A fast, flexible, and zero-config Git and filesystem secret scanner.
Keychase
A fast, flexible, zero-config secret scanner for Git repos and filesystems.
Why Keychase?
Leaked API keys cost companies millions every year. Keychase catches hardcoded secrets before they reach production — in your files, in your git history, and in your GitHub repos.
- 78+ built-in detectors — AWS, GCP, Azure, GitHub, Stripe, OpenAI, Slack, databases, private keys, and more
- Zero config — `pip install keychase && keychase scan .` — that's it
- Git history scanning — catch secrets in old commits that were "deleted" but still exist in history
- CI-friendly — exit code `1` when secrets are found, `0` when clean
- Multiple output formats — beautiful terminal tables, JSON, and SARIF (GitHub Code Scanning)
- Python-native — install via pip, extend with custom patterns, no binaries needed
Quick Start
Install
pip install keychase
Scan a local directory
keychase scan .
Scan with git history
keychase scan . --history
Scan a GitHub repository
export KEYCHASE_GITHUB_TOKEN=ghp_your_token_here
keychase scan owner/repo
JSON output (for CI/CD pipelines)
keychase scan . --format json --no-progress
SARIF output (for GitHub Code Scanning)
keychase scan . --format sarif --output results.sarif
CLI Reference
Usage: keychase [OPTIONS] COMMAND [ARGS]...

Commands:
  scan        Scan a directory or GitHub repo for secrets
  detectors   List all loaded detectors
  version     Show the keychase version

Scan Options:
  --history, -H         Also scan git commit history
  --depth, -d INTEGER   Max commits to scan (default: all)
  --branch, -b TEXT     Branch to scan
  --format, -f TEXT     Output format: table, json, sarif
  --token, -t TEXT      GitHub token for remote scans
  --patterns, -p TEXT   Path to custom regex patterns file
  --output, -o TEXT     Write report to file
  --no-progress         Disable progress bars (CI mode)
Supported Detectors
Keychase ships with 78 detectors across 9 categories:
| Category | Examples | Count |
|---|---|---|
| AWS | Access Key ID, Secret Key, MWS Key, Session Token | 5 |
| GCP | API Key, Service Account JSON, OAuth Secrets, Firebase | 5 |
| GitHub | PAT (classic + fine-grained), OAuth, Server Tokens | 7 |
| Cloud Providers | Azure, DigitalOcean, Heroku, Alibaba | 9 |
| Payments | Stripe, PayPal, Square, Shopify | 12 |
| Messaging | Slack, Discord, Twilio, SendGrid, Mailgun, Telegram | 12 |
| AI/ML | OpenAI, Anthropic, Hugging Face, Cohere, Replicate, Gemini, Pinecone | 8 |
| Databases | MongoDB, PostgreSQL, MySQL, Redis, JDBC | 6 |
| Generic | Passwords, Tokens, Private Keys, Bearer Auth, URLs with creds | 14 |
List all detectors:
keychase detectors
Custom Patterns
Create a file with one regex per line:
# my_patterns.txt
MYCOMPANY_API_[A-Za-z0-9]{32}
internal_token_[0-9a-f]{64}
keychase scan . --patterns my_patterns.txt
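A pre-flight check for a custom patterns file, added here as an example (it is not part of Keychase): it compiles each line and runs it against constructed should-match and benign samples, so a broken or over-broad regex is caught before it reaches the scanner. It assumes Keychase compiles patterns with Python's `re` and skips `#` lines; the last two patterns and all sample strings are constructed.

```python
import re

# Constructed patterns file: the README's two patterns plus one broken and
# one over-broad line. Treating '#' lines as comments is an assumption.
PATTERNS_TXT = """\
# my_patterns.txt
MYCOMPANY_API_[A-Za-z0-9]{32}
internal_token_[0-9a-f]{64}
legacy_key_[0-9a-f{16}
[A-Za-z0-9]+
"""

# Constructed samples: lines a pattern should catch, and benign lines it must not.
SHOULD_MATCH = [
    'API_KEY = "MYCOMPANY_API_' + "aB3" * 10 + 'Zz"',
    "token: internal_token_" + "0f" * 32,
]
BENIGN = [
    "import os",
    "def internal_token_refresh(session):",
    'MYCOMPANY_API_URL = "https://api.example.invalid/v1"',
]

def load_patterns(text):
    """Return (lineno, pattern) pairs, skipping blanks and '#' comment lines."""
    rows = ((n, ln.strip()) for n, ln in enumerate(text.splitlines(), 1))
    return [(n, p) for n, p in rows if p and not p.startswith("#")]

def lint_patterns(text, should_match=SHOULD_MATCH, benign=BENIGN):
    """Map line number -> (status, detail); status is ok/invalid/overbroad/unused."""
    report = {}
    for lineno, pat in load_patterns(text):
        try:
            rx = re.compile(pat)
        except re.error as exc:
            # A pattern that does not compile would never fire in a scan.
            report[lineno] = ("invalid", str(exc))
            continue
        noisy = [b for b in benign if rx.search(b)]
        hits = [s for s in should_match if rx.search(s)]
        if noisy:
            report[lineno] = ("overbroad", noisy[0])  # would flood the report
        elif not hits:
            report[lineno] = ("unused", pat)  # no sample proves it works
        else:
            report[lineno] = ("ok", hits[0])
    return report
```

Keeping the sample lists next to the patterns file gives each custom detector a regression test that can run in CI before the scan step.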
Ignoring False Positives
Create a .keychaseignore file in your project root:
# Files to exclude from scanning
test_fixtures/
*.test.js
legacy_config.py
CI/CD Integration
GitHub Actions
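- name: Secret Scan
  run: |
    pip install keychase
    keychase scan . --no-progress --format sarif --output keychase.sarif
- name: Upload SARIF
  # Run even when the scan step fails with exit code 1 (secrets detected),
  # otherwise the findings are never uploaded.
  if: always()
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: keychase.sarif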
Exit Codes
| Code | Meaning |
|---|---|
| 0 | No secrets found |
| 1 | Secrets detected |
| 2 | Configuration/runtime error |
Development
# Clone the repo
git clone https://github.com/Iflal/keychase.git
cd keychase
# Install in editable mode with dev dependencies
pip install -e ".[dev]"
# Run tests
pytest tests/ -v
# Lint
ruff check keychase/ tests/
Roadmap
- Pre-commit hook integration (`keychase hook install`)
- Secret verification (check if leaked keys are still active)
- Entropy-based detection for unknown secret formats
- Docker image (`docker run keychase scan .`)
- SaaS dashboard (scan orgs, scheduled scans, PDF reports)
Contributing
Contributions welcome! The easiest way to help:
- Add new detectors — see `keychase/detectors/` for examples
- Report false positives — open an issue with the line that triggered it
- Improve patterns — submit a PR with a test case
License
MIT License — see LICENSE for details.
File details
Details for the file keychase-0.1.1.tar.gz.
File metadata
- Download URL: keychase-0.1.1.tar.gz
- Upload date:
- Size: 48.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | b1a6cc6141f72ca2311840eab4d6f4c845fef3a28dc3d9af1c4487b28394526d |
| MD5 | 7deb329bb78807e1f17fbdcea4e51647 |
| BLAKE2b-256 | 8666ad13acd909e9bbc267766cb6c8575ff441eb1feee55833989f6c062a8815 |
Provenance
The following attestation bundles were made for keychase-0.1.1.tar.gz:
Publisher: release.yml on Iflal/keychase
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: keychase-0.1.1.tar.gz
  - Subject digest: b1a6cc6141f72ca2311840eab4d6f4c845fef3a28dc3d9af1c4487b28394526d
- Sigstore transparency entry: 1317291948
- Sigstore integration time:
- Permalink: Iflal/keychase@21f23f997bb8120e36339f933895a4354a4970da
- Branch / Tag: refs/tags/v0.1.1
- Owner: https://github.com/Iflal
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release.yml@21f23f997bb8120e36339f933895a4354a4970da
- Trigger Event: release
File details
Details for the file keychase-0.1.1-py3-none-any.whl.
File metadata
- Download URL: keychase-0.1.1-py3-none-any.whl
- Upload date:
- Size: 36.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 5831bdfc8dafbc9b33e1cf66ea73c0844c27d481534fd617f8f705d523b95846 |
| MD5 | 675f1b6d9533ab10a25a0c7b8d45cb48 |
| BLAKE2b-256 | 9ff15f5302369b85527bcf89a9316dc6c6244b49732a7473016bf02f6f7d12c6 |
Provenance
The following attestation bundles were made for keychase-0.1.1-py3-none-any.whl:
Publisher: release.yml on Iflal/keychase
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: keychase-0.1.1-py3-none-any.whl
  - Subject digest: 5831bdfc8dafbc9b33e1cf66ea73c0844c27d481534fd617f8f705d523b95846
- Sigstore transparency entry: 1317292016
- Sigstore integration time:
- Permalink: Iflal/keychase@21f23f997bb8120e36339f933895a4354a4970da
- Branch / Tag: refs/tags/v0.1.1
- Owner: https://github.com/Iflal
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release.yml@21f23f997bb8120e36339f933895a4354a4970da
- Trigger Event: release