A blazingly fast, memory-safe CLI tool for detecting secrets, passwords, API keys, and tokens in git repositories. Built with Rust for maximum performance and safety.
SecretScout is a complete Rust rewrite of the gitleaks-action open source project, delivering 10x faster performance with 60% less memory usage while maintaining 100% backward compatibility. It leverages the Gitleaks secret scanning engine with a high-performance Rust wrapper.
```bash
# Install globally
npm install -g secretscout

# Verify installation
secretscout --version
```

The npm package automatically downloads the correct binary for your platform (Linux, macOS Intel, macOS ARM, Windows).
```bash
# Install from crates.io
cargo install secretscout

# Verify installation
secretscout --version
```

```bash
# Clone the repository
git clone https://github.com/globalbusinessadvisors/SecretScout.git
cd SecretScout

# Build the CLI tool
cargo build --release

# The binary will be at: target/release/secretscout
./target/release/secretscout --version
```

```bash
# If installed via npm:
secretscout detect
secretscout detect --source /path/to/repo
secretscout protect --staged
secretscout version

# If built from source:
./target/release/secretscout detect
./target/release/secretscout detect --source /path/to/repo
./target/release/secretscout protect --staged
./target/release/secretscout version
```

```bash
# Build SecretScout
cargo build --release

# Scan the SecretScout repository itself
./target/release/secretscout detect --source . --verbose

# Output formats: sarif (default), json, csv, text
./target/release/secretscout detect --report-format json --report-path findings.json
```

- 10x Faster - Rust-powered performance with intelligent caching
- Memory Safe - Zero buffer overflows, crashes, or memory leaks
- Dual Mode - Use as standalone CLI or GitHub Action
- Pre-commit Hooks - Protect staged changes before commit
- Multiple Formats - SARIF, JSON, CSV, text output
- Zero Config - Works out of the box with sensible defaults
- Easy Install - Available on npm for quick setup
Scan a repository for secrets:
```text
secretscout detect [OPTIONS]

Options:
  -s, --source <PATH>            Path to git repository [default: .]
  -r, --report-path <PATH>       Path to write report [default: results.sarif]
  -f, --report-format <FORMAT>   Report format (sarif, json, csv, text) [default: sarif]
      --redact                   Redact secrets in output
      --exit-code <CODE>         Exit code when leaks detected [default: 2]
      --log-opts <OPTS>          Git log options (e.g., "--all", "main..dev")
  -c, --config <PATH>            Path to gitleaks config file
  -v, --verbose                  Enable verbose logging
```

Examples:

```bash
# Basic scan
secretscout detect

# Scan with custom config
secretscout detect --config .gitleaks.toml

# JSON output with verbose logging
secretscout detect -f json -r report.json --verbose

# Scan specific git range
secretscout detect --log-opts "main..feature-branch"

# Full repository scan (all commits)
secretscout detect --log-opts "--all"
```

Scan staged changes (pre-commit hook):
```text
secretscout protect [OPTIONS]

Options:
  -s, --source <PATH>    Path to git repository [default: .]
      --staged           Scan staged changes only [default: true]
  -c, --config <PATH>    Path to gitleaks config file
  -v, --verbose          Enable verbose logging
```

Examples:

```bash
# Scan staged changes
secretscout protect --staged

# Use in pre-commit hook
secretscout protect --config .gitleaks.toml
```

Print version information:
```bash
secretscout version
```

Create .git/hooks/pre-commit:

```bash
#!/bin/bash
# Git runs hooks from the repository root; this assumes the release binary was built there.
./target/release/secretscout protect --staged
exit $?
```

Make it executable:

```bash
chmod +x .git/hooks/pre-commit
```

Add to .pre-commit-config.yaml:
```yaml
repos:
  - repo: local
    hooks:
      - id: secretscout
        name: SecretScout
        entry: ./target/release/secretscout protect --staged
        language: system
        pass_filenames: false
```

SecretScout auto-detects gitleaks configuration files:

- Path specified with `--config`
- `.gitleaks.toml` in repository root
- `.github/.gitleaks.toml`
- Gitleaks default config
Create .gitleaks.toml:

```toml
title = "My Gitleaks Config"

[[rules]]
description = "AWS Access Key"
id = "aws-access-key"
regex = '''AKIA[0-9A-Z]{16}'''

[[rules]]
description = "Generic API Key"
id = "generic-api-key"
regex = '''(?i)api[_-]?key['\"]?\s*[:=]\s*['\"]?[a-z0-9]{32,45}['\"]?'''

[allowlist]
# Allowlist paths are regular expressions, not globs; a bare "*.test.js" would not compile.
paths = [
  '''vendor/''',
  '''node_modules/''',
  '''.*\.test\.js$'''
]
```

SecretScout can also run as a GitHub Action:
```yaml
name: Secret Scan
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: globalbusinessadvisors/SecretScout@v3
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

See docs/GITHUB_ACTIONS.md for advanced GitHub Actions configuration.

Standards-compliant SARIF 2.1.0 format:

```bash
secretscout detect --report-format sarif --report-path results.sarif
```

Machine-readable JSON:

```bash
secretscout detect --report-format json --report-path findings.json
```

Tabular format for spreadsheets:

```bash
secretscout detect --report-format csv --report-path secrets.csv
```

Human-readable text output:

```bash
secretscout detect --report-format text --report-path report.txt
```

Exit codes:

- 0 - No secrets found (success)
- 1 - Error occurred
- 2 - Secrets detected (configurable with `--exit-code`)
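Before committing the .gitleaks.toml shown earlier, it is worth dry-running its rules and allowlist against a few known-good and known-bad lines so that a typo in a regex or an allowlist entry does not silently disable detection. The following is an added example and not SecretScout or gitleaks code; it copies the two rules from that config, treats allowlist paths as regular expressions (gitleaks semantics) and uses constructed sample files with fake values.

```python
"""Dry-run the rules and allowlist of the .gitleaks.toml shown earlier
against constructed sample files before committing the config.

Added example, not SecretScout or gitleaks code. The rules are copied from
that config; allowlist paths are treated as regular expressions, which is
how gitleaks interprets them. Python's re is close enough to Go's RE2 for
these patterns, but confirm with a real `secretscout detect` run.
"""
import re

RULES = {
    "aws-access-key": r"AKIA[0-9A-Z]{16}",
    "generic-api-key":
        r"(?i)api[_-]?key['\"]?\s*[:=]\s*['\"]?[a-z0-9]{32,45}['\"]?",
}
ALLOWLIST_PATHS = [r"vendor/", r"node_modules/", r".*\.test\.js$"]

# Constructed sample files; every key value below is fake.
SAMPLE_FILES = {
    "src/aws.py": 'AWS_KEY = "AKIAABCDEFGHIJKLMNOP"\n',
    "src/client.js":
        "const api_key = 'a1b2c3d4e5f6a7b8c9d0a1b2c3d4e5f6a7b8';\n",
    "vendor/third_party.py": 'KEY = "AKIAABCDEFGHIJKLMNOP"\n',
    "src/client.test.js":
        "const apiKey = 'a1b2c3d4e5f6a7b8c9d0a1b2c3d4e5f6a7b8';\n",
    "src/readme.txt": "The API key is stored in a vault, not here.\n",
}


def is_allowlisted(path):
    """True when any allowlist regex matches the path (search semantics)."""
    return any(re.search(p, path) for p in ALLOWLIST_PATHS)


def scan(files, rules=RULES):
    """Return [(rule_id, path, line_no)] for every rule hit outside the
    allowlist. The matched text is deliberately not returned, in the
    spirit of what --redact does for report output."""
    compiled = {rid: re.compile(rx) for rid, rx in rules.items()}
    hits = []
    for path, text in files.items():
        if is_allowlisted(path):
            continue
        for no, line in enumerate(text.splitlines(), 1):
            for rid, rx in compiled.items():
                if rx.search(line):
                    hits.append((rid, path, no))
    return hits
```

The vendor copy and the `.test.js` file carry the same fake values as the flagged files but produce no hits, which is exactly the allowlist behaviour a reviewer wants to confirm before the config goes live.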
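A CI job usually wants more than the raw exit code: a per-rule count it can post as a summary, and a gate decision that still honours the "2 means secrets detected" convention above. The script below is an added example, not SecretScout code; it relies only on the standard SARIF 2.1.0 layout (`runs[].results[]` with `ruleId` and `locations[].physicalLocation`), and the report it parses is a constructed sample, not real tool output.

```python
"""Summarise a SecretScout SARIF report and decide a CI gate.

Added example, not part of SecretScout. It relies only on the standard
SARIF 2.1.0 layout (runs[].results[] with ruleId and
locations[].physicalLocation); the report below is constructed.
"""
import json
from collections import Counter

# Constructed sample in SARIF 2.1.0 layout, not real SecretScout output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "gitleaks"}},
        "results": [
            {"ruleId": "aws-access-key",
             "message": {"text": "aws-access-key detected"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "config/settings.py"},
                 "region": {"startLine": 12}}}]},
            {"ruleId": "generic-api-key",
             "message": {"text": "generic-api-key detected"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "vendor/lib.js"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})


def load_findings(sarif_text):
    """Flatten SARIF results into (rule_id, file, line) tuples."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            for loc in res.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "?")
                line = phys.get("region", {}).get("startLine", 0)
                findings.append((res.get("ruleId", "?"), uri, line))
    return findings


def gate(findings, ignore_prefixes=("vendor/", "node_modules/")):
    """Return (exit_code, per_rule_counts): 2 when any finding outside the
    ignored paths remains (SecretScout's default for secrets detected), else 0."""
    kept = [f for f in findings if not f[1].startswith(ignore_prefixes)]
    return (2 if kept else 0), dict(Counter(rule for rule, _, _ in kept))
```

Run the scan with `--redact` so that the SARIF file this script reads never stores the secret value itself; only rule, file and line are needed for triage.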
- Rust 1.90+ (install via rustup)
- Cargo (included with Rust)
```bash
# Debug build
cargo build

# Release build (optimized)
cargo build --release

# Run tests
cargo test --all-features

# Run linter
cargo clippy --all-features

# Format code
cargo fmt --all
```

Choose one of the following methods:

```bash
# Install from npm registry
npm install -g secretscout

# Use from anywhere
secretscout detect --source ~/projects/my-repo
```

```bash
# Install from crates.io registry
cargo install secretscout

# Use from anywhere
secretscout detect --source ~/projects/my-repo
```

```bash
# Install from local source directory
cargo install --path secretscout

# Use from anywhere
secretscout detect --source ~/projects/my-repo
```

SecretScout is built for speed:
| Metric | JavaScript v2 | Rust v3 | Improvement |
|---|---|---|---|
| Cold start | ~25s | ~8s | 3x faster |
| Warm start | ~12s | ~5s | 2.4x faster |
| Memory usage | 512 MB | 200 MB | 60% less |
| Binary size | N/A | 4.6 MB | Optimized |
Built-in security protections:
- Path traversal prevention
- Command injection protection
- Memory safety (Rust guarantees)
- Secure downloads (HTTPS only)
- Input validation
To report security issues: GitHub Security Advisories
- CHANGELOG.md - Version history
- MIGRATION.md - Migration from v2
- CLI Usage Guide - Comprehensive CLI guide
- GitHub Actions Guide - GitHub Actions setup
- Architecture - Technical architecture
If you see "gitleaks binary not found", SecretScout will download it automatically on first run. This may take 30-60 seconds.
Make sure the binary is executable:
```bash
chmod +x target/release/secretscout
```

Install Rust via rustup:

```bash
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source $HOME/.cargo/env
```

Contributions welcome! Please:
- Fork the repository
- Create a feature branch
- Write tests for your changes
- Run `cargo test` and `cargo clippy`
- Submit a pull request
MIT License - see LICENSE for details.
- gitleaks-action - Original open source project that inspired SecretScout
- Gitleaks - Secret scanning engine by @zricethezav
- Rust Community - Excellent tooling and libraries
SecretScout is an independent Rust rewrite of the gitleaks-action project, created to provide:
- 10x Performance Improvement through Rust's zero-cost abstractions
- Memory Safety with zero buffer overflows or memory leaks
- Enhanced CLI functionality for standalone usage
- 100% Backward Compatibility with the original project
The original gitleaks-action is available at: https://github.com/gitleaks/gitleaks-action
This project maintains the same functionality while adding significant performance improvements and new features through a modern Rust implementation.
Made with Rust
SecretScout v3 - Fast, Safe, Simple Secret Detection