Analysis updated 2026-06-24
- Scan a local repo for AWS keys, OpenAI tokens, and database URLs before pushing
- Add leak-hunter as a CI step that fails the build on findings above a risk threshold
- Audit an unfamiliar GitHub repo by owner/repo shorthand without cloning
- Generate a Markdown report of detected secrets for a security review document
| | doggy8088/leak-hunter | corrode/refactoring-rust | isaac-mason/compilecat |
|---|---|---|---|
| Stars | 57 | 61 | 65 |
| Language | Rust | Rust | Rust |
| Setup difficulty | easy | easy | moderate |
| Complexity | 3/5 | 2/5 | 4/5 |
| Audience | ops/devops | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
Install via cargo or as an npm global package; the npm wrapper downloads a platform binary and verifies its SHA-256 checksum on postinstall.

Leak-hunter is a command-line tool that scans code for accidentally committed secrets: API keys, database passwords, private cryptographic keys, and the like. The README calls it local-first and defensive: the idea is to catch leaks in your own code before they end up published. It ships as a single binary that runs on the major platforms and can scan a local folder, a GitHub repository URL, the shorthand owner/repo form, or a git SSH address. The core is written in Rust. There is also an npm package by the same name, but the README is clear that the npm package is only a wrapper: when you install it, a postinstall script downloads the right native binary for your platform from GitHub Releases, verifies a SHA-256 checksum, and unpacks it. You can install either way: cargo install from the source folder, or npm install -g leak-hunter.

Reports can be written as plain text, JSON, or Markdown, and either printed to the terminal or saved to a file. The text format includes a banner, the target, scan time, file counts, a risk-bucket summary, and a table of findings. JSON is meant for CI pipelines and tools like jq, and the README shows an example jq query that pulls out findings with a risk score of 75 or higher. A min-risk option lets you suppress low-confidence hits, and include or exclude glob patterns let you narrow the scan. By default, secret values are redacted in the output; a no-redact flag exists but is documented as intended only for local manual review.

The scanner walks files while respecting gitignore rules and a project-specific .leakhunterignore file with the same syntax. It skips binaries and files above a configurable size, applies a built-in pattern inventory with a context-aware risk score, and reduces common noise such as npm integrity hashes in lock files and Firebase public keys.
The detection rules cover OpenAI, Google, GitHub, Stripe, Slack, Sentry, and Docker Hub tokens, AWS access key pairs, Azure storage connection strings, framework secrets for Django, Flask, Rails, Laravel, NextAuth, Nuxt, Spring, and ASP.NET, database connection strings for SQL Server, PostgreSQL, MongoDB, and Redis, plus JWTs, PEM private keys, and GCP service account JSON. The README also notes safety practices: npm publishing uses OIDC Trusted Publishing instead of a long-lived token, and test fixtures use synthetic strings stitched together so GitHub push protection does not fire.
A Rust CLI that scans local folders, GitHub repos, or git URLs for accidentally committed secrets like API keys and private keys, with text, JSON, or Markdown reports for CI use.
Mainly Rust. The stack also includes Cargo and npm.
Setup difficulty is rated easy, with roughly 5 min to a first successful run.
Mainly ops/devops.
Verify against the repo before relying on details.