patterns
python -m scanner patterns --severity HIGH
```

This command shows the pattern ID, name, severity level, and a short description in a table.
Pre-commit Integration
Direct Installation (Recommended)

```bash
python -m scanner install-hook
```

This command adds the scanner hook to .git/hooks/pre-commit; a scan then runs automatically before every git commit.
With the pre-commit Framework
Add to your .pre-commit-config.yaml file:

```yaml
repos:
  - repo: https://github.com/Quarrezz/dotenv-secrets-scanner
    rev: v1.0.0
    hooks:
      - id: secrets-scan
```
CI/CD Integration
GitHub Actions

```yaml
# .github/workflows/secrets-check.yml
name: Secrets Check
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install dotenv-secrets-scanner
      - run: secrets-scan scan . --severity HIGH --output json
```
Project Structure

```text
src/scanner/
├── __init__.py        # Package initialization
├── __main__.py        # python -m scanner support
├── models.py          # Data models (Finding, ScanResult, ScanConfig)
├── patterns.py        # 30+ regex pattern definitions
├── entropy.py         # Shannon entropy analysis
├── validators.py      # False positive filtering
├── core.py            # Main scanning engine
├── reports.py         # Report generators (JSON, Text, HTML)
├── cli/
│   └── main.py        # CLI commands (Click)
├── hooks/
│   └── pre_commit.py  # Git pre-commit hook
└── utils/
    ├── config.py      # Configuration management
    └── git.py         # Git integration
```
Roadmap
- GitHub App version
- Official Docker image
- VSCode Extension
- SARIF output support
License
MIT License, see the LICENSE file for details.
By Turkish developers, for all developers.