SecretHawk is a local-only defensive secret scanner for repositories. It detects likely exposed tokens using curated regexes and entropy scoring, masks sensitive values in output, and can emit SARIF for code-scanning integrations.
It does not transmit findings anywhere and it does not validate secrets against external services.
- Detects common token shapes such as AWS access key IDs, GitHub tokens, Slack tokens, private key headers, and generic assignments.
- Uses Shannon entropy to catch unknown high-randomness tokens.
- Masks matched values so terminal logs do not leak secrets.
- Supports inline allowlisting with `secrethawk: allow`.
- Produces table, JSON, or SARIF output.
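The detection pipeline the feature list describes (regex rules for known token shapes, Shannon entropy for unknown ones, masking in output, and inline `secrethawk: allow` suppression) fits in a few dozen lines. The block below is an added, self-contained illustration written for this README; it is not SecretHawk's own code, and the rule names, regexes, the 4.5 bits/character threshold, the 24-character candidate length and the keep-four-characters mask policy are all assumptions chosen for the example. The sample input is constructed; the AWS key ID in it is the placeholder from AWS's own documentation.

```python
import math
import re
from dataclasses import dataclass

# Hypothetical rule set: one regex per well-known token shape. Group 1 is the
# value that gets masked and reported. These are not SecretHawk's rules.
RULES = {
    "aws-access-key-id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github-token": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "slack-token": re.compile(r"\b(xox[baprs]-[A-Za-z0-9-]{10,})\b"),
    "private-key-header": re.compile(
        r"(-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----)"),
    "generic-assignment": re.compile(
        r"""(?i)(?:secret|token|password|api[_-]?key)\s*[:=]\s*['"]?([A-Za-z0-9_\-/+=]{16,})"""),
}
# Candidates for entropy scoring: long runs of base64/url-safe characters.
# 24 is the assumed minimum length: max entropy of an n-char string is
# log2(n), so shorter strings could never reach the threshold below.
CANDIDATE = re.compile(r"[A-Za-z0-9+/_\-]{24,}")
ENTROPY_THRESHOLD = 4.5  # bits per character (assumed tuning)
ALLOW_MARKER = "secrethawk: allow"


@dataclass
class Finding:
    rule_id: str
    path: str
    line: int
    masked: str  # only the masked form is ever stored or printed


def shannon_entropy(s: str) -> float:
    """Bits per character: -sum(p * log2(p)) over the character distribution."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(value: str, keep: int = 4) -> str:
    """Keep a short prefix for triage, replace the rest with asterisks."""
    if len(value) <= 2 * keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def _overlaps(span, covered) -> bool:
    return any(s < span[1] and span[0] < e for s, e in covered)


def scan_text(text: str, path: str = "<memory>") -> list:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:          # inline allowlist: skip whole line
            continue
        covered = []                      # spans already claimed on this line
        for rule_id, pattern in RULES.items():
            for m in pattern.finditer(line):
                if _overlaps(m.span(1), covered):
                    continue              # a more specific rule already fired
                covered.append(m.span(1))
                findings.append(Finding(rule_id, path, line_no, mask(m.group(1))))
        # Entropy pass only over strings no regex rule claimed.
        for m in CANDIDATE.finditer(line):
            if _overlaps(m.span(), covered):
                continue
            if shannon_entropy(m.group()) >= ENTROPY_THRESHOLD:
                covered.append(m.span())
                findings.append(Finding("high-entropy-string", path, line_no, mask(m.group())))
    return findings


# Constructed sample: one line per behaviour worth seeing.
SAMPLE = """\
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
GITHUB_TOKEN=ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8
password = "hunter2hunter2hunter2"
session = "q8Zr2Lm9Xv4Kp7Wt3Yn6Bh1Jd5Gf0ScV"
checksum = "0123456789abcdef0123456789abcdef"
api_key = "AKIAIOSFODNN7EXAMPLE"  # secrethawk: allow
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE, "sample.txt"):
        print(f"{f.path}:{f.line}  {f.rule_id:<22} {f.masked}")
```

Two details carry the precision the feature list talks about: the regex pass runs first and claims its spans, so the entropy pass never double-reports a GitHub token as a "high-entropy string", and the 32-character hex checksum on line 5 scores exactly 4.0 bits/character and stays below the threshold while the 32 distinct-character value on line 4 scores 5.0 and is reported. Nothing but the masked form is ever stored in a `Finding`, which is what keeps the terminal log from becoming a second leak.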
Local setup (PowerShell):

```powershell
python -m venv .venv
.\.venv\Scripts\Activate.ps1
pip install -e . pytest
secrethawk scan samples
pytest
```

Use `--fail-on-findings` in CI when any finding should block a build. Machine-readable output:

```powershell
secrethawk scan . --json
secrethawk scan . --sarif reports\secrethawk.sarif
```

- Secret scanning belongs in developer workflows before code reaches production.
- Findings are masked by default to avoid creating a second leak in logs.
- Entropy catches unknown tokens, while regexes keep precision high for known formats.
- SARIF output makes the project feel CI/CD ready.
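What a code-scanning integration actually consumes from the `--sarif` option is a SARIF 2.1.0 log: a `tool.driver` with a rule list, and one `result` per finding pointing at a file and line. The block below is an added example of emitting that shape from already-masked findings; it is not SecretHawk's own writer, the finding dictionaries are constructed, and the tool name, version and rule descriptions are placeholders. It normalises Windows paths to forward slashes, since `artifactLocation.uri` is a URI, and it only ever writes the masked value into the message, so the SARIF file cannot become another copy of the secret.

```python
import json
from pathlib import Path

# Constructed findings, as a scanner would hand them over: masked text only.
FINDINGS = [
    {"rule_id": "aws-access-key-id", "path": "config/settings.py", "line": 12,
     "masked": "AKIA****************"},
    {"rule_id": "high-entropy-string", "path": "scripts/deploy.sh", "line": 3,
     "masked": "q8Zr****************************"},
    {"rule_id": "aws-access-key-id", "path": "docs\\notes.md", "line": 40,
     "masked": "AKIA****************"},
]

# Placeholder descriptions; a real scanner would carry these with its rules.
RULE_DESCRIPTIONS = {
    "aws-access-key-id": "AWS access key ID",
    "high-entropy-string": "High-entropy string (possible unknown token)",
}


def to_sarif(findings, tool_name="secrethawk-example", tool_version="0.0.0"):
    """Build a minimal SARIF 2.1.0 document from masked findings."""
    rule_ids = sorted({f["rule_id"] for f in findings})
    rule_index = {rid: i for i, rid in enumerate(rule_ids)}
    rules = [
        {"id": rid, "shortDescription": {"text": RULE_DESCRIPTIONS.get(rid, rid)}}
        for rid in rule_ids
    ]
    results = []
    for f in findings:
        results.append({
            "ruleId": f["rule_id"],
            "ruleIndex": rule_index[f["rule_id"]],   # index into driver.rules
            "level": "error",
            # Masked value only; the raw secret never reaches the report.
            "message": {"text": f"Possible secret ({f['rule_id']}): {f['masked']}"},
            "locations": [{
                "physicalLocation": {
                    "artifactLocation": {
                        # URIs use forward slashes; relative to the repo root.
                        "uri": f["path"].replace("\\", "/"),
                        "uriBaseId": "%SRCROOT%",
                    },
                    "region": {"startLine": f["line"]},   # 1-based
                }
            }],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version, "rules": rules}},
            "results": results,
        }],
    }


def write_sarif(findings, out_path):
    """Serialise to disk, creating the parent directory (e.g. reports\\) if needed."""
    path = Path(out_path)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(to_sarif(findings), indent=2), encoding="utf-8")
    return path


if __name__ == "__main__":
    print(json.dumps(to_sarif(FINDINGS), indent=2))
```

Keeping `ruleIndex` consistent with the order of `driver.rules` is the part most hand-rolled writers get wrong; sorting the rule IDs once and deriving both the rule list and the index map from that order makes it impossible for them to drift apart.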