Releases: chintanshah35/secretguard
Release list
v1.1.0
secretguard 1.1.0
Detector coverage expanded from 45 to 95 patterns.
New detectors
AI
- OpenAI project and service account keys (
sk-proj-,sk-svcacct-) - Groq (
gsk_) and Replicate (r8_)
Cloud / hosting
- AWS temporary access keys (
ASIA) - DigitalOcean, Netlify, Heroku
- PlanetScale, Terraform Cloud, Pulumi, Vault
- GCP service account email markers
Payments / commerce
- Stripe restricted keys and webhook secrets (
rk_live_,whsec_) - Shopify (
shpat_,shpss_,shpca_,shppa_) - Square (
sq0atp-,sq0csp-)
Messaging
- Slack app tokens and webhook URLs
- Discord bot tokens and webhook URLs
- Telegram bot tokens
- Mailgun, Mailchimp, Resend, Postmark
Observability / SaaS
- Sentry auth tokens and DSNs
- New Relic, Datadog
- Notion, Linear, Postman, Dropbox, Mapbox, Algolia, Contentful
Infra
- Redis and AMQP URLs with credentials
- PKCS8 and DSA private keys
- GitLab runner, deploy, and OAuth tokens
Accuracy
- Mailgun keys now require Mailgun assignment context
- Generic API key matching filters placeholders and
process.envvalues - Added a clean-project fixture that must stay finding-free
Tests
- Direct tests for all 95 detectors
- Guard test fails if a new detector ships without coverage
npx secretguard .
**Full Changelog**: https://github.com/chintanshah35/secretguard/compare/v1.0.0...v1.1.0v1.0.0
What's new in v1.0.0
New credential patterns (46 total, up from 30)
- HuggingFace access tokens (
hf_...) - Vercel access tokens
- Supabase service role keys
- Cloudflare API tokens and global API keys
- Azure storage connection strings and client secrets
- Firebase service account key markers and web API keys
- PyPI API tokens (
pypi-...) - Doppler service and personal tokens (
dp.st.,dp.pt.)
Git history scanning
Scan your entire commit history for secrets that were ever committed:
secretguard . --history
secretguard . --history --jsonPre-commit hook
Install a git hook that automatically blocks commits containing CRITICAL findings:
secretguard install-hookStaged scanning
Scan only the changes you are about to commit:
secretguard . --stagedSARIF output — GitHub Code Scanning
Generate a SARIF report and upload it to GitHub's Security tab for free:
secretguard . --sarif results.sarif# .github/workflows/secretguard.yml
- name: Scan for secrets
run: npx secretguard . --sarif results.sarif
- name: Upload to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarifBaseline suppression
Suppress known findings so only new secrets surface in CI:
# Write current findings as baseline
secretguard . --baseline .secretguard-baseline.json --update-baseline
# Future runs only report new findings
secretguard . --baseline .secretguard-baseline.json.secretguardignore
Add a .secretguardignore file to your project root to ignore paths without repeating --ignore on every command:
# .secretguardignore
tests/
fixtures/
src/mocks/
30 tests — up from 14
Covers all new credential patterns, ignorefile loading, baseline round-trip, and SARIF output structure.
Fully backward compatible
All existing commands, flags, and the programmatic API are unchanged.
Full Changelog: v0.2.1...v1.0.0
v0.2.1
0.2.1
- Skip PII patterns in test, spec, fixture, mock, and stub paths
- Filter obvious fake emails and phone numbers in production files
- Credentials still scanned everywhere (including tests)
- README documents PII false-positive behavior
v0.2.0
Initial release.
What it detects
30 patterns across credentials and PII:
- AWS, OpenAI, Anthropic, GitHub, GitLab, Slack, SendGrid, npm, Stripe, Twilio, Google API keys
- Database URLs (PostgreSQL, MySQL, MongoDB)
- RSA, EC, OpenSSH, PGP private keys
- SSN, credit cards, email, phone, IPv4
Features
- CLI:
npx secretguard . - JSON output for CI pipelines
- HTML report generation
- Programmatic Node.js API
- Exit code 1 on CRITICAL findings