secretscout (npm package; latest version 3.1.0; 1 maintainer; 3 published versions)

Rust-powered secret detection for GitHub Actions - Fast, safe, and efficient CLI tool
SecretScout


A fast, memory-safe CLI tool for detecting secrets, passwords, API keys, and tokens in git repositories, written in Rust.

SecretScout is a Rust rewrite of the gitleaks-action open source project. It wraps the Gitleaks secret scanning engine (the gitleaks binary is fetched on first run) in a Rust CLI and aims to stay fully backward compatible with the original action. The project's own measurements (see Performance below) report roughly 3x faster cold starts and about 60% less memory than the JavaScript v2 action.

Quick Start

Installation

# Install globally
npm install -g secretscout

# Verify installation
secretscout --version

The npm package downloads the correct prebuilt binary for your platform (Linux, macOS Intel, macOS ARM, Windows) at install time. Because this is a network fetch of an executable, treat it like any other post-install download: pin the package version in your lockfile and review what the install step retrieves before rolling it out to CI.

Via cargo (For Rust developers)

# Install from crates.io
cargo install secretscout

# Verify installation
secretscout --version

From Source

# Clone the repository
git clone https://github.com/globalbusinessadvisors/SecretScout.git
cd SecretScout

# Build the CLI tool
cargo build --release

# The binary will be at: target/release/secretscout
./target/release/secretscout --version

Basic Usage

# If installed via npm:
secretscout detect
secretscout detect --source /path/to/repo
secretscout protect --staged
secretscout version

# If built from source:
./target/release/secretscout detect
./target/release/secretscout detect --source /path/to/repo
./target/release/secretscout protect --staged
./target/release/secretscout version

Example: Scan This Repository

# Build SecretScout
cargo build --release

# Scan the SecretScout repository itself
./target/release/secretscout detect --source . --verbose

# Output formats: sarif (default), json, csv, text
./target/release/secretscout detect --report-format json --report-path findings.json

Features

  • Fast - Rust implementation with caching (see the Performance table below for the measured figures)
  • Memory Safe - written in safe Rust, which rules out buffer overflows and use-after-free bugs in the wrapper at compile time
  • Dual Mode - Use as standalone CLI or GitHub Action
  • Pre-commit Hooks - Protect staged changes before commit
  • Multiple Formats - SARIF, JSON, CSV, text output
  • Zero Config - Works out of the box with sensible defaults
  • Easy Install - Available on npm for quick setup

CLI Commands

secretscout detect

Scan a repository for secrets:

secretscout detect [OPTIONS]

Options:
  -s, --source <PATH>              Path to git repository [default: .]
  -r, --report-path <PATH>         Path to write report [default: results.sarif]
  -f, --report-format <FORMAT>     Report format (sarif, json, csv, text) [default: sarif]
      --redact                     Redact secrets in output
      --exit-code <CODE>           Exit code when leaks detected [default: 2]
      --log-opts <OPTS>            Git log options (e.g., "--all", "main..dev")
  -c, --config <PATH>              Path to gitleaks config file
  -v, --verbose                    Enable verbose logging

Examples:

# Basic scan
secretscout detect

# Scan with custom config
secretscout detect --config .gitleaks.toml

# JSON output with verbose logging
secretscout detect -f json -r report.json --verbose

# Scan specific git range
secretscout detect --log-opts "main..feature-branch"

# Full repository scan (all commits)
secretscout detect --log-opts "--all"

secretscout protect

Scan staged changes (pre-commit hook):

secretscout protect [OPTIONS]

Options:
  -s, --source <PATH>     Path to git repository [default: .]
      --staged            Scan staged changes only [default: true]
  -c, --config <PATH>     Path to gitleaks config file
  -v, --verbose           Enable verbose logging

Examples:

# Scan staged changes
secretscout protect --staged

# Use in pre-commit hook
secretscout protect --config .gitleaks.toml

secretscout version

Print version information:

secretscout version

Pre-commit Hook Setup

Manual Setup

Create .git/hooks/pre-commit:

#!/bin/bash
# Uses the globally installed binary (npm or cargo install). If you only
# built from source, replace "secretscout" with ./target/release/secretscout.
# exec makes the hook exit with SecretScout's own exit code (0, 1 or 2).
exec secretscout protect --staged

Make it executable:

chmod +x .git/hooks/pre-commit

Using pre-commit Framework

Add to .pre-commit-config.yaml:

repos:
  - repo: local
    hooks:
      - id: secretscout
        name: SecretScout
        # language: system means the binary must be on PATH (npm or cargo
        # install); use ./target/release/secretscout for a source build.
        entry: secretscout protect --staged
        language: system
        pass_filenames: false

Configuration

SecretScout resolves the gitleaks configuration in this order, using the first one that exists:

  • Path specified with --config
  • .gitleaks.toml in repository root
  • .github/.gitleaks.toml
  • Gitleaks default config

Custom Config Example

Create .gitleaks.toml:

title = "My Gitleaks Config"

[[rules]]
description = "AWS Access Key"
id = "aws-access-key"
regex = '''AKIA[0-9A-Z]{16}'''

[[rules]]
description = "Generic API Key"
id = "generic-api-key"
regex = '''(?i)api[_-]?key['\"]?\s*[:=]\s*['\"]?[a-z0-9]{32,45}['\"]?'''

[allowlist]
# gitleaks treats allowlist paths as regular expressions, not shell globs,
# so "*.test.js" would not be a valid entry.
paths = [
  '''^vendor/''',
  '''^node_modules/''',
  '''\.test\.js$'''
]

GitHub Actions Usage

SecretScout can also run as a GitHub Action:

name: Secret Scan
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: globalbusinessadvisors/SecretScout@v3
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

secrets.GITHUB_TOKEN is the token GitHub provides to every workflow run. If you need reproducible, tamper-evident runs, pin the action to a full commit SHA instead of the mutable v3 tag. See docs/GITHUB_ACTIONS.md for advanced GitHub Actions configuration.

Output Formats

SARIF (Default)

SARIF 2.1.0, the format accepted by GitHub code scanning and most SAST dashboards:

secretscout detect --report-format sarif --report-path results.sarif

JSON

Machine-readable JSON:

secretscout detect --report-format json --report-path findings.json

CSV

Tabular format for spreadsheets:

secretscout detect --report-format csv --report-path secrets.csv

Text

Human-readable text output:

secretscout detect --report-format text --report-path report.txt

Exit Codes

  • 0 - No secrets found (success)
  • 1 - Error occurred (the scan did not complete)
  • 2 - Secrets detected (configurable with --exit-code)

In a CI gate or pre-commit hook, treat both non-zero codes as failure: exit code 1 means the tree was not scanned, not that it is clean.
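To make the Configuration, Output Formats and Exit Codes sections concrete, here is a small Python model of the scan pipeline: the rules and allowlist from the .gitleaks.toml example are applied to a set of files, findings are redacted and written as a SARIF 2.1.0 report, and the exit code is derived as the table above describes. This is an added example, not SecretScout's or gitleaks' own code; Python is used because its re module runs the page's rule regexes as written. The rule and allowlist values are transcribed from the config above (allowlist entries expressed as the regular expressions gitleaks expects), the sample files are constructed for the example, and the AWS key in them is the documented AWS example key rather than a live credential.

```python
"""Model of a gitleaks-style scan: rules + allowlist -> findings -> SARIF -> exit code."""
import json
import re
from dataclasses import dataclass

# Rules transcribed from the .gitleaks.toml example in the Configuration section.
RULES = [
    {"id": "aws-access-key", "description": "AWS Access Key",
     "regex": r"AKIA[0-9A-Z]{16}"},
    {"id": "generic-api-key", "description": "Generic API Key",
     "regex": r"(?i)api[_-]?key['\"]?\s*[:=]\s*['\"]?[a-z0-9]{32,45}['\"]?"},
]
# gitleaks allowlist paths are regular expressions, not globs.
ALLOWLIST_PATHS = [r"^vendor/", r"^node_modules/", r"\.test\.js$"]

# Exit codes as documented in the Exit Codes section.
EXIT_NO_SECRETS, EXIT_ERROR, EXIT_SECRETS_FOUND = 0, 1, 2


@dataclass
class Finding:
    rule_id: str
    path: str
    line: int
    secret: str


def is_allowlisted(path: str, allowlist=ALLOWLIST_PATHS) -> bool:
    """A path is skipped when any allowlist regex matches it."""
    return any(re.search(pattern, path) for pattern in allowlist)


def scan_files(files: dict, rules=RULES, allowlist=ALLOWLIST_PATHS) -> list:
    """files maps repo-relative path -> file contents (in-memory stand-in for a git tree)."""
    compiled = [(rule["id"], re.compile(rule["regex"])) for rule in rules]
    findings = []
    for path, text in files.items():
        if is_allowlisted(path, allowlist):
            continue
        for lineno, line in enumerate(text.splitlines(), start=1):
            for rule_id, regex in compiled:
                for match in regex.finditer(line):
                    findings.append(Finding(rule_id, path, lineno, match.group(0)))
    return findings


def redact(secret: str, keep: int = 4) -> str:
    """Keep a short prefix so a finding is recognisable without reproducing the credential."""
    return secret[:keep] + "*" * (len(secret) - keep)


def to_sarif(findings, rules=RULES, redact_secrets=True) -> dict:
    """Build a minimal SARIF 2.1.0 document; by default secrets are redacted in messages."""
    return {
        "version": "2.1.0",
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "runs": [{
            "tool": {"driver": {
                "name": "secretscout-model",
                "rules": [{"id": r["id"], "shortDescription": {"text": r["description"]}}
                          for r in rules],
            }},
            "results": [{
                "ruleId": f.rule_id,
                "level": "error",
                "message": {"text": f"{f.rule_id}: "
                                    f"{redact(f.secret) if redact_secrets else f.secret}"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": f.path},
                    "region": {"startLine": f.line},
                }}],
            } for f in findings],
        }],
    }


def exit_code(findings, leak_code: int = EXIT_SECRETS_FOUND) -> int:
    """0 when clean, otherwise the (configurable) leak code, mirroring --exit-code."""
    return leak_code if findings else EXIT_NO_SECRETS


# Constructed sample "repository". The AWS key is AWS's documented example key.
SAMPLE_FILES = {
    "src/config.py": 'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'
                     'api_key = "abcdef0123456789abcdef0123456789"\n',
    "vendor/lib.js": 'const apiKey = "abcdef0123456789abcdef0123456789";\n',  # allowlisted
    "app.test.js": 'const key = "AKIAIOSFODNN7EXAMPLE";\n',                   # allowlisted
}

if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    print(json.dumps(to_sarif(found), indent=2))
    raise SystemExit(exit_code(found))
```

Run it and the process exits with code 2 and prints a SARIF report with two redacted findings in src/config.py; the hits in vendor/ and the .test.js file are suppressed by the allowlist, which is exactly the behaviour to double-check when you tune allowlist regexes, since an over-broad pattern silently hides real leaks.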

Building from Source

Prerequisites

A Rust toolchain (cargo), installed via rustup as shown under Troubleshooting below.

Build

# Debug build
cargo build

# Release build (optimized)
cargo build --release

# Run tests
cargo test --all-features

# Run linter
cargo clippy --all-features

# Format code
cargo fmt --all

Install Globally

Choose one of the following methods:

Via npm (Easiest)

# Install from npm registry
npm install -g secretscout

# Use from anywhere
secretscout detect --source ~/projects/my-repo

Via cargo (From crates.io)

# Install from crates.io registry
cargo install secretscout

# Use from anywhere
secretscout detect --source ~/projects/my-repo

From Local Source

# Install from local source directory
cargo install --path secretscout

# Use from anywhere
secretscout detect --source ~/projects/my-repo

Performance

Figures reported by the project, comparing the v3 Rust binary with the v2 JavaScript action (re-measure on your own repositories before relying on them):

Metric          JavaScript v2    Rust v3    Improvement
Cold start      ~25 s            ~8 s       ~3x faster
Warm start      ~12 s            ~5 s       ~2.4x faster
Memory usage    512 MB           200 MB     ~60% less
Binary size     N/A              4.6 MB     single static binary

Security

Built-in security protections:

  • Path traversal prevention
  • Command injection protection when invoking the gitleaks binary
  • Memory safety for the wrapper itself (safe Rust)
  • Secure downloads (HTTPS only) - TLS protects the download in transit; still confirm the fetched gitleaks version is the one you expect, for example with secretscout version
  • Input validation

To report security issues: GitHub Security Advisories

Documentation

Troubleshooting

Binary Not Found

If you see "gitleaks binary not found" on first run, SecretScout downloads the gitleaks engine automatically over HTTPS. This can take 30-60 seconds and requires outbound network access, so expect this step to fail on air-gapped or egress-restricted CI runners.

Permission Errors

Make sure the binary is executable:

chmod +x target/release/secretscout

Rust Not Installed

Install Rust via rustup:

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source $HOME/.cargo/env

Contributing

Contributions welcome! Please:

  • Fork the repository
  • Create a feature branch
  • Write tests for your changes
  • Run cargo test and cargo clippy
  • Submit a pull request

License

MIT License - see LICENSE for details.

Acknowledgments

About This Project

SecretScout is an independent Rust rewrite of the gitleaks-action project, created to provide:

  • Faster startup and lower memory use than the JavaScript action (see the Performance table for the project's measurements)
  • Memory safety for the wrapper through safe Rust
  • Enhanced CLI functionality for standalone usage
  • Backward compatibility with the original project's inputs and behaviour

The original gitleaks-action is available at: https://github.com/gitleaks/gitleaks-action

This project keeps the same functionality while adding performance improvements and new features through a Rust implementation.

Support

Made with Rust

SecretScout v3 - Fast, Safe, Simple Secret Detection

Package last updated on 01 Nov 2025