{"id":48934713,"url":"https://github.com/thepixelabs/sanitai","last_synced_at":"2026-04-19T17:17:40.900Z","repository":{"id":350779752,"uuid":"1207054188","full_name":"thepixelabs/sanitai","owner":"thepixelabs","description":"Find secrets in your LLM chat history before someone else does.","archived":false,"fork":false,"pushed_at":"2026-04-12T03:15:49.000Z","size":16126,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-12T04:21:09.772Z","etag":null,"topics":["chatgpt","claude","cli","llm","privacy","rust","secret-scanning","security"],"latest_commit_sha":null,"homepage":"https://thepixelabs.github.io/sanitai/","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/thepixelabs.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-10T14:24:18.000Z","updated_at":"2026-04-12T03:15:53.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/thepixelabs/sanitai","commit_stats":null,"previous_names":["thepixelabs/sanitai"],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/thepixelabs/sanitai","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thepixelabs%2Fsanitai","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thepixelabs%2Fsanitai/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thepixelabs%2Fsanitai/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thepixelabs%2Fsanitai/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/thepixelabs","download_url":"https://codeload.github.com/thepixelabs/sanitai/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thepixelabs%2Fsanitai/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31926260,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-17T10:35:34.458Z","status":"ssl_error","status_checked_at":"2026-04-17T10:35:09.472Z","response_time":62,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["chatgpt","claude","cli","llm","privacy","rust","secret-scanning","security"],"created_at":"2026-04-17T11:01:49.860Z","updated_at":"2026-04-17T11:01:51.338Z","avatar_url":"https://github.com/thepixelabs.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# [SanitAI](https://sanitai.pixelabs.net)\n\n\u003ca href=\"https://sanitai.pixelabs.net\"\u003e\u003cimg src=\"docs/nix-float.svg\" align=\"right\" width=\"200\" alt=\"Nix the Raccoon — SanitAI mascot\"/\u003e\u003c/a\u003e\n\n**Find secrets in your LLM chat history before someone else does.**\n\nSanitAI scans your Claude and ChatGPT conversation exports for leaked API keys, credentials, and personal data — entirely on your machine. No network calls. No cloud. No copies of your data leave the device.\n\n[![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)\n[![Platform: Linux macOS](https://img.shields.io/badge/platform-Linux%20%7C%20macOS-lightgrey.svg)](#install)\n\n---\n\n## The problem\n\nYou paste a `.env` file into Claude to debug a config issue. You ask ChatGPT to review a script that contains a database URL. Six months later, you export your conversation history and realise those secrets have been sitting in plain text inside a JSON file on your laptop — and in every backup, sync, and export you've made since.\n\nSanitAI finds them. In seconds.\n\n---\n\n## Install\n\n**Homebrew (macOS and Linux)**\n\n```sh\nbrew install thepixelabs/tap/sanitai\n```\n\n**curl installer (Linux and macOS)**\n\n```sh\ncurl -fsSL https://releases.sanitai.dev/install.sh | sh\n```\n\nVerify the binary signature before running anything (see [Trust model](#trust-model)).\n\n**Cargo (build from source)**\n\n```sh\ncargo install sanitai\n```\n\nRequires Rust 1.78 or later.\n\n---\n\n## Your first scan\n\n```sh\nsanitai scan ~/Downloads/claude_export.zip\n```\n\n```\nSanitAI v0.1.0 — local scan, no network\nParsing: claude_export.zip (Claude format)\n\nScanning 1,842 messages across 94 conversations...\n\nFINDINGS (4)\n────────────────────────────────────────────────────────────────\n HIGH  AWS Access Key        conversation_47.json:line 312\n       AKIA[REDACTED]        matched: aws_access_key_id pattern\n\n HIGH  Generic API Key       conversation_12.json:line 88\n       sk-[REDACTED]         matched: high-entropy bearer token\n\n MED   Email address         conversation_91.json:line 201\n       j****@example.com     matched: RFC 5322 address heuristic\n\n LOW   Internal hostname     conversation_03.json:line 44\n       db.internal.corp      matched: internal TLD heuristic\n────────────────────────────────────────────────────────────────\n4 findings in 1,842 messages (0.8 s)\n\nRun `sanitai redact` to remove findings from a copy of the export.\n```\n\nNo finding left the machine. The original file was not modified.\n\n---\n\n## Supported sources\n\n| Source | Export format | Parser |\n|---|---|---|\n| Claude (claude.ai) | `conversations.json` ZIP export | Built-in |\n| ChatGPT (chat.openai.com) | `conversations.json` ZIP export | Built-in |\n\nAdditional parsers are planned for future releases. The parser is separate from the detector — adding a new source does not change detection logic.\n\n---\n\n## Detection capabilities\n\n| Category | Examples | Method |\n|---|---|---|\n| Cloud provider keys | AWS, GCP, Azure, Stripe, Twilio | Regex against known prefixes |\n| Generic secrets | High-entropy strings in key=value context | Shannon entropy + heuristic |\n| Bearer tokens | `Authorization:` headers, `sk-` prefixes | Regex + context heuristic |\n| Database URLs | `postgres://`, `mysql://`, `mongodb+srv://` | Regex |\n| Private keys | PEM blocks (`BEGIN RSA PRIVATE KEY`, etc.) | Regex |\n| Email addresses | RFC 5322 addresses | Heuristic |\n| Phone numbers | E.164 and regional formats | Regex + heuristic |\n| Custom patterns | User-defined YAML rules | Regex + optional entropy |\n\nDetectors run locally in process. No pattern or matched text is sent anywhere.\n\n---\n\n## Redaction modes\n\n```sh\n# Write a redacted copy alongside the original (default)\nsanitai redact ~/Downloads/claude_export.zip\n\n# Redact in place (replaces the original — use with caution)\nsanitai redact --in-place ~/Downloads/claude_export.zip\n\n# Replace matched text with a fixed mask\nsanitai redact --mask \"***REDACTED***\" ~/Downloads/claude_export.zip\n\n# Replace matched text with the finding type label\nsanitai redact --mask-with-type ~/Downloads/claude_export.zip\n# e.g. \"[AWS_ACCESS_KEY]\", \"[EMAIL_ADDRESS]\"\n```\n\n---\n\n## Configuration\n\nSanitAI reads `~/.config/sanitai/config.toml` (XDG-compliant). All fields are optional.\n\n```toml\n# ~/.config/sanitai/config.toml\n\n[scan]\nmin_severity = \"low\"   # \"low\" | \"medium\" | \"high\"\ndisable_detectors = []\n\n[redact]\nmask = \"[REDACTED]\"\nmask_with_type = false\n\n[rules]\nextra_rules_dirs = [\"~/.config/sanitai/rules\"]\n```\n\nValidate your config:\n\n```sh\nsanitai config validate\n```\n\n---\n\n## Custom rules\n\n```yaml\n# ~/.config/sanitai/rules/acme-api-key.yaml\nid: acme_api_key\nname: \"ACME Corp API Key\"\nseverity: high\npattern: \"acme_[a-zA-Z0-9]{32}\"\nmin_entropy: 3.5\ncontext_keywords: [\"api_key\", \"apikey\", \"token\"]\n```\n\nSee [docs/custom-rules.md](docs/custom-rules.md) for the complete schema and examples.\n\n---\n\n## How it works\n\n```\n1. PARSE                  2. DETECT                  3. REPORT\n─────────────             ─────────────              ─────────────\nRead export ZIP     →     For each message:    →     Print findings\nIdentify format           run regex detectors         by severity\nExtract message           run entropy scorer\ntext per turn             run heuristics\n                          apply custom rules\n```\n\nEverything happens in a single local process. No state is persisted between runs.\n\n---\n\n## Trust model\n\n**Offline by design.** SanitAI makes zero network connections at runtime. Verify:\n\n```sh\n# Linux\nstrace -e trace=network sanitai scan /path/to/export.zip 2\u003e\u00261 | grep -v \"^strace\"\n\n# macOS\nsudo fs_usage -w -f network sanitai\n```\n\nA clean scan produces no output from either command.\n\n**No telemetry.** No analytics, no crash reporting, no usage pinging.\n\n**Signed binaries.** Release binaries are signed with [cosign](https://docs.sigstore.dev/cosign/overview/).\n\n```sh\ncosign verify-blob \\\n  --certificate sanitai-linux-amd64.cert \\\n  --signature sanitai-linux-amd64.sig \\\n  --certificate-identity \\\n    \"https://github.com/sanitai/sanitai/.github/workflows/release.yml@refs/heads/main\" \\\n  --certificate-oidc-issuer \"https://token.actions.githubusercontent.com\" \\\n  sanitai-linux-amd64\n```\n\n---\n\n## Contributing\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md). Security vulnerabilities: see [SECURITY.md](SECURITY.md).\n\n---\n\n## License\n\nMIT — see [LICENSE](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthepixelabs%2Fsanitai","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fthepixelabs%2Fsanitai","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthepixelabs%2Fsanitai/lists"}