← Back to Tools
secretsweep
Zero-config secret scanning for staged git files — catch API keys before you push.
Install
npm install -g @fanioz/secretsweep Zero-config secret scanning for staged git files — catch API keys, tokens, and credentials before they leave your machine.
Setup
No configuration needed. Works out of the box.
Usage
# Scan staged files (pre-commit friendly)
secretsweep
# Scan a directory
secretsweep scan ./src
# Scan a specific file
secretsweep scan ./config/production.jsonPre-commit hook
Add to .husky/pre-commit (or .git/hooks/pre-commit):
npx secretsweep stagedWhat It Detects
| Category | Patterns |
|---|---|
| AWS | Access Keys (AKIA…), Secret Keys |
| GitHub | Personal Access Tokens, OAuth, App Tokens |
| GCP | API Keys, OAuth tokens, Service Account keys |
| Azure | Connection Strings |
| Stripe | Secret and Publishable Keys |
| Slack | Bot tokens, Webhooks |
| Database | MongoDB, PostgreSQL, MySQL, Redis URIs |
| Generic | Bearer tokens, API keys, passwords, private keys |
| Entropy | High-entropy strings that look like secrets |
Ignore False Positives
Create a .secretsweepignore file:
test/fixtures/
*.test.js
examples/demo.jsHow It Works
- Scans staged files in your git index (or specified paths)
- Matches against patterns for common secret formats
- Flags high-entropy strings that look like secrets
- Reports findings before you push
Features
- Zero config — works immediately, no setup files needed
- Fast — under 2 seconds for typical repos
- Git-aware — scans staged files by default, not your whole history
- Pre-commit ready — drop it into your hooks and forget about it
- Broad detection — AWS, GitHub, GCP, Azure, Stripe, Slack, databases, and more