https://github.com/afterdarksys/env-leak-scanner
Scan your codebase for exposed secrets and environment variables
- Host: GitHub
- URL: https://github.com/afterdarksys/env-leak-scanner
- Owner: afterdarksys
- License: mit
- Created: 2026-01-12T11:17:49.000Z (6 months ago)
- Default Branch: main
- Last Pushed: 2026-01-12T11:21:10.000Z (6 months ago)
- Last Synced: 2026-01-12T19:20:29.455Z (5 months ago)
- Topics: ci-cd, cli, credentials, devops, environment-variables, leak-detection, python, scanning, secrets, security
- Language: Python
- Size: 8.79 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Env Leak Scanner
**Scan your codebase for exposed secrets and environment variables in seconds!**
Prevent security breaches by detecting hardcoded API keys, passwords, tokens, and other sensitive data before they reach production.
## Features
- Fast recursive directory scanning
- Detects 12+ types of common secrets (AWS keys, GitHub tokens, API keys, passwords, etc.)
- Beautiful terminal output with severity levels
- Detailed recommendations for each finding
- Zero configuration needed
- CI/CD integration ready
- Exit codes for automation (0=safe, 1=warning, 2=critical)
## Installation
```bash
pip install env-leak-scanner
```
## Quick Start
### Scan current directory
```bash
env-scan .
```
### Scan specific project
```bash
env-scan /path/to/project
```
### Quick summary only
```bash
env-scan . --no-details
```
### Scan without recursion
```bash
env-scan . --no-recursive
```
## What It Detects
- AWS Access Keys & Secret Keys
- GitHub Personal Access Tokens
- Generic API Keys
- Private SSH/RSA Keys
- Hardcoded Passwords
- Database Connection Strings (PostgreSQL, MySQL, MongoDB)
- Slack Tokens
- Bearer Tokens
- Hardcoded IP addresses with credentials
- And more...
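How pattern-based detection of a few of the secret types listed above can work, and how findings can map onto the 0/1/2 exit codes from the Features list. This is an added illustration, not env-leak-scanner's own code: the regexes, the severity assigned to each rule, the exit-code mapping, and the names `RULES`, `redact`, `scan_text` and `exit_code` are all assumptions, and the sample input is constructed.

```python
import re

# Assumed rules: (type, severity, regex). The shapes follow publicly documented
# token formats; env-leak-scanner's real rule set and severities may differ.
RULES = [
    ("AWS Access Key", "HIGH", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("GitHub Token", "HIGH", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("Private Key", "HIGH", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("Database URL", "HIGH", re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^\s:/@]+:[^\s@]+@")),
    ("Hardcoded Password", "MEDIUM", re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*['\"][^'\"]{4,}['\"]")),
]

def redact(value):
    """Keep only a short prefix so the report itself does not leak the secret."""
    return value[:4] + "*" * 8

def scan_text(text, path="<memory>"):
    """Return one finding (a dict) per rule that matches on each line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for secret_type, severity, pattern in RULES:
            match = pattern.search(line)
            if match:
                findings.append({"severity": severity, "type": secret_type, "file": path,
                                 "line": lineno, "match": redact(match.group(0))})
    return findings

def exit_code(findings):
    """Assumed mapping: 2 if any HIGH finding, 1 if only lower ones, 0 if clean."""
    if any(f["severity"] == "HIGH" for f in findings):
        return 2
    return 1 if findings else 0

# Constructed sample input; the AWS value is the placeholder used in AWS documentation.
SAMPLE = "\n".join([
    'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"',
    'token = "ghp_' + "a" * 36 + '"',
    'db = "postgresql://app:s3cret@db.internal:5432/prod"',
    'password = "hunter22"',
    'password = os.environ["DB_PASSWORD"]',  # read from the environment: no finding
])

if __name__ == "__main__":
    results = scan_text(SAMPLE, "config.py")
    for f in results:
        print(f'{f["severity"]:6} {f["type"]:18} {f["file"]}:{f["line"]} {f["match"]}')
    raise SystemExit(exit_code(results))
```

The last sample line shows the case a scanner should not flag: the password is read from the environment rather than written as a literal.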
## Example Output
```
╭─────────────── Scan Results ───────────────╮
│ 🚨 CRITICAL │
│ │
│ 📁 Files Scanned: 247 │
│ 🔍 Secrets Found: 5 │
│ 🔴 High Severity: 3 │
│ 🟡 Medium Severity: 2 │
│ 🟢 Low Severity: 0 │
╰────────────────────────────────────────────╯
╭────────────── 🔓 Exposed Secrets ──────────────╮
│ Severity Type File Line │
├────────────────────────────────────────────────┤
│ 🔴 HIGH AWS Access Key config.py 12 │
│ 🔴 HIGH Private Key keys/id_rsa 1 │
│ 🔴 HIGH GitHub Token deploy.sh 45 │
│ 🟡 MEDIUM API Key app.py 89 │
│ 🟡 MEDIUM Generic Secret .env.example 3 │
╰────────────────────────────────────────────────╯
```
## Use Cases
### Pre-commit Hook
Add to `.git/hooks/pre-commit`:
```bash
#!/bin/bash
env-scan .
if [ $? -eq 2 ]; then
    echo "❌ Critical secrets detected! Commit blocked."
    exit 1
fi
```
### CI/CD Pipeline
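```yaml
# GitHub Actions example
- name: Scan for secrets
  run: |
    pip install env-leak-scanner
    env-scan .
```
A step fails on any non-zero exit code, so this job fails on warnings (exit code 1) as well as on critical findings (exit code 2), unlike the pre-commit hook above, which blocks only on exit code 2.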
### Docker Build Security Check
```dockerfile
RUN pip install env-leak-scanner && env-scan /app
```
## CLI Options
```
usage: env-scan [-h] [--no-recursive] [--no-details]
                [--ignore IGNORE] [-v] [path]

positional arguments:
  path             Directory to scan (default: current directory)

options:
  -h, --help       show this help message and exit
  --no-recursive   Do not scan subdirectories
  --no-details     Show summary only, hide detailed findings
  --ignore IGNORE  Additional patterns to ignore (can be used multiple times)
  -v, --version    show program's version number and exit
```
## Python API
```python
from env_leak_scanner import SecretScanner

scanner = SecretScanner()
result = scanner.scan_directory("/path/to/project")

print(f"Files scanned: {result.total_files_scanned}")
print(f"Secrets found: {len(result.secrets_found)}")
print(f"High severity: {result.high_severity_count}")

# Check status
if result.has_secrets:
    print("⚠️ Secrets detected!")
    for secret in result.secrets_found:
        print(f"{secret.severity}: {secret.secret_type} in {secret.file_path}:{secret.line_number}")
```
## Why Use This?
**Before deployment:**
- Prevent accidental credential leaks
- Enforce security best practices
- Protect your infrastructure
**During development:**
- Get immediate feedback on security issues
- Learn secure coding practices
- Avoid costly security incidents
**Perfect for:**
- DevOps engineers
- Security teams
- Development teams
- CI/CD pipelines
- Open source projects
## Security Best Practices
1. **Never commit secrets to git** - Use .gitignore for .env files
2. **Use environment variables** - Store secrets outside code
3. **Use secret management** - AWS Secrets Manager, HashiCorp Vault, etc.
4. **Rotate exposed credentials** - Immediately revoke and regenerate
5. **Add pre-commit hooks** - Prevent future leaks automatically
6. **Scan git history** - Check for previously committed secrets
## Contributing
Contributions welcome! This project is part of [After Dark Systems](https://afterdarksys.com)' security initiative.
1. Fork the repository
2. Create a feature branch
3. Make your changes
4. Submit a pull request
## License
MIT License - see [LICENSE](LICENSE) for details.
## Links
- **PyPI**: https://pypi.org/project/env-leak-scanner/
- **GitHub**: https://github.com/afterdarksys/env-leak-scanner
- **Issues**: https://github.com/afterdarksys/env-leak-scanner/issues
- **After Dark Systems**: https://afterdarksys.com
- **More Security Tools**: https://pypi.org/user/afterdarksys/
## Star Us!
If you find this tool useful, please star the repository on GitHub!
---
**Made by [After Dark Systems](https://afterdarksys.com)**
**Check out our other 12+ production-ready Python packages:** https://pypi.org/user/afterdarksys/