Skip to content

v1.0.0

Choose a tag to compare

@chintanshah35 chintanshah35 released this 26 Jun 02:23

What's new in v1.0.0

New credential patterns (46 total, up from 30)

  • HuggingFace access tokens (hf_...)
  • Vercel access tokens
  • Supabase service role keys
  • Cloudflare API tokens and global API keys
  • Azure storage connection strings and client secrets
  • Firebase service account key markers and web API keys
  • PyPI API tokens (pypi-...)
  • Doppler service and personal tokens (dp.st., dp.pt.)

Git history scanning

Scan your entire commit history for secrets that were ever committed:

secretguard . --history
secretguard . --history --json

Pre-commit hook

Install a git hook that automatically blocks commits containing CRITICAL findings:

secretguard install-hook

Staged scanning

Scan only the changes you are about to commit:

secretguard . --staged

SARIF output — GitHub Code Scanning

Generate a SARIF report and upload it to GitHub's Security tab for free:

secretguard . --sarif results.sarif
# .github/workflows/secretguard.yml
- name: Scan for secrets
  run: npx secretguard . --sarif results.sarif

- name: Upload to GitHub Security tab
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif

Baseline suppression

Suppress known findings so only new secrets surface in CI:

# Write current findings as baseline
secretguard . --baseline .secretguard-baseline.json --update-baseline

# Future runs only report new findings
secretguard . --baseline .secretguard-baseline.json

.secretguardignore

Add a .secretguardignore file to your project root to ignore paths without repeating --ignore on every command:

# .secretguardignore
tests/
fixtures/
src/mocks/

30 tests — up from 14

Covers all new credential patterns, ignorefile loading, baseline round-trip, and SARIF output structure.

Fully backward compatible

All existing commands, flags, and the programmatic API are unchanged.

Full Changelog: v0.2.1...v1.0.0