{"id":50744343,"url":"https://github.com/chintanshah35/secretguard","last_synced_at":"2026-06-10T19:30:29.051Z","repository":{"id":361917388,"uuid":"1255415421","full_name":"chintanshah35/secretguard","owner":"chintanshah35","description":"Scan source code for secrets, credentials, and PII — CLI and Node.js API","archived":false,"fork":false,"pushed_at":"2026-06-01T19:22:06.000Z","size":55,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-01T21:17:32.866Z","etag":null,"topics":["cli","credentials","devsecops","nodejs","pii","secret-scanning","security","typescript"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/chintanshah35.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-31T19:55:47.000Z","updated_at":"2026-06-01T19:22:10.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/chintanshah35/secretguard","commit_stats":null,"previous_names":["chintanshah35/secretguard"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/chintanshah35/secretguard","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chintanshah35%2Fsecretguard","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chintanshah35%2Fsecretguard/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chintanshah35%2Fsecretguard/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chintanshah35%2Fsecretguard/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/chintanshah35","download_url":"https://codeload.github.com/chintanshah35/secretguard/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chintanshah35%2Fsecretguard/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34168086,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-10T02:00:07.152Z","response_time":89,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cli","credentials","devsecops","nodejs","pii","secret-scanning","security","typescript"],"created_at":"2026-06-10T19:30:28.234Z","updated_at":"2026-06-10T19:30:29.044Z","avatar_url":"https://github.com/chintanshah35.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# secretguard\n\nScan your source code for secrets, credentials, and PII before they reach production.\n\n```bash\nnpx secretguard .\n```\n\nExits with code `1` if any CRITICAL findings are detected — drop it into your CI pipeline and it just works.\n\n## What it detects\n\n30 patterns across credentials and PII, grouped by severity.\n\n**Credentials — CRITICAL**\n- AWS access keys (`AKIA...`) and secret keys\n- OpenAI API keys (`sk-...`)\n- Anthropic API keys (`sk-ant-...`)\n- GitHub tokens (`ghp_`, `ghs_`, `gho_`, `github_pat_`)\n- GitLab personal access tokens (`glpat-`)\n- Slack bot and user tokens (`xoxb-`, `xoxp-`)\n- SendGrid API keys (`SG.`)\n- npm access tokens (`npm_`)\n- Stripe live secret keys (`sk_live_`)\n- Twilio auth tokens\n- Database URLs (PostgreSQL, MySQL, MongoDB — credentials in URL)\n- RSA, EC, OpenSSH, and PGP private keys\n\n**Credentials — HIGH**\n- JWT tokens\n- Stripe live publishable keys (`pk_live_`)\n- Google API keys (`AIzaSy...`)\n- Twilio Account SIDs\n- Generic API keys (high-entropy strings assigned to `api_key`, `API_KEY`, etc.)\n\n**PII — CRITICAL**\n- Social Security Numbers (SSN)\n- Credit card numbers (Visa, Mastercard, Amex, Discover)\n\n**PII — MEDIUM**\n- Email addresses\n- US and international phone numbers\n\n**PII — LOW**\n- Public IPv4 addresses (private ranges excluded)\n\nAll findings are shown **masked** in output — raw secrets are never printed.\n\n## PII and false positives\n\nPII scanning is tuned for production source, not test fixtures.\n\n**Skipped in test-like paths** — email, phone, SSN, credit card, and public IP patterns do not run in:\n\n- `*.test.*`, `*.spec.*`\n- `__tests__/`, `__mocks__/`\n- `fixtures/`, `mocks/`, `stubs/`\n\n**Filtered fake values** — in other files, obvious placeholders are ignored (e.g. `user@example.com`, `test@test.com`, US `555-` numbers, all-same-digit phones).\n\n**Credentials are always scanned** — API keys and tokens in test files are still reported. A real `ghp_` or `sk_live_` in a test is still a leak risk.\n\n## Install\n\n```bash\nnpm install -g secretguard\n```\n\nOr use without installing:\n\n```bash\nnpx secretguard .\n```\n\n## Usage\n\n```bash\n# Scan current directory\nsecretguard .\n\n# Scan a specific path\nsecretguard ./src\n\n# Ignore additional paths (repeatable, -i shorthand works too)\nsecretguard . --ignore tests --ignore fixtures\nsecretguard . -i tests -i fixtures\n\n# Output as JSON\nsecretguard . --json\n\n# Save HTML report (-o shorthand works too)\nsecretguard . --output report.html\nsecretguard . -o report.html\n\n# Combine flags\nsecretguard . -i tests --json\n```\n\n## Defaults\n\nThe following paths are ignored automatically — no configuration needed:\n\n```\nnode_modules  .git  dist  build  coverage\n.next  .nuxt  .turbo  .cache  vendor  __pycache__  .venv\n```\n\nBinary files (images, PDFs, archives, compiled binaries) are skipped automatically.\n\n## CI/CD\n\n```yaml\n# GitHub Actions\n- name: Scan for secrets and PII\n  run: npx secretguard . --ignore tests\n```\n\n```bash\n# Pre-commit hook (in .git/hooks/pre-commit)\nsecretguard . \u0026\u0026 git commit\n```\n\nThe exit code is `0` when no CRITICAL findings are detected, `1` otherwise. This makes it straightforward to block CI on real secrets while still reporting HIGH/MEDIUM findings.\n\n## Output formats\n\n**Terminal (default)** — colored output, grouped by severity (CRITICAL first), values masked\n\n**JSON (`--json`)** — structured output with summary counts, useful for piping to other tools or parsing in scripts\n\n**HTML (`--output report.html`)** — shareable self-contained report with a severity summary and full findings table\n\n## Programmatic API\n\n```typescript\nimport { scan, piiPatterns, credentialPatterns } from 'secretguard'\nimport type { ScanResult, Finding } from 'secretguard'\n\n// Scan with defaults\nconst result = await scan('./src')\n\n// Scan with options\nconst result = await scan('./src', {\n  ignore: ['tests', 'fixtures'],\n  patterns: [...credentialPatterns],  // credentials only, skip PII\n})\n\nconsole.log(result.findings)  // Finding[]\nconsole.log(result.scanned)   // number of files scanned\nconsole.log(result.duration)  // ms\n```\n\n## Requirements\n\nNode.js 18 or later.\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchintanshah35%2Fsecretguard","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchintanshah35%2Fsecretguard","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchintanshah35%2Fsecretguard/lists"}