Skip to main content

The Secrets Scanner that respects your time

Project description

Secrets Hunter

PyPI Python

Secrets Hunter is a lightweight, fully autonomous, and dependency-free scanner that detects secrets across filesystems, git history, and exposed domain paths.

It is language agnostic and works on text content rather than language-specific syntax, which makes it suitable for finding secrets in mixed repositories, configuration files, scripts, and infrastructure code.

[!WARNING] Secrets Hunter is intended for defensive security work. Do not use it to scan third-party systems, domains, repositories, or infrastructure without permission.

Scans do not require external dependencies to run, though git must be installed to scan git history. You can run scans from the command line, wire them into git hooks for local development, or automate them in CI to act as a security gate.

Save Time With Smarter Secret Detection

Secrets Hunter is built around a simple principle: only surface findings that are actually worth reviewing.

Consider these two lines:

api_token = "79ffdc174191ed0f2d01d465c10c80c8c9542cb9"
hash = "79ffdc174191ed0f2d01d465c10c80c8c9542cb9"

The first line looks extremely suspicious: it is a high-entropy hex string assigned to the api_token variable, whose name suggests the value is a secret. And most likely, it is. The second line is just a random hash, so it is not even worth considering.

However, in this line:

api_token = "123abc456def"

even though the variable name suggests it is a secret, the assigned value suggests that it is not. Despite having high hex entropy, this is a placeholder or fake secret, not something worth attention. Therefore, it should not be reported as an actionable finding.

Secrets are detected using a combined regex and entropy approach, though the list of built-in regex patterns is intentionally kept short for three reasons:

  • The number of existing secret formats is huge, so large regex catalogs can slow down scans and become hard to maintain.
  • Secret formats often overlap, so the provider cannot always be identified reliably.
  • Most such secrets are high-entropy strings anyway.

There are a few exceptions to this, such as PEM keys, database connection strings, secrets with unusual character sets, or low-entropy secrets. This is where regex patterns come in handy.

A good example is an AWS access key ID, which has a recognizable AKIA... shape but may fall below the entropy threshold:

aws_access_key_id = "AKIA9Z4X7Q2M8V6N3P1L"

In this case, entropy alone may not be enough, so Secrets Hunter uses a regex pattern to catch the fixed AKIA... format.

Regex matches still go through the same context and rejection checks. For example:

aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"

matches the AWS access key ID shape, but is rejected because it contains a known example placeholder. It is not treated as an actionable finding.

For a deeper explanation of how regex patterns, entropy checks, assignment context, rejection rules, and scan modes work together, see the Scan Modes and Detection Process docs.

Installation

Requires Python 3.11 or newer.

Secrets Hunter can be installed via PyPI, from source, or using Docker. For a quick start, install directly from PyPI:

pip install secrets-hunter

For installation from source or Docker, see the Installation docs.

Quick Start

Use secrets-hunter with a local target for filesystem scans, --git-revset for git history, or --domain for exposed domain paths.

Scan the current directory:

secrets-hunter .

Scan a specific file:

secrets-hunter path/to/file.py

Scan git history using a git revision expression:

secrets-hunter . --git-revset main..HEAD

Scan commonly exposed domain paths:

secrets-hunter --domain example.com

Findings are masked by default. To reveal them, use --reveal-findings:

secrets-hunter . --reveal-findings

Export results to JSON or SARIF:

secrets-hunter . --json results.json
secrets-hunter . --sarif results.sarif

Fail with exit code 2 when actionable findings are present:

secrets-hunter . --min-confidence 75 --fail-on-findings

See the Usage and Examples docs for all flags and more examples.

Configuration

Secrets Hunter ships with built-in packaged defaults. You can display them using the CLI:

secrets-hunter showconfig

The detection behavior described above is configurable. Secret patterns, secret keywords, false-positive rules, and ignore rules can be adjusted with TOML configuration overlays.

Example team baseline overlay:

secrets-hunter . --config team.toml

Multiple overlays are applied in the order provided:

secrets-hunter . --config ci.toml --config local.toml

A full description and usage examples are available in Configuration docs.

License

Secrets Hunter is released under the MIT License, meaning you are free to use, modify, and distribute it for both personal and commercial purposes.

Acknowledgments

This project was made possible by whitespots.io.

Special thanks to @Shandriuk for implementing the end-to-end functional testing suite.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

secrets_hunter-0.8.1.tar.gz (339.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

secrets_hunter-0.8.1-py3-none-any.whl (352.0 kB view details)

Uploaded Python 3

File details

Details for the file secrets_hunter-0.8.1.tar.gz.

File metadata

  • Download URL: secrets_hunter-0.8.1.tar.gz
  • Upload date:
  • Size: 339.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for secrets_hunter-0.8.1.tar.gz
Algorithm Hash digest
SHA256 076c659c32f59d7b87c11d5b0d189cdb02482c045d94cb2ccb98c2bd8f566da5
MD5 2a5cdb7c9b5234beddb36d98bac1f01d
BLAKE2b-256 cd9242bbc1b59f5d9a10237ca4e8130554d9f2d86a8b24d8ecbaac3c7e77c4af

See more details on using hashes here.

Provenance

The following attestation bundles were made for secrets_hunter-0.8.1.tar.gz:

Publisher: pypi.yml on FVLCN/secrets-hunter

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file secrets_hunter-0.8.1-py3-none-any.whl.

File metadata

  • Download URL: secrets_hunter-0.8.1-py3-none-any.whl
  • Upload date:
  • Size: 352.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for secrets_hunter-0.8.1-py3-none-any.whl
Algorithm Hash digest
SHA256 5f888c4ffbed5771f2f244273d9c8ab2c7bb45aa3cc7ded799b0edb4fe501c37
MD5 05556f7b3a7359461278bdba89134473
BLAKE2b-256 b64211f6b51413a8cfff11617e1c3d9efec31e0317649cd467ee41384f046558

See more details on using hashes here.

Provenance

The following attestation bundles were made for secrets_hunter-0.8.1-py3-none-any.whl:

Publisher: pypi.yml on FVLCN/secrets-hunter

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page