Unified DLP scanner for SaaS sources — secret detection (trufflehog, gitleaks, native regex) plus PII detection (pleno-anonymize). Bundles saas-retriever for API-driven content collection: GitHub, GitLab, Bitbucket, Slack, Notion, Confluence, Jira.
pleno-dlp (Python)
Unified DLP scanner for SaaS content — secrets (trufflehog / gitleaks / native regex) and PII (delegating to pleno-anonymize). The SaaS source layer (formerly the standalone saas-retriever package) is vendored in-tree from 0.7.0: pip install pleno-dlp pulls one wheel that exposes both the pleno-dlp and the saas-retriever console scripts and lets you from saas_retriever import … without any extra dependency.
The Go binary in this repo (cmd/pleno-dlp) remains for filesystem-only scans; the Python package is the path forward for SaaS.
Install
```
uv tool install pleno-dlp
# or
pipx install pleno-dlp
# Add the PII backend (pulls pleno-anonymize):
uv tool install 'pleno-dlp[pii]'
```
Usage
```
# Secret scan over an entire GitHub org (code + issues + PRs across every repo)
GITHUB_TOKEN=ghp_... pleno-dlp scan github --owner plenoai

# Scan a single repo, only code, with trufflehog verification
pleno-dlp scan github --owner plenoai --repo saas-retriever \
  --resource code --backend trufflehog

# Issue + PR conversations only, PII detection (requires pleno-anonymize)
pleno-dlp scan github --owner plenoai \
  --resource issues --resource prs --backend pii

# SARIF output for GitHub code-scanning ingestion
pleno-dlp scan github --owner plenoai \
  --format sarif > findings.sarif
```
Auth resolution: --token → GITHUB_TOKEN env var → gh auth token.
Anonymous works for public content but is rate-limited to 60 req/h.
Backends
| Backend | Class | Verifies | System dep |
|---|---|---|---|
| trufflehog | secret | yes (per-detector) | trufflehog CLI on PATH |
| gitleaks | secret | no | gitleaks CLI on PATH |
| native | secret | no | none — bundled regex (AWS, GitHub PAT, Slack bot, OpenAI, Anthropic) |
| pii | PII | n/a | pleno-anonymize (installed via pleno-dlp[pii] extra) |
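An added illustration (not pleno-dlp's code) of how a regex-only backend like the native row behaves: it matches token shapes without verifying them, so overlapping prefixes and redaction have to be handled by the scanner itself. The patterns, rule names and the scan/redact helpers are assumptions made for this example, and the sample text is constructed.

```python
import hashlib
import re

# Assumed patterns: widely published token shapes for the five families the
# table names. They are not pleno-dlp's bundled regexes.
DETECTORS = [
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("slack-bot-token", re.compile(r"\bxoxb-[0-9]+-[0-9]+-[A-Za-z0-9]+")),
    ("anthropic-api-key", re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}")),
    # Anthropic keys share the "sk-" prefix, so exclude them here to avoid
    # reporting one token under two rules.
    ("openai-api-key", re.compile(r"\bsk-(?!ant-)[A-Za-z0-9_-]{20,}")),
]


def redact(secret):
    """Keep a 4-character prefix for triage; never copy the full value into a report."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan(text, source="<memory>"):
    """Return one finding per match, in line order, with the secret redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in DETECTORS:
            for match in pattern.finditer(line):
                value = match.group(0)
                findings.append({
                    "rule": rule, "source": source, "line": lineno,
                    "redacted": redact(value),
                    # Stable fingerprint lets reports deduplicate without the secret.
                    "fingerprint": hashlib.sha256(value.encode()).hexdigest()[:16],
                })
    return findings


# Constructed sample text with fake tokens assembled from filler characters.
SAMPLE = "\n".join([
    "deploy notes for staging",
    "aws key: AKIA" + "X" * 16,
    "token ghp_" + "a" * 36,
    "ANTHROPIC_API_KEY=sk-ant-" + "b" * 24,
    "see task-" + "c" * 24,  # contains "sk-" mid-word; must not match
])

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A match here only says the string has the right shape; deciding whether the credential is live is what the "Verifies" column distinguishes.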
Connectors
Anything saas-retriever provides. Today: github with org-wide
enumeration plus per-repo code / issues / PRs (comments and unified
diffs). Slack / Jira / Confluence / Notion / GitLab / Bitbucket land as
standalone API connectors in subsequent saas-retriever releases.
Release
Tag py-vX.Y.Z triggers PyPI trusted publishing via GitHub Actions.
File details
Details for the file pleno_dlp-0.7.0.tar.gz.
File metadata
- Download URL: pleno_dlp-0.7.0.tar.gz
- Upload date:
- Size: 73.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.12.8
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 6ec2df6afa86ebc60c1f3ea99b476405e0b95ea3394b69c40a73fbf368666a4a |
| MD5 | dc914ffba7ae061edd7105d3a7ae6fb2 |
| BLAKE2b-256 | 6c7882d6be8240c1823d4d7fbf4a92fb419a3c4867c535f643f011b396955496 |
Provenance
The following attestation bundles were made for pleno_dlp-0.7.0.tar.gz:
Publisher: release-py.yml on plenoai/pleno-dlp
Statement:
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: pleno_dlp-0.7.0.tar.gz
- Subject digest: 6ec2df6afa86ebc60c1f3ea99b476405e0b95ea3394b69c40a73fbf368666a4a
- Sigstore transparency entry: 1467696212
- Sigstore integration time:
- Permalink: plenoai/pleno-dlp@03335a470bed91cac2907af88fd22814d923e207
- Branch / Tag: refs/tags/py-v0.7.0
- Owner: https://github.com/plenoai
- Access: private
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release-py.yml@03335a470bed91cac2907af88fd22814d923e207
- Trigger Event: push
File details
Details for the file pleno_dlp-0.7.0-py3-none-any.whl.
File metadata
- Download URL: pleno_dlp-0.7.0-py3-none-any.whl
- Upload date:
- Size: 93.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.12.8
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 08140dc95f18526804e6c72aaa4e4a0623a7b92072899d39c507bae4de01919d |
| MD5 | 44a2965644ace65e7928571ae1ae925b |
| BLAKE2b-256 | 05177f7ac5935382cc5d560eb9def1b3c3ef4308ae2e660c4b7f8731039b0a99 |
Provenance
The following attestation bundles were made for pleno_dlp-0.7.0-py3-none-any.whl:
Publisher: release-py.yml on plenoai/pleno-dlp
Statement:
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: pleno_dlp-0.7.0-py3-none-any.whl
- Subject digest: 08140dc95f18526804e6c72aaa4e4a0623a7b92072899d39c507bae4de01919d
- Sigstore transparency entry: 1467696304
- Sigstore integration time:
- Permalink: plenoai/pleno-dlp@03335a470bed91cac2907af88fd22814d923e207
- Branch / Tag: refs/tags/py-v0.7.0
- Owner: https://github.com/plenoai
- Access: private
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release-py.yml@03335a470bed91cac2907af88fd22814d923e207
- Trigger Event: push
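Added example, not part of pleno-dlp or of PyPI's tooling: a check that a downloaded file matches the statement type, predicate type, subject name and subject digest fields listed in the provenance sections above. The statement and file bytes are constructed samples and check_statement is a hypothetical helper; the Sigstore signature over the statement is not verified here and needs a Sigstore-aware verifier.

```python
import hashlib
import hmac

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PREDICATE_TYPE = "https://docs.pypi.org/attestations/publish/v1"


def check_statement(statement, filename, data):
    """Return the list of mismatches between a statement and a downloaded file."""
    problems = []
    if statement.get("_type") != STATEMENT_TYPE:
        problems.append("unexpected statement type")
    if statement.get("predicateType") != PREDICATE_TYPE:
        problems.append("unexpected predicate type")
    actual = hashlib.sha256(data).hexdigest()
    # A statement may list several subjects; only those with our file name count.
    named = [s for s in statement.get("subject", []) if s.get("name") == filename]
    if not named:
        problems.append("file name not among subjects")
    elif not any(
        hmac.compare_digest(str(s.get("digest", {}).get("sha256", "")).lower(), actual)
        for s in named
    ):
        problems.append("sha256 mismatch")
    return problems


# Constructed sample: stand-in bytes and a statement built for them.
# For the real files, the subject digests are the SHA256 values on this page.
SAMPLE_NAME = "example_pkg-0.0.0.tar.gz"  # hypothetical file name
SAMPLE_BYTES = b"constructed archive bytes"
SAMPLE_STATEMENT = {
    "_type": STATEMENT_TYPE,
    "subject": [{"name": SAMPLE_NAME,
                 "digest": {"sha256": hashlib.sha256(SAMPLE_BYTES).hexdigest()}}],
    "predicateType": PREDICATE_TYPE,
    "predicate": None,
}

if __name__ == "__main__":
    print(check_statement(SAMPLE_STATEMENT, SAMPLE_NAME, SAMPLE_BYTES))
    print(check_statement(SAMPLE_STATEMENT, SAMPLE_NAME, SAMPLE_BYTES + b"!"))
```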