{"id":51624100,"url":"https://github.com/acunningham-ship-it/leakproof","last_synced_at":"2026-07-12T22:32:22.409Z","repository":{"id":365548209,"uuid":"1272609670","full_name":"acunningham-ship-it/leakproof","owner":"acunningham-ship-it","description":"Local secret firewall for AI coding assistants (Claude Code/Cursor/aider) — scans + redacts secrets before anything leaves the machine. Local-first, zero cloud. MIT.","archived":false,"fork":false,"pushed_at":"2026-07-06T23:16:43.000Z","size":227,"stargazers_count":5,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-07-12T22:32:20.538Z","etag":null,"topics":["ai-coding","aider","claude-code","cursor","data-loss-prevention","devsecops","dlp","hipaa","local-first","pre-commit","privacy","python","secret-detection","secrets","security","soc2"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/acunningham-ship-it.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-17T19:23:08.000Z","updated_at":"2026-07-06T23:16:48.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/acunningham-ship-it/leakproof","commit_stats":null,"previous_names":["acunningham-ship-it/leakproof"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/acunningham-ship-it/leakproof","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/acunningham-ship-it%2Fleakproof","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/acunningham-ship-it%2Fleakproof/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/acunningham-ship-it%2Fleakproof/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/acunningham-ship-it%2Fleakproof/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/acunningham-ship-it","download_url":"https://codeload.github.com/acunningham-ship-it/leakproof/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/acunningham-ship-it%2Fleakproof/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35404819,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-12T02:00:06.386Z","response_time":87,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-coding","aider","claude-code","cursor","data-loss-prevention","devsecops","dlp","hipaa","local-first","pre-commit","privacy","python","secret-detection","secrets","security","soc2"],"created_at":"2026-07-12T22:32:21.209Z","updated_at":"2026-07-12T22:32:22.401Z","avatar_url":"https://github.com/acunningham-ship-it.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# leakproof\n\n**Local-first secret firewall for AI coding assistants.**\n\nYour security team banned Claude Code or Cursor over data egress. Here's the local technical control that lets you turn them back on.\n\nleakproof sits between the tool and the model API and reads every outbound request before it leaves the machine. Finds a secret, it redacts it or kills the request. Nothing hits the cloud. The decision happens on your laptop, which is the only setup that isn't self-defeating — you don't hand a key to a stranger to ask them whether it's a key.\n\nTwo ways to run it:\n\n```bash\n# wrap your AI tool: everything it sends gets scanned + cleaned first\nleakproof run -- claude\nleakproof run -- aider\n\n# guard the repo itself: stop secrets before they reach a commit\nleakproof install-hook\n```\n\n## Who it's for\n\nCompliance-bound teams under SOC 2 / HIPAA / ITAR / GDPR whose security team blocked AI coding tools because the tools exfiltrate working-tree context — including any secrets in open files — to a cloud API. leakproof is the local technical control and audit trail that satisfies the objection.\n\nThe alternative tools (GitGuardian's ggshield recently added Claude Code and Cursor hooks) require a cloud account: scan metadata leaves the machine. That's structurally off the table for the shops that most need this. leakproof has zero cloud dependency — no account, no API key, no telemetry, nothing leaves the building.\n\n## What it catches\n\n163 tests, including a 23-case adversarial suite. Rules-only pass: 14/14 planted leaks caught, 0/9 false-positives on decoys (AWS doc-example keys, git SHAs, env *reads* without literals — all correctly ignored).\n\nCatches on the first pass (no local model needed): AWS access keys and secret keys, GitHub/OpenAI/Anthropic/Stripe tokens, JWTs, PEM private keys, raw `.env` values, high-entropy blobs, email, phone, card numbers.\n\nThe second pass is optional — a local-model semantic check (qwen2.5:1.5b via ollama) that reads the value rather than the variable name. That's where keyword scanners break down.\n\n### Compared to detect-secrets\n\ndetect-secrets is a common pre-commit baseline. It uses keyword matching plus entropy on a per-line basis.\n\n| Scenario | detect-secrets | leakproof |\n|---|---|---|\n| `AWS_SECRET_ACCESS_KEY=abc123…` in config | ✅ caught | ✅ caught |\n| AWS-shaped 40-char string in a prose comment (no `=` anchor, no keyword) | ❌ missed | ✅ caught (entropy) |\n| Live DB connection string in a test fixture with a neutral var name | ❌ missed | ✅ caught (entropy) |\n| Base64-wrapped token, benign-looking variable name | ❌ missed | ✅ caught (entropy) |\n| Bulk source paste containing a buried credential | ❌ missed | ✅ caught |\n| `AWS_ACCESS_KEY_ID = \"AKIAIOSFODNN7EXAMPLE\"` (AWS doc placeholder) | ⚠️ may flag | ✅ ignored (EXAMPLE marker) |\n| `sha256:e3b0c44298fc…` git SHA | ✅ ignored | ✅ ignored |\n\nThe honest framing: leakproof catches what keyword scanners miss **when the variable name is benign**. The local-model semantic pass is opt-in and additive — you get the full regex+entropy layer with or without it.\n\n## Install\n\n```bash\n# install the CLI (zero-dependency core)\npipx install leakproof\n\n# …or run it without installing anything:\nuvx leakproof run -- claude\n```\n\nPython 3.10+. The proxy surface needs `aiohttp`:\n\n```bash\npipx install \"leakproof[proxy]\"\n```\n\nPrefer the bleeding edge? Install straight from the repo — the source *is* the package:\n\n```bash\npipx install git+https://github.com/acunningham-ship-it/leakproof.git\n```\n\n## How it works\n\n`leakproof run -- claude` sets `ANTHROPIC_BASE_URL` (or `OPENAI_API_BASE` for aider) to a local proxy on `127.0.0.1:8747`, then launches the tool. The proxy reads each request body, runs the scanner, forwards a redacted copy upstream, and streams the response back untouched. No certificate to install, no system-wide proxy, no interception of anything you didn't ask it to wrap.\n\nEvery catch lands in an append-only audit log at `~/.local/share/leakproof/audit.jsonl`. `leakproof watch` tails it:\n\n```\n$ leakproof watch\n  14:02:11  claude-code → api.anthropic.com   redacted   aws_secret_key (critical)\n  14:02:11  claude-code → api.anthropic.com   redacted   STRIPE_SECRET_KEY from .env\n  14:06:48  aider       → api.openai.com      blocked    private_key (PEM)\n\n  this session: 3 secrets stopped, 0 reached the cloud\n```\n\n## Modes\n\n`monitor` — logs only, nothing changes. Use this first to see what's been leaving without disrupting your workflow.\n\n`redact` — swaps each finding for a placeholder and forwards the cleaned request. Default.\n\n`block` — rejects the request outright with a 403 and names what would have leaked.\n\n## Free\n\nApache-2.0, no paid tier, no account, no wall. One developer or a whole compliance team, same binary.\n\n## Status\n\nWorks today: Claude Code and aider (any tool that honors a base-URL env var). Cursor and Copilot use proprietary backends that need a real HTTPS intercept proxy and a cert install — that's v1.1, not v1. One machine, no daemon, no telemetry.\n\nApache-2.0. Built by [hamstudios](https://github.com/hamstudios). Issues and PRs welcome.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Facunningham-ship-it%2Fleakproof","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Facunningham-ship-it%2Fleakproof","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Facunningham-ship-it%2Fleakproof/lists"}