Skip to main content

CLI scanner for exposed secrets in Git repositories using pattern matching and Shannon entropy detection

Project description

LeakWatch

A simplified credentials and exposed secrets scanner for Git repositories.

Why

This tool exists because I accidentally committed a MongoDB connection string with production credentials to a public repo. That incident showed me how easily a secret can slip through a code review, so I built LeakWatch to catch these before they ever reach GitHub.

Installation

To install LeakWatch in editable mode for development, clone the repository and run:

pip install -e .

To install dev dependencies (such as pytest) as well, run:

pip install -e .[dev]

Usage

LeakWatch provides a command-line interface with three main command groups:

1. Scanning files and Git history

To scan a directory or a specific file:

leakwatch scan /path/to/target

To scan the entire Git commit history across all branches:

leakwatch scan /path/to/repo --history

To format the output (options: console, json, sarif):

leakwatch scan /path/to/target --format json

2. Initializing Configuration

To generate a sample configuration file .leakwatch.yml in the current working directory:

leakwatch config init

3. Installing Pre-Commit Hooks

To configure a Git pre-commit hook (runs automatically before commits):

leakwatch install-hook

Note: This command is currently a placeholder and will be completed in a future release.

How it works

LeakWatch implements a two-pronged scanning strategy:

  1. Pattern Matching: Scans file contents line-by-line using regular expressions configured for specific known services (such as AWS Access Keys, MongoDB, Postgres, MySQL connection strings, Stripe keys, JWT tokens, and PEM private keys).
  2. Entropy Analysis: Evaluates Shannon entropy for long alphanumeric strings (length greater than 20 characters). Candidates that exceed a configurable threshold (default: 4.5) are flagged as potential high-entropy secrets (e.g. random API keys or database passwords).

Paths can be ignored and specific false positives can be allowed by editing .leakwatch.yml.

Roadmap

  • Full Git commit history scanning (Complete)
  • Basic and configurable Shannon entropy analysis (Complete)
  • Extensible SARIF output format support (Stub implemented)
  • Automated pre-commit hook installation
  • Publishing the package to PyPI

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

leakwatch_cli-0.1.0.tar.gz (14.8 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

leakwatch_cli-0.1.0-py3-none-any.whl (14.9 kB view details)

Uploaded Python 3

File details

Details for the file leakwatch_cli-0.1.0.tar.gz.

File metadata

  • Download URL: leakwatch_cli-0.1.0.tar.gz
  • Upload date:
  • Size: 14.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.10

File hashes

Hashes for leakwatch_cli-0.1.0.tar.gz
Algorithm Hash digest
SHA256 544235435e3b0b725f5a187b566d459fc9668686ebf29f7c2a6a7af99af84fde
MD5 9c3e8c3e03130b26c213ce7c1cd8dc14
BLAKE2b-256 a8324596c4c251fddcb7f697dd9209767403f545ce30cc627ef0b2be3edaeb8a

See more details on using hashes here.

File details

Details for the file leakwatch_cli-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: leakwatch_cli-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 14.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.10

File hashes

Hashes for leakwatch_cli-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 7ff0d8af941c9cda8dde6cfd925395e489a1d26df5af2ece80de00cdc7d9e8a9
MD5 a422b3b2ea1324d6f42e3db5b860deba
BLAKE2b-256 125a4e1c7af5a40d37f090bf5ed511bb5cf4c8a4764164fce3f59d765dd2d539

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page