Skip to content

Releases: chintanshah35/secretguard

v1.1.0

Choose a tag to compare

@chintanshah35 chintanshah35 released this 14 Jul 05:06

secretguard 1.1.0

Detector coverage expanded from 45 to 95 patterns.

New detectors

AI

  • OpenAI project and service account keys (sk-proj-, sk-svcacct-)
  • Groq (gsk_) and Replicate (r8_)

Cloud / hosting

  • AWS temporary access keys (ASIA)
  • DigitalOcean, Netlify, Heroku
  • PlanetScale, Terraform Cloud, Pulumi, Vault
  • GCP service account email markers

Payments / commerce

  • Stripe restricted keys and webhook secrets (rk_live_, whsec_)
  • Shopify (shpat_, shpss_, shpca_, shppa_)
  • Square (sq0atp-, sq0csp-)

Messaging

  • Slack app tokens and webhook URLs
  • Discord bot tokens and webhook URLs
  • Telegram bot tokens

Email

  • Mailgun, Mailchimp, Resend, Postmark

Observability / SaaS

  • Sentry auth tokens and DSNs
  • New Relic, Datadog
  • Notion, Linear, Postman, Dropbox, Mapbox, Algolia, Contentful

Infra

  • Redis and AMQP URLs with credentials
  • PKCS8 and DSA private keys
  • GitLab runner, deploy, and OAuth tokens

Accuracy

  • Mailgun keys now require Mailgun assignment context
  • Generic API key matching filters placeholders and process.env values
  • Added a clean-project fixture that must stay finding-free

Tests

  • Direct tests for all 95 detectors
  • Guard test fails if a new detector ships without coverage
npx secretguard .

**Full Changelog**: https://github.com/chintanshah35/secretguard/compare/v1.0.0...v1.1.0

v1.0.0

Choose a tag to compare

@chintanshah35 chintanshah35 released this 26 Jun 02:23

What's new in v1.0.0

New credential patterns (46 total, up from 30)

  • HuggingFace access tokens (hf_...)
  • Vercel access tokens
  • Supabase service role keys
  • Cloudflare API tokens and global API keys
  • Azure storage connection strings and client secrets
  • Firebase service account key markers and web API keys
  • PyPI API tokens (pypi-...)
  • Doppler service and personal tokens (dp.st., dp.pt.)

Git history scanning

Scan your entire commit history for secrets that were ever committed:

secretguard . --history
secretguard . --history --json

Pre-commit hook

Install a git hook that automatically blocks commits containing CRITICAL findings:

secretguard install-hook

Staged scanning

Scan only the changes you are about to commit:

secretguard . --staged

SARIF output — GitHub Code Scanning

Generate a SARIF report and upload it to GitHub's Security tab for free:

secretguard . --sarif results.sarif
# .github/workflows/secretguard.yml
- name: Scan for secrets
  run: npx secretguard . --sarif results.sarif

- name: Upload to GitHub Security tab
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif

Baseline suppression

Suppress known findings so only new secrets surface in CI:

# Write current findings as baseline
secretguard . --baseline .secretguard-baseline.json --update-baseline

# Future runs only report new findings
secretguard . --baseline .secretguard-baseline.json

.secretguardignore

Add a .secretguardignore file to your project root to ignore paths without repeating --ignore on every command:

# .secretguardignore
tests/
fixtures/
src/mocks/

30 tests — up from 14

Covers all new credential patterns, ignorefile loading, baseline round-trip, and SARIF output structure.

Fully backward compatible

All existing commands, flags, and the programmatic API are unchanged.

Full Changelog: v0.2.1...v1.0.0

v0.2.1

Choose a tag to compare

@chintanshah35 chintanshah35 released this 03 Jun 22:57

0.2.1

  • Skip PII patterns in test, spec, fixture, mock, and stub paths
  • Filter obvious fake emails and phone numbers in production files
  • Credentials still scanned everywhere (including tests)
  • README documents PII false-positive behavior

v0.2.0

Choose a tag to compare

@chintanshah35 chintanshah35 released this 01 Jun 19:06

Initial release.

What it detects

30 patterns across credentials and PII:

  • AWS, OpenAI, Anthropic, GitHub, GitLab, Slack, SendGrid, npm, Stripe, Twilio, Google API keys
  • Database URLs (PostgreSQL, MySQL, MongoDB)
  • RSA, EC, OpenSSH, PGP private keys
  • SSN, credit cards, email, phone, IPv4

Features

  • CLI: npx secretguard .
  • JSON output for CI pipelines
  • HTML report generation
  • Programmatic Node.js API
  • Exit code 1 on CRITICAL findings