explaingit

doggy8088/leak-hunter

57 · Rust

TLDR

Leak-hunter is a command-line tool that scans code for accidentally committed secrets, things like API keys, database passwords, and private cryptographic keys.


In plain English

Leak-hunter is a command-line tool that scans code for accidentally committed secrets, such as API keys, database passwords, and private cryptographic keys. The README calls it local-first and defensive: the idea is to catch leaks in your own code before they end up published. It ships as a single binary that runs on the major platforms and can scan a local folder, a GitHub repository URL, the shorthand owner/repo form, or a git SSH address. The core is written in Rust.

There is also an npm package by the same name, but the README is clear that the npm package is only a wrapper: when you install it, a postinstall script downloads the right native binary for your platform from GitHub Releases, verifies a SHA-256 checksum, and unpacks it. You can install either way: cargo install from the source folder, or npm install -g leak-hunter.

Reports can be written as plain text, JSON, or Markdown, and either printed to the terminal or saved to a file. The text format includes a banner, the target, scan time, file counts, a risk-bucket summary, and a table of findings. JSON is meant for CI pipelines and tools like jq, and the README shows an example jq query that pulls out findings with a risk score of 75 or higher. A min-risk option lets you suppress low-confidence hits, and include or exclude glob patterns let you narrow the scan. By default, secret values are redacted in the output; a no-redact flag exists but is documented as only for local manual review.

The scanner walks files while respecting gitignore rules and a project-specific .leakhunterignore file with the same syntax. It skips binaries and files above a configurable size, applies a built-in pattern inventory with a context-aware risk score, and reduces common noise such as npm integrity hashes in lock files and Firebase public keys.

The detection rules cover OpenAI, Google, GitHub, Stripe, Slack, Sentry, and Docker Hub tokens, AWS access key pairs, Azure storage connection strings, framework secrets for Django, Flask, Rails, Laravel, NextAuth, Nuxt, Spring, and ASP.NET, database connection strings for SQL Server, PostgreSQL, MongoDB, and Redis, plus JWTs, PEM private keys, and GCP service account JSON. The README also notes safety practices: npm publishing uses OIDC Trusted Publishing instead of a long-lived token, and test fixtures use synthetic strings stitched together so GitHub push protection does not fire.
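To make the scanning model described above concrete (a pattern inventory, a context-aware risk score, noise reduction for lock-file integrity hashes, default-on redaction, and a min-risk filter that mirrors the README's "risk 75 or higher" jq query), here is a small Python sketch. It is an added example, not leak-hunter's own code: the rule patterns, score adjustments and sample files are constructed for illustration, and the AWS value is the placeholder key id from AWS's own documentation.

```python
import re

# Constructed rule inventory: (name, pattern, base risk); hypothetical stand-ins, not leak-hunter's rules.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 80),
    ("pem-private-key", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"), 95),
    ("high-entropy-base64", re.compile(r"\b[A-Za-z0-9+/]{40,}={0,2}"), 40),
]

def redact(value, keep=4):
    """Default-on redaction: keep a short prefix so a finding is still recognisable."""
    return value[:keep] + "*" * min(max(len(value) - keep, 0), 12)

def score(base, path, line):
    """Context-aware risk: dampen fixtures and lock-file integrity hashes, boost assignments."""
    risk = base
    if "test" in path.lower() or "fixture" in path.lower():
        risk -= 30  # synthetic test strings are usually noise
    if path.endswith("package-lock.json") and "integrity" in line:
        risk -= 60  # npm integrity hashes are the classic false positive
    if re.search(r"(?i)(secret|password|token|key)\s*[:=]", line):
        risk += 10  # an assignment to a secret-looking name raises confidence
    return max(0, min(100, risk))

def scan(files, min_risk=0):
    """files maps path -> text. Returns JSON-ready findings with risk >= min_risk."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for name, pattern, base in RULES:
                for m in pattern.finditer(line):
                    risk = score(base, path, line)
                    if risk >= min_risk:
                        findings.append({"rule": name, "file": path, "line": lineno,
                                         "risk": risk, "value": redact(m.group(0))})
    return findings

def bucket_summary(findings):
    """Risk buckets as a text report's summary would print them."""
    buckets = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        buckets["high" if f["risk"] >= 75 else "medium" if f["risk"] >= 40 else "low"] += 1
    return buckets

# Constructed sample tree (not real data); the lock-file hash is a dummy base64 run.
SAMPLE = {
    "src/config.py": 'AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"\n',
    "tests/fixtures/keys.txt": "-----BEGIN RSA PRIVATE KEY-----\n",
    "package-lock.json": '  "integrity": "sha512-' + "Q" * 86 + '=="\n',
}
```

Calling `scan(SAMPLE)` reports all three hits with risks 90, 65 and 0, while `scan(SAMPLE, min_risk=75)` keeps only the AWS key, with its value redacted.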


Generated 2026-05-21 · Model: sonnet-4-6 · Verify against the repo before relying on details.