
leakguard — fast secret scanner for your codebase

Project description

leakguard


A lightweight, zero-config secret scanner written in Rust, available as a CLI tool and as a Python library. It scans source code for accidentally committed secrets, credentials, and other sensitive data.


Features

  • 89 built-in detection rules covering cloud providers, LLMs, databases, HTTP auth, and more
  • Multiple output formats — pretty-printed, JSON, and SARIF
  • GitHub Actions integration — writes a formatted Job Summary to $GITHUB_STEP_SUMMARY
  • Inline suppression — annotate lines with # leakguard-ignore to silence known false positives
  • Configurable via leakguard.toml — restrict file extensions, exclude paths, disable rules
  • Sorted output — findings ordered by severity (CRITICAL → HIGH → MEDIUM → LOW → WARNING), then by file and line
  • Smart false-positive filtering — skips template variables, shell variables, and attribute references
  • Binary-safe — skips non-text files automatically
  • Respects .env files — always excluded from scanning

Installation

From source

git clone https://github.com/adrian-lorenz/leakguard.git
cd leakguard
cargo install --path .

via pip

pip install leakguard-secret-leaks
leakguard check .

Pre-built binaries

Download the latest binary for your platform from the Releases page:

Platform              File
Linux x86_64          leakguard-linux-amd64
Linux ARM64           leakguard-linux-arm64
Windows x86_64        leakguard-windows-amd64.exe
macOS Apple Silicon   leakguard-macos-arm64

# Linux / macOS — make executable and move to PATH
chmod +x leakguard-linux-amd64
sudo mv leakguard-linux-amd64 /usr/local/bin/leakguard

Python Library

After installing via pip install leakguard-secret-leaks, you can use leakguard directly from Python — e.g. to scan text before sending it to an LLM:

from leakguard import scan_text

text = "My API key is sk-proj-abc123xyz..."

findings = scan_text(text)
for f in findings:
    print(f.rule_id, f.severity, f.secret)

# Disable specific rules by ID:
findings = scan_text(text, disable_rules=["http-insecure-url"])

Each finding has the attributes: rule_id, description, severity, line_number, line, secret, tags.
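The "scan text before sending it to an LLM" use case needs one more step than the snippet above: the caller has to decide what to do with the findings. The following is an added example, not leakguard's own code. It redacts every detected secret and refuses to forward text that contained a CRITICAL or HIGH finding (that threshold is a policy choice assumed here). The `Finding` class only mirrors the attribute names listed above; `standin_scan_text`, with its two toy rules, is a constructed stand-in so the block runs offline, and `guard_prompt` takes the scan function as a parameter so `leakguard.scan_text` can be passed in its place.

```python
# Added example, not part of leakguard: a pre-LLM gate built on scan_text-style findings.
from dataclasses import dataclass, field
import re


@dataclass
class Finding:
    # Attribute names follow the leakguard finding attributes listed in the README.
    rule_id: str
    description: str
    severity: str          # CRITICAL / HIGH / MEDIUM / LOW / WARNING
    line_number: int
    line: str
    secret: str
    tags: list = field(default_factory=list)


# Severities that must never reach the model (policy choice assumed for this example).
BLOCKING = {"CRITICAL", "HIGH"}


def redact(text, findings):
    """Replace each detected secret with a placeholder that names the rule.

    Longer secrets are replaced first, so a short secret that happens to be a
    substring of a longer one cannot break the longer replacement.
    """
    for f in sorted(findings, key=lambda f: len(f.secret), reverse=True):
        if f.secret:
            text = text.replace(f.secret, f"[REDACTED:{f.rule_id}]")
    return text


def guard_prompt(text, scan):
    """Scan `text` with `scan` (e.g. leakguard.scan_text) and return
    (allowed, redacted_text, findings).

    allowed is False when a blocking-severity secret was present, so the caller
    can refuse the request outright instead of forwarding even the redacted text.
    """
    findings = scan(text)
    blocked = any(f.severity in BLOCKING for f in findings)
    return (not blocked, redact(text, findings), findings)


# Constructed stand-in for leakguard.scan_text with two toy rules (assumed, not leakguard's).
_STANDIN_RULES = [
    ("openai-api-key", "OpenAI API key", "CRITICAL", re.compile(r"sk-proj-[A-Za-z0-9]{8,}")),
    ("http-insecure-url", "Plain HTTP URL", "WARNING", re.compile(r"http://\S+")),
]


def standin_scan_text(text):
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for rule_id, desc, sev, rx in _STANDIN_RULES:
            for m in rx.finditer(line):
                findings.append(Finding(rule_id, desc, sev, n, line, m.group(0), ["constructed"]))
    return findings


if __name__ == "__main__":
    sample = "Please debug this: my key is sk-proj-abc123xyz999 and the host is http://internal/api"
    ok, safe, found = guard_prompt(sample, standin_scan_text)
    print("allowed:", ok)
    print("redacted:", safe)
    print("rules hit:", [f.rule_id for f in found])
```

With the real library the call becomes `guard_prompt(user_text, scan_text)`; the redacted text is what you log or show back to the user, and a `False` first element is the signal to drop the request rather than send it on.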


CLI Usage

# Scan the current directory
leakguard check

# Scan a specific path
leakguard check --source ./src

# JSON output (e.g. for piping)
leakguard check --format json

# SARIF output (e.g. for GitHub Code Scanning)
leakguard check --format sarif

# Verbose mode (shows every file scanned/skipped)
leakguard check --verbose

# Include WARNING-level findings in detail output
leakguard check --warnings

# Limit file size (default: 1024 KB)
leakguard check --max-size 512

# Use a custom config file
leakguard check --config /path/to/leakguard.toml

# Write a GitHub Actions Job Summary
leakguard check --github-summary

# List all built-in rules
leakguard rules

# Generate a default config file
leakguard init-config
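Because `--format sarif` exists for the GitHub Code Scanning upload, it is worth seeing what that format has to contain. The block below is an added example, not leakguard's SARIF writer: it turns a list of findings (constructed here, with the README's finding attribute names plus a `file` field) into a minimal SARIF 2.1.0 log. The mapping of the five leakguard severities onto SARIF's four `level` values is a choice made for this example, and the fingerprint scheme is likewise assumed; the point it makes is that the uploaded artifact identifies the finding by rule, file, line and a hash without ever containing the secret itself.

```python
# Added example, not leakguard's own code: findings -> minimal SARIF 2.1.0 document.
import hashlib
import json

# SARIF "level" only has error/warning/note/none, so the five severities
# are folded into those. This mapping is chosen for the example, not leakguard's.
LEVEL_FOR = {
    "CRITICAL": "error",
    "HIGH": "error",
    "MEDIUM": "warning",
    "LOW": "note",
    "WARNING": "note",
}


def fingerprint(f):
    """Stable id for de-duplication across uploads: a truncated SHA-256 of
    rule, file and secret. The secret goes into the hash, never into the file."""
    raw = f"{f['rule_id']}|{f['file']}|{f['secret']}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]


def to_sarif(findings, tool_name="leakguard", tool_version="0.5.3"):
    rules = {}
    results = []
    for f in findings:
        # One rule entry per distinct rule id, in first-seen order.
        rules.setdefault(f["rule_id"], {
            "id": f["rule_id"],
            "shortDescription": {"text": f["description"]},
            "properties": {"tags": list(f.get("tags", [])), "severity": f["severity"]},
        })
        results.append({
            "ruleId": f["rule_id"],
            "level": LEVEL_FOR[f["severity"]],
            # Message names the rule and severity only; SARIF uploads are retained.
            "message": {"text": f"{f['description']} ({f['severity']})"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"], "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": f["line_number"]},
            }}],
            "partialFingerprints": {"leakguard/secretHash": fingerprint(f)},
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version,
                                "rules": list(rules.values())}},
            "results": results,
        }],
    }


def sarif_json(findings):
    """Serialised form, as it would be written to the file passed to the upload step."""
    return json.dumps(to_sarif(findings), indent=2)


# Constructed findings (the AWS key below is the public documentation placeholder).
SAMPLE_FINDINGS = [
    {"rule_id": "aws-access-key-id", "description": "AWS access key ID",
     "severity": "CRITICAL", "file": "deploy.sh", "line_number": 12,
     "line": "export AWS_ACCESS_KEY_ID=...", "secret": "AKIAIOSFODNN7EXAMPLE",
     "tags": ["aws", "cloud"]},
    {"rule_id": "http-insecure-url", "description": "Plain HTTP URL",
     "severity": "WARNING", "file": "settings.py", "line_number": 3,
     "line": "api_url = ...", "secret": "http://internal-service/api",
     "tags": ["http"]},
]

if __name__ == "__main__":
    print(sarif_json(SAMPLE_FINDINGS))
```

The `partialFingerprints` entry is what lets a code-scanning backend recognise the same finding across commits when line numbers shift; hashing the secret instead of storing it keeps the uploaded log from becoming a second copy of the leak.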

Exit codes

Code Meaning
0 No findings (or only LOW/WARNING severity)
1 At least one CRITICAL, HIGH, or MEDIUM finding

Warnings

WARNING-level findings (e.g. plain HTTP URLs) are counted in the summary but suppressed in the detail output by default to reduce noise. Use --warnings to display them:

leakguard check --warnings

The summary line always shows the WARNING count regardless of this flag.


Configuration

Run leakguard init-config to create a leakguard.toml in the current directory:

[scan]
# Leave empty to scan all files (except .env and .git).
# Restrict to specific extensions:
# extensions = ["py", "js", "ts", "go", "yaml", "toml"]
extensions = []
exclude_paths = []
exclude_files = []

[rules]
# Disable specific rules by ID:
# disable = ["jwt-token", "http-insecure-url"]
disable = []

leakguard.toml is auto-loaded from the current directory if present.


Suppression

Add a suppression comment to any line to skip it:

api_url = "http://internal-service/api"  # leakguard-ignore

Supported markers: # leakguard-ignore, # noqa-secrets, # nosec-secrets

leakguard also automatically skips common false positives:

Pattern Example
Python f-strings / Jinja postgresql://{DB_USER}:{DB_PASSWORD}@...
Shell variables $DB_PASSWORD
Python %-format %(password)s
Attribute references settings.DB_PASSWORD, config.secret_key
localhost HTTP URLs http://localhost:8080
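To make the suppression markers and the false-positive table concrete, here is an added example (not leakguard's scanner, whose rules and filters are not reproduced here) that implements the same ideas over a small constructed file set: four toy rules, the three suppression markers, the five placeholder shapes from the table, the severity-then-file-then-line ordering described under Features, and the exit-code policy from the table above. Rule names, regexes and sample lines are all assumed for the example.

```python
# Added example, not leakguard's own code: a minimal scanner with inline suppression,
# false-positive filtering, severity ordering and the documented exit-code policy.
import re

SUPPRESS_MARKERS = ("leakguard-ignore", "noqa-secrets", "nosec-secrets")
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "WARNING": 4}

# (rule_id, severity, regex with a named `secret` group); toy rules assumed for the example.
RULES = [
    ("aws-access-key-id", "CRITICAL", re.compile(r"(?P<secret>AKIA[0-9A-Z]{16})")),
    ("postgres-url", "HIGH",
     re.compile(r"(?P<secret>postgres(?:ql)?://[^\s\"']+:[^\s\"'@]+@[^\s\"']+)")),
    ("generic-password", "MEDIUM",
     re.compile(r"password\s*[=:]\s*[\"'](?P<secret>[^\"']{6,})[\"']", re.I)),
    ("http-insecure-url", "WARNING", re.compile(r"(?P<secret>http://[^\s\"']+)")),
]

# Shapes that reference a value rather than contain it (the README's false-positive table).
FALSE_POSITIVE_PATTERNS = [
    re.compile(r"\{[A-Za-z_][A-Za-z0-9_]*\}"),                            # f-string / Jinja
    re.compile(r"\$\{?[A-Za-z_][A-Za-z0-9_]*\}?"),                       # shell $VAR / ${VAR}
    re.compile(r"%\([A-Za-z_][A-Za-z0-9_]*\)s"),                         # Python %(name)s
    re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)+$"),  # settings.DB_PASSWORD
    re.compile(r"^https?://(localhost|127\.0\.0\.1)(:\d+)?(/|$)"),       # local URLs
]


def is_suppressed(line):
    """True when a suppression marker appears in the line's trailing comment."""
    comment = line.split("#", 1)[1] if "#" in line else ""
    return any(marker in comment for marker in SUPPRESS_MARKERS)


def looks_like_placeholder(secret):
    return any(p.search(secret) for p in FALSE_POSITIVE_PATTERNS)


def scan_lines(path, lines):
    """Return findings as dicts: rule_id, severity, file, line_number, secret."""
    findings = []
    for n, line in enumerate(lines, start=1):
        if is_suppressed(line):
            continue
        for rule_id, severity, rx in RULES:
            for m in rx.finditer(line):
                secret = m.group("secret")
                if looks_like_placeholder(secret):
                    continue
                findings.append({"rule_id": rule_id, "severity": severity,
                                 "file": path, "line_number": n, "secret": secret})
    return findings


def sort_findings(findings):
    # Severity first (CRITICAL ... WARNING), then file, then line.
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]],
                                           f["file"], f["line_number"]))


def exit_code(findings):
    # 1 when anything MEDIUM or worse is present; LOW/WARNING alone return 0.
    worst = min((SEVERITY_RANK[f["severity"]] for f in findings), default=99)
    return 1 if worst <= SEVERITY_RANK["MEDIUM"] else 0


# Constructed sample files; the AWS key is the public documentation placeholder.
SAMPLE_FILES = {
    "settings.py": [
        'DB_URL = "postgresql://{DB_USER}:{DB_PASSWORD}@db/app"',        # template -> skipped
        'password = "hunter2hunter2"',                                    # MEDIUM finding
        'api_url = "http://internal-service/api"  # leakguard-ignore',   # suppressed
        'health = "http://localhost:8080/health"',                       # localhost -> skipped
    ],
    "deploy.sh": [
        'export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE',                  # CRITICAL finding
        'export DB_PASSWORD=$DB_PASSWORD',                                # shell variable, no rule hit
        'curl http://metrics.internal/push',                              # WARNING finding
    ],
}


def scan_all(files=SAMPLE_FILES):
    findings = []
    for path, lines in files.items():
        findings.extend(scan_lines(path, lines))
    return sort_findings(findings)


if __name__ == "__main__":
    for f in scan_all():
        print(f"{f['severity']:8} {f['file']}:{f['line_number']} {f['rule_id']}")
    print("exit code:", exit_code(scan_all()))
```

Note that the suppression check only looks at the part of the line after `#`, so a marker that merely appears inside a string literal does not silence the finding, and the placeholder filters run on the matched secret rather than the whole line, so a real value next to a template variable is still reported.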

Detection Coverage

Category Examples
Cloud / VCS AWS keys, GitHub/GitLab PATs, Google API keys, Stripe, Slack, NPM, Docker Hub
LLM / AI OpenAI, Anthropic, Cohere, Mistral, Hugging Face, Replicate, Groq, Perplexity
Azure / M365 Tenant/Client IDs, Storage keys, Service Bus, Cosmos DB, Teams webhooks, Graph API
Frontend / SaaS Firebase, Mapbox, Sentry DSN, Contentful, Shopify, Algolia, Linear, Postman, PlanetScale, Cloudflare
Databases PostgreSQL, MySQL, MongoDB, Redis, MSSQL, Elasticsearch, RabbitMQ, JDBC
Observability Datadog, New Relic, Grafana, Honeycomb, Lightstep, OTLP endpoints
HTTP Auth Basic Auth headers, Bearer tokens, credentials in URLs, curl commands
Crypto PEM private keys (RSA, EC, DSA, OpenSSH)
Generic High-entropy secrets matching common naming patterns, JWT tokens

Run leakguard rules to see all 89 rules with IDs, severity levels, and tags.


Severity Levels

Level Description
CRITICAL Direct credential exposure — rotate immediately
HIGH Sensitive token or key with significant access
MEDIUM Potentially sensitive, context-dependent
LOW Low-risk exposure (e.g. publishable keys)
WARNING Best-practice violation (e.g. plain HTTP URLs) — shown with --warnings

GitHub Actions

Use leakguard in your own pipeline

Add this job to any workflow to scan for secrets and write the results to the GitHub Job Summary:

jobs:
  leakguard:
    name: leakguard secret scan
    runs-on: ubuntu-latest
    permissions:
      contents: read

    steps:
      - uses: actions/checkout@v4

      - name: Install leakguard
        run: |
          curl -sSfL \
            https://github.com/adrian-lorenz/leakguard/releases/latest/download/leakguard-linux-amd64 \
            -o /usr/local/bin/leakguard
          chmod +x /usr/local/bin/leakguard

      - name: Run scan
        run: leakguard check --format markdown >> "$GITHUB_STEP_SUMMARY"

Or install via pip:

      - name: Install leakguard
        run: pip install leakguard-secret-leaks

      - name: Run scan
        run: leakguard check --format markdown >> "$GITHUB_STEP_SUMMARY"

Two ready-to-use workflows are also included in .github/workflows/.

Secret scan on every push — scan.yml

Runs leakguard check on every push and pull request, uploads results to GitHub Code Scanning as SARIF.

Replace YOUR_USERNAME in scan.yml with your GitHub username before pushing.


License

MIT — Copyright (c) 2026 Adrian Lorenz <a.lorenz@noa-x.de>


Download files

Download the file for your platform.

Source Distributions

No source distribution files available for this release.

Built Distributions


leakguard-0.5.3-cp38-abi3-win_amd64.whl (1.2 MB)

Uploaded: CPython 3.8+, Windows x86-64

leakguard-0.5.3-cp38-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (1.5 MB)

Uploaded: CPython 3.8+, manylinux: glibc 2.17+ x86-64

leakguard-0.5.3-cp38-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl (1.4 MB)

Uploaded: CPython 3.8+, manylinux: glibc 2.17+ ARM64

leakguard-0.5.3-cp38-abi3-macosx_10_12_x86_64.macosx_11_0_arm64.macosx_10_12_universal2.whl (2.6 MB)

Uploaded: CPython 3.8+, macOS 10.12+ universal2 (ARM64, x86-64), macOS 10.12+ x86-64, macOS 11.0+ ARM64

File details

Details for the file leakguard-0.5.3-cp38-abi3-win_amd64.whl.

File metadata

  • Download URL: leakguard-0.5.3-cp38-abi3-win_amd64.whl
  • Upload date:
  • Size: 1.2 MB
  • Tags: CPython 3.8+, Windows x86-64
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for leakguard-0.5.3-cp38-abi3-win_amd64.whl
Algorithm Hash digest
SHA256 926cb9e9e66bb27ac1a58a69fea0b8c707a67de45c1c12c9857154aab4219acb
MD5 444836a04e9073d180973e1fde1df327
BLAKE2b-256 1482ec6ac940c7d7a21635c08b0a2e8f0035d4dc09acc75294a7ad8afd57425e

Provenance

The following attestation bundles were made for leakguard-0.5.3-cp38-abi3-win_amd64.whl:

Publisher: release.yml on adrian-lorenz/leakguard

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file leakguard-0.5.3-cp38-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.

File hashes

Hashes for leakguard-0.5.3-cp38-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Algorithm Hash digest
SHA256 c67a197f1ccb9d8f90f27ff23c169576a49d88845908e90372b95d296735dd32
MD5 c667422fdf69a8e31aff9d400cceafad
BLAKE2b-256 739e603cce98f02576c39fa0a0985ae7b905536ae83ecfd8b274b8c784136b60

Provenance

The following attestation bundles were made for leakguard-0.5.3-cp38-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl:

Publisher: release.yml on adrian-lorenz/leakguard

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file leakguard-0.5.3-cp38-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl.

File hashes

Hashes for leakguard-0.5.3-cp38-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl
Algorithm Hash digest
SHA256 2390abfb94ed99afd334523b6b9c1f470c089fde6426f2453dd3efc5f0d2cc9c
MD5 81831cb2b9b06daeec9d7ed224ed784b
BLAKE2b-256 04c9756681b1565adc6e559218efecdf477f48a8ff6a8786ed45b3e8c8bb45d8

Provenance

The following attestation bundles were made for leakguard-0.5.3-cp38-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl:

Publisher: release.yml on adrian-lorenz/leakguard

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file leakguard-0.5.3-cp38-abi3-macosx_10_12_x86_64.macosx_11_0_arm64.macosx_10_12_universal2.whl.

File hashes

Hashes for leakguard-0.5.3-cp38-abi3-macosx_10_12_x86_64.macosx_11_0_arm64.macosx_10_12_universal2.whl
Algorithm Hash digest
SHA256 9838d535db58c14cdd811c04373ce2b3ff4e0f38aba53493303874cc8fa002c5
MD5 0cf82fcf525f185b3652d8f0991e5c70
BLAKE2b-256 e1ac363566da6ba83052051c4dd87feb2420f4f28dd1e01a3009c53b215b80b4

Provenance

The following attestation bundles were made for leakguard-0.5.3-cp38-abi3-macosx_10_12_x86_64.macosx_11_0_arm64.macosx_10_12_universal2.whl:

Publisher: release.yml on adrian-lorenz/leakguard

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
