{"id":43460427,"url":"https://github.com/varalys/redactyl","last_synced_at":"2026-02-03T05:46:02.883Z","repository":{"id":329187854,"uuid":"1034091105","full_name":"varalys/redactyl","owner":"varalys","description":"Deep artifact scanner for cloud-native environments. Find secrets hiding in container images, Helm charts, Kubernetes manifests, and nested archives.","archived":false,"fork":false,"pushed_at":"2025-12-31T15:29:42.000Z","size":9069,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-01-03T12:38:58.245Z","etag":null,"topics":["artifact-scanning","cli","cloud-native","containers","cybersecurity","devsecops","devtools","docker","gitleaks","golang","helm","kubernetes","oci","secret-management","secret-scanner","secrets-detection","security"],"latest_commit_sha":null,"homepage":"https://redactyl.io","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/varalys.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":"COPYRIGHT","agents":null,"dco":null,"cla":null}},"created_at":"2025-08-07T20:35:48.000Z","updated_at":"2025-12-31T15:29:46.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/varalys/redactyl","commit_stats":null,"previous_names":["redactyl/redactyl","varalys/redactyl"],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/varalys/redactyl","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/varalys%2Fredactyl","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/varalys%2Fredactyl/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/varalys%2Fredactyl/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/varalys%2Fredactyl/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/varalys","download_url":"https://codeload.github.com/varalys/redactyl/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/varalys%2Fredactyl/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29034799,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-03T02:28:16.591Z","status":"ssl_error","status_checked_at":"2026-02-03T02:27:48.904Z","response_time":96,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["artifact-scanning","cli","cloud-native","containers","cybersecurity","devsecops","devtools","docker","gitleaks","golang","helm","kubernetes","oci","secret-management","secret-scanner","secrets-detection","security"],"created_at":"2026-02-03T05:46:02.002Z","updated_at":"2026-02-03T05:46:02.878Z","avatar_url":"https://github.com/varalys.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Redactyl\n\n[![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](LICENSE)\n[![Tests](https://github.com/varalys/redactyl/actions/workflows/test.yml/badge.svg)](https://github.com/varalys/redactyl/actions/workflows/test.yml)\n[![Lint](https://github.com/varalys/redactyl/actions/workflows/lint.yml/badge.svg)](https://github.com/varalys/redactyl/actions/workflows/lint.yml)\n[![Vuln](https://github.com/varalys/redactyl/actions/workflows/vuln.yml/badge.svg)](https://github.com/varalys/redactyl/actions/workflows/vuln.yml)\n[![Release](https://github.com/varalys/redactyl/actions/workflows/release.yml/badge.svg)](https://github.com/varalys/redactyl/actions/workflows/release.yml)\n\n**Deep artifact scanner for cloud-native environments** - Find secrets hiding in container images, Helm charts, Kubernetes manifests, and nested archives without extracting to disk.\n\nPowered by [Gitleaks](https://github.com/gitleaks/gitleaks) for detection, enhanced with intelligent artifact streaming and context-aware analysis.\n\n![Redactyl TUI](docs/images/tui-screenshot.png)\n\n## Why Redactyl?\n\nSecrets don't just live in Git history - they hide in **container images, Helm charts, CI/CD artifacts, and nested archives** where traditional scanners can't reach them. Redactyl finds secrets in complex cloud-native artifacts without extracting them to disk.\n\n**Key differentiators:**\n- **Deep artifact scanning** - Stream archives, containers, Helm charts, and K8s manifests without disk extraction\n- **Virtual paths** - Track secrets through nested artifacts: `chart.tgz::templates/secret.yaml::line-123`\n- **Powered by Gitleaks** - Uses Gitleaks' detection engine; we focus on artifact intelligence\n- **Privacy-first** - Zero telemetry; self-hosted friendly\n- **Complete remediation** - Forward fixes and history rewriting with safety guardrails\n\n## Installation\n\n```sh\n# Homebrew (macOS/Linux)\nbrew install varalys/tap/redactyl\n\n# Go install\ngo install github.com/varalys/redactyl@latest\n\n# Build from source\nmake build \u0026\u0026 ./bin/redactyl --help\n```\n\n## Quick Start\n\n```sh\nredactyl scan                    # Interactive TUI (default)\nredactyl scan --no-tui           # Non-interactive for CI/CD\nredactyl scan --json             # JSON output\nredactyl scan --sarif            # SARIF output for GitHub Code Scanning\nredactyl scan --guide            # Include remediation suggestions\n```\n\n**Scope control:**\n\n```sh\nredactyl scan --staged           # Staged changes only\nredactyl scan --history 5        # Last N commits\nredactyl scan --base main        # Diff vs base branch\n```\n\n## Deep Scanning\n\nScan cloud-native artifacts with configurable guardrails:\n\n```sh\nredactyl scan --archives         # zip, tar, tgz (nested supported)\nredactyl scan --containers       # Docker tarballs, OCI format\nredactyl scan --helm             # Helm charts (.tgz and directories)\nredactyl scan --k8s              # Kubernetes manifests\nredactyl scan --registry alpine  # Remote OCI images (no pull required)\n```\n\n**With guardrails:**\n\n```sh\nredactyl scan --archives --containers --helm --k8s \\\n  --max-archive-bytes 67108864 \\\n  --max-depth 3 \\\n  --scan-time-budget 10s\n```\n\nSee [docs/deep-scanning.md](docs/deep-scanning.md) for details.\n\n## Configuration\n\nRedactyl reads configuration in order of precedence:\n1. CLI flags\n2. `.redactyl.yml` at repo root\n3. `~/.config/redactyl/config.yml`\n\n```sh\nredactyl config init                      # Generate starter config\nredactyl config init --preset minimal     # Critical detectors only\n```\n\nSee [.redactyl.example.yaml](.redactyl.example.yaml) for all options.\n\n## Interactive TUI\n\nThe TUI opens by default and provides real-time findings with severity color-coding, vim-style navigation, syntax-highlighted context preview, and quick actions for baseline, ignore, and export.\n\nPress `?` in the TUI for all keyboard shortcuts.\n\n```sh\nredactyl scan              # Opens TUI\nredactyl scan --view-last  # View last scan without rescanning\nredactyl scan --no-tui     # Disable for scripts/CI\n```\n\nThe TUI auto-disables when output is piped or `--json`/`--sarif` is used.\n\n## Baseline \u0026 Ignore\n\n```sh\nredactyl baseline update   # Suppress current findings in future scans\n```\n\nCreate `.redactylignore` at repo root (gitignore syntax) to skip paths:\n\n```\nnode_modules/\ndist/\ntestdata/**\n```\n\n## Filtering Results\n\nFilter by Gitleaks rule IDs:\n\n```sh\nredactyl scan --enable \"github-pat,aws-access-key\"\nredactyl scan --disable \"generic-api-key\"\nredactyl detectors         # List common rule IDs\n```\n\nFor custom detection rules, use a `.gitleaks.toml` file. See [Gitleaks configuration](https://github.com/gitleaks/gitleaks#configuration).\n\n## Remediation\n\n**Forward-only fixes:**\n\n```sh\nredactyl fix path .env --add-ignore                    # Remove and ignore file\nredactyl fix dotenv --from .env --to .env.example      # Generate example file\n```\n\n**History rewrite (dangerous; requires force-push):**\n\n```sh\nredactyl purge path secrets.json --yes                 # Remove from all history\nredactyl purge pattern --glob '**/*.pem' --yes         # Remove by pattern\n```\n\nAdd `--dry-run` to preview commands without executing.\n\n## Output \u0026 Exit Codes\n\n| Exit | Meaning |\n|------|---------|\n| 0 | No findings (or below `--fail-on` threshold) |\n| 1 | Findings at or above threshold |\n| 2 | Scan error |\n\nJSON and SARIF schemas are documented in [docs/schemas/](docs/schemas/).\n\n## CI/CD Integration\n\n```yaml\n# GitHub Actions\n- run: redactyl scan --sarif \u003e redactyl.sarif.json\n- uses: github/codeql-action/upload-sarif@v3\n  with:\n    sarif_file: redactyl.sarif.json\n```\n\n```sh\n# Pre-commit hook\nredactyl hook install --pre-commit\n\n# Generate CI templates\nredactyl ci init --provider gitlab  # or bitbucket, azure\n```\n\n## Audit Logging\n\nRedactyl maintains an append-only audit log at `.git/redactyl_audit.jsonl` for compliance tracking. Logs are redacted by default.\n\nSee [docs/audit-logging.md](docs/audit-logging.md) for format and usage.\n\n## Privacy\n\nNo telemetry by default. Optional `--upload` can omit metadata with `--no-upload-metadata`.\n\n## Public Go API\n\n```go\nimport \"github.com/varalys/redactyl/pkg/core\"\n\ncfg := core.Config{...}\nfindings, err := core.Scan(cfg)\n```\n\n## Updates\n\n```sh\nredactyl update  # Update from GitHub Releases\n```\n\nSee [CHANGELOG.md](CHANGELOG.md) for release notes.\n\n## Acknowledgments\n\nBuilt with [Gitleaks](https://github.com/gitleaks/gitleaks), [Bubbletea](https://github.com/charmbracelet/bubbletea), [go-containerregistry](https://github.com/google/go-containerregistry), [go-git](https://github.com/go-git/go-git), and [Chroma](https://github.com/alecthomas/chroma).\n\n## License\n\nApache-2.0. See [LICENSE](LICENSE).\n\n## Contributing\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md). To add detection rules, contribute to [Gitleaks](https://github.com/gitleaks/gitleaks) or create custom rules in `.gitleaks.toml`.\n\n## Enterprise\n\nCommercial offerings (dashboard, policies, SSO) available. Open a GitHub Discussion titled \"Enterprise inquiry\".\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvaralys%2Fredactyl","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvaralys%2Fredactyl","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvaralys%2Fredactyl/lists"}