Zayan Mohamed
I was tired of noisy secret scanners, so I built a smarter one in Go (SecScan v2.2)

We have all had that moment.

You are deep in the flow, tweaking a config file, and you run git add . && git commit -m "quick fix" && git push. Five seconds later, the realization hits you: you just pushed your AWS access key to a public repository.

It’s a rite of passage for developers, but the cleanup is a nightmare.

The Problem with Existing Tools

To solve this, I started using various open-source secret scanners in my CI/CD pipelines. They work, but they often suffer from one major flaw: noise.

Many scanners rely heavily on regular expressions (regex). Regex is great for finding patterns like AKIA..., but it’s terrible at understanding context. High-entropy strings inside unit tests, build artifacts, or vendor files often get flagged as "critical secrets," flooding the logs with false positives.

When a tool cries wolf too often, developers stop listening. I wanted something faster, smarter, and designed specifically for modern Go workflows.

So, I built SecScan.

Meet SecScan v2.1: Smarter Detection with Entropy

SecScan is an open-source, fast secret scanner written in Go.

While v1.0 was a basic regex matcher, the newly released v2.1 introduces a significant upgrade in how it detects potential secrets: Shannon Entropy Analysis.

How it Works (The Technical Bit)

Instead of just looking for a pattern like "ApiKey=", SecScan analyzes the randomness of a string. Real secrets (like high-entropy cryptographic keys) look mathematically very different from standard code variable names.

By calculating the Shannon entropy score of suspect strings, SecScan can differentiate between:

  • const genericString = "abcdefghijklmnop" (Low entropy, likely safe)
  • const actualSecret = "x7y8z9a0b1c2d3e4f5g6" (High entropy, flagged for review)

This approach, combined with an improved ruleset, has reduced false positives by nearly 95% in my tests compared to standard regex matching.

Key Features in v2.1

I designed SecScan to fit seamlessly into a developer's daily workflow:

  • Blazing Fast (Go): Compiled into a single binary, it scans thousands of files in seconds. Perfect for pre-commit hooks or CI pipelines.
  • 🧠 Smart Deduplication: It tracks findings by hash. If you committed a secret 10 commits ago, it won't report the same secret 10 times; it reports the unique finding.
  • 📂 Gitignore Aware: It automatically reads your .gitignore files to skip build artifacts, node_modules, and vendor directories without extra configuration.
  • 🛡️ 20+ Built-in Patterns: Out-of-the-box detection for AWS, Stripe, GitHub, Slack, Database connection strings, and more.
  • 🔧 Highly Configurable: Adjust entropy thresholds or add custom regex rules via TOML.
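To make the entropy score from the "How it Works" section and the hash-based deduplication and ignore handling from the feature list concrete, here is an added Go example. It is not SecScan's own code: the quoted-literal tokenizer, the 3.5 bits-per-character threshold, the minimum length, the ignored-directory list and the two sample files are all assumptions constructed for the illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math"
	"regexp"
	"strings"
)

// ShannonEntropy returns the per-character Shannon entropy of s in bits:
// H = -sum over distinct characters c of p(c) * log2(p(c)).
// A string of one repeated character scores 0; a 16-character string made
// of 16 distinct characters scores exactly 4.
func ShannonEntropy(s string) float64 {
	if s == "" {
		return 0
	}
	counts := make(map[rune]int)
	total := 0
	for _, r := range s {
		counts[r]++
		total++
	}
	var h float64
	for _, n := range counts {
		p := float64(n) / float64(total)
		h -= p * math.Log2(p)
	}
	return h
}

// Finding is one candidate secret. Fingerprint is the SHA-256 of the matched
// value, so the same secret found in several files or commits is reported once.
type Finding struct {
	Path        string
	Line        int
	Value       string
	Entropy     float64
	Fingerprint string
}

// candidateRe extracts double-quoted literals of 8+ non-space characters.
// This tokenizer is an assumption for the example, not the tool's own.
var candidateRe = regexp.MustCompile(`"([^"\s]{8,})"`)

// ignoredPrefixes is a constructed stand-in for reading .gitignore:
// files under these directories are skipped entirely.
var ignoredPrefixes = []string{"vendor/", "node_modules/", "build/"}

// Scanner holds the tunable thresholds and the deduplication set.
type Scanner struct {
	MinLength int
	Threshold float64 // bits per character; 3.5 is a common starting point
	seen      map[string]bool
}

func NewScanner(minLen int, threshold float64) *Scanner {
	return &Scanner{MinLength: minLen, Threshold: threshold, seen: map[string]bool{}}
}

// ScanFile returns the not-yet-reported high-entropy literals in content.
func (sc *Scanner) ScanFile(path, content string) []Finding {
	for _, p := range ignoredPrefixes {
		if strings.HasPrefix(path, p) {
			return nil // build artifact or vendored code: never scanned
		}
	}
	var out []Finding
	for i, line := range strings.Split(content, "\n") {
		for _, m := range candidateRe.FindAllStringSubmatch(line, -1) {
			val := m[1]
			if len(val) < sc.MinLength {
				continue // too short to be a credential worth reporting
			}
			h := ShannonEntropy(val)
			if h < sc.Threshold {
				continue // ordinary word or identifier: uneven character mix
			}
			sum := sha256.Sum256([]byte(val))
			fp := hex.EncodeToString(sum[:])
			if sc.seen[fp] {
				continue // same secret already reported from another location
			}
			sc.seen[fp] = true
			out = append(out, Finding{Path: path, Line: i + 1, Value: val, Entropy: h, Fingerprint: fp})
		}
	}
	return out
}

// Constructed sample files; the token is made up for this example.
const sampleConfig = `package app

const name = "configuration"
const token = "aB3dE9fG2hJ4kL7mN0pQ"
`

const sampleBackup = `package app

const oldToken = "aB3dE9fG2hJ4kL7mN0pQ"
`

func main() {
	sc := NewScanner(12, 3.5)
	files := []struct{ path, body string }{
		{"config.go", sampleConfig},
		{"backup.go", sampleBackup},     // same token again: deduplicated away
		{"vendor/lib.go", sampleConfig}, // ignored directory: skipped
	}
	for _, f := range files {
		for _, fd := range sc.ScanFile(f.path, f.body) {
			// Print only a prefix of the value so the report itself does not leak the secret.
			fmt.Printf("%s:%d entropy=%.2f value=%s... fingerprint=%s\n",
				fd.Path, fd.Line, fd.Entropy, fd.Value[:4], fd.Fingerprint[:12])
		}
	}
}
```

Running it reports the token once, from config.go, and nothing from the backup copy or the vendored path. One caveat worth keeping in mind when tuning the threshold: per-character Shannon entropy only measures how evenly characters are distributed, not whether they appear in a predictable order, so a string that walks through the alphabet once scores the same as a random string of the same length. That is one reason a scanner layers a ruleset and context checks on top of the raw score rather than relying on it alone.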

Try It Out

SecScan is fully open-source. You can install the latest version with a single Go command:

go install github.com/Zayan-Mohamed/secscan@latest


Once installed, just navigate to any project root and run:

# Run a basic scan
secscan

# Run verbose mode to see what's being skipped
secscan --verbose


I’m actively looking for feedback from the community. If you give it a spin, let me know what you think or open an issue on the repo!

Link to GitHub Repository
