leakguard — fast secret scanner for your codebase

leakguard

Fast, lightweight secret scanner for codebases (Rust CLI + Python package).

leakguard scans source files for accidentally committed credentials, tokens, and sensitive config values.

Why leakguard

  • 104 built-in rules across cloud, LLM, database, HTTP auth, observability, and SaaS ecosystems
  • Fast local scanning with sensible defaults
  • CI-friendly outputs: pretty, json, sarif, markdown
  • GitHub Actions summary support via --github-summary
  • False-positive controls: inline ignore markers + rule-level disable in config
  • Binary-safe scanning: non-text files are skipped
  • Safe defaults: .env files are excluded from scanning

Quickstart

Install from source

git clone https://github.com/adrian-lorenz/leakguard.git
cd leakguard
cargo install --path .

Install via pip

pip install leakguard-secret-leaks
leakguard check .

Use prebuilt binaries

Download the latest release from GitHub Releases.

Platform              Binary
Linux x86_64          leakguard-linux-amd64
Linux ARM64           leakguard-linux-arm64
Windows x86_64        leakguard-windows-amd64.exe
macOS Apple Silicon   leakguard-macos-arm64

chmod +x leakguard-linux-amd64
sudo mv leakguard-linux-amd64 /usr/local/bin/leakguard

CLI

Common commands

# Scan current directory
leakguard check

# Scan specific path
leakguard check --source ./src

# JSON for automation
leakguard check --format json

# SARIF for GitHub code scanning
leakguard check --format sarif

# Markdown report (useful for CI summaries)
leakguard check --format markdown

# Show warning-level findings in details
leakguard check --warnings

# Verbose file-level logging
leakguard check --verbose

# Max file size in KB (default: 1024)
leakguard check --max-size 512

# Use custom config file
leakguard check --config /path/to/leakguard.toml

# Write GitHub Actions job summary
leakguard check --github-summary

# Show all built-in rules
leakguard rules

# Create default config
leakguard init-config

Exit codes

Code  Meaning
0     No findings, or only LOW / WARNING findings
1     At least one CRITICAL, HIGH, or MEDIUM finding

Python API

Use leakguard as a library, for example before sending text to an LLM:

from leakguard import scan_text

findings = scan_text("My API key is sk-proj-abc123xyz...")
for f in findings:
    print(f.rule_id, f.severity, f.secret)

# Disable specific rules for this call
findings = scan_text("...", disable_rules=["http-insecure-url"])

Finding fields: rule_id, description, severity, line_number, line, secret, tags
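
One way to apply this before an LLM call, as an added example (not leakguard's own code): redact every finding whose severity would make `leakguard check` exit 1 and pass the rest through. `guard_prompt`, `SampleFinding` and `sample_scan` are hypothetical names, the sample findings are constructed so the block runs without leakguard installed, and the form of `severity` (string or enum-like) is an assumption.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

# Severities that make `leakguard check` exit 1, per the exit-code table.
BLOCKING = {"CRITICAL", "HIGH", "MEDIUM"}


@dataclass
class SampleFinding:
    """Constructed stand-in exposing three of the documented Finding fields."""
    rule_id: str
    severity: str
    secret: str


def _severity(finding) -> str:
    # Assumption: severity is a string or an enum-like object whose name
    # matches the level names used in the exit-code table.
    sev = finding.severity
    return str(getattr(sev, "name", sev)).upper()


def guard_prompt(text: str, scan: Callable[[str], Iterable] = None) -> Tuple[str, List[str]]:
    """Redact blocking-severity secrets from text; return (safe_text, rule_ids)."""
    if scan is None:
        from leakguard import scan_text as scan  # real scanner, imported lazily
    hits = [f for f in scan(text) if _severity(f) in BLOCKING and f.secret]
    # Replace longer secrets first so a short match cannot split a longer one.
    for f in sorted(hits, key=lambda f: len(f.secret), reverse=True):
        text = text.replace(f.secret, f"[REDACTED:{f.rule_id}]")
    return text, sorted({f.rule_id for f in hits})


def sample_scan(text: str) -> List[SampleFinding]:
    """Constructed scanner for the demo; findings and severities are made up."""
    out = []
    if "sk-proj-abc123xyz" in text:
        out.append(SampleFinding("sample-llm-key", "HIGH", "sk-proj-abc123xyz"))
    if "http://intranet/" in text:
        out.append(SampleFinding("http-insecure-url", "WARNING", "http://intranet/"))
    return out


if __name__ == "__main__":
    print(guard_prompt("My API key is sk-proj-abc123xyz, docs at http://intranet/", sample_scan))
```

Calling `guard_prompt(text)` without a second argument uses the installed `leakguard.scan_text`.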

Configuration

Generate a config file:

leakguard init-config

Default leakguard.toml:

[scan]
# Empty means all files except .env and .git
extensions = []
exclude_paths = []
exclude_files = []

[rules]
# Example: disable = ["jwt-token", "http-insecure-url"]
disable = []

Auto-loading behavior:

  • leakguard.toml in the current working directory is loaded automatically.

Suppression and false positives

Inline suppression markers on a line:

api_url = "http://internal-service/api"  # leakguard-ignore

Supported markers:

  • # leakguard-ignore
  • # noqa-secrets
  • # nosec-secrets

Built-in false-positive filtering includes patterns such as:

  • templated values ({DB_PASSWORD}, %(password)s)
  • shell variable references ($DB_PASSWORD)
  • attribute references (settings.DB_PASSWORD)
  • localhost URLs (http://localhost:8080)
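
Inline markers hide a line from the scanner, so they are worth reviewing like any other security exception. The following added example (not part of leakguard; `audit_suppressions` and the demo files are constructed for illustration) lists every line in a tree that carries one of the three supported markers.

```python
import os
import tempfile
from typing import List, Tuple

# The three inline markers the README lists as supported.
MARKERS = ("# leakguard-ignore", "# noqa-secrets", "# nosec-secrets")


def audit_suppressions(root: str) -> List[Tuple[str, int, str, str]]:
    """Return (relative_path, line_number, marker, line) for every suppressed line."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d != ".git")
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            if b"\0" in data:  # crude binary check, used by this audit only
                continue
            for no, raw in enumerate(data.split(b"\n"), 1):
                line = raw.decode("utf-8", "replace")
                for marker in MARKERS:
                    if marker in line:
                        hits.append((os.path.relpath(path, root), no, marker, line.strip()))
                        break
    return hits


def demo() -> List[Tuple[str, int, str, str]]:
    """Build a constructed two-file tree and audit it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "settings.py"), "w") as fh:
            fh.write('DEBUG = True\napi_url = "http://internal-service/api"  # leakguard-ignore\n')
        with open(os.path.join(root, "deploy.sh"), "w") as fh:
            fh.write('TOKEN="constructed-example-value"  # nosec-secrets\n')
        return audit_suppressions(root)


if __name__ == "__main__":
    for path, no, marker, line in demo():
        print(f"{path}:{no}: [{marker}] {line}")
```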

Detection coverage

Current built-in categories include:

  • Cloud / VCS: AWS, GitHub/GitLab, Google, Stripe, Slack, NPM, Docker Hub
  • LLM / AI: OpenAI, Anthropic, Cohere, Mistral, Hugging Face, Groq, Perplexity, xAI, and related env leaks
  • Azure / M365: tenant/app credentials, storage/service keys, Graph, Teams webhooks
  • Databases / BaaS: PostgreSQL/MySQL/Mongo/Redis/MSSQL/JDBC, Supabase
  • Observability: Datadog, New Relic, Grafana, Honeycomb, OTLP-related patterns
  • HTTP/Auth: Bearer/Basic headers, credentialed URLs
  • Crypto / Generic: PEM keys, JWT-like tokens, high-entropy secret assignments

Use leakguard rules for the complete, authoritative list.

GitHub Actions

Example workflow job:

jobs:
  leakguard:
    name: leakguard secret scan
    runs-on: ubuntu-latest
    permissions:
      contents: read

    steps:
      - uses: actions/checkout@v4

      - name: Install leakguard
        run: |
          curl -sSfL \
            https://github.com/adrian-lorenz/leakguard/releases/latest/download/leakguard-linux-amd64 \
            -o /usr/local/bin/leakguard
          chmod +x /usr/local/bin/leakguard

      - name: Run scan
        run: leakguard check --format markdown >> "$GITHUB_STEP_SUMMARY"

Alternative install method:

- name: Install leakguard
  run: pip install leakguard-secret-leaks

License

MIT — Copyright (c) 2026 Adrian Lorenz a.lorenz@noa-x.de

Download files

Source Distributions

No source distribution files available for this release.

Built Distributions

leakguard-0.5.4-cp38-abi3-win_amd64.whl (1.2 MB)
Uploaded: CPython 3.8+, Windows x86-64

leakguard-0.5.4-cp38-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (1.5 MB)
Uploaded: CPython 3.8+, manylinux: glibc 2.17+ x86-64

leakguard-0.5.4-cp38-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl (1.4 MB)
Uploaded: CPython 3.8+, manylinux: glibc 2.17+ ARM64

leakguard-0.5.4-cp38-abi3-macosx_10_12_x86_64.macosx_11_0_arm64.macosx_10_12_universal2.whl (2.6 MB)
Uploaded: CPython 3.8+, macOS 10.12+ universal2 (ARM64, x86-64), macOS 10.12+ x86-64, macOS 11.0+ ARM64

File details

Details for the file leakguard-0.5.4-cp38-abi3-win_amd64.whl.

File metadata

  • Download URL: leakguard-0.5.4-cp38-abi3-win_amd64.whl
  • Upload date:
  • Size: 1.2 MB
  • Tags: CPython 3.8+, Windows x86-64
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

Provenance

The following attestation bundles were made for leakguard-0.5.4-cp38-abi3-win_amd64.whl:

Publisher: release.yml on adrian-lorenz/leakguard

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
