
secret-hunter
A powerful CLI tool to scan your codebase for exposed API keys, secrets, and sensitive information
Lightning-fast secret detection for secure development
A powerful CLI tool that scans your codebase for exposed API keys, secrets, and sensitive information with zero configuration required.
| Feature | Description |
|---|---|
| Lightning Fast | Scans thousands of files in seconds with optimized algorithms |
| Smart Detection | AI-powered pattern matching with minimal false positives |
| Comprehensive | Detects API keys, tokens, database URLs, private keys and more |
| Rich Reports | Beautiful CLI output with file locations and security recommendations |
| Zero Config | Works out of the box with intelligent defaults - no setup required |
| Smart Filtering | Automatically ignores irrelevant files and directories |
| Beautiful UI | Colorized output with progress indicators and clear formatting |
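Choose your preferred installation method:

```bash
# Install globally with npm
npm install -g secret-hunter

# Or install globally with Yarn
yarn global add secret-hunter

# Or run without installing
npx secret-hunter

# Or install from source
git clone https://github.com/itsAnuragsingh/secret-hunter.git
cd secret-hunter
npm install
npm link
```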
```bash
# Navigate to your project directory
cd your-project
# Run the scanner
secret-hunter
```
```text
Starting secret scan...
Found 1,247 files to scan
Scanning for secrets...
SECRET HUNTER REPORT
==================================================
SCAN SUMMARY
------------------------------
Total files scanned: 1,247
Total secrets found: 3
Files with secrets: 2
Secret types found: 2
DETAILED FINDINGS
------------------------------
File 1: src/config/database.js
────────────────────────────────────────────────────────────
1. MongoDB Connection String
Line: 12
Code: const dbUrl = "mongodb://user:password@localhost:27017/myapp"
File 2: .env.example
────────────────────────────────────────────────────────────
1. OpenAI API Key
Line: 5
Code: OPENAI_API_KEY=sk-1234567890abcdef...
2. Stripe Secret Key
Line: 8
Code: STRIPE_SECRET_KEY=sk_live_1234567890abcdef...
RECOMMENDATIONS
------------------------------
1. Remove hardcoded secrets from your code
2. Use environment variables (.env files)
3. Add .env to your .gitignore
4. Use secret management tools for production
==================================================
Scan completed successfully!
```
- `sk-...`
- `AIza...`
- `sk-ant-...`
- `ghp_...`
- `AKIA...`
What it does: Automatically scans your code before every Git commit. If secrets are found, it blocks the commit.

Setup Instructions:

Create the hook file:

```bash
# Navigate to your project
cd your-project
# Create the pre-commit hook
touch .git/hooks/pre-commit
chmod +x .git/hooks/pre-commit
```

Add this content to `.git/hooks/pre-commit`:

```sh
#!/bin/sh
echo "Scanning for secrets before commit..."
secret-hunter
# A non-zero exit status from the scanner aborts the commit
if [ $? -ne 0 ]; then
  echo "Secrets detected! Please remove them before committing."
  exit 1
fi
echo "No secrets found. Commit allowed."
```

How it works: Every time you run `git commit`, it will automatically scan your code first!
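The hook above scans the files on disk, which can differ from what is actually staged for the commit. The following variant is an added example, not part of the secret-hunter README: it exports the staged snapshot with `git checkout-index` and runs the scanner there. `scan_staged` is a hypothetical helper name, and the script assumes the scanner scans the current directory and exits non-zero on findings, as the hook above relies on.

```shell
#!/bin/sh
# Added example (not from the secret-hunter project): pre-commit hook that
# scans the staged snapshot instead of the working tree.
# Assumption: the scanner scans the current directory and exits non-zero
# when it finds secrets.

# scan_staged [scanner-command]
# Returns the scanner's exit status for the files exactly as staged.
# Returns 2 if the snapshot could not be created.
scan_staged() {
    scanner="${1:-secret-hunter}"
    snapshot=$(mktemp -d) || return 2

    # Write every file in the index, as staged, under the temp directory.
    # The trailing slash on --prefix is required.
    if ! git checkout-index --all --prefix="$snapshot/"; then
        rm -rf "$snapshot"
        return 2
    fi

    # Run the scanner inside the snapshot, in a subshell so the caller's
    # working directory is untouched. "|| status=$?" keeps this safe
    # under "set -e".
    status=0
    ( cd "$snapshot" && "$scanner" ) || status=$?

    rm -rf "$snapshot"
    return "$status"
}

# Run the check only when this file is installed as .git/hooks/pre-commit.
case "$0" in
    */pre-commit)
        if ! scan_staged; then
            echo "Secrets detected in staged files. Commit blocked." >&2
            exit 1
        fi
        ;;
esac
```

Git hooks live outside version control and `git commit --no-verify` skips them, so run the same scan in CI as well.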
This project is licensed under the MIT License - see the LICENSE file for details.
Maintained by Anurag Singh · LinkedIn · Twitter/X
Built with ❤️ for developers who care about security
FAQs
The npm package secret-hunter receives a total of 11 weekly downloads. As such, secret-hunter popularity was classified as not popular.
We found that secret-hunter demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.