For the past month I’ve been building a small open-source project:
a local-first secrets scanner that prevents API key leaks before they hit GitHub.
I posted the early version on Reddit — and honestly, the feedback changed everything.
The Feedback (What People Asked For):
“It only catches provider signatures — what about generic JWTs/passwords?”
“Can I define custom ignore rules per repo?”
“Can it output SARIF for CI integration?”
“Pre-commit scanning is great — can I customize false-positive behavior?”
This was gold.
So I went back, reworked the scanner, and shipped v1.1.
What’s New in v1.1?
- Generic JWT & Password Detection
The scanner now detects:
  - JWTs (header.payload.signature)
  - generic tokens
  - suspicious KEY=xxx patterns
  - high-entropy secrets
  - accidental passwords in code
No more relying only on predefined provider regexes.
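To make the generic detection concrete, here is an added example (written for this post, not the project's own code) of a small line scanner that combines the three ideas above: a JWT shape check, a KEY=value / password assignment check, and a Shannon-entropy check for long token-like strings. The regexes, the 3.5 bits/char threshold, the placeholder words and the sample lines are all constructed assumptions; the project's real patterns are not shown on the page.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed patterns for this illustration (assumptions, not the project's regexes).
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b")
# NAME=value or NAME: "value" where NAME ends in a credential-like word.
ASSIGN_RE = re.compile(
    r"(?i)\b(?P<name>[A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD|PASSWD|PWD))"
    r"['\"]?\s*[=:]\s*['\"]?(?P<value>[^\s'\"]{6,})"
)
# Any long run of token-ish characters; judged by entropy below.
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-+/=]{20,}")
ENTROPY_THRESHOLD = 3.5   # bits per character; assumed cutoff, tune per repo
MIN_ENTROPY_LEN = 20
PLACEHOLDER_MARKERS = ("example", "changeme", "your_", "xxx", "placeholder", "<", "${")


@dataclass(frozen=True)
class Finding:
    kind: str
    severity: str
    redacted: str   # never carry the raw secret into reports


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_placeholder(value: str) -> bool:
    v = value.lower()
    return any(marker in v for marker in PLACEHOLDER_MARKERS)


def redact(value: str) -> str:
    """Keep only a short prefix/suffix so a report can be shared safely."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:3] + "*" * (len(value) - 5) + value[-2:]


def scan_line(line: str) -> list:
    findings, seen = [], []          # seen: raw values already reported on this line
    for m in JWT_RE.finditer(line):  # 1. JWT shape: three base64url segments
        findings.append(Finding("jwt", "HIGH", redact(m.group(0))))
        seen.append(m.group(0))
    for m in ASSIGN_RE.finditer(line):  # 2. credential-like assignment
        value = m.group("value")
        if value in seen or looks_like_placeholder(value):
            continue
        if len(value) >= MIN_ENTROPY_LEN and shannon_entropy(value) >= ENTROPY_THRESHOLD:
            findings.append(Finding("high-entropy-secret", "HIGH", redact(value)))
        else:
            findings.append(Finding("credential-assignment", "MEDIUM", redact(value)))
        seen.append(value)
    for m in TOKEN_RE.finditer(line):  # 3. bare high-entropy token, not tied to a name
        tok = m.group(0)
        if any(tok in s for s in seen) or looks_like_placeholder(tok):
            continue
        if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
            findings.append(Finding("high-entropy-token", "MEDIUM", redact(tok)))
            seen.append(tok)
    return findings


def scan_text(text: str) -> list:
    """Return (line_number, Finding) pairs for every line of text."""
    return [(n, f) for n, line in enumerate(text.splitlines(), start=1) for f in scan_line(line)]


# Constructed sample input: every value below is fake.
SAMPLE = "\n".join([
    'DB_PASSWORD = "hunter2-but-longer"',
    'token = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.c2lnbmF0dXJlLXBsYWNlaG9sZGVy"',
    'API_KEY=YOUR_API_KEY_HERE',
    'SECRET_KEY = "x9Qf3LpT7vZk2RmN8sWc4HbY"',
    'print("hello world")',
    'Authorization: Bearer 4fKq9zLm2nXs8vRt1wPy6bHd3jC',
])

if __name__ == "__main__":
    for lineno, finding in scan_text(SAMPLE):
        print(f"line {lineno}: {finding.kind} [{finding.severity}] {finding.redacted}")
```

The placeholder check and the `seen` list are what keep the three detectors from reporting the same value three times; the entropy threshold is the knob that separates `hunter2`-style passwords (reported as a weaker assignment finding) from random-looking keys.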
- .secrets-policy.json Support
Each repo can now define its own policy:
{
  "ignore_patterns": ["tests/*", ".md"],
  "fail_on_severity": ["HIGH"],
  "false_positives": {
    "env/dev.env": ["123-fake-key"]
  }
}
You can customize:
  - what files to ignore
  - severity levels that fail CI
  - false positives
  - local-only overrides
- SARIF Support (for GitHub / CI)
Now you can run:
python -m app.cli --all --sarif results.sarif
And upload the report into GitHub’s code scanning interface.
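The following added example (mine, not the project's code) ties the two features above together: it loads the `.secrets-policy.json` shown earlier, drops findings that match `ignore_patterns` or a listed false positive, decides the CI exit code from `fail_on_severity`, and writes the survivors as a minimal SARIF 2.1.0 document of the kind GitHub code scanning accepts. The finding dict shape, the rule that an ignore entry is a glob or a path suffix, and the sample findings are assumptions made for the example.

```python
import json
from fnmatch import fnmatch

# The repo policy from the post, embedded as a string.
POLICY_JSON = """
{
  "ignore_patterns": ["tests/*", ".md"],
  "fail_on_severity": ["HIGH"],
  "false_positives": {
    "env/dev.env": ["123-fake-key"]
  }
}
"""

# Constructed findings in an assumed shape; every value is fake.
FINDINGS = [
    {"path": "tests/fixtures/keys.txt", "line": 3, "kind": "high-entropy-secret",
     "severity": "HIGH", "value": "x9Qf3LpT7vZk2RmN8sWc4HbY"},
    {"path": "docs/SETUP.md", "line": 18, "kind": "credential-assignment",
     "severity": "MEDIUM", "value": "hunter2-but-longer"},
    {"path": "env/dev.env", "line": 1, "kind": "credential-assignment",
     "severity": "MEDIUM", "value": "123-fake-key"},
    {"path": "app/config.py", "line": 12, "kind": "jwt",
     "severity": "HIGH", "value": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl"},
    {"path": "app/settings.py", "line": 4, "kind": "credential-assignment",
     "severity": "MEDIUM", "value": "s3cret-staging-pass"},
]

SARIF_LEVEL = {"HIGH": "error", "MEDIUM": "warning", "LOW": "note"}


def load_policy(text: str) -> dict:
    policy = json.loads(text)
    policy.setdefault("ignore_patterns", [])
    policy.setdefault("fail_on_severity", [])
    policy.setdefault("false_positives", {})
    return policy


def is_ignored(path: str, policy: dict) -> bool:
    # Assumption: an entry is an fnmatch glob ("tests/*") or a plain suffix (".md").
    return any(fnmatch(path, pat) or path.endswith(pat) for pat in policy["ignore_patterns"])


def is_false_positive(finding: dict, policy: dict) -> bool:
    return finding["value"] in policy["false_positives"].get(finding["path"], [])


def apply_policy(findings: list, policy: dict) -> list:
    return [f for f in findings
            if not is_ignored(f["path"], policy) and not is_false_positive(f, policy)]


def should_fail(findings: list, policy: dict) -> bool:
    return any(f["severity"] in policy["fail_on_severity"] for f in findings)


def ci_exit_code(findings: list, policy: dict) -> int:
    return 1 if should_fail(findings, policy) else 0


def redact(value: str) -> str:
    return value[:3] + "*" * max(4, len(value) - 5) + value[-2:] if len(value) > 8 else "*" * len(value)


def to_sarif(findings: list, tool_name: str = "secrets-scanner") -> dict:
    """Minimal SARIF 2.1.0 log: one run, one rule per finding kind, one result per finding."""
    rules = [{"id": kind, "shortDescription": {"text": kind}}
             for kind in sorted({f["kind"] for f in findings})]
    results = [{
        "ruleId": f["kind"],
        "level": SARIF_LEVEL.get(f["severity"], "warning"),
        "message": {"text": f"{f['kind']} detected: {redact(f['value'])}"},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": f["path"]},
            "region": {"startLine": f["line"]},
        }}],
    } for f in findings]
    return {
        "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "rules": rules}}, "results": results}],
    }


def sarif_json(findings: list) -> str:
    return json.dumps(to_sarif(findings), indent=2)


if __name__ == "__main__":
    policy = load_policy(POLICY_JSON)
    kept = apply_policy(FINDINGS, policy)
    with open("results.sarif", "w") as fh:
        fh.write(sarif_json(kept))
    raise SystemExit(ci_exit_code(kept, policy))
```

Only the redacted snippet goes into the SARIF message, so the report can be uploaded and shared without re-leaking the value it flagged; the exit code is what a pre-commit hook or CI step keys on.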
- Better CLI UX
  - Redacted snippets
  - Baseline support
  - More precise pattern labels
  - Cleaner output
  - Better exit codes for CI/pre-commit
Why Local-First Matters
Most scanners notify you after pushing to GitHub.
By that time:
- the key is public
- GitHub bots already scraped it
- the damage is done
Local-first scanning is the missing piece in most workflows.
Try It
GitHub repo:
https://github.com/AMOSFinds/secrets-scanner
Live UI demo (self-hosted version):
https://secrets-scanner-jlw2.onrender.com
Send a comment to receive the API key to try it out.
I’d love feedback, especially from DevSecOps folks who care about pre-commit workflows and CI automation.