Amogetswe Mashele
A lightweight secrets scanner that catches exposed keys before they reach GitHub

Hi,
I’ve been experimenting with DevSecOps tools lately, and noticed that most secret scanners only alert you after you’ve already pushed to GitHub — when the damage is done.

So I decided to build a different kind of scanner: something fast, lightweight, and developer-first — that runs locally before you even commit code.

The Problem

Every year, thousands of API keys and credentials get accidentally committed to public repos.
Even with GitHub’s built-in secret scanning and tools like GitGuardian, leaks still happen because:

Developers forget to run scans before pushing.

Most scanners are CI-only (post-commit).

Setup is overcomplicated for solo devs and small teams.

I wanted a local-first tool that fits naturally into a workflow — no cloud sync, no telemetry, no “trust us” backend.

The Solution: Secrets Scanner

Secrets Scanner is a simple Python + FastAPI tool that:

Scans repos for hardcoded secrets, keys, and tokens.

Runs as a pre-commit hook locally (python -m app.cli --staged).

Works as a CLI or self-hosted web app.

Integrates with CI pipelines for an extra safety layer.

Sends optional alerts to Slack when secrets are detected.

Everything runs on your machine or your server — no data leaves your environment.

Quick Demo

Local use:

python -m app.cli --staged

If a secret is found, it blocks your commit with a clear message:

Secret found in .env (STRIPE_SECRET_KEY)

Otherwise:

No secrets found.
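To make the pre-commit behaviour concrete, here is a self-contained scanner written for this post as an added example. It is not the project's own app.cli code; the rule set, the entropy cut-off, the report format (which adds a line number to the message shown above) and the sample diff are all assumptions constructed for the example, and every key value in it is fake. It parses a unified diff, scans only added lines, skips placeholders and values that are code expressions (such as os.environ.get(...)) rather than literals, and exits non-zero when anything is found so a hook can block the commit.

```python
"""Staged-diff secret scanner: an added, self-contained example (not the
project's own app.cli). It reads a unified diff, scans only ADDED lines,
and reports which file/line/identifier leaked, exiting non-zero so a
pre-commit hook blocks the commit."""
import math
import re
import subprocess
import sys
from dataclasses import dataclass

# Value-shape rules for well-known key formats (identifier, regex).
RULES = [
    ("AWS_ACCESS_KEY_ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("STRIPE_SECRET_KEY", re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b")),
]
# Env-style assignment whose variable name suggests a credential.
NAME_RULE = re.compile(
    r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*(?:SECRET|TOKEN|PASSWORD|API_KEY)"
    r"[A-Za-z0-9_]*)\s*[=:]\s*['\"]?([^'\"\s]{12,})",
    re.IGNORECASE,
)
PLACEHOLDER_RE = re.compile(r"example|changeme|your_|placeholder|xxxx", re.IGNORECASE)
CODE_EXPR_RE = re.compile(r"[()\[\]{}$]")  # value is an expression, not a literal
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumed, tunable cut-off
FILE_RE = re.compile(r"^\+\+\+ b/(.*)$")
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    identifier: str


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tokens score high, words score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(text: str):
    """Return the identifier to report for one added line, or None."""
    m = NAME_RULE.match(text)
    if m:
        name, value = m.group(1).upper(), m.group(2)
        # Placeholders and code expressions (os.environ.get(...), ${VAR}) are not leaks.
        if PLACEHOLDER_RE.search(value) or CODE_EXPR_RE.search(value):
            return None
        if any(rx.search(value) for _, rx in RULES) or shannon_entropy(value) >= ENTROPY_THRESHOLD:
            return name
        return None
    # No credential-like name: fall back to recognising the value shape alone.
    for ident, rx in RULES:
        if rx.search(text):
            return ident
    return None


def scan_diff(diff_text: str):
    """Walk a unified diff, tracking file and new-side line number of added lines."""
    findings, path, line_no = [], None, 0
    for raw in diff_text.splitlines():
        m = FILE_RE.match(raw)          # must run before the '+' check
        if m:
            path = m.group(1)
            continue
        m = HUNK_RE.match(raw)
        if m:
            line_no = int(m.group(1))
            continue
        if raw.startswith("+"):         # added line: scan it
            ident = classify(raw[1:])
            if ident:
                findings.append(Finding(path or "<unknown>", line_no, ident))
            line_no += 1
        elif raw.startswith(" "):       # context line: only advances the counter
            line_no += 1
    return findings


def format_report(findings):
    return [f"Secret found in {f.path}:{f.line} ({f.identifier})" for f in findings]


def exit_code(findings) -> int:
    return 1 if findings else 0


def staged_diff() -> str:
    """Diff of what is about to be committed (what a pre-commit hook should scan)."""
    cmd = ["git", "diff", "--cached", "--unified=0", "--no-color"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


SAMPLE_DIFF = "\n".join([  # constructed sample; every value is fake
    "diff --git a/.env b/.env",
    "--- /dev/null",
    "+++ b/.env",
    "@@ -0,0 +1,4 @@",
    "+DATABASE_URL=postgres://localhost/app",
    "+STRIPE_SECRET_KEY=sk_test_FAKEFAKEFAKE1234567890abcd",
    '+JWT_SECRET="k8Qm2vXp9LzR4tWnB7yH3eJd"',
    "+GITHUB_TOKEN=your_github_token_here",
    "diff --git a/app/config.py b/app/config.py",
    "--- a/app/config.py",
    "+++ b/app/config.py",
    "@@ -10,1 +10,3 @@",
    " import os",
    '+AWS_KEY = "AKIAEXAMPLEKEY123456"',
    '+STRIPE_SECRET_KEY = os.environ.get("STRIPE_SECRET_KEY")',
])

if __name__ == "__main__":
    text = staged_diff() if "--staged" in sys.argv else SAMPLE_DIFF
    found = scan_diff(text)
    print("\n".join(format_report(found)) if found else "No secrets found.")
    sys.exit(exit_code(found))
```

Run it with no arguments to scan the built-in sample, or with --staged from inside a repository to scan the index the way a hook would. Scanning only the staged diff, rather than the working tree, is what keeps the check fast and stops a secret that is already on disk but not staged from producing noise; the entropy rule is what catches credentials whose format no prefix rule knows about.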

You can also deploy the web version (I used Render):

docker build -t secrets-scanner .
docker run -p 8000:8000 --env-file .env secrets-scanner

Then visit:

https://yourdomain.com/ui

to scan any repo (public or private, via OAuth).

Prevent Leaks with Pre-Commit

To integrate with Git hooks:

macOS/Linux

echo '#!/usr/bin/env bash
set -e
python -m app.cli --staged' > .git/hooks/pre-commit
chmod +x .git/hooks/pre-commit

Windows (PowerShell)

echo 'python -m app.cli --staged
if ($LASTEXITCODE -ne 0) { exit 1 }' > .git/hooks/pre-commit.ps1

Now, every time you run git commit, your secrets get scanned automatically. Note that Git only executes a hook file named exactly pre-commit (no extension), so on Windows the .ps1 script has to be invoked from that file, for example through Git Bash, or the hook will not fire.

Why Local-First Matters

There’s a big trust gap in third-party scanning tools.
By keeping everything local and open source, you stay in control of your code.

No API calls, no logging, no vendor lock-in.
You can even host the full service yourself if you want to integrate with a team Slack or private CI setup.

Tech Stack

FastAPI for backend

Python CLI for pre-commit and local scans

httpx for async GitHub API calls

Slack webhooks for alerts

Dockerized for easy self-hosting

Try It Yourself

GitHub: https://github.com/AMOSFinds/secrets-scanner

Live demo: https://secrets-scanner-jlw2.onrender.com/ui. To find out more, visit the homepage: https://secrets-scanner-jlw2.onrender.com

If you’re into DevSecOps or pre-commit automation, I’d love feedback — especially from anyone who’s used GitGuardian or similar SAST tools.
