
Scan your codebase for leaked API keys and secrets before they reach production

Project description

env-leak

Scan your codebase for leaked API keys, tokens, and secrets before they reach production.


Install

pip install env-leak

Usage

# Scan current directory
env-leak .

# Scan a specific path, skip test fixtures
env-leak ./src --exclude tests --exclude fixtures

# Disable entropy detection (pattern-only)
env-leak . --no-entropy

# Output JSON for CI pipelines
env-leak . --json > report.json

What it detects

| Type                      | Examples                                          |
|---------------------------|---------------------------------------------------|
| OpenAI / Anthropic API keys | sk-..., sk-ant-...                              |
| AWS credentials           | AKIA... access key IDs, secret key assignments    |
| GitHub tokens             | ghp_, gho_, github_pat_                           |
| Stripe keys               | sk_live_, pk_live_                                |
| Google / Firebase         | AIza..., Firebase server keys                     |
| Slack tokens              | xoxb-, xoxp-                                      |
| JWT tokens                | Any eyJ...eyJ... pattern                          |
| Private keys              | PEM headers in source files                       |
| Passwords in URLs         | https://user:pass@host                            |
| Generic assignments       | api_key = "...", secret = "..."                   |
| High-entropy strings      | Statistically random strings ≥ 20 chars           |

CI integration

# .github/workflows/secret-scan.yml
- name: Scan for secrets
  run: pip install env-leak && env-leak . --no-entropy --json

env-leak exits with code 1 when secrets are found, which makes it a natural CI gate: the job fails and the commit does not merge.

How entropy detection works

env-leak computes Shannon entropy for tokens longer than 20 characters. Real API keys and tokens are nearly random (entropy ≥ 4.5 bits/char). Normal English words and code identifiers score ~3.5. This catches secrets that don't match any known pattern.
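As an added illustration of the entropy check described above (this is not env-leak's own code; the tokenizer regex, the 20-character minimum, the 4.5 bits/char threshold and the sample source lines are assumptions made for the example), a minimal scanner that scores every sufficiently long token and reports the ones that look random:

```python
import math
import re

# Candidate tokens: runs of the characters that commonly appear in keys
# (letters, digits, and base64/URL-safe punctuation). Assumed for this example.
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-+/=]+")

MIN_LEN = 20        # tokens shorter than this are never scored
THRESHOLD = 4.5     # bits per character at which a token is flagged


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def find_high_entropy_tokens(text: str, min_len: int = MIN_LEN,
                             threshold: float = THRESHOLD):
    """Return (line_number, token, entropy) for each token that scores
    at least `threshold` bits/char and is at least `min_len` long."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for tok in TOKEN_RE.findall(line):
            if len(tok) < min_len:
                continue
            h = shannon_entropy(tok)
            if h >= threshold:
                hits.append((line_no, tok, round(h, 2)))
    return hits


# Constructed sample source; none of these values is a real credential.
SAMPLE = '''api_key = "abcdefghijklmnopqrstuvwxyz0123456789"
configuration_manager_instance = load_config()
padding = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
digest = "3f9a1c7e5b2d8e4a6c0f1b9d7e3a5c2b"
'''

if __name__ == "__main__":
    for line_no, tok, h in find_high_entropy_tokens(SAMPLE):
        print(f"line {line_no}: {tok} ({h} bits/char)")
```

Only the first line is flagged: the long identifier on line 2 scores about 3.6 bits/char and the repeated-character string scores 0. Note that the 32-character hex string on line 4 is also not flagged, since a token drawn from a 16-symbol alphabet can never exceed 4 bits/char, so pure-hex secrets need a pattern rule rather than the entropy rule.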

License

MIT

Download files

Source Distribution

env_leak-0.1.0.tar.gz (5.8 kB), uploaded as Source

Built Distribution

env_leak-0.1.0-py3-none-any.whl (6.7 kB), uploaded for Python 3

File details

Details for the file env_leak-0.1.0.tar.gz.

File metadata

  • Download URL: env_leak-0.1.0.tar.gz
  • Size: 5.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.4

File hashes

Hashes for env_leak-0.1.0.tar.gz

| Algorithm   | Hash digest                                                      |
|-------------|------------------------------------------------------------------|
| SHA256      | fc58ca39f92af6004d6d80d3bfa60c7c4683581aef20bb7c00124d6db7a10e7b |
| MD5         | e463df94601c070afcf3fa0997a2af90                                 |
| BLAKE2b-256 | a030f213508ad8d66520aaf6b4ba02d7303875815aad4eebe579b58d198a89c0 |

File details

Details for the file env_leak-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: env_leak-0.1.0-py3-none-any.whl
  • Size: 6.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.4

File hashes

Hashes for env_leak-0.1.0-py3-none-any.whl

| Algorithm   | Hash digest                                                      |
|-------------|------------------------------------------------------------------|
| SHA256      | 95e6934406c5024ea108a6cd9bbf59ff4e768f057cdcbe7fe166820004c2e98e |
| MD5         | f6c731003203cbee9ed9fa502ab75fe6                                 |
| BLAKE2b-256 | 85b6016e056d86ac62d9fb2c56fd692a9a155ca98068157570274c341af1f7b5 |
