Pre-commit secret scanner: catches AWS keys, GitHub PATs, Stripe tokens, private keys, and more before they hit your repo
Project description
zak-guard
A pre-commit secret scanner. Catches AWS keys, GitHub PATs, Stripe tokens, private keys, and other credentials before they land in your repo.
Works standalone as a CLI tool and as a hook in the pre-commit framework.
What it catches
| Rule | Examples |
|---|---|
| AWS access key ID | AKIA... (20-char, high entropy) |
| AWS secret access key | AWS_SECRET_ACCESS_KEY=... env var assignments |
| GitHub PATs (classic + fine-grained) | ghp_..., github_pat_... |
| GitHub OAuth / Actions / refresh tokens | gho_, ghs_, ghr_ |
| OpenAI keys (legacy + project) | sk-..., sk-proj-... |
| Anthropic keys | sk-ant-... |
DeepSeek / generic sk- keys |
sk- prefix with high entropy |
| Stripe live keys | sk_live_..., rk_live_... |
| Slack tokens | xoxb-, xoxp-, xoxa- |
| Google API keys | AIza... |
| PEM private key blocks | -----BEGIN ... PRIVATE KEY----- |
| JWTs | Three base64url segments |
Generic .env assignments |
PASSWORD=..., SECRET=..., TOKEN=... with high entropy |
Every finding shows file:line, the rule name, and a redacted match (AKIA...Y01). The full value is never printed.
Install
pip install zak-guard
# or
pipx install zak-guard
Use as a CLI
Scan staged changes (what you're about to commit):
zak-guard --staged
Scan everything in the current directory:
zak-guard --all
Scan a specific path:
zak-guard --all ./src
Suppress known false positives with an allowlist:
zak-guard --staged --allowlist .zak-guard-allowlist
Wire it as a git pre-commit hook:
zak-guard install
Use with the pre-commit framework
Add to your .pre-commit-config.yaml:
repos:
- repo: https://github.com/molloyzak13/zak-guard
rev: v0.1.0
hooks:
- id: zak-guard
Then install:
pre-commit install
Allowlist
Create a text file with one entry per line. Any detected value that contains an allowlist entry is suppressed. Lines starting with # are comments.
# .zak-guard-allowlist
AKIAEXAMPLE # known-fake key in test fixtures
sk_live_test_ # Stripe test mode prefix used in integration tests
Pass it with --allowlist <file> or set the ZAK_GUARD_ALLOWLIST environment variable.
How detectors work
Each rule combines a regex pattern with a Shannon entropy minimum. The entropy gate cuts false positives on placeholder values like YOUR_API_KEY_HERE or xxxxxxxxxxxx that match the pattern shape but are obviously not real credentials.
The staged scanner (--staged) parses git diff --cached and flags only added lines. It won't block you for secrets that were already in the repo before your change.
Exit codes
| Code | Meaning |
|---|---|
| 0 | Clean, no findings |
| 1 | One or more secrets detected |
| 2 | Error (not inside a git repo, git not found, etc.) |
Development
git clone https://github.com/molloyzak13/zak-guard
cd zak-guard
pip install -e ".[dev]"
pytest -v
License
MIT
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file zak_guard-0.1.0.tar.gz.
File metadata
- Download URL: zak_guard-0.1.0.tar.gz
- Upload date:
- Size: 14.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
a900495a2e11e5afb902f299c366ed442cff68e752320dc2d2552f962ef20e21
|
|
| MD5 |
84a3320902be1fd50db6519c1b5cde87
|
|
| BLAKE2b-256 |
4f6ffb8bfa7acf768ab86d8ce4b700b2cf941edb112682c71781f9f5abfeb34d
|
Provenance
The following attestation bundles were made for zak_guard-0.1.0.tar.gz:
Publisher:
release.yml on molloyzak13/zak-guard
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
zak_guard-0.1.0.tar.gz -
Subject digest:
a900495a2e11e5afb902f299c366ed442cff68e752320dc2d2552f962ef20e21 - Sigstore transparency entry: 1825731905
- Sigstore integration time:
-
Permalink:
molloyzak13/zak-guard@2717d50073af3f573ddce367f08af7a2f62d4dd9 -
Branch / Tag:
refs/tags/v0.1.0 - Owner: https://github.com/molloyzak13
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@2717d50073af3f573ddce367f08af7a2f62d4dd9 -
Trigger Event:
push
-
Statement type:
File details
Details for the file zak_guard-0.1.0-py3-none-any.whl.
File metadata
- Download URL: zak_guard-0.1.0-py3-none-any.whl
- Upload date:
- Size: 10.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
fef3645a7e645a6bdc6a7d09e32df7f2a90d59f177be8b2138c855f467b0eaf7
|
|
| MD5 |
2173eecfff26f4c9eda3073d20531b0f
|
|
| BLAKE2b-256 |
c52971e2b3b6595f65c612ceef03cfcc122a36ad97c58a0881685e99d2b4f056
|
Provenance
The following attestation bundles were made for zak_guard-0.1.0-py3-none-any.whl:
Publisher:
release.yml on molloyzak13/zak-guard
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
zak_guard-0.1.0-py3-none-any.whl -
Subject digest:
fef3645a7e645a6bdc6a7d09e32df7f2a90d59f177be8b2138c855f467b0eaf7 - Sigstore transparency entry: 1825731931
- Sigstore integration time:
-
Permalink:
molloyzak13/zak-guard@2717d50073af3f573ddce367f08af7a2f62d4dd9 -
Branch / Tag:
refs/tags/v0.1.0 - Owner: https://github.com/molloyzak13
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@2717d50073af3f573ddce367f08af7a2f62d4dd9 -
Trigger Event:
push
-
Statement type: