Scan any project directory for exposed secrets, hardcoded credentials, and sensitive data leaks. Produces a severity-ranked report with remediation steps.
```bash
# Full project scan
python3 scripts/scan_secrets.py /path/to/project

# Scan with git history check
python3 scripts/scan_secrets.py /path/to/project --git-history

# Scan specific file types only
python3 scripts/scan_secrets.py /path/to/project --extensions .py,.js,.ts,.env,.yml,.json

# JSON output for CI integration
python3 scripts/scan_secrets.py /path/to/project --format json
```
- .env files with populated secrets

The scanner produces a structured report:
```text
=== Secrets Audit Report ===
Project: /path/to/project
Scanned: 247 files | Skipped: 1,203 files
Time: 2.3s

--- HIGH SEVERITY (3 findings) ---

[H1] AWS Access Key ID
  File: src/config/aws.js:14
  Match: AKIA...EXAMPLE
  Context: const accessKey = "AKIA..."
  Fix: Move to environment variable AWS_ACCESS_KEY_ID

[H2] Database Password
  File: config/database.yml:8
  Match: password: "pr0duction_p@ss"
  Fix: Use DATABASE_URL env var or secrets manager

--- MEDIUM SEVERITY (5 findings) ---
...

--- SUMMARY ---
High: 3 | Medium: 5 | Low: 2 | Total: 10
Recommendation: Rotate all HIGH severity credentials immediately
```
Run scripts/scan_secrets.py against the target directory. The script:

- references/secret-patterns.md

Present findings grouped by severity. For each finding:

For each confirmed finding, provide specific remediation:

- .gitignore

After remediation:
When --git-history flag is used, the script also checks:
Important: if a secret was ever committed to git, it must be rotated even if later removed — it exists in git history.
The script returns exit codes for CI pipelines:

- 0 — No findings
- 1 — Low/medium findings only
- 2 — High severity findings (should block deployment)

JSON output (--format json) can be parsed by CI tools for automated reporting.
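As an added example (not the skill's own scripts/scan_secrets.py), here is a minimal in-memory version of the core logic the page describes: pattern matching per file line, ranking findings HIGH > MEDIUM > LOW, redacting matches so the report does not leak the secret itself, and mapping the result to the 0/1/2 CI exit codes. The pattern table and sample files are constructed for the demo; the real pattern list lives in references/secret-patterns.md.

```python
import re
from collections import namedtuple

# Constructed pattern table; the skill's real list lives in references/secret-patterns.md.
PATTERNS = {
    "AWS Access Key ID": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "HIGH"),
    "Database Password": (re.compile(r"(?i)\bpassword\s*[:=]\s*[\"'][^\"']{6,}[\"']"), "HIGH"),
    "Generic API Key": (re.compile(r"(?i)\bapi[_-]?key\s*[:=]\s*[\"'][A-Za-z0-9_-]{16,}[\"']"), "MEDIUM"),
    "Internal Hostname": (re.compile(r"\b[a-z0-9-]+\.internal\b"), "LOW"),
}
RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}  # report order: HIGH first

# One finding = severity, pattern name, file, line number, redacted match text.
Finding = namedtuple("Finding", "severity name path line match")

def redact(s: str) -> str:
    return s[:4] + "..." + s[-4:] if len(s) > 8 else "..."

def scan_text(path: str, text: str) -> list:
    """Apply every pattern to every line of one file; record file:line per hit."""
    out = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, (rx, sev) in PATTERNS.items():
            m = rx.search(line)
            if m:
                out.append(Finding(sev, name, path, lineno, redact(m.group(0))))
    return out

def scan_files(files: dict) -> list:
    """Scan a {path: contents} map and rank results HIGH > MEDIUM > LOW."""
    hits = [f for p, t in files.items() for f in scan_text(p, t)]
    return sorted(hits, key=lambda f: (RANK[f.severity], f.path, f.line))

def summary(findings: list) -> dict:
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for f in findings:
        counts[f.severity.capitalize()] += 1
    return {**counts, "Total": len(findings)}

def exit_code(findings: list) -> int:
    """CI contract from the page: 0 clean, 1 low/medium only, 2 any HIGH finding."""
    sevs = {f.severity for f in findings}
    return 2 if "HIGH" in sevs else (1 if sevs else 0)

# Constructed sample inputs; the AKIA value is AWS's published example key, not a live one.
SAMPLE_FILES = {
    "src/config/aws.js": 'const region = "us-east-1";\nconst accessKey = "AKIAIOSFODNN7EXAMPLE";\n',
    "config/database.yml": 'adapter: postgres\nhost: db.internal\npassword: "pr0duction_p@ss"\n',
    "README.md": "Set DATABASE_URL in the environment before starting the app.\n",
}
```

Running `exit_code(scan_files(SAMPLE_FILES))` on the sample set returns 2, which is the value a CI step would use to block deployment.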
After an audit, recommend setting up a pre-commit hook. See references/prevention-guide.md for hook installation and configuration.