Security

Secret Scanning & Guard

secr includes built-in secret detection that runs locally — no network, no auth required. Scan your codebase for leaked credentials and install a pre-commit hook to prevent secrets from ever reaching your repository.

secr scan

Scan files for hardcoded secrets. Works on any directory, no project configuration needed.

Usage
secr scan                     # Scan current directory
secr scan ./src               # Scan specific directory
secr scan --pre-commit        # Scan only git staged files
secr scan --json              # JSON output for CI
secr scan --list-patterns     # Show all detection patterns
secr scan --exclude dist tmp  # Skip additional paths
Option           Type      Required  Description
--pre-commit     flag      No        Scan only git staged files instead of the full directory
--json           flag      No        Output results as JSON (useful for CI pipelines)
--list-patterns  flag      No        Print all detection patterns and exit
--exclude        string[]  No        Additional directories or paths to skip

Exit Codes

Code  Meaning
0     No secrets found
1     Secrets detected (or error)

Detection Patterns

20+ built-in patterns covering the most common secret types:

Provider      Patterns
AWS           Access key IDs (AKIA...), secret key assignments
Stripe        Secret keys (sk_live_...), restricted keys (rk_live_...)
GitHub        Personal access tokens (ghp_...), OAuth tokens, fine-grained tokens
OpenAI        API keys (sk-proj-...)
Anthropic     API keys (sk-ant-...)
Google        API keys (AIza...)
Slack         Bot tokens (xoxb-...), webhook URLs
Database      Connection strings with embedded passwords
Private Keys  RSA, EC, DSA, and OpenSSH private keys
SendGrid      API keys (SG...)
Twilio        API keys (SK...)
npm           Auth tokens (npm_...)
Vercel        API tokens (vercel_...)
Generic       secret=, password=, token= assignments in code

Redaction

When secrets are found, values are redacted in the output. The first 4 and last 4 characters are shown, with the middle masked with asterisks.

Example output
WARNING: Potential secret found
  File: src/config.ts:12
  Type: AWS Access Key
  Value: AKIA****7X2Q
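As an added illustration (not secr's own code) of the pattern families listed above and the redaction format described in this section, the following script applies a few approximate regexes to a constructed sample file and prints findings in the same shape as the example output. The regexes, the sample file contents and the fixed four-asterisk mask are assumptions made for this example, not secr's actual patterns.

```javascript
// Added illustration, not secr's own code: apply a few of the pattern families
// listed above to file contents and redact each hit the way the page describes.
// The regexes are approximations written for this example, not secr's patterns.
const PATTERNS = [
  { type: 'AWS Access Key', re: /\bAKIA[0-9A-Z]{16}\b/g },
  { type: 'Stripe Secret Key', re: /\bsk_live_[0-9A-Za-z]{8,}\b/g },
  { type: 'GitHub Token', re: /\bghp_[0-9A-Za-z]{20,}\b/g },
  // Generic assignment: capture group 1 holds the assigned value.
  { type: 'Generic Assignment', re: /\b(?:secret|password|token)\s*=\s*["']([^"']{8,})["']/gi },
];

// Show the first 4 and last 4 characters; mask the middle with a fixed "****"
// as in the page's sample output, so the mask does not leak the secret's length.
function redact(value) {
  if (value.length <= 8) return '*'.repeat(value.length);
  return value.slice(0, 4) + '****' + value.slice(-4);
}

// Scan one file's text line by line; returns {location, type, value} findings.
function scanText(file, text) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    for (const { type, re } of PATTERNS) {
      re.lastIndex = 0; // reset the cursor of the global regex for each line
      let m;
      while ((m = re.exec(line)) !== null) {
        const raw = m[1] !== undefined ? m[1] : m[0];
        findings.push({ location: `${file}:${idx + 1}`, type, value: redact(raw) });
      }
    }
  });
  return findings;
}

// Render findings in the same shape as the page's example output.
function formatFindings(findings) {
  return findings.map(f =>
    `WARNING: Potential secret found\n  File: ${f.location}\n  Type: ${f.type}\n  Value: ${f.value}`
  ).join('\n\n');
}

// Constructed sample file (placeholder credentials, not live ones).
const SAMPLE = [
  "const region = 'us-east-1';",
  "const awsKey = 'AKIAIOSFODNN7EXAMPLE';",
  "password = 'hunter2-not-long'",
  "const ok = process.env.API_TOKEN;",
].join('\n');
console.log(formatFindings(scanText('src/config.ts', SAMPLE)));
```

Reading the value from an environment variable, as on the last sample line, produces no finding, which is the pattern the hook is meant to push developers toward.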

Skipped Files

The scanner automatically skips files that are unlikely to contain meaningful secrets:

  • Binary files
  • node_modules/
  • .git/
  • dist/ and build/
  • Lock files (package-lock.json, yarn.lock, etc.)
  • Files larger than 1 MB

secr guard

Install a git pre-commit hook that automatically scans staged files before every commit.

Commands
secr guard install            # Install the pre-commit hook
secr guard install --force    # Overwrite an existing hook
secr guard uninstall          # Remove the pre-commit hook
secr guard status             # Check if the hook is installed

How It Works

  1. secr guard install writes a shell script to .git/hooks/pre-commit
  2. On every git commit, the hook runs secr scan --pre-commit
  3. If secrets are found, the commit is blocked (exit 1)
  4. If clean, the commit proceeds normally

CI Integration

Run secret scanning in your CI pipeline to catch secrets before they reach your default branch.

GitHub Actions

.github/workflows/scan.yml
name: Secret Scan
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan for secrets
        run: npx @secr/cli scan --json

GitLab CI

.gitlab-ci.yml
scan-secrets:
  image: node:20-alpine
  script:
    - npx @secr/cli scan --json

Pre-commit Framework (Python ecosystem)

.pre-commit-config.yaml
repos:
  - repo: local
    hooks:
      - id: secr-scan
        name: secr secret scan
        entry: npx @secr/cli scan --pre-commit
        language: system
        pass_filenames: false

Gitignore Check

In addition to scanning file contents, secr scan checks whether .env files are listed in your .gitignore. If they are not, a warning is displayed prompting you to add them.

Protect your codebase today

npx @secr/cli scan