I built Sentinel: A blazing fast, regex-free secret scanner in Go 🛡️

Khaled Hani — Sun, 28 Jun 2026 02:55:34 +0000

If you’ve ever used standard secret scanners (like Gitleaks or TruffleHog) in a heavy CI/CD pipeline, you’ve probably hit the "Catastrophic Backtracking" wall. A massive minified JS file slips in, the regex engine chokes, and your pipeline freezes.

I got extremely frustrated with the performance bottlenecks and false positives, so I decided to rewrite the architecture from scratch.

Meet Sentinel, an enterprise-grade, ultra-fast pre-commit scanner written in Go.

🔥 How it’s different:

Aho-Corasick Engine: Instead of relying purely on Regex, the core engine uses an Aho-Corasick automaton. It scans massive payloads in strict O(n) linear time.
Pre-Decoding Layer: It detects Base64 strings in-memory, decodes them dynamically, and feeds them back into the entropy pipeline to catch nested K8s/GCP keys.
Blob Aggregation: Multi-line certs (like JKS or PEM) are aggregated into a single CRITICAL alert instead of blasting you with 50 lines of fragmented noise.
100% Silent: Zero "skipping binary file" logs. It acts as a true silent guardian—natively using git ls-files for traversal.

📊 The Doomsday Benchmark

I built a "Doomsday Payload" (15MB of compressed minified strings mixed with 100+ structural baits like UPPER_SNAKE_CASE constants).
Result: Sentinel ripped through it in ~1.5s with a flawless 100% signal-to-noise ratio.

It is fully open-source under the AGPL-3.0 license. I'd love for the community to try it out, read the code, and give me some harsh feedback!

GitHub Repo: https://github.com/sentinel-cli/sentinel

DEV Community: Khaled Hani

I built Sentinel: A blazing fast, regex-free secret scanner in Go 🛡️

🔥 How it’s different:

📊 The Doomsday Benchmark