SlWatch 🔐 - Secret Leakage Watcher

A comprehensive Bash script to detect and report secret leakage across your system, including environment variables, API keys, SSH keys, AWS credentials, and other sensitive information.

It is a plain shell script that runs out of the box, with no installation step beyond making it executable and no configuration. :)

Overview

SlWatch scans your system for exposed secrets and sensitive credentials that could compromise security. It uses keyword matching on variable names and Shannon entropy analysis on values to identify potential secrets, then generates a detailed JSON report of the findings.

Features

  • 🔍 Environment Variable Scanning: Detects secrets in environment variables
  • 📁 File System Scanning: Searches for .env, .pem, .key files and SSH keys
  • ☁️ AWS Credentials Detection: Scans AWS config and credentials files
  • 🔑 SSH Key Detection: Identifies private SSH keys in ~/.ssh
  • 🎯 Smart Detection: Uses keyword matching and entropy analysis
  • 🔒 Security Controls: Multiple masking options for sensitive output
  • 📊 JSON Reports: Generates detailed secret_report.json for further analysis
  • 🎨 Color-Coded Output: Easy-to-read terminal output with color highlighting

Installation

  1. Clone or download the repository
  2. Make the script executable:
    chmod +x slwatch.sh

Usage

Basic Scan

./slwatch.sh

Performs a full system scan including environment variables, system files, AWS credentials, and SSH keys.

Command-Line Options

Option           Description
--env            Scan only environment variables
--keys           Scan only key files (.pem, .key, SSH)
--aws            Scan only AWS credentials/config files
--no-system      Skip the full system scan ($HOME traversal)
--show-secrets   Display full secret values (⚠️ use with caution)
--partial        Partially mask secrets (show the first 4 and last 4 characters)
--help           Display help information

Examples

# Scan only environment variables
./slwatch.sh --env

# Scan AWS credentials only
./slwatch.sh --aws

# Scan only SSH and certificate keys
./slwatch.sh --keys

# Perform full scan with partial masking of secrets
./slwatch.sh --partial

# Show full secret values (dangerous - use carefully)
./slwatch.sh --show-secrets

# Scan without traversing the full $HOME directory
./slwatch.sh --no-system --env --aws

Detection Methods

Keyword Matching

SlWatch looks for these secret-related keywords (case-insensitive):

  • PASSWORD, PASS
  • SECRET, API_KEY, APIKEY
  • TOKEN
  • AWS_SECRET
  • PRIVATE_KEY
  • ACCESS_KEY
  • DB_PASSWORD

Entropy Analysis

The script calculates the Shannon entropy of each value and flags it as a potential secret only when all of the following hold:

  • the value is at least 8 characters long
  • it contains both letters and digits
  • its Shannon entropy exceeds 3.5 bits per character
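As an added worked example (this is not SlWatch's own code; the function names, the `tr`-based case folding and the length guard in `mask_partial` are assumptions of this example), here are the keyword check, the entropy check and the two masking modes from the option table, written as plain Bash functions that can be sourced and tested:

```shell
#!/usr/bin/env bash
# Added example, not SlWatch's code: keyword matching, Shannon entropy and
# the --partial / default masking described in the README, as Bash functions.
set -u

# Keyword list from the README, matched case-insensitively against the
# variable name. Matching is by substring, so PASS also hits COMPASS_DIR.
SECRET_KEYWORDS='PASSWORD|PASS|SECRET|API_KEY|APIKEY|TOKEN|AWS_SECRET|PRIVATE_KEY|ACCESS_KEY|DB_PASSWORD'

# keyword_match NAME -> exit 0 when NAME contains a secret-related keyword
keyword_match() {
    local name re="($SECRET_KEYWORDS)"
    name=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    [[ $name =~ $re ]]
}

# shannon_entropy VALUE -> prints bits per character with 3 decimals.
# The value is passed through the environment, not awk -v, so that
# backslashes inside a secret are not reinterpreted as escapes.
shannon_entropy() {
    VAL="$1" awk 'BEGIN {
        s = ENVIRON["VAL"]; n = length(s)
        if (n == 0) { printf "%.3f\n", 0; exit }
        for (i = 1; i <= n; i++) c[substr(s, i, 1)]++
        for (ch in c) { p = c[ch] / n; h -= p * log(p) / log(2) }
        printf "%.3f\n", h
    }'
}

# is_secret_candidate VALUE -> exit 0 when the three README conditions hold:
# length >= 8, letters and digits present, entropy > 3.5 bits per character.
is_secret_candidate() {
    local value=$1 h
    (( ${#value} >= 8 )) || return 1
    [[ $value =~ [[:alpha:]] && $value =~ [[:digit:]] ]] || return 1
    h=$(shannon_entropy "$value")
    awk -v h="$h" 'BEGIN { exit !(h > 3.5) }'
}

# mask_full VALUE -> "****" (the default output mode)
mask_full() { printf '****\n'; }

# mask_partial VALUE -> first 4 and last 4 characters with "****" between.
# Added guard (assumption): a value of 8 characters or fewer would be shown
# in full by "first 4 + last 4", so it is fully masked instead.
mask_partial() {
    local v=$1
    if (( ${#v} <= 8 )); then mask_full "$v"; return; fi
    printf '%s****%s\n' "${v:0:4}" "${v: -4}"
}

# Stand-alone demo over constructed NAME=VALUE pairs (not real secrets).
for pair in 'HOME=/home/alice' 'DB_PASSWORD=hunter2' 'SESSION_ID=x9Qm2Lp7Tz4WbR1s' 'PATH=/usr/bin'; do
    name=${pair%%=*}; value=${pair#*=}
    if keyword_match "$name"; then
        printf '%-12s keyword match   %s\n' "$name" "$(mask_partial "$value")"
    elif is_secret_candidate "$value"; then
        printf '%-12s high entropy    %s\n' "$name" "$(mask_partial "$value")"
    fi
done
```

The demo shows why the two checks complement each other: `DB_PASSWORD=hunter2` is caught only by the keyword (the value is too short and too low-entropy), while `SESSION_ID=x9Qm2Lp7Tz4WbR1s` is caught only by entropy (the name contains no keyword). A value such as `password1234` passes the length and character-class tests but scores about 3.42 bits, so entropy alone would miss it; that is the gap the keyword list covers.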

Output

Console Output

  • Color-coded scan progress (cyan for scanning, green for findings)
  • List of files containing secrets
  • Scan summary with statistics

Example:

📊 Scan Summary
---------------------------
Total secrets: 15
Files scanned: 1,234

JSON Report

Generates secret_report.json with detailed findings:

[
  {
    "source": "environment",
    "file": "system",
    "variable": "API_KEY",
    "value": "****"
  },
  {
    "source": ".env file",
    "file": "/path/to/.env",
    "variable": "DATABASE_PASSWORD",
    "value": "****"
  }
]

Security Notes

Prerequisites

  • Bash 4.0+
  • Standard Unix tools: find, grep, awk
  • jq (for JSON report generation)

Scan Sources

SlWatch scans the following sources:

  1. Environment Variables: All current shell environment variables
  2. System Files: .env and key files (*.pem, *.key) in $HOME
  3. AWS Credentials: ~/.aws/credentials and ~/.aws/config
  4. SSH Keys: All files in ~/.ssh directory
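The following is an added example, not code from SlWatch, that ties the scan sources above to the JSON Report section: it walks a directory for the sources listed (.env files, *.pem and *.key files, and everything under a .ssh directory), classifies .env variables by the keyword list and key files by their PEM header, and writes the secret_report.json array shown earlier through jq so that values containing quotes, backslashes or newlines cannot break the JSON. The fixture files, the function names, the file-mode warning and the umask are assumptions of this example rather than documented SlWatch behaviour. It needs bash and jq, the README's own prerequisites.

```shell
#!/usr/bin/env bash
# Added example, not SlWatch's code: discover the README's scan sources,
# classify findings and emit the secret_report.json array shape via jq.
set -u

SECRET_KEYWORDS='PASSWORD|PASS|SECRET|API_KEY|APIKEY|TOKEN|AWS_SECRET|PRIVATE_KEY|ACCESS_KEY|DB_PASSWORD'

keyword_match() {
    local name re="($SECRET_KEYWORDS)"
    name=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    [[ $name =~ $re ]]
}

# report_entry SOURCE FILE VARIABLE VALUE -> one compact JSON object.
# --arg binds each string as a JSON value, so jq does all the escaping.
report_entry() {
    jq -cn --arg source "$1" --arg file "$2" --arg variable "$3" --arg value "$4" \
        '{source: $source, file: $file, variable: $variable, value: $value}'
}

# scan_env_file FILE: report KEY=VALUE (or export KEY=VALUE) lines whose
# name matches a keyword. Values are written as "****", the default mode.
scan_env_file() {
    local file=$1 line name
    local re='^[[:space:]]*(export[[:space:]]+)?([A-Za-z_][A-Za-z0-9_]*)='
    while IFS= read -r line || [[ -n $line ]]; do
        [[ $line =~ $re ]] || continue
        name=${BASH_REMATCH[2]}
        keyword_match "$name" || continue
        report_entry ".env file" "$file" "$name" "****"
    done < "$file"
    return 0
}

# scan_key_file FILE: flag PEM private keys by header. The mode warning is
# an addition of this example: a private key readable by group/other is a
# finding in its own right even if its contents are never printed.
scan_key_file() {
    local file=$1 mode
    grep -qE -- '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$file" || return 0
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file" 2>/dev/null || echo '?')
    if [[ ${mode: -2} != 00 ]]; then
        printf 'warning: %s is mode %s (expected 600)\n' "$file" "$mode" >&2
    fi
    report_entry "key file" "$file" "PRIVATE_KEY" "****"
}

# scan_tree ROOT: the discovery step, using the README's file patterns.
# -print0 / read -d '' keep file names with spaces or newlines intact.
scan_tree() {
    local root=$1 f
    find "$root" -type f \( -name '.env' -o -name '.env.*' -o -name '*.pem' \
        -o -name '*.key' -o -path '*/.ssh/*' \) -print0 |
    while IFS= read -r -d '' f; do
        case $f in
            */.env|*/.env.*)          scan_env_file "$f" ;;
            */.ssh/*|*.pem|*.key)     scan_key_file "$f" ;;
        esac
    done
    return 0
}

# build_report ROOT OUT: slurp the entries into one JSON array. umask 077
# makes a newly created report private; with --show-secrets the report
# itself holds live credentials, so it must not be world-readable.
build_report() {
    local root=$1 out=$2
    ( umask 077; scan_tree "$root" | jq -s '.' > "$out" )
}

# make_fixture DIR: constructed files for a stand-alone run. The key file
# is a header only, not a real key.
make_fixture() {
    local dir=$1
    mkdir -p "$dir/app" "$dir/.ssh"
    printf 'APP_NAME=demo\nexport DATABASE_PASSWORD=hunter2\nAPI_KEY=x9Qm2Lp7Tz4WbR1s\n' > "$dir/app/.env"
    printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\nnot-a-real-key\n-----END OPENSSH PRIVATE KEY-----\n' > "$dir/.ssh/id_ed25519"
    chmod 644 "$dir/.ssh/id_ed25519"
    printf 'ssh-ed25519 AAAA... user@host\n' > "$dir/.ssh/id_ed25519.pub"
}

# Stand-alone demo: bash this_file.sh --demo
if [[ ${1:-} == --demo ]]; then
    demo_dir=$(mktemp -d)
    make_fixture "$demo_dir"
    build_report "$demo_dir" secret_report.json
    cat secret_report.json
    rm -rf "$demo_dir"
fi
```

Building each object with `jq --arg` rather than string concatenation is the part that matters once `--show-secrets` is in use: a password containing `"` or `\` would otherwise produce a report that jq cannot parse, or worse, one that parses into the wrong value. Note that `umask` only affects a file being created; an existing world-readable secret_report.json keeps its mode, so check it before rerunning with full values.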

File Structure

SlWatch/
├── slwatch.sh           # Main script
├── secret_report.json   # Generated report (auto-created)
└── README.md            # This file

License

See the LICENSE file for details.

Blog

Here is a blog post about this tool. Enjoy! :)

Blog Post

Finally, here is a demonstration of the program in action!

EnvWatch Demonstration 1

Screenshots

Developed by Marios Daskalas

About

A Shell program that scans your system for exposed secrets in environment variables and .env files.