Skip to main content

Pre-commit secret scanner: catches AWS keys, GitHub PATs, Stripe tokens, private keys, and more before they hit your repo

Project description

zak-guard

A pre-commit secret scanner. Catches AWS keys, GitHub PATs, Stripe tokens, private keys, and other credentials before they land in your repo.

Works standalone as a CLI tool and as a hook in the pre-commit framework.


What it catches

Rule Examples
AWS access key ID AKIA... (20-char, high entropy)
AWS secret access key AWS_SECRET_ACCESS_KEY=... env var assignments
GitHub PATs (classic + fine-grained) ghp_..., github_pat_...
GitHub OAuth / Actions / refresh tokens gho_, ghs_, ghr_
OpenAI keys (legacy + project) sk-..., sk-proj-...
Anthropic keys sk-ant-...
DeepSeek / generic sk- keys sk- prefix with high entropy
Stripe live keys sk_live_..., rk_live_...
Slack tokens xoxb-, xoxp-, xoxa-
Google API keys AIza...
PEM private key blocks -----BEGIN ... PRIVATE KEY-----
JWTs Three base64url segments
Generic .env assignments PASSWORD=..., SECRET=..., TOKEN=... with high entropy

Every finding shows file:line, the rule name, and a redacted match (AKIA...Y01). The full value is never printed.


Install

pip install zak-guard
# or
pipx install zak-guard

Use as a CLI

Scan staged changes (what you're about to commit):

zak-guard --staged

Scan everything in the current directory:

zak-guard --all

Scan a specific path:

zak-guard --all ./src

Suppress known false positives with an allowlist:

zak-guard --staged --allowlist .zak-guard-allowlist

Wire it as a git pre-commit hook:

zak-guard install

Use with the pre-commit framework

Add to your .pre-commit-config.yaml:

repos:
  - repo: https://github.com/molloyzak13/zak-guard
    rev: v0.1.0
    hooks:
      - id: zak-guard

Then install:

pre-commit install

Allowlist

Create a text file with one entry per line. Any detected value that contains an allowlist entry is suppressed. Lines starting with # are comments.

# .zak-guard-allowlist
AKIAEXAMPLE         # known-fake key in test fixtures
sk_live_test_       # Stripe test mode prefix used in integration tests

Pass it with --allowlist <file> or set the ZAK_GUARD_ALLOWLIST environment variable.


How detectors work

Each rule combines a regex pattern with a Shannon entropy minimum. The entropy gate cuts false positives on placeholder values like YOUR_API_KEY_HERE or xxxxxxxxxxxx that match the pattern shape but are obviously not real credentials.

The staged scanner (--staged) parses git diff --cached and flags only added lines. It won't block you for secrets that were already in the repo before your change.


Exit codes

Code Meaning
0 Clean, no findings
1 One or more secrets detected
2 Error (not inside a git repo, git not found, etc.)

Development

git clone https://github.com/molloyzak13/zak-guard
cd zak-guard
pip install -e ".[dev]"
pytest -v

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

zak_guard-0.1.0.tar.gz (14.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

zak_guard-0.1.0-py3-none-any.whl (10.5 kB view details)

Uploaded Python 3

File details

Details for the file zak_guard-0.1.0.tar.gz.

File metadata

  • Download URL: zak_guard-0.1.0.tar.gz
  • Upload date:
  • Size: 14.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for zak_guard-0.1.0.tar.gz
Algorithm Hash digest
SHA256 a900495a2e11e5afb902f299c366ed442cff68e752320dc2d2552f962ef20e21
MD5 84a3320902be1fd50db6519c1b5cde87
BLAKE2b-256 4f6ffb8bfa7acf768ab86d8ce4b700b2cf941edb112682c71781f9f5abfeb34d

See more details on using hashes here.

Provenance

The following attestation bundles were made for zak_guard-0.1.0.tar.gz:

Publisher: release.yml on molloyzak13/zak-guard

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file zak_guard-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: zak_guard-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 10.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for zak_guard-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 fef3645a7e645a6bdc6a7d09e32df7f2a90d59f177be8b2138c855f467b0eaf7
MD5 2173eecfff26f4c9eda3073d20531b0f
BLAKE2b-256 c52971e2b3b6595f65c612ceef03cfcc122a36ad97c58a0881685e99d2b4f056

See more details on using hashes here.

Provenance

The following attestation bundles were made for zak_guard-0.1.0-py3-none-any.whl:

Publisher: release.yml on molloyzak13/zak-guard

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page