Amogetswe Mashele
I Built an Offline Git Secrets Scanner. No Cloud, No Telemetry, Just Speed

I’ve been experimenting with DevSecOps tools lately, but wanted to take on the challenge of solving a specific problem.

Most secret scanners only alert you after you’ve already pushed your code.
By then, it’s too late.

So I decided to build something different:

A fast, lightweight local-first secrets scanner that runs before commits, works offline, and never sends your code anywhere.

Why I Built It

Every year, thousands of API keys get exposed in public repos.

Even tools like GitGuardian or Gitleaks don’t stop this fully because:

Developers forget to run them before pushing

CI-only scanners catch leaks after the fact

Some tools require cloud setup or telemetry access

I wanted a tool that fits naturally into a developer’s workflow, and runs locally.

What It Does

Scans files and commits for API keys, tokens, and credentials

Runs automatically before commits (python -m app.cli --staged)

Works as a CLI, pre-commit hook, or self-hosted web UI

Outputs SARIF reports, supports baselines, and runs fully offline

Integrates with CI for optional automation

New Features Since Launch

I recently added a few upgrades based on early feedback:

Baseline support to avoid false positives

SARIF output for CI integration

Per-repo config for custom ignore patterns

Next: --fix mode to auto-redact or hint key rotation

Why “Local-First” Matters

Most teams trust cloud scanners with private code — I wanted to try the opposite of that model.

Secrets Scanner runs on your machine or on your own server, so:

No code ever leaves your environment

You stay compliant and private

You can integrate it with any workflow

Quick Demo

Pre-commit scan

python -m app.cli --staged

Or full repo

python -m app.cli .

Optional: generate SARIF

python -m app.cli --sarif report.sarif

If it finds something:

HIGH · STRIPE_SECRET_KEY · app/settings.py:42

Otherwise:

No secrets found.
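
A minimal sketch of the staged-changes check and baseline suppression described above, added here as an example and not taken from the secrets-scanner code base. The two regex rules, the function names and the sample diff are assumptions made for illustration.

```python
import hashlib
import re

# Assumed rules for illustration; the project's real rule set is not shown on the page.
RULES = {
    "STRIPE_SECRET_KEY": ("HIGH", re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b")),
    "AWS_ACCESS_KEY_ID": ("HIGH", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
}
HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

def fingerprint(rule, path, secret):
    """Baseline ID for a finding; stores a hash, never the secret itself."""
    return hashlib.sha256(f"{rule}:{path}:{secret}".encode()).hexdigest()[:16]

def scan_staged_diff(diff_text, baseline=frozenset()):
    """Return (severity, rule, path, line, fingerprint) for secrets on added lines."""
    findings, path, lineno, old_left, new_left = [], None, 0, 0, 0
    for line in diff_text.splitlines():
        if old_left > 0 or new_left > 0:  # inside a hunk body: count lines, never parse headers
            if line.startswith("+"):
                for rule, (severity, pattern) in RULES.items():
                    for hit in pattern.finditer(line[1:]):
                        fp = fingerprint(rule, path, hit.group())
                        if path and fp not in baseline:
                            findings.append((severity, rule, path, lineno, fp))
                lineno, new_left = lineno + 1, new_left - 1
            elif line.startswith("-"):
                old_left -= 1
            elif not line.startswith("\\"):  # context line; "\ No newline..." is skipped
                lineno, old_left, new_left = lineno + 1, old_left - 1, new_left - 1
        elif line.startswith("+++ "):
            path = None if line[4:] == "/dev/null" else line[4:].removeprefix("b/")
        elif (m := HUNK.match(line)):
            old_left, lineno, new_left = int(m[1] or 1), int(m[2]), int(m[3] or 1)
    return findings

def report(findings):
    """Render findings in the SEVERITY · RULE · path:line shape shown in the post."""
    return "\n".join(f"{s} · {r} · {p}:{n}" for s, r, p, n, _ in findings) or "No secrets found."

# Constructed sample: a fake key built at runtime, in `git diff --cached -U0` form.
FAKE_KEY = "sk_test_" + "0" * 24
SAMPLE_DIFF = f"""--- a/app/settings.py
+++ b/app/settings.py
@@ -41,0 +42,2 @@
+STRIPE_SECRET_KEY = "{FAKE_KEY}"
+DEBUG = False
"""
```

To run it against a real index, pass the output of `git diff --cached -U0` as `diff_text`; a non-empty result is the signal for a pre-commit hook to exit non-zero.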

How to Try It

GitHub: github.com/AMOSFinds/secrets-scanner

Live demo: secrets-scanner-jlw2.onrender.com

If you’d like to help test, I have a few private API keys available for early users; just comment below or DM me.

What I Learned

Building this taught me how critical it is to combine developer efficiency with security.

Feedback Wanted

I’m looking for 5–10 testers to try the pre-commit integration and let me know if it is genuinely helpful or lackluster.

What do you think — is a fully local scanner like this a must-have for small teams?
