explaingit

doggy8088/leak-hunter

Analysis updated 2026-06-24

Stars · 57 · Language · Rust · Audience · ops/devops · Complexity · 3/5 · Setup · easy

TLDR

A Rust CLI that scans local folders, GitHub repos, or git URLs for accidentally committed secrets like API keys and private keys, with text, JSON, or Markdown reports for CI use.

Mindmap

mindmap
  root((leak-hunter))
    Inputs
      Local folder
      GitHub URL
      Owner repo shorthand
      Git SSH address
    Outputs
      Text report
      JSON for CI
      Markdown report
      Risk score table
    Use Cases
      Pre-commit secret scan
      CI gate on pull requests
      Audit a third-party repo
    Tech Stack
      Rust
      Cargo
      npm wrapper
      Glob


What do people build with it?

USE CASE 1

Scan a local repo for AWS keys, OpenAI tokens, and database URLs before pushing

USE CASE 2

Add leak-hunter as a CI step that fails the build on findings above a risk threshold

USE CASE 3

Audit an unfamiliar GitHub repo by owner slash repo shorthand without cloning

USE CASE 4

Generate a Markdown report of detected secrets for a security review document

What is it built with?

Rust, Cargo, npm

How does it compare?

                   doggy8088/leak-hunter   corrode/refactoring-rust   isaac-mason/compilecat
Stars              57                      6165 (the two remaining values are run together in the source)
Language           Rust                    Rust                       Rust
Setup difficulty   easy                    easy                       moderate
Complexity         3/5                     2/5                        4/5
Audience           ops/devops              developer                  developer

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy · Time to first run · 5 min

Install with cargo install or a global npm install; the npm wrapper downloads the platform binary from GitHub Releases and verifies its SHA-256 checksum in a postinstall script.

In plain English

Leak-hunter is a command-line tool that scans code for accidentally committed secrets: API keys, database passwords, private cryptographic keys and the like. The README calls it local-first and defensive: the idea is to catch leaks in your own code before they are published. It ships as a single binary for the major platforms and can scan a local folder, a GitHub repository URL, the shorthand owner/repo form, or a git SSH address.

The core is written in Rust. There is also an npm package of the same name, but the README is clear that it is only a wrapper: on install, a postinstall script downloads the native binary for your platform from GitHub Releases, verifies its SHA-256 checksum, and unpacks it. You can install either way: cargo install from the source folder, or npm install -g leak-hunter.

Reports can be written as plain text, JSON, or Markdown, either printed to the terminal or saved to a file. The text format includes a banner, the target, scan time, file counts, a risk-bucket summary, and a table of findings. JSON is meant for CI pipelines and tools like jq; the README shows an example jq query that pulls out findings with a risk score of 75 or higher. A min-risk option suppresses low-confidence hits, and include and exclude glob patterns narrow the scan. Secret values are redacted in the output by default; a no-redact flag exists but is documented as being for local manual review only.

The scanner walks files while respecting gitignore rules and a project-specific .leakhunterignore file with the same syntax. It skips binaries and files above a configurable size, applies a built-in pattern inventory with a context-aware risk score, and reduces common noise such as npm integrity hashes in lock files and Firebase public keys.

The detection rules cover OpenAI, Google, GitHub, Stripe, Slack, Sentry, and Docker Hub tokens, AWS access key pairs, Azure storage connection strings, framework secrets for Django, Flask, Rails, Laravel, NextAuth, Nuxt, Spring, and ASP.NET, database connection strings for SQL Server, PostgreSQL, MongoDB, and Redis, plus JWTs, PEM private keys, and GCP service account JSON. The README also notes two safety practices: npm publishing uses OIDC Trusted Publishing instead of a long-lived token, and test fixtures use synthetic strings stitched together so that GitHub push protection does not fire.
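The scanner core described above, as an added illustrative example and not leak-hunter's own code: a std-only Rust sketch of a pattern inventory with context-aware risk scoring, lock-file noise suppression, default redaction, a min-risk filter, a gitignore-style ignore subset, a risk-bucket summary and a CI gate at the README's threshold of 75. The rule names, base scores, context adjustments, ignore-pattern subset, bucket edges and the sample file tree are all assumptions made for this example; the sample secrets are stitched from fragments so that the snippet itself does not trip push protection.

```rust
// Added example (not leak-hunter's code): rule names, scores, adjustments, the ignore-pattern
// subset and the sample tree are assumptions for illustration. std only, so matching is hand-rolled.
use std::collections::BTreeMap;

#[derive(Debug, Clone, PartialEq)]
pub struct Finding { pub path: String, pub line: usize, pub rule: &'static str, pub risk: u8, pub value: String }

pub struct ScanOptions {
    pub min_risk: u8,        // suppress low-confidence hits (the README's min-risk option)
    pub no_redact: bool,     // show raw values; documented as for local manual review only
    pub ignore: Vec<String>, // .leakhunterignore patterns (gitignore-like subset: "dir/", "*.ext", "name")
}

fn is_token_char(c: u8) -> bool { c.is_ascii_alphanumeric() || c == b'_' || c == b'-' }

/// `prefix` followed by exactly `n` bytes accepted by `ok`, ending at a token boundary.
fn prefixed_token(line: &str, prefix: &str, n: usize, ok: fn(u8) -> bool) -> Option<String> {
    let b = line.as_bytes();
    let mut from = 0;
    while let Some(off) = line[from..].find(prefix) {
        let (start, body) = (from + off, from + off + prefix.len());
        let end = body + n;
        if end <= b.len() && b[body..end].iter().all(|&c| ok(c)) && !b.get(end).map_or(false, |&c| is_token_char(c)) {
            return Some(line[start..end].to_string());
        }
        from = body;
    }
    None
}

/// Pattern inventory: a small subset of the token families the README lists.
fn match_rule(line: &str) -> Option<(&'static str, String)> {
    if line.contains("-----BEGIN ") && line.contains("PRIVATE KEY-----") {
        return Some(("pem-private-key", line.trim().to_string()));
    }
    let upper_digit = |c: u8| c.is_ascii_uppercase() || c.is_ascii_digit();
    let alnum = |c: u8| c.is_ascii_alphanumeric();
    if let Some(v) = prefixed_token(line, "AKIA", 16, upper_digit) { return Some(("aws-access-key-id", v)); }
    if let Some(v) = prefixed_token(line, "ghp_", 36, alnum) { return Some(("github-pat", v)); }
    if let Some(v) = prefixed_token(line, "AIza", 35, is_token_char) { return Some(("google-api-key", v)); }
    None
}

/// Lock-file integrity hashes are classic false positives: skip the line outright.
fn is_noise(path: &str, line: &str) -> bool {
    (path.ends_with("package-lock.json") || path.ends_with(".lock")) && line.contains("\"integrity\"")
}

/// Context-aware score: base confidence per rule, adjusted by where and how the hit appears.
fn score(rule: &str, path: &str, line: &str) -> u8 {
    let mut r: i16 = match rule { "pem-private-key" => 95, "github-pat" => 90, "aws-access-key-id" => 85, "google-api-key" => 70, _ => 50 };
    let p = path.to_ascii_lowercase();
    if p.contains("test") || p.contains("fixture") || p.contains("example") { r -= 30; }
    let t = line.trim_start();
    if t.starts_with("//") || t.starts_with('#') { r -= 15; }
    if rule == "aws-access-key-id" && line.contains("EXAMPLE") { r -= 20; } // AWS documentation placeholder
    // Firebase web API keys are public by design; downgrade when the line looks like that config.
    if rule == "google-api-key" && (line.contains("firebaseConfig") || line.contains("authDomain")) { r -= 50; }
    r.clamp(0, 100) as u8
}

/// Default redaction keeps only the identifying prefix; a PEM header line carries no key material.
fn redact(rule: &str, value: &str) -> String {
    if rule == "pem-private-key" { return value.to_string(); }
    format!("{}{}", &value[..4], "*".repeat(value.len() - 4))
}

fn ignored(path: &str, patterns: &[String]) -> bool {
    let base = path.rsplit('/').next().unwrap_or(path);
    patterns.iter().any(|p| {
        if let Some(dir) = p.strip_suffix('/') { path.starts_with(&format!("{dir}/")) || path.contains(&format!("/{dir}/")) }
        else if let Some(ext) = p.strip_prefix("*.") { base.ends_with(&format!(".{ext}")) }
        else { p.as_str() == path || p.as_str() == base }
    })
}

pub fn scan(files: &[(String, String)], opts: &ScanOptions) -> Vec<Finding> {
    let mut out = Vec::new();
    for (path, contents) in files {
        if ignored(path, &opts.ignore) { continue; }
        for (i, line) in contents.lines().enumerate() {
            if is_noise(path, line) { continue; }
            if let Some((rule, value)) = match_rule(line) {
                let risk = score(rule, path, line);
                if risk < opts.min_risk { continue; }
                let value = if opts.no_redact { value } else { redact(rule, &value) };
                out.push(Finding { path: path.clone(), line: i + 1, rule, risk, value });
            }
        }
    }
    out.sort_by(|a, b| b.risk.cmp(&a.risk).then_with(|| a.path.cmp(&b.path)));
    out
}

/// Risk-bucket summary for the text report; bucket edges are this example's, not leak-hunter's.
pub fn risk_buckets(findings: &[Finding]) -> BTreeMap<&'static str, usize> {
    let mut m = BTreeMap::new();
    for f in findings {
        let b = match f.risk { 75..=100 => "critical", 50..=74 => "high", 25..=49 => "medium", _ => "low" };
        *m.entry(b).or_insert(0) += 1;
    }
    m
}

/// CI gate: passes only if nothing scored at or above `threshold` (the README's jq query uses 75).
pub fn ci_gate(findings: &[Finding], threshold: u8) -> bool { findings.iter().all(|f| f.risk < threshold) }

/// Constructed sample tree; secrets are stitched from fragments, as leak-hunter's own fixtures are.
pub fn sample_repo() -> Vec<(String, String)> {
    let aws = format!("AKIA{}", "2Q7XK4TZ9B1M5N8P");
    let doc = format!("AKIA{}", "IOSFODNN7EXAMPLE"); // AWS's documented placeholder id
    let pat = format!("ghp_{}", "A".repeat(36));
    let fb = format!("AIza{}", "0".repeat(35));
    let f = |p: &str, c: String| (p.to_string(), c);
    vec![
        f("src/config.rs", format!("let key = \"{aws}\";\n// TODO: move to env")),
        f("deploy/id_rsa", "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...".to_string()),
        f("tests/fixtures/token.txt", format!("token={pat}")),
        f("web/firebase.js", format!("const firebaseConfig = {{ apiKey: \"{fb}\", authDomain: \"demo.firebaseapp.com\" }};")),
        f("package-lock.json", "\"integrity\": \"sha512-AKIA0123456789ABCDEF==\"".to_string()),
        f("docs/setup.md", format!("Access key ids look like {doc} (AWS documentation placeholder).")),
    ]
}

fn main() {
    let opts = ScanOptions { min_risk: 25, no_redact: false, ignore: vec![] };
    let findings = scan(&sample_repo(), &opts);
    for f in &findings { println!("{:>3}  {:<18} {}:{}  {}", f.risk, f.rule, f.path, f.line, f.value); }
    println!("buckets: {:?}", risk_buckets(&findings));
    println!("gate at 75: {}", if ci_gate(&findings, 75) { "pass" } else { "FAIL" });
}
```

Run as written, the sample tree yields four findings above the min-risk floor: the PEM header at 95, the config-file AWS id at 85, the documentation placeholder at 65 (down-weighted for the EXAMPLE marker), and the fixture token at 60 (down-weighted for its tests/ path); the lock-file integrity hash is skipped as noise and the Firebase key scores too low to show. The gate at 75 therefore fails, which is the behaviour a CI step wants; adding `tests/fixtures/` to the ignore list removes the fixture hit, and the no-redact switch exposes raw values, which is why the README confines it to local review.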

Copy-paste prompts

Prompt 1
Install leak-hunter via cargo and run it against my current repo with JSON output piped into jq for findings above risk 75
Prompt 2
Add leak-hunter to my GitHub Actions workflow so PRs fail when new secrets are introduced
Prompt 3
Write a .leakhunterignore file that excludes my test fixtures and locked dependency files from leak-hunter
Prompt 4
Extend leak-hunter's pattern inventory with a custom rule for our internal Vault token format
Prompt 5
Use leak-hunter to scan a remote repo by owner slash repo shorthand and save a Markdown report

Frequently asked questions

What is leak-hunter?

A Rust CLI that scans local folders, GitHub repos, or git URLs for accidentally committed secrets like API keys and private keys, with text, JSON, or Markdown reports for CI use.

What language is leak-hunter written in?

Mainly Rust, built with Cargo; an npm wrapper package is also published.

How hard is leak-hunter to set up?

Setup difficulty is rated easy, with roughly 5 minutes to a first successful run.

Who is leak-hunter for?

Mainly ops and DevOps engineers.


Verify against the repo before relying on details.