Release Notes
Added
- Local-first repository secret scanning for folders, GitHub repository URLs,
owner/repo shorthand, and GitHub SSH targets.
- Text, JSON, and Markdown report formats with redaction enabled by default.
- Numbered findings in Text reports for easier human review and counting.
- Configurable minimum risk threshold with `--min-risk`.
- Optional raw secret output with `--no-redact`.
- File output support with `--output`.
- Include and exclude glob filtering with default skips for generated dependency, build, cache, and target directories.
- `.leakhunterignore` support using `.gitignore` syntax for project-local scan exclusions.
- Debug output for scan decisions, candidate scores, and min-risk filtering reasons.
- Context-aware risk scoring using path, file type, documentation context, entropy, public-key/certificate context, Firebase context, local database URI context, Python
site-packages context, and placeholder detection.
- Secret hashing for findings, so that redacted reports stay stable and comparable across runs without exposing the secret itself.
- Pattern coverage for major AI provider API keys, cloud/provider tokens, framework application secrets, database connection strings, PostgreSQL URIs, MongoDB URIs, Redis URIs, JWTs, SSH private keys, Azure SAS URIs, Google OAuth client secrets, and GCP service account JSON.
- Taiwan personal-data patterns for National ID, UI/ARC/APRC numbers, mobile phone numbers, e-invoice mobile barcodes, and citizen digital certificate numbers.
- Validation and false-positive filtering for Taiwan National ID, Taiwan UI/ARC/APRC, Taiwan e-invoice mobile barcodes, Azure SAS URIs, and database connection strings.
- npm package wrapper that installs the native binary from cargo-dist GitHub Release artifacts.
- Cross-platform cargo-dist release targets for macOS arm64, macOS x64, Linux x64, and Windows x64.
- npm prepublish checks for expected release assets and checksum files.
- Localized READMEs and static website assets.
Changed
- Findings under `lib/python*/site-packages/**` now start from a low base score of 20, because installed PyPI packages are third-party content rather than project source.
- Hostless PostgreSQL URIs such as `postgres:///db_name` now score as low risk.
- Localhost database URIs now receive lower risk scoring.
- Redis localhost URIs now receive lower risk scoring.
- Taiwan mobile number scoring now distinguishes strict formats from incomplete space-separated formats.
- Placeholder connection strings with bracketed password placeholders such as `Password=<password>` now score as low risk.
- Text reports now prefix every finding with a sequential number.
Fixed
- Avoid extracting Taiwan mobile numbers from the middle of alphanumeric tokens such as OpenSSL/BIO diagnostic codes.
- Reduce false positives for placeholder database connection strings and password examples.
- Reduce false positives for Azure SAS URI examples while preserving real SAS token detection.
- Reduce false positives for package-lock npm integrity hashes.
- Reduce false positives for Firebase public Google API key configuration.
- Reduce false positives for Taiwan e-invoice mobile barcodes.
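The following is an added, illustrative Python sketch, not leak-hunter's own code (the tool ships as a native binary and the release notes reproduce no source). It models the behaviour described above under Changed and Fixed: hostless and localhost database URIs and bracketed placeholder passwords score low, Taiwan mobile numbers are not extracted from inside longer alphanumeric tokens, findings are redacted by default and carry a stable hash, a `--min-risk`-style threshold filters the report, and the text report numbers each finding. The score values, regexes, function names and the `SAMPLE` input are all assumptions constructed for this example.

```python
"""Illustrative scoring/reporting sketch for database-URI findings.
Added example, not leak-hunter's code. Scores, regexes and names are
assumptions; SAMPLE is constructed input."""
import hashlib
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed scores: the notes only publish the site-packages base score of 20.
BASE_SCORE = 80
LOW_RISK = 20
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

DB_URI_RE = re.compile(
    r"\b(?:postgres(?:ql)?|mongodb(?:\+srv)?|redis|mysql)://[^\s'\"]+", re.I)
# Key=value connection strings such as Server=db;User Id=sa;Password=...;
CONN_STRING_RE = re.compile(r"\b(?:Server|Host|Data Source)=[^;\n]+(?:;[^;\n]+)+;?", re.I)
KV_PASSWORD_RE = re.compile(r"(?:^|;)\s*(?:password|pwd)\s*=\s*([^;]*)", re.I)
# Placeholder spellings: <password>, ${DB_PASSWORD}, {{ password }}, xxxx, changeme
PLACEHOLDER_RE = re.compile(
    r"^(?:<[^>]+>|\$\{[^}]+\}|\{\{[^}]+\}\}|x{3,}|\*{3,}|changeme|your[-_]?password)$", re.I)
# Taiwan mobile: 09 + 8 digits, rejected when embedded in a longer alphanumeric
# token so OpenSSL/BIO-style diagnostic codes are left alone.
TW_MOBILE_RE = re.compile(r"(?<![A-Za-z0-9])09\d{8}(?![A-Za-z0-9])")


@dataclass
class Finding:
    kind: str
    score: int
    reason: str
    secret_hash: str  # identical whether or not the report is redacted
    display: str


def stable_hash(secret: str) -> str:
    """Short SHA-256 of the raw secret so two redacted reports can be diffed."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


def score_db_uri(uri: str) -> tuple[int, str]:
    parts = urlsplit(uri)
    if not parts.netloc:
        return LOW_RISK, "hostless URI (local socket / default host)"
    if parts.hostname in LOCAL_HOSTS:
        return LOW_RISK, "localhost database"
    if parts.password is None:
        return LOW_RISK, "no embedded credential"  # assumption: nothing to leak
    if PLACEHOLDER_RE.match(parts.password):
        return LOW_RISK, "placeholder password"
    return BASE_SCORE, "remote database URI with embedded credential"


def score_connection_string(conn: str) -> tuple[int, str]:
    m = KV_PASSWORD_RE.search(conn)
    if m is None:
        return LOW_RISK, "no password field"
    password = m.group(1).strip()
    if not password or PLACEHOLDER_RE.match(password):
        return LOW_RISK, "placeholder password"
    return BASE_SCORE, "connection string with literal password"


def make_finding(kind, secret, score, reason, redact=True) -> Finding:
    display = secret[:4] + "[REDACTED]" if redact else secret
    return Finding(kind, score, reason, stable_hash(secret), display)


def scan(text: str, redact: bool = True) -> list[Finding]:
    findings = []
    for m in DB_URI_RE.finditer(text):
        score, reason = score_db_uri(m.group(0))
        findings.append(make_finding("database-uri", m.group(0), score, reason, redact))
    for m in CONN_STRING_RE.finditer(text):
        score, reason = score_connection_string(m.group(0))
        findings.append(make_finding("connection-string", m.group(0), score, reason, redact))
    for m in TW_MOBILE_RE.finditer(text):  # assumed fixed score of 60
        findings.append(make_finding("tw-mobile", m.group(0), 60, "Taiwan mobile number", redact))
    return findings


def filter_by_min_risk(findings, min_risk: int) -> list[Finding]:
    """Equivalent of a --min-risk threshold: drop findings below the cut-off."""
    return [f for f in findings if f.score >= min_risk]


def render_text(findings) -> str:
    """Numbered text report, one finding per line."""
    return "\n".join(
        f"{i}. [{f.score:>3}] {f.kind}: {f.display} ({f.reason}; sha256:{f.secret_hash})"
        for i, f in enumerate(findings, 1))


SAMPLE = """\
DATABASE_URL=postgres://app:s3cr3t@db.prod.internal:5432/app
DEV_URL=postgres://app:s3cr3t@localhost:5432/app
SOCKET_URL=postgres:///db_name
CACHE=redis://:devpass@127.0.0.1:6379/0
ConnectionStrings__Default=Server=db;User Id=sa;Password=<password>;
Support line: 0912345678
error:0A000126:SSL routines::unexpected eof while reading BIO0912345678x
"""

if __name__ == "__main__":
    print(render_text(filter_by_min_risk(scan(SAMPLE), 50)))
```

Run as a script it prints only the two findings at or above 50 (the production URI and the phone number); the localhost, socket-path and placeholder entries are scored at 20 and dropped, and the `BIO0912345678x` token is never extracted at all.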
Install leak-hunter 0.4.0
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/doggy8088/leak-hunter/releases/download/v0.4.0/leak-hunter-installer.sh | sh
Install prebuilt binaries via powershell script
powershell -ExecutionPolicy Bypass -c "irm https://github.com/doggy8088/leak-hunter/releases/download/v0.4.0/leak-hunter-installer.ps1 | iex"
Install prebuilt binaries into your npm project
npm install leak-hunter@0.4.0