
Reconly-Labs/codesecret


CodeSecret v2

CodeSecret v2 is an open-source security CLI that scans local repositories or Git URLs for exposed secrets using TruffleHog, detects the project technology stack, runs static pipeline security checks, and produces both machine-readable and executive-ready reports.

Features

  • Open-source Go CLI for repository secret exposure analysis
  • TruffleHog-powered secret detection with structured normalization
  • Commit-history scanning support (--history=true by default)
  • Pipeline static analysis mode (--pipeline) with CI/CD hardening checks
  • Technology fingerprinting for context-aware reporting
  • Professional PDF report with risk score, findings detail, technologies, and remediation
  • Clean terminal UX with tables for scan and scanme summaries

Quick Start

./setup.sh

Or build manually:

go mod tidy
go build -o ./bin/codesecret ./cmd/codesecret

Usage

Scan one repo/directory

./bin/codesecret scan --target /path/to/repo
./bin/codesecret scan --target https://github.com/org/repo
# history scan is enabled by default
./bin/codesecret scan --target https://github.com/org/repo --history=false
# run CodeSecret v2 pipeline checks
./bin/codesecret scan --target /path/to/repo --pipeline

Output is written to:

out/{repo_name}/

Scan all repositories for authenticated GitHub user

./bin/codesecret scanme --max-repos 100
# disable commit-history scan for faster execution if needed
./bin/codesecret scanme --max-repos 100 --history=false
# run pipeline checks for each scanned repo
./bin/codesecret scanme --max-repos 100 --pipeline

Output is written to:

out/{username}/{repo_name}/

Aggregate files:

  • out/{username}/scanme-summary.json
  • out/{username}/scanme-report.txt

CLI Modes

  • Default: banner + concise INFO logs + final tables
  • --silent: progress/final tables only (no banner/log lines)
  • --history (default true): includes git commit history scan using TruffleHog git mode
  • --pipeline (default false): enables CodeSecret v2 static pipeline security checks

Reports

Each scan generates:

  • summary.json
  • secrets.json
  • remediation.json
  • codesecret-report.pdf

Pipeline findings are included in the same reports (secrets.json, summary.json, and PDF) with source_type: "pipeline".
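The "structured normalization" step between TruffleHog's raw output and secrets.json is not shown on the page, so here is an added illustration of what it involves; this is example code, not CodeSecret's own implementation. It assumes TruffleHog v3's JSON-lines output (field names such as SourceMetadata.Data.Git, DetectorName, Verified and Raw are taken from that format, but treat them as an assumption and check them against the TruffleHog version you run), a hypothetical Finding schema, a severity mapping (verified secret = CRITICAL, unverified = HIGH) and risk-score weights that are all the author's choices here, not the project's. The sample TruffleHog lines are constructed; the AWS key is the documented AKIAIOSFODNN7EXAMPLE placeholder.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// truffleHit mirrors the TruffleHog v3 JSON fields this example consumes
// (field names are an assumption drawn from the v3 output format).
type truffleHit struct {
	DetectorName   string `json:"DetectorName"`
	Verified       bool   `json:"Verified"`
	Raw            string `json:"Raw"`
	SourceMetadata struct {
		Data struct {
			Git *struct {
				Commit string `json:"commit"`
				File   string `json:"file"`
				Line   int    `json:"line"`
			} `json:"Git"`
			Filesystem *struct {
				File string `json:"file"`
				Line int    `json:"line"`
			} `json:"Filesystem"`
		} `json:"Data"`
	} `json:"SourceMetadata"`
}

// Finding is a hypothetical normalized record for secrets.json. Only a
// redacted form of the secret is kept, so the report itself never leaks it.
type Finding struct {
	SourceType string `json:"source_type"` // "trufflehog" here, "pipeline" for static checks
	Detector   string `json:"detector"`
	Severity   string `json:"severity"`
	File       string `json:"file"`
	Line       int    `json:"line"`
	Commit     string `json:"commit,omitempty"`
	Redacted   string `json:"redacted"`
	Verified   bool   `json:"verified"`
}

// redact keeps the first and last four characters so an operator can
// recognise which credential is meant without the report containing it.
func redact(s string) string {
	if len(s) <= 8 {
		return strings.Repeat("*", len(s))
	}
	return s[:4] + strings.Repeat("*", len(s)-8) + s[len(s)-4:]
}

// NormalizeTruffleHog converts JSON-lines TruffleHog output into Findings,
// handling both git-mode and filesystem-mode source metadata.
func NormalizeTruffleHog(jsonl string) ([]Finding, error) {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(jsonl))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var hit truffleHit
		if err := json.Unmarshal([]byte(line), &hit); err != nil {
			return nil, fmt.Errorf("parse trufflehog line: %w", err)
		}
		f := Finding{SourceType: "trufflehog", Detector: hit.DetectorName,
			Verified: hit.Verified, Redacted: redact(hit.Raw), Severity: "HIGH"}
		if hit.Verified { // a live, verified credential is the worst case
			f.Severity = "CRITICAL"
		}
		switch {
		case hit.SourceMetadata.Data.Git != nil:
			g := hit.SourceMetadata.Data.Git
			f.File, f.Line, f.Commit = g.File, g.Line, g.Commit
		case hit.SourceMetadata.Data.Filesystem != nil:
			fs := hit.SourceMetadata.Data.Filesystem
			f.File, f.Line = fs.File, fs.Line
		}
		out = append(out, f)
	}
	return out, sc.Err()
}

// RiskScore sums per-severity weights (assumed values) and caps at 100.
func RiskScore(findings []Finding) int {
	weights := map[string]int{"CRITICAL": 40, "HIGH": 20, "MEDIUM": 10, "INFO": 1}
	score := 0
	for _, f := range findings {
		score += weights[f.Severity]
	}
	if score > 100 {
		score = 100
	}
	return score
}

// Constructed sample of two TruffleHog findings: one from git history, one from the working tree.
const sampleTruffleHogOutput = `{"SourceMetadata":{"Data":{"Git":{"commit":"abc123","file":"config/prod.env","line":7}}},"DetectorName":"AWS","Verified":true,"Raw":"AKIAIOSFODNN7EXAMPLE"}
{"SourceMetadata":{"Data":{"Filesystem":{"file":"notes.txt","line":2}}},"DetectorName":"Slack","Verified":false,"Raw":"xoxb-constructed-sample-token"}
`

func main() {
	findings, err := NormalizeTruffleHog(sampleTruffleHogOutput)
	if err != nil {
		panic(err)
	}
	b, _ := json.MarshalIndent(findings, "", "  ") // what would go into secrets.json
	fmt.Println(string(b))
	fmt.Println("risk score:", RiskScore(findings))
}
```

Pipeline findings from the static checks would be appended to the same slice with SourceType "pipeline" before the summary is written, which is why both kinds of finding can share one secrets.json and one PDF.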

CodeSecret v2 Pipeline Checks (--pipeline)

All checks are file-based static analysis and run on repository files only (no API calls or authentication needed).

  1. CRITICAL Secrets echoed in workflow commands
  2. HIGH Unpinned third-party Actions
  3. HIGH Overprivileged GITHUB_TOKEN permissions
  4. CRITICAL Secrets in Dockerfiles
  5. MEDIUM Missing or weak .dockerignore
  6. MEDIUM Deploy-on-push without PR gate signal (branch protection inference)
  7. CRITICAL Hardcoded credentials in CI config files
  8. INFO Self-hosted runner indicator (reported as low-severity risk signal)
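To make the file-based nature of these checks concrete, here is an added example of how checks 1 through 4 can be implemented as line-oriented static analysis over a workflow file and a Dockerfile. This is illustrative code written for this page, not CodeSecret's own checker: the regular expressions, the check names, the PipelineFinding schema, the treatment of the `actions` and `github` owners as first-party, and the rule that an ENV/ARG only counts when it carries an inline value are all assumptions. The workflow and Dockerfile inputs are constructed samples.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// PipelineFinding is one static-analysis result (hypothetical schema,
// following the page's source_type: "pipeline" convention).
type PipelineFinding struct {
	SourceType string `json:"source_type"`
	Check      string `json:"check"`
	Severity   string `json:"severity"`
	File       string `json:"file"`
	Line       int    `json:"line"`
	Evidence   string `json:"evidence"` // identifier only, never a secret value
}

var (
	// Check 1: a run step that echoes a ${{ secrets.X }} expression into the job log.
	reEchoSecret = regexp.MustCompile(`echo\b.*\$\{\{\s*(secrets\.[A-Za-z0-9_]+)`)
	// Check 2: uses: owner/repo[/path]@ref; the ref must be a full commit SHA.
	reUses    = regexp.MustCompile(`uses:\s*([A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)(?:/[^@\s]+)?@(\S+)`)
	reFullSHA = regexp.MustCompile(`^[0-9a-f]{40}$`)
	// Check 3: blanket write permissions for GITHUB_TOKEN at workflow or job level.
	rePermWriteAll = regexp.MustCompile(`^\s*permissions:\s*write-all\s*$`)
	// Check 4: ENV/ARG whose name looks like a credential and that has an inline value.
	reDockerSecret = regexp.MustCompile(`(?i)^\s*(?:ENV|ARG)\s+([^\s=]*(?:PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)[^\s=]*)\s*=?\s*\S+`)
)

// firstPartyOwners are excluded from the "third-party" check (assumption; adjust to policy).
var firstPartyOwners = map[string]bool{"actions": true, "github": true}

func newFinding(check, sev, file string, line int, evidence string) PipelineFinding {
	return PipelineFinding{SourceType: "pipeline", Check: check, Severity: sev,
		File: file, Line: line, Evidence: evidence}
}

// CheckWorkflow applies checks 1-3 to the text of a GitHub Actions workflow.
func CheckWorkflow(path, content string) []PipelineFinding {
	var out []PipelineFinding
	for i, line := range strings.Split(content, "\n") {
		n := i + 1
		if rePermWriteAll.MatchString(line) {
			out = append(out, newFinding("overprivileged-github-token", "HIGH", path, n, "permissions: write-all"))
		}
		if m := reUses.FindStringSubmatch(line); m != nil {
			owner := strings.SplitN(m[1], "/", 2)[0]
			if !firstPartyOwners[owner] && !reFullSHA.MatchString(m[2]) {
				out = append(out, newFinding("unpinned-third-party-action", "HIGH", path, n, m[1]+"@"+m[2]))
			}
		}
		if m := reEchoSecret.FindStringSubmatch(line); m != nil {
			out = append(out, newFinding("secret-echoed-in-run", "CRITICAL", path, n, m[1]))
		}
	}
	return out
}

// CheckDockerfile applies check 4; only the variable name is recorded as evidence.
func CheckDockerfile(path, content string) []PipelineFinding {
	var out []PipelineFinding
	for i, line := range strings.Split(content, "\n") {
		if m := reDockerSecret.FindStringSubmatch(line); m != nil {
			out = append(out, newFinding("secret-in-dockerfile", "CRITICAL", path, i+1, m[1]))
		}
	}
	return out
}

// Constructed sample inputs: one weak workflow and one weak Dockerfile.
const sampleWorkflow = `name: deploy
on: [push]
permissions: write-all
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/deploy-action@v1
      - uses: other-org/notify@0123456789abcdef0123456789abcdef01234567
      - run: echo "token is ${{ secrets.API_TOKEN }}"
      - run: ./deploy.sh
`

const sampleDockerfile = `FROM alpine:3.19
ARG BUILD_DATE
ENV API_TOKEN=sk_live_constructedexample
ENV APP_ENV=production
RUN echo hi
`

func main() {
	all := append(CheckWorkflow(".github/workflows/deploy.yml", sampleWorkflow),
		CheckDockerfile("Dockerfile", sampleDockerfile)...)
	for _, f := range all {
		fmt.Printf("%-8s %-28s %s:%d %s\n", f.Severity, f.Check, f.File, f.Line, f.Evidence)
	}
}
```

Note what the sample does and does not flag: the action pinned to a 40-character SHA passes, `actions/checkout@v4` is skipped only because of the first-party assumption, and `ARG BUILD_DATE` is ignored because it neither looks like a credential nor carries a value. A real checker would parse YAML rather than lines, but line numbers in evidence are what make a finding actionable in a report.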

Public Assets

CLI previews:

CodeSecret Scan CLI

CodeSecret ScanMe CLI

Release Checklist

go test ./...
go build -o ./bin/codesecret ./cmd/codesecret
./bin/codesecret version
./bin/codesecret scan --target /path/to/repo --output ./out --silent
./bin/codesecret scan --target /path/to/repo --pipeline --silent

Security and Responsible Use

Only scan repositories and systems you are authorized to audit.

License

MIT. See LICENSE.
