
CLI tool to detect hardcoded secrets and API keys before they leak to git

Project description

SecretGuard 🔐

Stop leaking API keys before they cost you.

In 2025, 28.6 million hardcoded secrets were exposed on GitHub — a 34% YoY increase. AI coding assistants make it 2× worse. SecretGuard blocks secrets at commit time.

$ secretguard scan .

config/settings.py:12
  Rule     : [OAI001] OpenAI API Key (legacy)
  Severity : 🔴 CRITICAL
  Match    : sk-aB************lmn
  Line     : OPENAI_API_KEY = "sk-aBcDe..."

Found 1 secret(s) in 43 file(s) scanned
    1  CRITICAL

Install

pip install secretguard

Usage

# Scan current directory
secretguard scan .

# Scan specific file
secretguard scan src/config.py

# Git pre-commit hook (blocks commits with CRITICAL secrets)
secretguard install

# JSON output (CI/CD integration)
secretguard scan . --format json

# HTML report
secretguard scan . --format html --output report.html

# Only fail on HIGH or above
secretguard scan . --fail-on high

# List all 50+ detection rules
secretguard list-rules

What it detects

50+ patterns across all major providers:

| Provider | Rules |
| --- | --- |
| AWS | Access Key ID, Secret Access Key, MWS Key |
| OpenAI | Legacy key, Project key, Service account |
| Anthropic/Claude | API Key |
| GitHub | PAT (classic + fine-grained), OAuth, Actions tokens |
| Stripe | Live/test secret keys, restricted keys, webhook secrets |
| Slack | Bot token, user token, app token, webhook URL |
| Google | API Key, OAuth token |
| HuggingFace | API Token |
| SendGrid | API Key |
| Azure | Storage connection string, subscription key |
| Private keys | RSA, OpenSSH, EC, PGP |
| Generic | API key assignments, hardcoded passwords, DB URLs with creds |
| + more | Replicate, DeepSeek, Twilio, Mailgun, npm, Docker Hub, Firebase, Telegram, Supabase |
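
An added example (not SecretGuard's own code) of how rule-based detection, masked match output and a severity threshold like --fail-on fit together. The rule IDs, regexes, masking widths and the handling of "any"/"none" are assumptions made for illustration, and the sample input is constructed.

```python
import re
from collections import namedtuple

SEVERITIES = ["low", "medium", "high", "critical"]
Finding = namedtuple("Finding", "rule_id severity line_no masked")

# Illustrative rules only: IDs and regexes are assumptions, not SecretGuard's rule set.
RULES = [
    ("EX001", "AWS Access Key ID", "critical", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("EX002", "GitHub PAT (classic)", "critical", re.compile(r"\bghp_[0-9A-Za-z]{36}\b")),
    ("EX003", "Hardcoded password", "medium",
     re.compile(r"(?i)\bpassword\s*=\s*[\"']([^\"']{8,})[\"']")),
]

def mask(secret, head=5, tail=3):
    """Keep a short prefix/suffix so a finding is recognizable but not reusable."""
    if len(secret) <= head + tail:
        return "*" * len(secret)
    return secret[:head] + "*" * (len(secret) - head - tail) + secret[-tail:]

def scan_text(text):
    """Run every rule over every line; only the masked value is kept in the result."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule_id, _name, severity, pattern in RULES:
            for m in pattern.finditer(line):
                secret = m.group(m.lastindex or 0)  # capture group if the rule has one
                findings.append(Finding(rule_id, severity, line_no, mask(secret)))
    return findings

def exit_code(findings, fail_on="critical"):
    """Return 1 when any finding is at or above the threshold, else 0."""
    if fail_on == "none":   # assumed meaning: never fail
        return 0
    if fail_on == "any":    # assumed meaning: fail on any finding
        return int(bool(findings))
    floor = SEVERITIES.index(fail_on)
    return int(any(SEVERITIES.index(f.severity) >= floor for f in findings))

# Constructed sample; the AWS value is the well-known documentation example key.
SAMPLE = "\n".join([
    'AWS_KEY = "' + "AKIA" + "IOSFODNN7EXAMPLE" + '"',
    'password = "' + "correct-horse" + '"',
    "DEBUG = True",
])

if __name__ == "__main__":
    for f in scan_text(SAMPLE): print(f)
    print("exit:", exit_code(scan_text(SAMPLE), "high"))
```

Masking before the finding is stored keeps the full secret out of terminal scrollback, JSON reports and CI logs, which are themselves common leak paths.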

Git pre-commit hook

# Install (one-time per repo)
secretguard install

# Now every git commit is checked automatically:
# git commit -m "feat: add payment"
#   → SecretGuard scans staged files
#   → Blocks commit if CRITICAL secrets found
#   → Shows exactly where secrets are

# Remove
secretguard uninstall

pre-commit framework

Add to .pre-commit-config.yaml:

repos:
  - repo: https://github.com/your-handle/secretguard
    rev: v0.1.0
    hooks:
      - id: secretguard

CI/CD integration

# GitHub Actions
- name: Scan for secrets
  run: |
    pip install secretguard
    secretguard scan . --format json --fail-on high

Options

| Flag | Default | Description |
| --- | --- | --- |
| --staged | false | Scan only git staged files |
| --format | terminal | Output: terminal, json, html |
| --output | | Output file (for --format html) |
| --fail-on | critical | Exit 1 when: critical, high, medium, low, any, none |
| --no-color | false | Disable ANSI colors |

Why not GitGuardian or GitHub Advanced Security?

  • GitGuardian: Enterprise pricing ($$$), sends your code to their servers
  • GitHub Advanced Security: Enterprise plans only (~$49/seat/month)
  • SecretGuard: Free, open source, fully local — your code never leaves your machine

License

MIT

Download files


Source Distribution

secretguard-0.1.0.tar.gz (15.4 kB view details)

Uploaded Source

Built Distribution


secretguard-0.1.0-py3-none-any.whl (13.5 kB view details)

Uploaded Python 3

File details

Details for the file secretguard-0.1.0.tar.gz.

File metadata

  • Download URL: secretguard-0.1.0.tar.gz
  • Upload date:
  • Size: 15.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.7

File hashes

Hashes for secretguard-0.1.0.tar.gz
Algorithm Hash digest
SHA256 469cb12521f9218dd69f7009d2f60be2a9cbb2f5905e516527301bdc433d0b07
MD5 59d438e38b9b04f8e2ac7ff2501ede24
BLAKE2b-256 871741ea41df5b3d68ced02516e04a8c5d510c9630b848509eac4596ca8aa307


File details

Details for the file secretguard-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: secretguard-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 13.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.7

File hashes

Hashes for secretguard-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 700b31a207c83d113fdded9b23e5cd59154ba25e57578039b9ab7d0f8b27aca4
MD5 45bf8d63178f0a8a18c62e8c265de742
BLAKE2b-256 f733b2f2c0205716d1b55a2e58513b8bd559528023873f28a859d3b9df86920a
