reDACT is a command-line tool that scans git repositories for leaked secrets — API keys, tokens, private keys, JWTs, connection strings, and similar patterns. It walks full git history, so that secrets that were committed and then later deleted are still found. Only scan repositories that you own or have explicit permission to audit.
Source: github.com/dsdugal/redact
The package is not published on PyPI yet. See Installation for how to get started.
- Scan a local repo, a remote URL, or every public repo for a GitHub user (non-fork, non-archived only)
- Regex catalog for major providers (AWS, GCP, GitHub, Slack, Stripe, Twilio, SendGrid, npm, PyPI, ...) plus generic password / private-key / JWT / DB-URL detectors
- Full-history scan with per-blob deduplication
- Categorized findings: provider, type, severity
- Allowlist file and inline `# redact: allow` pragma (case-insensitive, e.g. `# reDACT: allow`)
- Masked values in the report
- Parallel multi-repo scanning (up to 8 workers, capped by CPU count)
- Rendered to stdout via `rich`; pipes cleanly to a file
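The following is an added example, not reDACT's own code, showing the core of the full-history scan the feature list describes: a regex catalog that tags each rule with provider, type and severity; per-blob deduplication keyed on the git blob id, so a file carried unchanged across many commits is scanned once; and masked values in the report. The rule patterns, helper names and the three-commit history are this example's own constructions (the AWS key id is the one from AWS's documentation); reDACT's real catalog and internals may differ.

```python
"""Added example, not reDACT's own code: the core of a full-history scan."""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    id: str
    provider: str
    kind: str
    severity: str
    pattern: re.Pattern  # group 1 captures the secret value


# Illustrative catalog (assumed, not reDACT's rules). Each pattern captures
# the secret itself in group 1 so it can be masked before reporting.
CATALOG = [
    Rule("aws-access-key-id", "aws", "access-key-id", "high",
         re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    Rule("github-pat", "github", "personal-access-token", "high",
         re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b")),
    Rule("generic-password", "generic", "password", "medium",
         re.compile(r"(?i)password\s*[=:]\s*['\"]?([^'\"\s]{8,})")),
]


@dataclass(frozen=True)
class Finding:
    rule_id: str
    provider: str
    kind: str
    severity: str
    path: str
    line: int
    masked: str   # never the raw value; the report is meant to be shareable
    blob_id: str


def git_blob_id(content: bytes) -> str:
    """Object id of a git blob: SHA-1 over 'blob <size>\\0' + content.

    Using git's own id means dedup keys agree with what `git cat-file` returns.
    """
    header = f"blob {len(content)}\0".encode()
    return hashlib.sha1(header + content).hexdigest()


def mask(value: str, keep: int = 4) -> str:
    """Keep the first and last `keep` characters, star the rest."""
    if len(value) <= 2 * keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - 2 * keep) + value[-keep:]


def scan_blob(path: str, content: bytes, blob_id: str) -> list:
    text = content.decode("utf-8", errors="replace")
    found = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule in CATALOG:
            for m in rule.pattern.finditer(line):
                found.append(Finding(rule.id, rule.provider, rule.kind,
                                     rule.severity, path, lineno,
                                     mask(m.group(1)), blob_id))
    return found


def scan_history(commits) -> list:
    """commits: iterable of (commit_id, {path: content_bytes}), oldest first.

    Every distinct blob is scanned exactly once, however many commits carry it,
    and a blob that only exists in old commits is still scanned.
    """
    seen = set()
    findings = []
    for _commit_id, tree in commits:
        for path, content in tree.items():
            blob_id = git_blob_id(content)
            if blob_id in seen:
                continue
            seen.add(blob_id)
            findings.extend(scan_blob(path, content, blob_id))
    return findings


# Constructed history: the key is committed, carried unchanged, then deleted.
CONFIG_V1 = b'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\npassword = "hunter2hunter2"\n'
README = b"# demo\n"
HISTORY = [
    ("c1", {"config.py": CONFIG_V1}),
    ("c2", {"config.py": CONFIG_V1, "README.md": README}),
    ("c3", {"README.md": README}),  # config.py deleted; secret gone from HEAD
]

if __name__ == "__main__":
    for f in scan_history(HISTORY):
        print(f"{f.severity:6} {f.provider}/{f.kind}  {f.path}:{f.line}  {f.masked}")
```

Running it reports the AWS key and the password once each, even though `config.py` appears in two commits and is absent from the final tree; that is exactly why the feature list stresses full-history scanning and dedup by blob rather than by commit.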
- Python 3.10+ (see `requires-python` in `pyproject.toml`)
- git on your `PATH` (used for local repos and for cloning remote URLs)
```sh
git clone https://github.com/<your-org>/redact.git   # adjust to your fork or mirror
cd redact
python3 -m venv .venv                                 # optional but recommended
source .venv/bin/activate                             # Windows: .venv\Scripts\activate
pip install -e .
```

```sh
redact .                                  # current repo
redact https://github.com/owner/repo.git  # remote (clones to a temporary directory)
redact --github-user someone              # public repos (excludes forks & archived)
redact . --allowlist .redact.yml          # suppress known patterns
redact . > findings.txt                   # rich strips ANSI when piped
```

For higher GitHub API rate limits (and to enumerate larger profiles) set:

```sh
export GITHUB_TOKEN=ghp_xxx
```

The token is only used as an API auth header and is never logged.
Allowlists let you suppress known-safe matches without rewriting rules. reDACT uses --allowlist <path> if given, else auto-discovers .redact.yml in the current directory or, when scanning a single local target, in that repo's root. The file is YAML with three optional keys:
- `rules`: list of rule ids to disable globally
- `paths`: POSIX globs (`**` supported); findings under any matching path are dropped
- `values`: Python regexes; matches against the raw secret value are dropped
```yaml
rules:
  - id: generic-password   # disable a rule globally
paths:
  - "tests/fixtures/**"    # ignore findings under these globs
values:
  - "EXAMPLEFAKE.*"        # regex of values to ignore
```

Use inline pragmas when one specific occurrence is intentional and the surrounding rule should still apply elsewhere. Append `# redact: allow` (or `// redact: allow`) to a line to suppress findings on that line. Matching is case-insensitive (`# reDACT: allow` works).
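As an added example (not reDACT's own code), here is how the three allowlist keys and the inline pragma described above would be evaluated against findings: `rules` disables a rule id everywhere, `paths` drops findings under a POSIX glob with `**` spanning directories, `values` drops findings whose raw value matches a Python regex, and a `# redact: allow` or `// redact: allow` comment on the line suppresses that one occurrence, case-insensitively. The glob translation, the function names, the `ALLOWLIST` dict (assumed to be what `yaml.safe_load` returns for the YAML above, so the example runs without PyYAML) and the sample findings are this example's own assumptions; reDACT's internals may differ.

```python
"""Added example, not reDACT's own code: applying an allowlist to findings."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str       # repo-relative, POSIX separators
    value: str      # raw matched value (only the masked form should be reported)
    line_text: str  # full source line, needed for the inline pragma check


# Matches "# redact: allow" or "// redact: allow" anywhere on the line.
PRAGMA = re.compile(r"(?:#|//)\s*redact:\s*allow", re.IGNORECASE)


def glob_to_regex(glob: str) -> re.Pattern:
    """Translate a POSIX glob to a regex. `**` may span directories; `*` and `?`
    stop at a slash. fnmatch is deliberately not used: it lets `*` cross slashes."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**/", i):
            out.append("(?:.*/)?")   # zero or more leading directories
            i += 3
        elif glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


@dataclass(frozen=True)
class CompiledAllowlist:
    disabled_rules: frozenset
    paths: tuple
    values: tuple


def compile_allowlist(cfg: dict) -> CompiledAllowlist:
    """cfg is the parsed YAML mapping; every key is optional (may be absent or null)."""
    rules = frozenset(r["id"] for r in cfg.get("rules") or [])
    paths = tuple(glob_to_regex(g) for g in cfg.get("paths") or [])
    values = tuple(re.compile(v) for v in cfg.get("values") or [])
    return CompiledAllowlist(rules, paths, values)


def suppression_reason(f: Finding, al: CompiledAllowlist) -> Optional[str]:
    """Why a finding is dropped ("rule", "path", "value", "pragma"), or None if it survives."""
    if f.rule_id in al.disabled_rules:
        return "rule"
    if any(p.match(f.path) for p in al.paths):
        return "path"
    if any(v.search(f.value) for v in al.values):
        return "value"
    if PRAGMA.search(f.line_text):   # applies even with no allowlist file at all
        return "pragma"
    return None


def apply_allowlist(findings: list, cfg: dict) -> list:
    al = compile_allowlist(cfg)
    return [f for f in findings if suppression_reason(f, al) is None]


# Constructed: what yaml.safe_load(".redact.yml") returns for the YAML shown above.
ALLOWLIST = {
    "rules": [{"id": "generic-password"}],
    "paths": ["tests/fixtures/**"],
    "values": ["EXAMPLEFAKE.*"],
}

KEY = "AKIAIOSFODNN7EXAMPLE"  # AWS's documented example key id
SAMPLE_FINDINGS = [  # constructed findings, one per suppression mechanism plus one survivor
    Finding("aws-access-key-id", "src/config.py", KEY, f'KEY = "{KEY}"'),
    Finding("generic-password", "src/config.py", "hunter2hunter2", 'password = "hunter2hunter2"'),
    Finding("aws-access-key-id", "tests/fixtures/creds.json", KEY, f'{{"key": "{KEY}"}}'),
    Finding("github-pat", "docs/example.md", "EXAMPLEFAKE_token", "token: EXAMPLEFAKE_token"),
    Finding("aws-access-key-id", "src/legacy.py", KEY, f'KEY = "{KEY}"  # reDACT: allow'),
]

if __name__ == "__main__":
    al = compile_allowlist(ALLOWLIST)
    for f in SAMPLE_FINDINGS:
        print(f"{f.path:28} {f.rule_id:18} -> {suppression_reason(f, al) or 'REPORT'}")
```

Two design points worth noting: path globs are translated by hand because `fnmatch` lets `*` match across `/`, which would make `tests/*.json` silently cover `tests/fixtures/deep/creds.json`; and the pragma check runs independently of the allowlist file, so a `# redact: allow` line is honoured even when no `.redact.yml` exists.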
reDACT always exits 0 after a successful scan, whether or not it reported findings, so you can pipe output to a file or other tools without scripts treating findings as failures. If a job should fail when secrets are found, inspect the report rather than the exit status.
| Code | Meaning |
|---|---|
| 0 | Scan completed |
| 2 | Usage / runtime error |
See CHANGELOG.md.
This project is distributed under the MIT License.