CLI scanner for exposed secrets in Git repositories using pattern matching and Shannon entropy detection
Project description
LeakWatch
A simplified credentials and exposed secrets scanner for Git repositories.
Why
This tool exists because I accidentally committed a MongoDB connection string with production credentials to a public repo. That incident showed me how easily a secret can slip through a code review, so I built LeakWatch to catch these before they ever reach GitHub.
Installation
To install LeakWatch in editable mode for development, clone the repository and run:
pip install -e .
To install dev dependencies (such as pytest) as well, run:
pip install -e .[dev]
Usage
LeakWatch provides a command-line interface with three main command groups:
1. Scanning files and Git history
To scan a directory or a specific file:
leakwatch scan /path/to/target
To scan the entire Git commit history across all branches:
leakwatch scan /path/to/repo --history
To format the output (options: console, json, sarif):
leakwatch scan /path/to/target --format json
2. Initializing Configuration
To generate a sample configuration file .leakwatch.yml in the current working directory:
leakwatch config init
3. Installing Pre-Commit Hooks
To configure a Git pre-commit hook (runs automatically before commits):
leakwatch install-hook
Note: This command is currently a placeholder and will be completed in a future release.
How it works
LeakWatch implements a two-pronged scanning strategy:
- Pattern Matching: Scans file contents line-by-line using regular expressions configured for specific known services (such as AWS Access Keys, MongoDB, Postgres, MySQL connection strings, Stripe keys, JWT tokens, and PEM private keys).
- Entropy Analysis: Evaluates Shannon entropy for long alphanumeric strings (length greater than 20 characters). Candidates that exceed a configurable threshold (default: 4.5) are flagged as potential high-entropy secrets (e.g. random API keys or database passwords).
Paths can be ignored and specific false positives can be allowed by editing .leakwatch.yml.
Roadmap
- Full Git commit history scanning (Complete)
- Basic and configurable Shannon entropy analysis (Complete)
- Extensible SARIF output format support (Stub implemented)
- Automated pre-commit hook installation
- Publishing the package to PyPI
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file leakwatch_cli-0.1.0.tar.gz.
File metadata
- Download URL: leakwatch_cli-0.1.0.tar.gz
- Upload date:
- Size: 14.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
544235435e3b0b725f5a187b566d459fc9668686ebf29f7c2a6a7af99af84fde
|
|
| MD5 |
9c3e8c3e03130b26c213ce7c1cd8dc14
|
|
| BLAKE2b-256 |
a8324596c4c251fddcb7f697dd9209767403f545ce30cc627ef0b2be3edaeb8a
|
File details
Details for the file leakwatch_cli-0.1.0-py3-none-any.whl.
File metadata
- Download URL: leakwatch_cli-0.1.0-py3-none-any.whl
- Upload date:
- Size: 14.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
7ff0d8af941c9cda8dde6cfd925395e489a1d26df5af2ece80de00cdc7d9e8a9
|
|
| MD5 |
a422b3b2ea1324d6f42e3db5b860deba
|
|
| BLAKE2b-256 |
125a4e1c7af5a40d37f090bf5ed511bb5cf4c8a4764164fce3f59d765dd2d539
|