Secret Scanner with OCR Superpowers - Finds secrets in code AND screenshots
Screenshot Guard
Secret Scanner with OCR Superpowers
The first secret scanner that finds secrets in code AND screenshots.
The Problem
Developers take screenshots. Screenshots of terminals, dashboards, documentation.
And sometimes those screenshots contain secrets:
- AWS keys in terminal output
- API tokens in dashboard screenshots
- "Example" credentials that are actually real
Regular secret scanners miss all of this.
The Solution
Screenshot Guard scans your code AND your images using OCR powered by german-ocr.
```bash
# Install
pip install screenshot-guard[ocr]
# Scan
screenshot-guard scan ./your-project
```
Features
- OCR-powered - Finds secrets in PNG, JPG, GIF, BMP, WebP images
- 50+ patterns - AWS, Azure, GCP, GitHub, Stripe, Slack, and more
- Local processing - No cloud, no data leaves your machine
- GitHub Action - Easy CI/CD integration with SARIF support
- Pre-commit hook - Catch secrets before they're committed
Quick Start
Installation
```bash
# Basic (no OCR)
pip install screenshot-guard
# With OCR support (recommended)
pip install screenshot-guard[ocr]
```
CLI Usage
```bash
# Scan current directory
screenshot-guard scan .
# Scan with JSON output
screenshot-guard scan ./src --format json --output report.json
# Only critical and high severity
screenshot-guard scan . --severity high
# Disable OCR (faster, but misses images)
screenshot-guard scan . --no-ocr
# Use Ollama backend for OCR
screenshot-guard scan . --backend ollama
```
GitHub Action
```yaml
name: Security Scan
on: [push, pull_request]
jobs:
  secrets:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan for secrets
        uses: Keyvanhardani/screenshot-guard@v1
        with:
          path: '.'
          severity: 'medium'
          ocr: 'true'
          fail-on-findings: 'true'
```
Pre-commit Hook
```yaml
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/Keyvanhardani/screenshot-guard
    rev: v1.0.0
    hooks:
      - id: screenshot-guard
        args: ['--severity', 'high', '--no-ocr']  # OCR in pre-commit is slow
```
Supported Patterns
| Provider | Patterns | Examples |
|---|---|---|
| AWS | 5 | Access Keys, Secret Keys, Session Tokens |
| Azure | 5 | Storage Keys, Connection Strings, SAS Tokens |
| GCP | 5 | API Keys, Service Accounts, OAuth Secrets |
| GitHub | 6 | PATs, OAuth Tokens, App Private Keys |
| Generic | 15+ | Passwords, Private Keys, JWTs, Database URLs |
| Slack | 2 | Bot Tokens, Webhooks |
| Stripe | 2 | Secret Keys, Restricted Keys |
| And more... | | |

```bash
# List all patterns
screenshot-guard patterns
```
Output Formats
Table (default)
```text
┌──────────────────┬──────┬────────────────────┬──────────┬────────┐
│ File             │ Line │ Type               │ Severity │ Source │
├──────────────────┼──────┼────────────────────┼──────────┼────────┤
│ screenshot.png   │ 3    │ AWS Access Key ID  │ CRITICAL │ OCR    │
│ config.yaml      │ 12   │ Database URL       │ CRITICAL │ Text   │
└──────────────────┴──────┴────────────────────┴──────────┴────────┘
```
JSON
```bash
screenshot-guard scan . --format json --output report.json
```
SARIF (GitHub Security)
```bash
screenshot-guard scan . --format sarif --output results.sarif
```
Markdown
```bash
screenshot-guard scan . --format markdown --output report.md
```
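For readers who want to see what the SARIF output above has to look like for GitHub code scanning to ingest it, here is an added example (not screenshot-guard's own code) that builds a SARIF 2.1.0 document from findings. The finding fields reuse the attribute names the API section of this README shows (`file_path`, `line_number`, `pattern_name`, `severity`, `from_ocr`); the `Finding` class, the severity-to-level mapping and the sample findings are this example's own assumptions. Note that the result message carries only the pattern type and location, never the matched value, so the report uploaded to the security tab cannot itself leak the secret.

```python
"""Build a SARIF 2.1.0 report from scanner findings (added example)."""
import json
from dataclasses import dataclass

# SARIF knows only error/warning/note/none, so the scanner's four severities
# have to be folded onto them. This mapping is an assumption of the example.
SEVERITY_TO_LEVEL = {"critical": "error", "high": "error", "medium": "warning", "low": "note"}


@dataclass
class Finding:
    file_path: str
    line_number: int
    pattern_name: str
    severity: str
    from_ocr: bool


def rule_id(pattern_name: str) -> str:
    """Stable rule id derived from the pattern name, e.g. SG-AWS-ACCESS-KEY-ID."""
    return "SG-" + "".join(c if c.isalnum() else "-" for c in pattern_name).strip("-").upper()


def to_sarif(findings, tool_name="screenshot-guard", tool_version="0.1.0"):
    rules = {}
    results = []
    for f in findings:
        rid = rule_id(f.pattern_name)
        rules.setdefault(rid, {"id": rid, "shortDescription": {"text": f.pattern_name}})
        source = "OCR" if f.from_ocr else "text"
        results.append({
            "ruleId": rid,
            "level": SEVERITY_TO_LEVEL.get(f.severity.lower(), "warning"),
            # Location and type only: the secret value itself never enters the report.
            "message": {"text": f"{f.pattern_name} detected via {source}"},
            "locations": [{
                "physicalLocation": {
                    # %SRCROOT% tells code scanning the uri is relative to the repo root.
                    "artifactLocation": {"uri": f.file_path, "uriBaseId": "%SRCROOT%"},
                    "region": {"startLine": f.line_number},
                }
            }],
            "properties": {"severity": f.severity, "fromOcr": f.from_ocr},
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version,
                                "rules": list(rules.values())}},
            "results": results,
        }],
    }


# Constructed sample findings mirroring the two rows of the table output above.
SAMPLE_FINDINGS = [
    Finding("screenshot.png", 3, "AWS Access Key ID", "CRITICAL", True),
    Finding("config.yaml", 12, "Database URL", "CRITICAL", False),
]

if __name__ == "__main__":
    print(json.dumps(to_sarif(SAMPLE_FINDINGS), indent=2))
```

Writing the returned dictionary to `results.sarif` and handing it to `github/codeql-action/upload-sarif` is enough for the findings to show up as code scanning alerts; the `rules` array is required because GitHub refuses results whose `ruleId` has no matching rule.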
OCR Backends
Screenshot Guard uses german-ocr for image analysis:
| Backend | Speed | Setup | GPU |
|---|---|---|---|
| llamacpp | Fast | pip install screenshot-guard[ocr] | Optional |
| ollama | Fast | Requires Ollama | Optional |
| cloud | Fastest | API key required | N/A |

```bash
# Use specific backend
screenshot-guard scan . --backend llamacpp
screenshot-guard scan . --backend ollama
```
Ignoring Files
Create .screenshotguardignore in your project root:
```
# Ignore test fixtures
tests/fixtures/*
# Ignore vendor
vendor/
# Ignore specific files
docs/example-config.yaml
```
API Usage
```python
from screenshot_guard import Scanner, SecretDetector, OCREngine

# Initialize
detector = SecretDetector(min_severity="high")
ocr = OCREngine(backend="llamacpp")
scanner = Scanner(detector=detector, ocr_engine=ocr)

# Scan
findings = scanner.scan("./your-project")
for finding in findings:
    print(f"{finding.file_path}:{finding.line_number} - {finding.pattern_name}")
    print(f"  Severity: {finding.severity}")
    print(f"  From OCR: {finding.from_ocr}")
```
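To make concrete what the pattern table, the `.screenshotguardignore` file and the API above fit together into, here is an added example that is not screenshot-guard's implementation: a small scanner that runs a few regex patterns over text files and over the text an OCR hook extracts from images, honours an ignore list, and reports findings with the same field names the README's API uses. The pattern subset, the ignore-file matching rules (one glob per line, `#` comments, a trailing `/` meaning "everything beneath"), the `ocr` callable and the sample project are all assumptions of this example; the AWS key in the sample is the `AKIAIOSFODNN7EXAMPLE` value from AWS's own documentation, not a live credential.

```python
"""Text-plus-image secret scan with an ignore list (added example)."""
import fnmatch
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".bmp", ".webp")
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Assumed pattern subset. AWS key ids: fixed prefix plus 16 uppercase
# alphanumerics. The DB URL pattern demands a user:password part so that
# credential-free connection strings do not fire.
PATTERNS = [
    ("AWS Access Key ID", "critical", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("Database URL", "critical",
     re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^\s:/@]+:[^\s@]+@\S+")),
    ("Slack Webhook", "high",
     re.compile(r"https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+")),
]


@dataclass
class Finding:
    file_path: str
    line_number: int
    pattern_name: str
    severity: str
    from_ocr: bool


def load_ignore_rules(text: str) -> List[str]:
    """One glob per line, '#' comments; 'dir/' covers everything beneath it (assumed syntax)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            rules.append(line + "*" if line.endswith("/") else line)
    return rules


def is_ignored(path: str, rules: List[str]) -> bool:
    return any(fnmatch.fnmatch(path, rule) for rule in rules)


def scan_text(path: str, text: str, min_severity: str, from_ocr: bool) -> List[Finding]:
    min_rank = SEVERITY_RANK[min_severity.lower()]
    out = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, severity, rx in PATTERNS:
            if SEVERITY_RANK[severity] >= min_rank and rx.search(line):
                # Record position and type only, never the matched value,
                # so the report itself cannot leak the secret.
                out.append(Finding(path, lineno, name, severity, from_ocr))
    return out


def scan_project(files: Dict[str, bytes], ignore_text: str = "", min_severity: str = "low",
                 ocr: Optional[Callable[[bytes], str]] = None) -> List[Finding]:
    """files maps project-relative path -> raw bytes. Images are routed through
    `ocr`; with ocr=None they are skipped entirely (the --no-ocr behaviour)."""
    rules = load_ignore_rules(ignore_text)
    findings: List[Finding] = []
    for path, data in files.items():
        if is_ignored(path, rules):
            continue
        if path.lower().endswith(IMAGE_EXTENSIONS):
            if ocr is not None:
                findings.extend(scan_text(path, ocr(data), min_severity, True))
        else:
            findings.extend(scan_text(path, data.decode("utf-8", "replace"), min_severity, False))
    return findings


# Constructed sample project. The PNG bytes are a placeholder; fake_ocr returns
# the text a real backend would have read off that terminal screenshot.
SAMPLE_FILES = {
    "docs/screenshot.png": b"\x89PNG placeholder",
    "config.yaml": b"db:\n  host: localhost\n  url: postgres://app:s3cret-pw@db.internal:5432/app\n",
    "tests/fixtures/example.env": b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
}
IGNORE_FILE = "# Ignore test fixtures\ntests/fixtures/*\n"


def fake_ocr(_: bytes) -> str:
    return "$ aws configure list\naccess_key ****\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"


if __name__ == "__main__":
    for f in scan_project(SAMPLE_FILES, IGNORE_FILE, ocr=fake_ocr):
        print(f"{f.file_path}:{f.line_number} - {f.pattern_name} ({f.severity}, OCR={f.from_ocr})")
```

Two behaviours worth noticing: the key in `tests/fixtures/` is silenced by the ignore rule, which is exactly why an ignore list should be reviewed as carefully as the code it covers ("example" credentials that are actually real is the failure mode the README describes), and passing `ocr=None` drops the screenshot finding entirely rather than downgrading it, which is the trade-off `--no-ocr` makes in the pre-commit hook above.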
Why OCR?
Real examples where OCR would have helped:
- Terminal screenshot committed to docs
  - AWS Access Key visible in output
  - Cost: $47,000 cloud bill
- Dashboard screenshot in README
  - "Example" API key was actually real
  - Exposed for 2 months
- Slack screenshot in GitHub issue
  - GitHub token visible in chat
  - Repository compromised
Contributing
Contributions are welcome! Please see CONTRIBUTING.md.
License
Apache 2.0 - see LICENSE
Author
Keyvan Hardani
- Website: keyvan.ai
- GitHub: @Keyvanhardani
- HuggingFace: Keyven
If this tool helped you, please star the repo!
File details
Details for the file screenshot_guard-0.1.0.tar.gz.
File metadata
- Download URL: screenshot_guard-0.1.0.tar.gz
- Upload date:
- Size: 22.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | d55f1071c5f3d20ce29464ab45b9e7ba766eb9ba0eda7c2a7b3f2d4c03e67411 |
| MD5 | 8adb3f4a223c11a73565ac28793599f2 |
| BLAKE2b-256 | 1077105002e7ca2ad52b87501b4b83cde73854f79c949cf4758eedc5cf4ff994 |
Provenance
The following attestation bundles were made for screenshot_guard-0.1.0.tar.gz:
- Publisher: publish.yml on Keyvanhardani/screenshot-guard
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: screenshot_guard-0.1.0.tar.gz
  - Subject digest: d55f1071c5f3d20ce29464ab45b9e7ba766eb9ba0eda7c2a7b3f2d4c03e67411
  - Sigstore transparency entry: 790913467
  - Sigstore integration time:
- Permalink: Keyvanhardani/screenshot-guard@0ffa7bb22c0a19de188591fa0fa72312f217878d
- Branch / Tag: refs/tags/v0.1.0
- Owner: https://github.com/Keyvanhardani
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@0ffa7bb22c0a19de188591fa0fa72312f217878d
- Trigger Event: release
File details
Details for the file screenshot_guard-0.1.0-py3-none-any.whl.
File metadata
- Download URL: screenshot_guard-0.1.0-py3-none-any.whl
- Upload date:
- Size: 26.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | ec32d979f3e5697da4b6946ae2456a0ac092b9726f0ff3daf4dd7e6d7830d830 |
| MD5 | dd39780a24151fa41b38d906f4f95e8e |
| BLAKE2b-256 | a53989e0e72aec874543993e8fa578ff71478f198a53bbfe542122d10575d2f8 |
Provenance
The following attestation bundles were made for screenshot_guard-0.1.0-py3-none-any.whl:
- Publisher: publish.yml on Keyvanhardani/screenshot-guard
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: screenshot_guard-0.1.0-py3-none-any.whl
  - Subject digest: ec32d979f3e5697da4b6946ae2456a0ac092b9726f0ff3daf4dd7e6d7830d830
  - Sigstore transparency entry: 790913468
  - Sigstore integration time:
- Permalink: Keyvanhardani/screenshot-guard@0ffa7bb22c0a19de188591fa0fa72312f217878d
- Branch / Tag: refs/tags/v0.1.0
- Owner: https://github.com/Keyvanhardani
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@0ffa7bb22c0a19de188591fa0fa72312f217878d
- Trigger Event: release