A fast, flexible, and zero-config Git and filesystem secret scanner.
Project description
Keychase
A fast, flexible, zero-config secret scanner for Git repos and filesystems.
Why Keychase?
Leaked API keys cost companies millions every year. Keychase catches hardcoded secrets before they reach production — in your files, in your git history, and in your GitHub repos.
- 78+ built-in detectors — AWS, GCP, Azure, GitHub, Stripe, OpenAI, Slack, databases, private keys, and more
- Zero config —
pip install keychase && keychase scan .— that's it - Git history scanning — catch secrets in old commits that were "deleted" but still exist in history
- CI-friendly — exit code
1when secrets are found,0when clean - Multiple output formats — beautiful terminal tables, JSON, and SARIF (GitHub Code Scanning)
- Python-native — install via pip, extend with custom patterns, no binaries needed
Quick Start
Install
pip install keychase
Scan a local directory
keychase scan .
Scan with git history
keychase scan . --history
Scan a GitHub repository
export KEYCHASE_GITHUB_TOKEN=ghp_your_token_here
keychase scan owner/repo
JSON output (for CI/CD pipelines)
keychase scan . --format json --no-progress
SARIF output (for GitHub Code Scanning)
keychase scan . --format sarif --output results.sarif
CLI Reference
Usage: keychase [OPTIONS] COMMAND [ARGS]...
Commands:
scan Scan a directory or GitHub repo for secrets
detectors List all loaded detectors
version Show the keychase version
Scan Options:
--history, -H Also scan git commit history
--depth, -d INTEGER Max commits to scan (default: all)
--branch, -b TEXT Branch to scan
--format, -f TEXT Output format: table, json, sarif
--token, -t TEXT GitHub token for remote scans
--patterns, -p TEXT Path to custom regex patterns file
--output, -o TEXT Write report to file
--no-progress Disable progress bars (CI mode)
Supported Detectors
Keychase ships with 78 detectors across 9 categories:
| Category | Examples | Count |
|---|---|---|
| AWS | Access Key ID, Secret Key, MWS Key, Session Token | 5 |
| GCP | API Key, Service Account JSON, OAuth Secrets, Firebase | 5 |
| GitHub | PAT (classic + fine-grained), OAuth, Server Tokens | 7 |
| Cloud Providers | Azure, DigitalOcean, Heroku, Alibaba | 9 |
| Payments | Stripe, PayPal, Square, Shopify | 12 |
| Messaging | Slack, Discord, Twilio, SendGrid, Mailgun, Telegram | 12 |
| AI/ML | OpenAI, Anthropic, Hugging Face, Cohere, Replicate, Gemini, Pinecone | 8 |
| Databases | MongoDB, PostgreSQL, MySQL, Redis, JDBC | 6 |
| Generic | Passwords, Tokens, Private Keys, Bearer Auth, URLs with creds | 14 |
List all detectors:
keychase detectors
Custom Patterns
Create a file with one regex per line:
# my_patterns.txt
MYCOMPANY_API_[A-Za-z0-9]{32}
internal_token_[0-9a-f]{64}
keychase scan . --patterns my_patterns.txt
Ignoring False Positives
Create a .keychaseignore file in your project root:
# Files to exclude from scanning
test_fixtures/
*.test.js
legacy_config.py
CI/CD Integration
Pre-Commit Hook
Keychase natively supports pre-commit. To prevent secrets from ever being committed to your repository, add the following to your .pre-commit-config.yaml:
repos:
- repo: https://github.com/Iflal/keychase
rev: v0.1.3 # Use the latest release tag
hooks:
- id: keychase
GitHub Actions
- name: Secret Scan
run: |
pip install keychase
keychase scan . --no-progress --format sarif --output keychase.sarif
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: keychase.sarif
Exit Codes
| Code | Meaning |
|---|---|
0 |
No secrets found |
1 |
Secrets detected |
2 |
Configuration/runtime error |
Development
# Clone the repo
git clone https://github.com/Iflal/keychase.git
cd keychase
# Install in editable mode with dev dependencies
pip install -e ".[dev]"
# Run tests
pytest tests/ -v
# Lint
ruff check keychase/ tests/
Roadmap
- Pre-commit hook integration (
keychase hook install) - Secret verification (check if leaked keys are still active)
- Entropy-based detection for unknown secret formats
- Docker image (
docker run keychase scan .) - SaaS dashboard (scan orgs, scheduled scans, PDF reports)
Contributing
Contributions welcome! The easiest way to help:
- Add new detectors — see
keychase/detectors/for examples - Report false positives — open an issue with the line that triggered it
- Improve patterns — submit a PR with a test case
License
MIT License — see LICENSE for details.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
keychase-0.1.3.tar.gz
(33.7 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
keychase-0.1.3-py3-none-any.whl
(37.2 kB
view details)
File details
Details for the file keychase-0.1.3.tar.gz.
File metadata
- Download URL: keychase-0.1.3.tar.gz
- Upload date:
- Size: 33.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
f07518eec781b977dc39caa944ce914a53c977679bf97c20a401a75e5b9b8dbd
|
|
| MD5 |
10ad820e5dce05fa6e092ff3eb2f3197
|
|
| BLAKE2b-256 |
92975b13b97ee36301a1f58b716a4ef8bc8ea136ced79368663e9c2d123a0396
|
Provenance
The following attestation bundles were made for keychase-0.1.3.tar.gz:
Publisher:
release.yml on Iflal/keychase
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
keychase-0.1.3.tar.gz -
Subject digest:
f07518eec781b977dc39caa944ce914a53c977679bf97c20a401a75e5b9b8dbd - Sigstore transparency entry: 1387630405
- Sigstore integration time:
-
Permalink:
Iflal/keychase@748857e4b067370d92f86c9dfa56269ce7d53d8b -
Branch / Tag:
refs/tags/v0.1.3 - Owner: https://github.com/Iflal
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@748857e4b067370d92f86c9dfa56269ce7d53d8b -
Trigger Event:
release
-
Statement type:
File details
Details for the file keychase-0.1.3-py3-none-any.whl.
File metadata
- Download URL: keychase-0.1.3-py3-none-any.whl
- Upload date:
- Size: 37.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
8aaf4e25d79674cdf8b4f27933c30e40cf61477acdacf85ed5df21b6d4c95d75
|
|
| MD5 |
864a87ed664a3e653fe9e95e5f476abf
|
|
| BLAKE2b-256 |
4a5cbcff6ec78d85e1184a3f32af39a37ad0b27bdd5ac64ce4469810037807f1
|
Provenance
The following attestation bundles were made for keychase-0.1.3-py3-none-any.whl:
Publisher:
release.yml on Iflal/keychase
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
keychase-0.1.3-py3-none-any.whl -
Subject digest:
8aaf4e25d79674cdf8b4f27933c30e40cf61477acdacf85ed5df21b6d4c95d75 - Sigstore transparency entry: 1387630492
- Sigstore integration time:
-
Permalink:
Iflal/keychase@748857e4b067370d92f86c9dfa56269ce7d53d8b -
Branch / Tag:
refs/tags/v0.1.3 - Owner: https://github.com/Iflal
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@748857e4b067370d92f86c9dfa56269ce7d53d8b -
Trigger Event:
release
-
Statement type:
