DEV Community: Amogetswe Mashele

How Reddit Shaped v1.1 of My Open-Source Secrets Scanner

Amogetswe Mashele — Fri, 07 Nov 2025 00:44:50 +0000

For the past month I’ve been building a small open-source project:
a local-first secrets scanner that prevents API key leaks before they hit GitHub.

I posted the early version on Reddit — and honestly, the feedback changed everything.

The Feedback (What People Asked For):

“It only catches provider signatures — what about generic JWTs/passwords?”
“Can I define custom ignore rules per repo?”
“Can it output SARIF for CI integration?”
“Pre-commit scanning is great — can I customize false-positive behavior?”

This was gold.

So I went back, reworked the scanner, and shipped v1.1.

What’s New in v1.1?

Generic JWT & Password Detection

The scanner now detects:

JWTs (header.payload.signature)

Generic tokens

suspicious KEY=xxx patterns

high-entropy secrets

accidental passwords in code

No more relying only on predefined provider regexes.

.secrets-policy.json Support

Each repo can now define its own policy:

{
"ignore_patterns": ["tests/*", ".md"],
"fail_on_severity": ["HIGH"],
"false_positives": {
"env/dev.env": ["123-fake-key"]
}
}

You can customize:

what files to ignore
severity levels that fail CI
false positives
local-only overrides

SARIF Support (for GitHub / CI)

Now you can run:

python -m app.cli --all --sarif results.sarif

And upload the report into GitHub’s code scanning interface.

Better CLI UX

Redacted snippets

Baseline support

More precise pattern labels

Cleaner output

Better exit codes for CI/pre-commit

Why Local-First Matters

Most scanners notify you after pushing to GitHub.
By that time:

the key is public
GitHub bots already scraped it
the damage is done

Local-first scanning is the missing piece in most workflows.

Try It

GitHub repo:
https://github.com/AMOSFinds/secrets-scanner

Live UI demo (self-hosted version):
https://secrets-scanner-jlw2.onrender.com
Send a comment to receive the API key to try it out.

I’d love feedback, especially from DevSecOps folks who care about pre-commit workflows and CI automation.

I Built an Offline Git Secrets Scanner. No Cloud, No Telemetry, Just Speed

Amogetswe Mashele — Mon, 03 Nov 2025 20:19:18 +0000

I’ve been experimenting with DevSecOps tools lately — but wanted to try a challenge of solving a specific problem.

Most secret scanners only alert you after you’ve already pushed your code.
By then, it’s too late.

So I decided to build something different:

A fast, lightweight local-first secrets scanner that runs before commits, works offline, and never sends your code anywhere.

*Why I Built It

Every year, thousands of API keys get exposed in public repos.

Even tools like GitGuardian or Gitleaks don’t stop this fully because:

Developers forget to run them before pushing

CI-only scanners catch leaks after the fact

Some tools require cloud setup or telemetry access

I wanted a tool that fits naturally into a developer’s workflow,and runs locally.

*What It Does

Scans files and commits for API keys, tokens, and credentials

Runs automatically before commits (python -m app.cli --staged)

Works as a CLI, pre-commit hook, or self-hosted web UI

Outputs SARIF reports, supports baselines, and runs fully offline

Integrates with CI for optional automation

*New Features Since Launch

I recently added a few upgrades based on early feedback:

Baseline support to avoid false positives

SARIF output for CI integration

Per-repo config for custom ignore patterns

Next: --fix mode to auto-redact or hint key rotation

*Why “Local-First” Matters

Most teams trust cloud scanners with private code — I wanted to try the opposite of that model.

Secrets Scanner runs on your machine or on your own server, so:

No code ever leaves your environment

You stay compliant and private

You can integrate it with any workflow

Quick Demo

Pre-commit scan

python -m app.cli --staged

Or full repo

python -m app.cli .

Optional: generate SARIF

python -m app.cli --sarif report.sarif

If it finds something:

HIGH · STRIPE_SECRET_KEY · app/settings.py:42

Otherwise:

No secrets found.

How to Try It

GitHub: github.com/AMOSFinds/secrets-scanner

Live demo: secrets-scanner-jlw2.onrender.com

If you’d like to help test, I have a few private API keys available for early users, just comment below or DM me.

*What I Learned

Building this taught me how critical it is to combine developer efficiency with security.

*Feedback Wanted

I’m looking for 5–10 testers to try the pre-commit integration and let me know if it is genuinely helpful or lackluster.

What do you think — is a fully local scanner like this a must-have for small teams?

A lightweight secrets scanner that catches exposed keys before they reach GitHub

Amogetswe Mashele — Sun, 26 Oct 2025 23:43:01 +0000

Hi,
I’ve been experimenting with DevSecOps tools lately, and noticed that
most secret scanners only alert you after you’ve already pushed to GitHub — when the damage is done.

So I decided to build a different kind of scanner.
Something fast, lightweight, and developer-first — that runs locally before you even commit code.

The Problem

Every year, thousands of API keys and credentials get accidentally committed to public repos.
Even with GitHub’s built-in secret scanning and tools like GitGuardian, leaks still happen because:

Developers forget to run scans before pushing.

Most scanners are CI-only (post-commit).

Setup is overcomplicated for solo devs and small teams.

I wanted a local-first tool that fits naturally into a workflow — no cloud sync, no telemetry, no “trust us” backend.

The Solution: Secrets Scanner

Secrets Scanner is a simple Python + FastAPI tool that:

Scans repos for hardcoded secrets, keys, and tokens.

Runs as a pre-commit hook locally (python -m app.cli --staged).

Works as a CLI or self-hosted web app.

Integrates with CI pipelines for an extra safety layer.

Sends optional alerts to Slack when secrets are detected.

Everything runs on your machine or your server — no data leaves your environment.

Quick Demo

Local use:

python -m app.cli --staged

If a secret is found, it blocks your commit with a clear message:

Secret found in .env (STRIPE_SECRET_KEY)

Otherwise:

No secrets found.

You can also deploy the web version (I used Render):

docker build -t secrets-scanner .
docker run -p 8000:8000 --env-file .env secrets-scanner

Then visit:

https://yourdomain.com/ui

to scan any repo (public or private, via OAuth).

Prevent Leaks with Pre-Commit

To integrate with Git hooks:

macOS/Linux

echo '#!/usr/bin/env bash
set -e
python -m app.cli --staged' > .git/hooks/pre-commit
chmod +x .git/hooks/pre-commit

Windows (PowerShell)

echo 'python -m app.cli --staged
if ($LASTEXITCODE -ne 0) { exit 1 }' > .git/hooks/pre-commit.ps1

Now, every time you run git commit, your secrets get scanned automatically.

Why Local-First Matters

There’s a big trust gap in third-party scanning tools.
By keeping everything local and open source, you stay in control of your code.

No API calls, no logging, no vendor lock-in.
You can even host the full service yourself if you want to integrate with a team Slack or private CI setup.

Tech Stack

FastAPI for backend

Python CLI for pre-commit and local scans

httpx for async GitHub API calls

Slack webhooks for alerts

Dockerized for easy self-hosting

Try It Yourself

GitHub: https://github.com/AMOSFinds/secrets-scanner

Live demo: https://secrets-scanner-jlw2.onrender.com/ui or if you want to find out more, visit the homepage: https://secrets-scanner-jlw2.onrender.com

If you’re into DevSecOps or pre-commit automation, I’d love feedback — especially from anyone who’s used GitGuardian or similar SAST tools.