Added
Local-first repository secret scanning for folders, GitHub repository URLs, owner/repo shorthand, and GitHub SSH targets.
Text, JSON, and Markdown report formats with redaction enabled by default.
Numbered findings in Text reports for easier human review and counting.
Configurable minimum risk threshold with --min-risk.
Optional raw secret output with --no-redact.
File output support with --output.
Include and exclude glob filtering with default skips for generated dependency, build, cache, and target directories.
.leakhunterignore support using .gitignore syntax for project-local scan exclusions.
Debug output for scan decisions, candidate scores, and min-risk filtering reasons.
Context-aware risk scoring using path, file type, documentation context, entropy, public-key/certificate context, Firebase context, local database URI context, Python site-packages context, and placeholder detection.
Secret hashing for findings, so each finding carries a stable identifier in redacted reports.
Pattern coverage for major AI provider API keys, cloud/provider tokens, framework application secrets, database connection strings, PostgreSQL URIs, MongoDB URIs, Redis URIs, JWTs, SSH private keys, Azure SAS URIs, Google OAuth client secrets, and GCP service account JSON.
Taiwan personal-data patterns for National ID, UI/ARC/APRC numbers, mobile phone numbers, e-invoice mobile barcodes, and citizen digital certificate numbers.
Validation and false-positive filtering for Taiwan National ID, Taiwan UI/ARC/APRC, Taiwan e-invoice mobile barcodes, Azure SAS URIs, and database connection strings.
npm package wrapper that installs the native binary from cargo-dist GitHub Release artifacts.
Cross-platform cargo-dist release targets for macOS arm64, macOS x64, Linux x64, and Windows x64.
npm prepublish checks for expected release assets and checksum files.
Localized READMEs and static website assets.
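As an added example (not leak-hunter's own code; how the tool implements its Taiwan validation is not shown on this page), the following Python applies the public check-digit rule shared by Taiwan National IDs and new-format UI numbers (one letter plus nine digits), and the token-boundary rule that keeps candidates from being pulled out of longer alphanumeric strings. The older two-letter ARC format is left out, and the sample text is constructed.

```python
import re

# Letter-to-number table used by the Taiwan National ID / UI number check digit.
# The order is the scheme's own (I=34, O=35, W=32, X=30, Y=31, Z=33 are out of sequence).
LETTER_CODES = {
    "A": 10, "B": 11, "C": 12, "D": 13, "E": 14, "F": 15, "G": 16, "H": 17,
    "I": 34, "J": 18, "K": 19, "L": 20, "M": 21, "N": 22, "O": 35, "P": 23,
    "Q": 24, "R": 25, "S": 26, "T": 27, "U": 28, "V": 29, "W": 32, "X": 30,
    "Y": 31, "Z": 33,
}
# Weights for the eleven digits: two from the letter code, then the nine literal digits.
WEIGHTS = (1, 9, 8, 7, 6, 5, 4, 3, 2, 1, 1)

# The second character separates the formats: 1/2 = National ID (gender),
# 8/9 = new-format UI number (ARC/APRC issued since 2021).
NATIONAL_ID_RE = re.compile(r"^[A-Z][12]\d{8}$")
UI_NUMBER_RE = re.compile(r"^[A-Z][89]\d{8}$")

# A candidate is only accepted when it is not embedded in a longer alphanumeric token,
# the same boundary rule the Fixed entry applies to mobile numbers.
CANDIDATE_RE = re.compile(r"(?<![A-Za-z0-9])[A-Z][1289]\d{8}(?![A-Za-z0-9])")


def check_digit_ok(candidate: str) -> bool:
    """Weighted sum of letter code digits plus the nine digits must be 0 mod 10."""
    code = LETTER_CODES[candidate[0]]
    digits = [code // 10, code % 10] + [int(c) for c in candidate[1:]]
    return sum(w * d for w, d in zip(WEIGHTS, digits)) % 10 == 0


def classify_tw_id(candidate: str):
    """Return 'national_id', 'ui_number', or None for a 10-character candidate."""
    if NATIONAL_ID_RE.match(candidate):
        kind = "national_id"
    elif UI_NUMBER_RE.match(candidate):
        kind = "ui_number"
    else:
        return None
    return kind if check_digit_ok(candidate) else None


def find_tw_ids(text: str):
    """Return (value, kind) pairs for well-formed, checksum-valid IDs found in text."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        kind = classify_tw_id(m.group(0))
        if kind:
            found.append((m.group(0), kind))
    return found


# Constructed sample. A123456789 is the textbook test value, not a real person;
# A123456788 fails the check digit; the BIO-style token must not yield a hit.
SAMPLE = """
customer_id=A123456789
typo_id=A123456788
arc=A800000005
bio_code=BIOA123456789Z
"""
```

Running find_tw_ids(SAMPLE) returns only the two checksum-valid values; the off-by-one typo and the ID buried inside the longer token are dropped, which is the false-positive behaviour the Added and Fixed entries describe.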
Changed
lib/python*/site-packages/** findings now start from a low base score of 20, because PyPI package files are third-party package content rather than project source.
Hostless PostgreSQL URIs such as postgres:///db_name now score as low risk.
Localhost database URIs now receive lower risk scoring.
Redis localhost URIs now receive lower risk scoring.
Taiwan mobile number scoring now distinguishes strict formats from incomplete space-separated formats.
Placeholder connection strings with bracketed password placeholders such as Password=<password> now score as low risk.
Text reports now prefix every finding with a sequential number.
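As an added illustration (not leak-hunter's code; the scanner's actual rules, weights and thresholds are not published on this page), the following Python sketches the kind of context-aware scoring the Changed entries describe: a base score that is lowered for lib/python*/site-packages paths, localhost and hostless PostgreSQL URIs, bracketed or templated placeholder passwords and documentation files, a --min-risk style gate, redaction on by default, a stable SHA-256 fingerprint per finding, and numbered text output. Every constant, rule and sample file below is a constructed assumption.

```python
import hashlib
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Illustrative weights only; leak-hunter's real values are not on this page.
BASE_SCORE = 80          # credentialed database URI in ordinary project source
SITE_PACKAGES_BASE = 20  # third-party package content, per the Changed entry
LOW = 20                 # ceiling for placeholder and hostless URIs

DB_URI_RE = re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^\s'\"]+")
SITE_PACKAGES_RE = re.compile(r"(?:^|/)lib/python[^/]*/site-packages/")
# Bracketed, templated or obviously fake passwords: <password>, ${DB_PASS}, changeme, xxxx
PLACEHOLDER_RE = re.compile(
    r"^(?:<[^>]*>|\$\{[^}]*\}|\[[^\]]*\]|(?:your[_-]?)?pass(?:word)?|changeme|secret|x{3,}|\*+)$",
    re.IGNORECASE,
)
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


@dataclass
class Finding:
    path: str
    display: str      # redacted (default) or raw URI
    fingerprint: str  # hash of the raw value, so redacted reports still correlate
    score: int
    reasons: list


def score_db_uri(path: str, uri: str):
    """Score one URI 0..100 from path and content context; return (score, reasons)."""
    reasons = []
    if SITE_PACKAGES_RE.search(path):
        score, reasons = SITE_PACKAGES_BASE, ["site-packages: third-party package content"]
    else:
        score = BASE_SCORE
    parts = urlsplit(uri)
    host, password = parts.hostname, parts.password or ""
    if password and PLACEHOLDER_RE.match(password):
        score = min(score, LOW)
        reasons.append("placeholder password")
    if host is None and parts.scheme.startswith("postgres"):
        score = min(score, LOW)
        reasons.append("hostless PostgreSQL URI")
    elif host in LOCAL_HOSTS:
        score -= 40
        reasons.append("localhost database URI")
    if path.lower().endswith((".md", ".rst", ".txt")) or "/docs/" in path:
        score -= 15
        reasons.append("documentation context")
    if not password:
        score -= 30
        reasons.append("no embedded password")
    return max(0, min(100, score)), reasons


def redact(uri: str) -> str:
    """Keep scheme, user, host, path and query; replace the password with ***."""
    parts = urlsplit(uri)
    if parts.password is None:
        return uri
    userinfo, _, hostport = parts.netloc.rpartition("@")
    user = userinfo.partition(":")[0]
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme}://{user}:***@{hostport}{parts.path}{query}"


def fingerprint(uri: str) -> str:
    return hashlib.sha256(uri.encode()).hexdigest()[:12]


def scan(path: str, text: str, min_risk: int = 0, redact_output: bool = True):
    findings = []
    for m in DB_URI_RE.finditer(text):
        uri = m.group(0).rstrip(".,;)")
        score, reasons = score_db_uri(path, uri)
        if score < min_risk:  # the --min-risk gate
            continue
        shown = redact(uri) if redact_output else uri
        findings.append(Finding(path, shown, fingerprint(uri), score, reasons))
    return findings


def scan_files(files: dict, min_risk: int = 0):
    return [f for path, text in files.items() for f in scan(path, text, min_risk)]


def text_report(findings) -> str:
    """Numbered text report, one finding per line."""
    return "\n".join(
        f"{i}. [{f.score:3d}] {f.path}: {f.display} ({f.fingerprint}) {'; '.join(f.reasons)}"
        for i, f in enumerate(findings, 1)
    )


# Constructed sample files; none of these credentials are real.
SAMPLE_FILES = {
    "src/settings.py": 'DATABASE_URL = "postgres://app:S3cr3t-Pass@db.internal.example:5432/prod"',
    "README.md": "Set DATABASE_URL to postgres://app:<password>@db.example.com/app",
    "docker-compose.yml": "REDIS_URL: redis://:devpass@localhost:6379/0",
    "venv/lib/python3.12/site-packages/pkg/tests.py": 'URL = "postgresql://u:p@db.test.example/t"',
    "scripts/local.sh": "psql postgres:///db_name",
}
```

With these made-up weights the five sample files score 80, 5, 40, 20 and 0 in order, so scan_files(SAMPLE_FILES, min_risk=30) keeps only the real-looking production URI and the localhost Redis URI, and text_report numbers them 1 and 2 with the password already replaced.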
Fixed
Avoid extracting Taiwan mobile numbers from the middle of alphanumeric tokens such as OpenSSL/BIO diagnostic codes.
Reduce false positives for placeholder database connection strings and password examples.
Reduce false positives for Azure SAS URI examples while preserving real SAS token detection.
Reduce false positives for package-lock npm integrity hashes.
Reduce false positives for Firebase public Google API key configuration.
Reduce false positives for Taiwan e-invoice mobile barcodes.
Install leak-hunter 0.4.0
Install prebuilt binaries via shell script (the installer is piped straight into sh; to review it first, download it to a file before running it)
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/doggy8088/leak-hunter/releases/download/v0.4.0/leak-hunter-installer.sh | sh