Scan SaaS sources for leaked secrets. Backend-agnostic (trufflehog, gitleaks, native regex), source-agnostic (every connector saas-scraper provides — incl. GitHub issues + PRs from saas-scraper 0.5).
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Project description
pleno-secret-scanner (Python)
Python CLI that scans SaaS content for leaked secrets, backed by saas-scraper for source collection and a pluggable detection backend (trufflehog, gitleaks, or a tiny built-in regex set).
The Go binary in this repo (cmd/pleno-secret-scanner) remains for
filesystem-only scans; the Python package is the path forward for any
SaaS source.
Install
uv tool install pleno-secret-scanner
# or
pipx install pleno-secret-scanner
playwright install chromium
Usage
# Scan a Slack workspace using the trufflehog backend (requires trufflehog on PATH)
pleno-secret-scanner scan slack --workspace acme --backend trufflehog
# Scan a GitHub repo (code only, default)
pleno-secret-scanner scan github --owner plenoai --repo saas-scraper
# Also scan issues + PR conversations and diffs
pleno-secret-scanner scan github --owner plenoai --repo saas-scraper \
--resource code --resource issues --resource prs
# Output formats
pleno-secret-scanner scan slack --workspace acme --format sarif > findings.sarif
Backends
| Backend | Verifies | System dep |
|---|---|---|
| trufflehog | yes (per-detector) | trufflehog CLI on PATH |
| gitleaks | no | gitleaks CLI on PATH |
| native | no | none — bundled regex set (AWS, GitHub PAT, Slack bot, OpenAI, Anthropic) |
Connectors
Anything saas-scraper provides: filesystem, slack, github, gitlab,
bitbucket, jira, confluence, notion. New connectors land in saas-scraper
and become immediately available here.
Release
Tag py-vX.Y.Z triggers PyPI trusted publishing via GitHub Actions.
Project details
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file pleno_secret_scanner-0.3.0.tar.gz.
File metadata
- Download URL: pleno_secret_scanner-0.3.0.tar.gz
- Upload date:
- Size: 10.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.12.8
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
2dd596bf61edda763d5b377cdc9f45d8bd373628c2a7749fe51310f7c579ac13
|
|
| MD5 |
7ad67bb930df886b8df0382d5fff938d
|
|
| BLAKE2b-256 |
250712e3835a5062df597360283b2cbd3bf4b679597a8c7778ded8140cc3565e
|
Provenance
The following attestation bundles were made for pleno_secret_scanner-0.3.0.tar.gz:
Publisher:
release-py.yml on plenoai/pleno-secret-scanner
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
pleno_secret_scanner-0.3.0.tar.gz -
Subject digest:
2dd596bf61edda763d5b377cdc9f45d8bd373628c2a7749fe51310f7c579ac13 - Sigstore transparency entry: 1449731395
- Sigstore integration time:
-
Permalink:
plenoai/pleno-secret-scanner@8c9d783798a2cb933a5dc366a10c87bd715c9a8b -
Branch / Tag:
refs/tags/py-v0.3.0 - Owner: https://github.com/plenoai
-
Access:
private
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release-py.yml@8c9d783798a2cb933a5dc366a10c87bd715c9a8b -
Trigger Event:
push
-
Statement type:
File details
Details for the file pleno_secret_scanner-0.3.0-py3-none-any.whl.
File metadata
- Download URL: pleno_secret_scanner-0.3.0-py3-none-any.whl
- Upload date:
- Size: 15.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.12.8
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4ac931d82be1e814a0082758ac98db26cd67bf9c16c7d8bf77e6f019476d57db
|
|
| MD5 |
5f46152aecba514ccd7934c11f0ab8de
|
|
| BLAKE2b-256 |
8602889d68f64beecb1f44a37afe512524547cf5db94c793d3289a604bd08e7a
|
Provenance
The following attestation bundles were made for pleno_secret_scanner-0.3.0-py3-none-any.whl:
Publisher:
release-py.yml on plenoai/pleno-secret-scanner
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
pleno_secret_scanner-0.3.0-py3-none-any.whl -
Subject digest:
4ac931d82be1e814a0082758ac98db26cd67bf9c16c7d8bf77e6f019476d57db - Sigstore transparency entry: 1449731430
- Sigstore integration time:
-
Permalink:
plenoai/pleno-secret-scanner@8c9d783798a2cb933a5dc366a10c87bd715c9a8b -
Branch / Tag:
refs/tags/py-v0.3.0 - Owner: https://github.com/plenoai
-
Access:
private
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release-py.yml@8c9d783798a2cb933a5dc366a10c87bd715c9a8b -
Trigger Event:
push
-
Statement type:
