Scan codebases, git history, and Docker images for accidentally exposed secrets
ExploitCraft · Bangladesh · Building tools that matter. Full documentation at doc.emonpersonal.xyz
envleaks
Scan your codebase, git history, and CI pipelines for accidentally exposed secrets, API keys, and credentials.
Features
- 100+ detection patterns: AWS, GitHub, OpenAI, Stripe, Slack, Twilio, GCP, Azure, and more
- Git history scanning: finds secrets in past commits, not just the current state
- Docker-ready: works inside containers and CI/CD pipelines
- Multiple output formats: terminal (Rich), JSON, and SARIF (GitHub Advanced Security)
- CI mode: exits with code 1 if secrets are found, blocking the pipeline
- Severity filtering: focus on critical and high only, skip the noise
- Fast: skips binaries, large files, and node_modules automatically
Installation
pip install envleaks
Or install from source:
git clone https://github.com/ExploitCraft/envleaks
cd envleaks
pip install -e .
Quick Start
# Scan current directory
envleaks scan .
# Scan a specific project
envleaks scan /path/to/project
# Scan a single file
envleaks scan config.py
# Only show critical and high findings
envleaks scan . --severity critical,high
# Also scan all past git commits
envleaks scan . --git-history
# Output as JSON
envleaks scan . --format json --output report.json
# CI mode: exits 1 if findings, SARIF output for GitHub
envleaks scan . --ci --format sarif --output envleaks.sarif
Example Output
╭─ envleaks - secret & credential scanner ─╮

config/settings.py
LINE  SEVERITY  RULE    NAME                        MATCH
12    CRITICAL  AWS001  AWS Access Key ID           AKIA...MPLE
18    HIGH      GH001   GitHub Personal Access...   ghp_...9012
34    MEDIUM    GEN001  Generic Secret Assignment   secr...word

.env.backup
1     CRITICAL  DB001   Database connection URL     post...b"

╭─ Scan Summary ─────────────────╮
  Files scanned   47
  Files skipped   12
  Total findings  4
  Critical        2
  High            1
  Medium          1
╰────────────────────────────────╯
GitHub Actions Integration
Add this step to your workflow to block PRs that introduce secrets:
- name: Scan for secrets
  run: |
    pip install envleaks
    envleaks scan . --ci --severity critical,high
For full SARIF integration with GitHub's Security tab:
- name: Scan for secrets (SARIF)
  run: |
    pip install envleaks
    envleaks scan . --format sarif --output envleaks.sarif
- name: Upload to GitHub Security tab
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: envleaks.sarif
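The upload-sarif step above only accepts a well-formed SARIF 2.1.0 log: one run with the tool's rule catalogue under `tool.driver.rules` and one result per finding carrying `ruleId`, `level`, a message and a physical location. The following is an added example (not envleaks' own code) that builds such a log from a list of findings; the finding dict shape, the `LEVEL_FOR` severity mapping, the `to_sarif`/`write_sarif` names and the constructed `FINDINGS` sample are assumptions made for the illustration. Note that the message carries only the redacted match, so the SARIF file uploaded to GitHub never contains the secret itself.

```python
"""Build a SARIF 2.1.0 log from secret-scanner findings.

Added example, not envleaks' code. The finding dict layout, the severity-to-level
mapping and the function names are assumptions; the SARIF structure
(runs -> tool.driver.rules, results with ruleId/level/message/locations) is the
shape github/codeql-action/upload-sarif consumes.
"""
import json

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

# Hypothetical mapping from scanner severities to SARIF result levels.
LEVEL_FOR = {"critical": "error", "high": "error", "medium": "warning", "low": "note"}

# Constructed findings mirroring the README's example output; matches are already redacted.
FINDINGS = [
    {"file": "config/settings.py", "line": 12, "rule": "AWS001",
     "name": "AWS Access Key ID", "severity": "critical", "match": "AKIA...MPLE"},
    {"file": "config/settings.py", "line": 18, "rule": "GH001",
     "name": "GitHub Personal Access Token", "severity": "high", "match": "ghp_...9012"},
    {"file": "config/settings.py", "line": 34, "rule": "GEN001",
     "name": "Generic Secret Assignment", "severity": "medium", "match": "secr...word"},
    {"file": ".env.backup", "line": 1, "rule": "DB001",
     "name": "Database connection URL", "severity": "critical", "match": "post...b"},
]


def to_sarif(findings, tool_name="envleaks", tool_version="1.1.0"):
    """Return a SARIF 2.1.0 log (as a dict) with one rule entry per distinct rule id."""
    rules = {}     # rule id -> reportingDescriptor, insertion-ordered
    results = []
    for f in findings:
        level = LEVEL_FOR[f["severity"]]
        rules.setdefault(f["rule"], {
            "id": f["rule"],
            "shortDescription": {"text": f["name"]},
            "defaultConfiguration": {"level": level},
        })
        results.append({
            "ruleId": f["rule"],
            "level": level,
            # Only the redacted match goes into the report, never the raw secret.
            "message": {"text": f"{f['name']} detected ({f['match']})"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"]},   # repo-relative, forward slashes
                "region": {"startLine": f["line"]},
            }}],
        })
    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version,
                                "rules": list(rules.values())}},
            "results": results,
        }],
    }


def write_sarif(findings, path):
    """Serialise the log to disk, e.g. write_sarif(FINDINGS, 'envleaks.sarif')."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(to_sarif(findings), fh, indent=2)


if __name__ == "__main__":
    print(json.dumps(to_sarif(FINDINGS), indent=2))
```

GitHub groups alerts by `ruleId`, so keeping the rule catalogue deduplicated and the ids stable across runs is what lets it track a finding from introduction to fix rather than opening a fresh alert on every scan.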
Detection Rules
| Category | Rules | Examples |
|---|---|---|
| AWS | 3 | Access Key, Secret Key, Session Token |
| GitHub | 5 | PAT, OAuth, Fine-Grained PAT |
| Google / GCP | 3 | API Key, Service Account |
| OpenAI | 2 | API Key, Org ID |
| Stripe | 4 | Live/Test Secret, Webhook |
| Slack | 4 | Bot Token, Webhook URL |
| Database URLs | 2 | PostgreSQL, MongoDB Atlas |
| Private Keys | 5 | RSA, EC, OpenSSH, PGP |
| Generic | 3 | Bearer tokens, Basic Auth in URLs |
| + more | 70+ | Twilio, Discord, Firebase, Azure... |
View all rules:
envleaks list-rules
envleaks list-rules --severity critical
CLI Reference
Usage: envleaks [OPTIONS] COMMAND [ARGS]...
Commands:
scan Scan PATH for secrets and credentials
list-rules List all built-in detection rules
Options for scan:
--format terminal | json | sarif (default: terminal)
--output, -o Write to file
--severity critical,high,medium,low (comma-separated)
--git-history Also scan all past git commits
--max-commits Limit commits scanned with --git-history
--ci Exit code 1 on findings (for pipelines)
--include Glob pattern to include
--exclude Glob pattern to exclude
Part of the LeakHound Ecosystem
envleaks is part of LeakHound, a unified secret hunting toolkit.
| Tool | Description |
|---|---|
| envleaks | Codebase & git history scanner (this repo) |
| gitdork | Google/Shodan dork generator |
| wifi-passview | Cross-platform WiFi credential dumper |
| leakhound | Unified CLI wrapping all three |
Contributing
PRs welcome! To add a new detection pattern, edit envleaks/patterns.py and add a Pattern(...) entry. Please include a test in tests/test_scanner.py.
pip install -e ".[dev]"
pytest tests/
ruff check envleaks/
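To make the Features, Detection Rules and Contributing sections concrete, here is an added example of the kind of rule-plus-scanner a pattern contribution exercises; it is not envleaks' code, and the `Pattern` dataclass, the rule ids, the regexes, the `scan_text`/`filter_severity`/`ci_exit_code` names and the `SAMPLE_SETTINGS` input are all assumptions made for this illustration (the AWS key in the sample is Amazon's documented example key, the GitHub token is a constructed placeholder). It shows the three behaviours the README describes: matching on the public prefix of a credential format, filtering to a comma-separated severity list, and turning any remaining finding into a non-zero exit code for CI.

```python
"""Minimal secret scanner with severity filtering and a CI exit code.

Added example, not envleaks' own code: the Pattern dataclass, the rule ids,
the regexes and the function names are assumptions made for this illustration.
"""
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Pattern:
    rule_id: str
    name: str
    regex: "re.Pattern[str]"
    severity: str  # critical | high | medium | low


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Hypothetical rule set. The fixed prefixes (AKIA..., ghp_...) are the public
# formats of these credential types, which is what makes them detectable.
PATTERNS = [
    Pattern("AWS001", "AWS Access Key ID",
            re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "critical"),
    Pattern("GH001", "GitHub Personal Access Token",
            re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), "high"),
    Pattern("GEN001", "Generic Secret Assignment",
            re.compile(r"""(?i)(secret|password|passwd|api_key)\w*\s*[:=]\s*['"][^'"]{8,}['"]"""),
            "medium"),
]


def redact(value):
    """Keep only the first and last four characters so reports never carry the full secret."""
    return value if len(value) <= 8 else f"{value[:4]}...{value[-4:]}"


def scan_text(path, text):
    """Run every pattern over every line; return one finding dict per match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for p in PATTERNS:
            for m in p.regex.finditer(line):
                findings.append({
                    "file": path, "line": lineno, "rule": p.rule_id,
                    "name": p.name, "severity": p.severity,
                    "match": redact(m.group(0)),
                })
    return findings


def filter_severity(findings, severities):
    """Keep findings whose severity is in a comma-separated list such as 'critical,high'."""
    wanted = {s.strip().lower() for s in severities.split(",") if s.strip()}
    kept = [f for f in findings if f["severity"] in wanted]
    return sorted(kept, key=lambda f: (SEVERITY_RANK[f["severity"]], f["file"], f["line"]))


def ci_exit_code(findings):
    """CI mode: exit 1 when anything survived filtering, so the pipeline fails."""
    return 1 if findings else 0


# Constructed sample input standing in for a config/settings.py. The AWS value is
# Amazon's documented example key; the GitHub token is a made-up placeholder.
SAMPLE_SETTINGS = """\
DEBUG = True
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
SECRET_KEY = "django-insecure-placeholder"
"""

if __name__ == "__main__":
    found = filter_severity(scan_text("config/settings.py", SAMPLE_SETTINGS), "critical,high,medium")
    for f in found:
        print(f"{f['line']:>4} {f['severity']:<8} {f['rule']:<7} {f['name']:<30} {f['match']}")
    sys.exit(ci_exit_code(found))
```

Two design points carry over to a real rule contribution: the match is redacted before it is stored, so a scanner's own report (or the test fixtures in tests/test_scanner.py) never becomes a second copy of the secret; and the generic rule deliberately requires a quoted value of at least eight characters, which is the main lever for keeping medium-severity noise down without losing the prefix-based rules.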
License
MIT © ExploitCraft
File details
Details for the file envleaks-1.1.0.tar.gz.
File metadata
- Download URL: envleaks-1.1.0.tar.gz
- Upload date:
- Size: 18.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 730aa98fce6d58afa26110841066bfcb52829855a2d2c2c3e05a9bb11326ea52 |
| MD5 | d7bd03dd9d9422dfa2f63047bc8d58c9 |
| BLAKE2b-256 | 93c3e7199d291cffdeb23b4023887d7a11fc6b61e27570ac66571a489fe5833d |
File details
Details for the file envleaks-1.1.0-py3-none-any.whl.
File metadata
- Download URL: envleaks-1.1.0-py3-none-any.whl
- Upload date:
- Size: 16.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 2552c884505cfcccadfaffcf52fda1d5d4dd9fe9cb79183779bde40d0306b292 |
| MD5 | 897c74f2191fffdbf745edcc24f3bf71 |
| BLAKE2b-256 | 46531a1b8a6151a56db9939433d112aeef95e6507ac2d3a05b83b7b2f05314b6 |