```bash
cargo install sentinel_cli
sentinel init
```
Every day, developers accidentally push secrets to GitHub:
- AWS keys → $10,000 bill overnight
- Database passwords → Production breach
- API tokens → Unauthorized access
Traditional solutions are slow, bloated, or cloud-dependent.
Sentinel is a blazing-fast, privacy-first secret scanner written in Rust. It runs locally as a pre-commit hook and blocks commits containing:
- AWS Access Keys
- OpenAI API Keys
- Stripe Secrets
- GitHub Tokens
- Private Keys
- Database Credentials
- High-entropy strings (custom secrets)
```bash
# Via Cargo (Rust package manager)
cargo install sentinel_cli
# Or build from source
git clone https://github.com/meklasdev/sentinel.git
cd sentinel
cargo build --release
```
```bash
cd your-project
sentinel init
```
This creates a `.git/hooks/pre-commit` hook that automatically scans staged files.
```bash
git add .
git commit -m "feat: add new feature"
```
If secrets are detected, the commit is blocked.
```bash
# Scan specific files
sentinel scan file1.py file2.js
# Scan with custom entropy threshold
sentinel scan --entropy 5.0 config.yaml
# Fail with exit code 1 if secrets found (for CI/CD)
sentinel scan --fail src/**/*.rs
```
```bash
# Install hook
sentinel init
# Force overwrite existing hook
sentinel init --force
```
```bash
sentinel pre-commit
```
Sentinel includes 100+ battle-tested regex patterns organized by category:
- AWS (Access Keys, Secret Keys, Session Tokens)
- Azure (Storage Keys, Client Secrets)
- Google Cloud (API Keys, OAuth Tokens, Service Accounts)
- DigitalOcean, Heroku, Cloudflare
- OpenAI (API Keys, Organization Keys)
- Anthropic (Claude API Keys)
- Hugging Face, Cohere, Replicate
- GitHub (PAT, OAuth, App Tokens, Refresh Tokens)
- GitLab, Bitbucket
- CircleCI, Travis CI, Jenkins
- Stripe (API Keys, Webhook Secrets)
- PayPal, Square, Braintree
- Slack (Tokens, Webhooks)
- Discord (Bot Tokens, Webhooks)
- Telegram, Twilio, SendGrid, Mailgun
- MongoDB, PostgreSQL, MySQL, Redis
- Firebase, Supabase (JWT Keys)
- Datadog, New Relic, Sentry, Segment
- Facebook, Twitter, LinkedIn
- Private Keys (RSA, EC, OpenSSH, DSA, PGP)
- SSH Keys, PGP Keys
- Generic API Keys, Secrets, Passwords
- JWT Tokens, NPM Tokens, PyPI Tokens, Docker Hub
Detects high-entropy strings (randomness) that likely indicate secrets:
```rust
// Example: This would be flagged
let api_key = "aB3$xK9#mP2@qL7!nR5%wT8&yU4*zV1^";
```
Default threshold: 4.5 bits (configurable via `--entropy`)
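The following is an added illustration, not Sentinel's own code: it assumes the entropy check is Shannon entropy in bits per character over double-quoted literals, compared with `>=`, and all function names are hypothetical. It shows why the README's example string is flagged at 4.5, and why hex-only or short secrets stay under that threshold and have to be caught by the regex patterns instead.

```rust
use std::collections::HashMap;

/// Shannon entropy of `s` in bits per character.
fn shannon_entropy(s: &str) -> f64 {
    let n = s.chars().count() as f64;
    if n == 0.0 {
        return 0.0;
    }
    let mut counts: HashMap<char, usize> = HashMap::new();
    for c in s.chars() {
        *counts.entry(c).or_insert(0) += 1;
    }
    counts.values().map(|&k| {
        let p = k as f64 / n;
        -p * p.log2()
    }).sum()
}

/// Contents of double-quoted literals on a line (simplified: no escape handling).
fn quoted_literals(line: &str) -> Vec<&str> {
    line.split('"').skip(1).step_by(2).collect()
}

/// Literals whose entropy meets the threshold. Using `>=` is an assumption.
fn flag_line(line: &str, threshold: f64) -> Vec<(&str, f64)> {
    quoted_literals(line)
        .into_iter()
        .map(|t| (t, shannon_entropy(t)))
        .filter(|&(_, h)| h >= threshold)
        .collect()
}

/// A string needs at least 2^threshold distinct characters to reach `threshold`.
fn min_distinct_chars(threshold: f64) -> usize {
    threshold.exp2().ceil() as usize
}

fn main() {
    // First line is the README's example; the other two are constructed samples.
    let samples = [
        r#"let api_key = "aB3$xK9#mP2@qL7!nR5%wT8&yU4*zV1^";"#,
        r#"let digest = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b";"#,
        r#"let pw = "Tr0ub4dor&3";"#,
    ];
    println!("need >= {} distinct chars for 4.5 bits", min_distinct_chars(4.5));
    for line in samples {
        let lit = quoted_literals(line)[0];
        println!("{:.2} bits  flagged={}  {}", shannon_entropy(lit), !flag_line(line, 4.5).is_empty(), lit);
    }
}
```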
```text
2 secret(s) detected:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
AWS Access Key ID in src/config.rs
Line 42
AWS Access Key ID detected
AKIAIOSFODNN7EXAMPLE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
OpenAI API Key in .env
Line 5
OpenAI API Key detected
sk-proj-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Commit blocked due to detected secrets!
Remove the secrets and try again.
```
| Feature | Sentinel | Gitleaks | TruffleHog |
|---|---|---|---|
| Language | Rust | Go | Python |
| Speed | Blazing | Fast | Slow |
| Privacy | 100% Local | Local | Cloud Option |
| Entropy Analysis | Built-in | โ | โ |
| Pre-commit Hook | Auto-install | Manual | Manual |
| Colored Output | Beautiful | Basic | Basic |
```bash
# Run unit tests
cargo test
# Run with coverage
cargo tarpaulin --out Html
```
Contributions are welcome! See CONTRIBUTING.md for guidelines.
- Fork the repo
- Create your feature branch (`git checkout -b feature/amazing`)
- Commit your changes (`git commit -m 'feat: add amazing feature'`)
- Push and open a PR
MIT © meklasdev