leakguard — fast secret scanner for your codebase

A lightweight, zero-config secret scanner written in Rust — available as a CLI tool and a Python library. It scans source code for accidentally committed secrets, credentials, and sensitive data.


Features

  • 89 built-in detection rules covering cloud providers, LLMs, databases, HTTP auth, and more
  • Multiple output formats — pretty-printed, JSON, and SARIF
  • GitHub Actions integration — writes a formatted Job Summary to $GITHUB_STEP_SUMMARY
  • Inline suppression — annotate lines with # leakguard-ignore to silence known false positives
  • Configurable via leakguard.toml — restrict file extensions, exclude paths, disable rules
  • Sorted output — findings ordered by severity (CRITICAL → HIGH → MEDIUM → LOW → WARNING), then by file and line
  • Smart false-positive filtering — skips template variables, shell variables, and attribute references
  • Binary-safe — skips non-text files automatically
  • Respects .env files — always excluded from scanning

Installation

From source

git clone https://github.com/adrian-lorenz/leakguard.git
cd leakguard
cargo install --path .

via pip

pip install leakguard-secret-leaks
leakguard check .

Pre-built binaries

Download the latest binary for your platform from the Releases page:

Platform | File
Linux x86_64 | leakguard-linux-amd64
Linux ARM64 | leakguard-linux-arm64
Windows x86_64 | leakguard-windows-amd64.exe
macOS Apple Silicon | leakguard-macos-arm64

# Linux / macOS — make executable and move to PATH
chmod +x leakguard-linux-amd64
sudo mv leakguard-linux-amd64 /usr/local/bin/leakguard

Python Library

After installing via pip install leakguard-secret-leaks, you can use leakguard directly from Python — e.g. to scan text before sending it to an LLM:

from leakguard import scan_text

findings = scan_text("My API key is sk-proj-abc123xyz...")
for f in findings:
    print(f.rule_id, f.severity, f.secret)

# Disable specific rules:
findings = scan_text(text, disable_rules=["http-insecure-url"])

Each finding has the attributes: rule_id, description, severity, line_number, line, secret, tags.
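
A sketch of the pre-LLM gate mentioned above, added here as an example and not part of leakguard: it replaces every reported secret with a rule-tagged placeholder, or refuses the prompt outright above a chosen severity. It relies only on the documented rule_id, severity and secret attributes; redact_for_llm, its scan and block_on parameters, the placeholder format, the stub scanner and its sample findings are assumptions made for the illustration, as is severity rendering as a string such as "HIGH".

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple


@dataclass
class StubFinding:
    """Constructed stand-in exposing three of the documented attributes."""
    rule_id: str
    severity: str
    secret: str


# Constructed sample findings; rule ids and values are not real leakguard output.
_SAMPLES = [
    StubFinding("demo-url-credential", "MEDIUM",
                "https://user:tok-CONSTRUCTED-123@svc.example/api"),
    StubFinding("demo-token", "HIGH", "tok-CONSTRUCTED-123"),
]


def stub_scan(text: str) -> List[StubFinding]:
    """Hypothetical scanner used only so the example runs without leakguard."""
    return [f for f in _SAMPLES if f.secret in text]


def redact_for_llm(text: str, scan: Optional[Callable] = None,
                   block_on: Iterable[str] = ("CRITICAL",)) -> Tuple[str, List[str]]:
    """Return (redacted_text, rule_ids); raise if any severity is in block_on."""
    if scan is None:
        from leakguard import scan_text as scan  # documented entry point
    findings = [f for f in scan(text) if f.secret]
    block = {s.upper() for s in block_on}
    # Assumption: severity renders as a string such as "HIGH".
    blocked = sorted({f.rule_id for f in findings
                      if str(f.severity).upper() in block})
    if blocked:
        # Report rule ids only, so the secret never reaches logs or tracebacks.
        raise ValueError("prompt blocked by rules: " + ", ".join(blocked))
    # Longest first: a secret nested inside a longer finding (a token inside
    # a credentialed URL) would otherwise leave the outer one half-redacted.
    for f in sorted(findings, key=lambda f: len(f.secret), reverse=True):
        text = text.replace(f.secret, f"[REDACTED:{f.rule_id}]")
    return text, sorted({f.rule_id for f in findings})
```

Called without the scan argument, the function imports scan_text from the installed package; the stub exists only so the example runs offline.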


CLI Usage

# Scan the current directory
leakguard check

# Scan a specific path
leakguard check --source ./src

# JSON output (e.g. for piping)
leakguard check --format json

# SARIF output (e.g. for GitHub Code Scanning)
leakguard check --format sarif

# Verbose mode (shows every file scanned/skipped)
leakguard check --verbose

# Include WARNING-level findings in detail output
leakguard check --warnings

# Limit file size (default: 1024 KB)
leakguard check --max-size 512

# Use a custom config file
leakguard check --config /path/to/leakguard.toml

# Write a GitHub Actions Job Summary
leakguard check --github-summary

# List all built-in rules
leakguard rules

# Generate a default config file
leakguard init-config

Exit codes

Code | Meaning
0 | No findings (or only LOW/WARNING severity)
1 | At least one CRITICAL, HIGH, or MEDIUM finding

Warnings

WARNING-level findings (e.g. plain HTTP URLs) are counted in the summary but suppressed in the detail output by default to reduce noise. Use --warnings to display them:

leakguard check --warnings

The summary line always shows the WARNING count regardless of this flag.


Configuration

Run leakguard init-config to create a leakguard.toml in the current directory:

[scan]
# Leave empty to scan all files (except .env and .git).
# Restrict to specific extensions:
# extensions = ["py", "js", "ts", "go", "yaml", "toml"]
extensions = []
exclude_paths = []
exclude_files = []

[rules]
# Disable specific rules by ID:
# disable = ["jwt-token", "http-insecure-url"]
disable = []

leakguard.toml is auto-loaded from the current directory if present.


Suppression

Add a suppression comment to any line to skip it:

api_url = "http://internal-service/api"  # leakguard-ignore

Supported markers: # leakguard-ignore, # noqa-secrets, # nosec-secrets
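
Since a suppressed line is skipped by the scanner, it helps to keep the set of suppressions under review. The following added example (not part of leakguard) lists every line carrying one of the three markers and reports those missing from a reviewed baseline; the function names, the fingerprint scheme, the tolerance for whitespace after "#" and the sample files are assumptions or constructed for the illustration.

```python
import hashlib
import os
import re
from typing import Dict, List, Set

# The three documented markers; tolerating optional whitespace after "#" is an
# assumption that errs toward over-reporting.
MARKER = re.compile(r"#\s*(leakguard-ignore|noqa-secrets|nosec-secrets)\b")


def fingerprint(path: str, line: str) -> str:
    """Stable id from path + stripped line: survives line shifts, keeps no line text."""
    return hashlib.sha256(f"{path}\0{line.strip()}".encode()).hexdigest()[:16]


def find_suppressions(files: Dict[str, str]) -> List[dict]:
    """Return one row per suppressed line, ordered by path and line number."""
    rows = []
    for path, content in sorted(files.items()):
        for no, line in enumerate(content.splitlines(), 1):
            m = MARKER.search(line)
            if m:
                rows.append({"path": path, "line": no, "marker": m.group(1),
                             "id": fingerprint(path, line)})
    return rows


def unapproved(files: Dict[str, str], baseline: Set[str]) -> List[dict]:
    """Suppressions whose fingerprint is not in the reviewed baseline."""
    return [r for r in find_suppressions(files) if r["id"] not in baseline]


def load_tree(root: str) -> Dict[str, str]:
    """Read files under root (skipping .git) as input for the audit."""
    files = {}
    for base, dirs, names in os.walk(root):
        dirs[:] = [d for d in dirs if d != ".git"]
        for n in names:
            p = os.path.join(base, n)
            with open(p, encoding="utf-8", errors="ignore") as fh:
                files[os.path.relpath(p, root)] = fh.read()
    return files


# Constructed sample tree.
SAMPLE = {
    "app/settings.py": 'API = "http://internal-service/api"  # leakguard-ignore\n'
                       'KEY = "CONSTRUCTED-VALUE"  # noqa-secrets\n',
    "deploy.sh": 'curl -u "svc:CONSTRUCTED" https://x.example  # nosec-secrets\n',
}
```

In CI, unapproved(load_tree("."), baseline) returning a non-empty list is the signal that a new suppression needs a reviewer's sign-off.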

leakguard also automatically skips common false positives:

Pattern | Example
Python f-strings / Jinja | postgresql://{DB_USER}:{DB_PASSWORD}@...
Shell variables | $DB_PASSWORD
Python %-format | %(password)s
Attribute references | settings.DB_PASSWORD, config.secret_key
localhost HTTP URLs | http://localhost:8080

Detection Coverage

Category | Examples
Cloud / VCS | AWS keys, GitHub/GitLab PATs, Google API keys, Stripe, Slack, NPM, Docker Hub
LLM / AI | OpenAI, Anthropic, Cohere, Mistral, Hugging Face, Replicate, Groq, Perplexity
Azure / M365 | Tenant/Client IDs, Storage keys, Service Bus, Cosmos DB, Teams webhooks, Graph API
Frontend / SaaS | Firebase, Mapbox, Sentry DSN, Contentful, Shopify, Algolia, Linear, Postman, PlanetScale, Cloudflare
Databases | PostgreSQL, MySQL, MongoDB, Redis, MSSQL, Elasticsearch, RabbitMQ, JDBC
Observability | Datadog, New Relic, Grafana, Honeycomb, Lightstep, OTLP endpoints
HTTP Auth | Basic Auth headers, Bearer tokens, credentials in URLs, curl commands
Crypto | PEM private keys (RSA, EC, DSA, OpenSSH)
Generic | High-entropy secrets matching common naming patterns, JWT tokens

Run leakguard rules to see all 89 rules with IDs, severity levels, and tags.


Severity Levels

Level | Description
CRITICAL | Direct credential exposure — rotate immediately
HIGH | Sensitive token or key with significant access
MEDIUM | Potentially sensitive, context-dependent
LOW | Low-risk exposure (e.g. publishable keys)
WARNING | Best-practice violation (e.g. plain HTTP URLs) — shown with --warnings

GitHub Actions

Use leakguard in your own pipeline

Add this job to any workflow to scan for secrets and write the results to the GitHub Job Summary:

jobs:
  leakguard:
    name: leakguard secret scan
    runs-on: ubuntu-latest
    permissions:
      contents: read

    steps:
      - uses: actions/checkout@v4

      - name: Install leakguard
        run: |
          curl -sSfL \
            https://github.com/adrian-lorenz/leakguard/releases/latest/download/leakguard-linux-amd64 \
            -o /usr/local/bin/leakguard
          chmod +x /usr/local/bin/leakguard

      - name: Run scan
        run: leakguard check --format markdown >> "$GITHUB_STEP_SUMMARY"

Or install via pip:

      - name: Install leakguard
        run: pip install leakguard-secret-leaks

      - name: Run scan
        run: leakguard check --format markdown >> "$GITHUB_STEP_SUMMARY"

Two ready-to-use workflows are also included in .github/workflows/.

Secret scan on every push — scan.yml

Runs leakguard check on every push and pull request, uploads results to GitHub Code Scanning as SARIF.

Replace YOUR_USERNAME in scan.yml with your GitHub username before pushing.


License

MIT — Copyright (c) 2026 Adrian Lorenz <a.lorenz@noa-x.de>

Source Distributions

No source distribution files available for this release.

Built Distributions

  • leakguard-0.5.2-cp38-abi3-win_amd64.whl (1.2 MB): CPython 3.8+, Windows x86-64
  • leakguard-0.5.2-cp38-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (1.5 MB): CPython 3.8+, manylinux: glibc 2.17+ x86-64
  • leakguard-0.5.2-cp38-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl (1.4 MB): CPython 3.8+, manylinux: glibc 2.17+ ARM64
  • leakguard-0.5.2-cp38-abi3-macosx_10_12_x86_64.macosx_11_0_arm64.macosx_10_12_universal2.whl (2.6 MB): CPython 3.8+, macOS 10.12+ universal2 (ARM64, x86-64), macOS 10.12+ x86-64, macOS 11.0+ ARM64

File details

Details for the file leakguard-0.5.2-cp38-abi3-win_amd64.whl.

File metadata

  • Download URL: leakguard-0.5.2-cp38-abi3-win_amd64.whl
  • Upload date:
  • Size: 1.2 MB
  • Tags: CPython 3.8+, Windows x86-64
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

Provenance

The following attestation bundles were made for leakguard-0.5.2-cp38-abi3-win_amd64.whl:

Publisher: release.yml on adrian-lorenz/leakguard

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
