v1.0.0
What's new in v1.0.0
New credential patterns (46 total, up from 30)
- HuggingFace access tokens (
hf_...) - Vercel access tokens
- Supabase service role keys
- Cloudflare API tokens and global API keys
- Azure storage connection strings and client secrets
- Firebase service account key markers and web API keys
- PyPI API tokens (
pypi-...) - Doppler service and personal tokens (
dp.st.,dp.pt.)
Git history scanning
Scan your entire commit history for secrets that were ever committed:
secretguard . --history
secretguard . --history --jsonPre-commit hook
Install a git hook that automatically blocks commits containing CRITICAL findings:
secretguard install-hookStaged scanning
Scan only the changes you are about to commit:
secretguard . --stagedSARIF output — GitHub Code Scanning
Generate a SARIF report and upload it to GitHub's Security tab for free:
secretguard . --sarif results.sarif# .github/workflows/secretguard.yml
- name: Scan for secrets
run: npx secretguard . --sarif results.sarif
- name: Upload to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarifBaseline suppression
Suppress known findings so only new secrets surface in CI:
# Write current findings as baseline
secretguard . --baseline .secretguard-baseline.json --update-baseline
# Future runs only report new findings
secretguard . --baseline .secretguard-baseline.json.secretguardignore
Add a .secretguardignore file to your project root to ignore paths without repeating --ignore on every command:
# .secretguardignore
tests/
fixtures/
src/mocks/
30 tests — up from 14
Covers all new credential patterns, ignorefile loading, baseline round-trip, and SARIF output structure.
Fully backward compatible
All existing commands, flags, and the programmatic API are unchanged.
Full Changelog: v0.2.1...v1.0.0