Defensive, local-first secret-leak scanner for AI/LLM API keys — finds your own leaks; never validates, pools, or stores a key.
Project description
Holtzman
A local-first secret-leak scanner that finds your own leaked AI/LLM API keys — and never validates, pools, uses, or stores them.
Holtzman scans your own code and repositories for exposed API keys (OpenAI, Anthropic, Google AI, AWS, Groq, and more), reports masked findings with their locations, and hands you a per-provider revoke + rotate playbook. It is deliberately the ethical inverse of credential-harvesting tools: no key validation, no pooling, no stealth/evasion, and it never writes a secret to disk in cleartext.
In Dune, the Holtzman effect generates the defensive shield. Same idea.
Why Holtzman is different
"Find the secret" power can point two ways. Holtzman only points inward:
| Holtzman does | Holtzman never does |
|---|---|
| Scan your own repos + local code | Search the world for other people's keys |
| Store a masked fragment + SHA-256 hash | Store key cleartext |
| Print revoke + rotate guidance | Validate, use, or pool a key |
| Read-only own-asset enumeration | Tor / proxy / evasion |
These are enforced as safety invariants — tests fail the build if any is violated.
Features
- Curated AI-key pack — 12 providers / 15 prefix-anchored patterns (OpenAI, Anthropic, OpenRouter, Perplexity, xAI, Groq, Google AI, AWS, Hugging Face, Replicate, NVIDIA, Fireworks), with
sk-prefix disambiguation and context scoring. Broad prefix-less formats are deliberately excluded to keep precision high. - Own-asset GitHub scanning — your repositories' current code and commit history (deleted lines, where rotated-out keys hide).
- Local path scanning — files or directories, with sensible skip dirs.
- Disclosure reports — Markdown, JSON, and SARIF. Masked fragments only.
- Remediation playbooks — per-provider revoke + rotate steps, git-history purge, and monitoring guidance. Prints; touches nothing.
- Baseline allowlist +
--ci— accept known findings, fail CI only on new leaks. - Pre-commit hook + GitHub Actions — ready-to-use integrations (SARIF upload included).
- Hybrid detection — the precise pattern engine by default, with an optional
gitleaksengine for full-spectrum breadth.
Install
pip install holtzman # once published to PyPI
# or, from source:
git clone https://github.com/r3b3Lli0uskID/holtzman-p
cd holtzman && pip install -e .
Requires Python 3.12+.
Quickstart
# Scan local code (own-asset)
holtzman scan .
# Scan your own GitHub repos, including commit history
export HOLTZMAN_GITHUB_TOKEN=... # a read-only token for your repos
holtzman github --owner <your-login> --include-history
# Reports & remediation
holtzman report --format md # or json | sarif
holtzman disclose --out disclosure.md # responsible-disclosure report
holtzman rotate --provider openai # print the revoke+rotate playbook
# Baseline + CI gating
holtzman baseline --out .holtzman-baseline.json
holtzman scan . --baseline .holtzman-baseline.json --ci # non-zero exit on NEW findings
Configuration
Settings load from the environment or a local .env (prefix HOLTZMAN_):
| Variable | Purpose |
|---|---|
HOLTZMAN_GITHUB_TOKEN |
Read-only token to enumerate your own repos. Only ever sent to the GitHub API; never carries a found secret. |
HOLTZMAN_GITHUB_OWNER |
Default account/org for holtzman github (or pass --owner). |
HOLTZMAN_DB_PATH |
SQLite findings DB (default holtzman.db). |
Safety invariants
These hold in code review and are covered by tests:
- No key cleartext is ever stored — findings keep a masked fragment + SHA-256 hash only; the DB has no cleartext column.
- No outbound call carries a found secret — GitHub enumeration is read-only and sends only your own token.
- No evasion dependencies — no Tor/SOCKS/proxy stack; no stealth config.
- Zero live validations — there is no
validate/rotate/keypool/pool/stealthmodule. Holtzman tells you a key is exposed; it never checks whether it works.
CI & pre-commit
# .pre-commit-config.yaml
- repo: https://github.com/r3b3Lli0uskID/holtzman-p
rev: v0.1.0
hooks:
- id: holtzman
A ready-made GitHub Actions workflow (scan + SARIF upload) lives in .github/workflows/secret-scan.yml.
Responsible use
Holtzman is for scanning assets you own or are explicitly authorized to assess, and for responsible disclosure of exposures you find. It never validates or uses a discovered key — when you find one, revoke and rotate it (the rotate command tells you how). Do not point it at third parties' assets without authorization. See SECURITY.md.
Development
pip install -e ".[dev]"
ruff check holtzman tests
pytest --cov=holtzman
License
MIT.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file holtzman-0.1.0.tar.gz.
File metadata
- Download URL: holtzman-0.1.0.tar.gz
- Upload date:
- Size: 44.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
25a053e38b0c964c097432487a447c5ab402395bfe22cff6fd3c9e160bca13d8
|
|
| MD5 |
5d34b6a28a5f5ea4c678d0a3fb31bd92
|
|
| BLAKE2b-256 |
d5b65ed20f774ca91564f52c2e1c0ab002fa65ac964d90a4bb635bff237b9312
|
Provenance
The following attestation bundles were made for holtzman-0.1.0.tar.gz:
Publisher:
publish.yml on r3b3Lli0uskID/holtzman-p
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
holtzman-0.1.0.tar.gz -
Subject digest:
25a053e38b0c964c097432487a447c5ab402395bfe22cff6fd3c9e160bca13d8 - Sigstore transparency entry: 1700595187
- Sigstore integration time:
-
Permalink:
r3b3Lli0uskID/holtzman-p@6f5f01c82eeb04f975ec31b634fba8b816392954 -
Branch / Tag:
refs/tags/v0.1.0 - Owner: https://github.com/r3b3Lli0uskID
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@6f5f01c82eeb04f975ec31b634fba8b816392954 -
Trigger Event:
release
-
Statement type:
File details
Details for the file holtzman-0.1.0-py3-none-any.whl.
File metadata
- Download URL: holtzman-0.1.0-py3-none-any.whl
- Upload date:
- Size: 42.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
7f49fbbe13ed0b7109c67753ab88c15e245e88cdae8b1bf779e79a353061e168
|
|
| MD5 |
44b22a3c3480debbf57343d1cac74c9c
|
|
| BLAKE2b-256 |
ed74c09e58f11371aa6bc5780f8f4872d15320b256d944ea8f51ab60371589aa
|
Provenance
The following attestation bundles were made for holtzman-0.1.0-py3-none-any.whl:
Publisher:
publish.yml on r3b3Lli0uskID/holtzman-p
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
holtzman-0.1.0-py3-none-any.whl -
Subject digest:
7f49fbbe13ed0b7109c67753ab88c15e245e88cdae8b1bf779e79a353061e168 - Sigstore transparency entry: 1700595278
- Sigstore integration time:
-
Permalink:
r3b3Lli0uskID/holtzman-p@6f5f01c82eeb04f975ec31b634fba8b816392954 -
Branch / Tag:
refs/tags/v0.1.0 - Owner: https://github.com/r3b3Lli0uskID
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@6f5f01c82eeb04f975ec31b634fba8b816392954 -
Trigger Event:
release
-
Statement type: