Skip to main content

Defensive-security / responsible-disclosure platform that scans public GitHub repos for exposed secrets.

Project description

Open Source Secret Watcher

A defensive-security and responsible-disclosure platform that discovers public GitHub repositories, scans them for potentially exposed secrets using the official TruffleHog CLI, classifies and scores findings (reducing false positives with regex + entropy analysis), and helps repository maintainers remediate.

Built for education, portfolio use, defensive security, and responsible disclosure.


⚠️ Safety principles (enforced in code, not just documented)

This tool is deliberately constrained so it cannot be misused as an attack tool:

  • Public repositories only.
  • It never uses, authenticates with, sends requests using, or tests a discovered credential, and never tries to determine whether one is active.
  • The regex/entropy layers only decide whether a string resembles a known credential format. They make no network calls.
  • Raw secrets are never stored. Only a masked preview (prefix…last4) and a one-way SHA-256 fingerprint are persisted. There is no config flag and no database column that holds the raw value — the capability does not exist in this build. The raw string lives in memory only long enough to compute the preview/fingerprint and run format checks.
  • Raw secrets are never logged.
  • Disclosure reports are written to disk for a human to review and send — nothing is emailed or posted automatically.

The intent is to help owners fix leaks, not to collect or exploit credentials.


Features

Area What it does
Discovery GitHub Search API across configurable keywords, recent-creation window, pagination, rate-limit backoff, concurrent queries. Dry-run by default.
Scanning Programmatic TruffleHog execution (async), JSON parsing, concurrent scans, retries, scan history, already-scanned tracking.
Classification OpenAI, Anthropic, AWS, GitHub, Google, Stripe, Slack, Azure, generic, unknown.
Regex validation Format/length/prefix checks per provider; rejects obvious placeholders; assigns confidence.
Entropy analysis Shannon entropy with hex/base64-aware thresholds; combined entropy + regex confidence score.
Risk scoring Critical / High / Medium / Low from category, confidence, exposure location, repo popularity, commit age, and exposure history.
Storage SQLite + SQLAlchemy. Repo metadata, scan records, findings (masked).
Notifications Email + Markdown responsible-disclosure templates with remediation guidance. Files only.
Dashboard Live Rich terminal dashboard.
Export CSV export of findings (masked).

Architecture

discover → queue(DB) → scan(TruffleHog) → parse(JSON) → validate(regex+entropy)
        → score(confidence + risk) → store(DB) → notify(files) / dashboard / export
secret_watcher/
├── config/        # Pydantic settings (TOML + env)
├── discovery/     # GitHub Search API client (+ offline mock) and orchestrator
├── scanner/       # TruffleHog runner (+ offline mock) and scan manager
├── parser/        # TruffleHog JSON → normalised findings
├── validators/    # regex_validator.py, entropy_validator.py, scoring.py
├── database/      # SQLAlchemy models, session, data-access helpers
├── notifications/ # remediation guidance, Jinja2 templates, reporter
├── dashboard/     # Rich terminal dashboard
├── cli/           # Typer CLI
├── security.py    # masking + fingerprint (the only code that touches a raw secret)
└── export.py      # CSV export
tests/             # pytest suite (pure modules + mocked adapters)

Stages communicate through the database, so they are decoupled and resumable. Pure logic (validators, scoring, parser) does no I/O and is unit-tested. Network/process stages sit behind interfaces with offline mocks, so the whole pipeline runs without a token or TruffleHog via --mock.


Installation

See INSTALL.md for full details. Quick version:

python3 -m venv .venv && source .venv/bin/activate
pip install -e ".[dev]"
# Install TruffleHog v3 (for real scans): https://github.com/trufflesecurity/trufflehog
cp config.example.toml config.toml         # edit as needed
export GITHUB_TOKEN=ghp_your_token         # for the GitHub Search API

Requires Python 3.12+.


Usage

Every command accepts --config PATH and --mock (offline mocks, no token/TruffleHog).

# 1. Discover public repos (dry-run; add --queue to enqueue them)
secretwatch discover --queue

# 2. Scan the queue with TruffleHog
secretwatch scan

# 3. Generate responsible-disclosure reports (email + markdown) into reports/
secretwatch report

# 4. Live dashboard
secretwatch dashboard            # --once to render a single frame

# 5. Export findings to CSV (masked previews only)
secretwatch export findings.csv

# 6. Aggregate statistics
secretwatch stats

Try it offline (no token, no TruffleHog)

secretwatch discover --mock --queue
secretwatch scan --mock
secretwatch dashboard --mock --once

Sample disclosure report

See reports/samples/ for a full email + Markdown example. Excerpt:

  Repository:   https://github.com/example/env-sample
  File:         .env (line 3)
  Category:     AWS credential
  Confidence:   0.34 (CRITICAL risk)
  Reference:    AKIAIOS…MPLE   (masked — the full value is not stored)

Sample dashboard

A captured render is in reports/samples/dashboard.txt:

╭───── Overview ──────╮ ╭─────── By Severity ───────╮ ╭───── By Type ─────╮
│ Repositories  2     │ │ CRITICAL    1             │ │ AWS credential  2 │
│      Scanned  2     │ │ HIGH        3             │ │ Stripe key      2 │
│        Queue  0     │ │ MEDIUM      0             │ ╰───────────────────╯
│     Findings  4     │ │ LOW         0             │
╰─────────────────────╯ ╰───────────────────────────╯
Recent Detections: example/env-sample | Stripe key | HIGH | sk_live…LE12

Testing

pytest -q

The suite covers regex/entropy/scoring/parser logic, database helpers, and a full mock-driven pipeline that asserts no raw secret is ever persisted to the database, reports, or CSV.


Configuration

All behaviour is driven by config.toml (see config.example.toml). Notable knobs:

  • discovery.keywords, discovery.created_within_days, discovery.max_results
  • scanner.trufflehog_path, scanner.max_concurrent_scans, scanner.max_retries
  • entropy.* thresholds, scoring.* weights and scoring.min_confidence
  • reports.reporter_name / reports.reporter_contact for the disclosure signature

The GitHub token is read from GITHUB_TOKEN in the environment, never from the file.


License

MIT. Use responsibly. You are responsible for complying with GitHub's Terms of Service and all applicable laws when using this tool.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

open_source_secret_watcher-0.1.1.tar.gz (46.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

open_source_secret_watcher-0.1.1-py3-none-any.whl (53.0 kB view details)

Uploaded Python 3

File details

Details for the file open_source_secret_watcher-0.1.1.tar.gz.

File metadata

File hashes

Hashes for open_source_secret_watcher-0.1.1.tar.gz
Algorithm Hash digest
SHA256 1750ff011e863ed8bae57dd5d501b3b14276e8e9b08f679118de6f9736dd2bb8
MD5 bde806aa110f1bb99c0309e4b32fe2b0
BLAKE2b-256 aebc63c643d3c5fa5a803b7066504348523f21a7ba4f870c474629d8fd5f9c3a

See more details on using hashes here.

File details

Details for the file open_source_secret_watcher-0.1.1-py3-none-any.whl.

File metadata

File hashes

Hashes for open_source_secret_watcher-0.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 be875aff2073b08bbb78c48fe8100030f11bb6fded9802287b768d93133d2b76
MD5 60e69541bdca5431c943079aa0be9b49
BLAKE2b-256 9ac8ec9a778b5828f395c281b6d3e72c894b704c5b2de2326a4a8b3243a50a93

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page