# SecretScanner Demonstration Notebook

This notebook demonstrates the main features of the `SecretScanner` class from Safeguard Toolkit.

You will see how to scan different file types and directories for secrets using regex, entropy, and more.

## 1. Scan a Python File

Scan a Python file for secrets such as hardcoded credentials, tokens, or high-entropy strings.

In [5]:
from safeguard_toolkit.scanners.secrets_scanner import SecretScanner
scanner = SecretScanner(whitelist=[])
file_to_scan = "examples/secrets_scanner_project/example.py"
scanner.scan(file_to_scan)

[INFO] Scanning file: examples/secrets_scanner_project/example.py


{'findings': [{'level': 'HIGH',
   'types': ['Password'],
   'line': 7,
   'message': 'Password detected',
   'content': 'password = "hunter2"'},
  {'level': 'HIGH',
   'types': ['Generic API Key', 'API Key'],
   'line': 8,
   'message': 'Generic API Key, API Key detected',
   'content': 'service_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"'}]}

## 2. Scan an INI Configuration File

Scan an `.ini` configuration file for secrets or sensitive values.

In [6]:
from safeguard_toolkit.scanners.secrets_scanner import SecretScanner
scanner = SecretScanner(whitelist=[])
file_to_scan = "examples/secrets_scanner_project/config.ini"
scanner.scan(file_to_scan)

[INFO] Scanning file: examples/secrets_scanner_project/config.ini


{'findings': [{'level': 'HIGH',
   'types': ['Password'],
   'line': 3,
   'message': 'Password detected',
   'content': 'password = admin123'}]}

Re-running the same scan with the flagged value `admin123` in `whitelist` returns no findings:

In [9]:
from safeguard_toolkit.scanners.secrets_scanner import SecretScanner
scanner = SecretScanner(whitelist=['admin123'])
file_to_scan = "examples/secrets_scanner_project/config.ini"
scanner.scan(file_to_scan)

[INFO] Scanning file: examples/secrets_scanner_project/config.ini


{'findings': []}

## 3. Scan a YAML Settings File

Scan a `.yaml` file for secrets or risky configuration values.

In [7]:
from safeguard_toolkit.scanners.secrets_scanner import SecretScanner
scanner = SecretScanner(whitelist=[])
file_to_scan = "examples/secrets_scanner_project/settings.yaml"
scanner.scan(file_to_scan)

[INFO] Scanning file: examples/secrets_scanner_project/settings.yaml


{'findings': [{'level': 'HIGH',
   'types': ['AWS Access Key', 'API Key'],
   'line': 1,
   'message': 'AWS Access Key, API Key detected',
   'content': 'aws_access_key_id: AKIAIOSFODNN7EXAMPLE'},
  {'level': 'HIGH',
   'types': ['API Key'],
   'line': 2,
   'message': 'API Key detected',
   'content': 'aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'},
  {'level': 'HIGH',
   'types': ['Password', 'API Key'],
   'line': 5,
   'message': 'Password, API Key detected',
   'content': 'password: mysecretpassword'},
  '[MEDIUM] High entropy at line 2: aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY (Entropy: 5.02)']}

## 4. Scan an Entire Directory

Recursively scan all supported files in a directory for secrets.

In [8]:
from safeguard_toolkit.scanners.secrets_scanner import SecretScanner
scanner = SecretScanner(whitelist=[])
file_to_scan = "examples/secrets_scanner_project"
scanner.scan(file_to_scan)

[INFO] Scanning directory: examples/secrets_scanner_project


{'findings': [{'level': 'HIGH',
   'types': ['AWS Access Key', 'API Key'],
   'line': 1,
   'message': 'AWS Access Key, API Key detected',
   'content': 'aws_access_key_id: AKIAIOSFODNN7EXAMPLE'},
  {'level': 'HIGH',
   'types': ['API Key'],
   'line': 2,
   'message': 'API Key detected',
   'content': 'aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'},
  {'level': 'HIGH',
   'types': ['Password', 'API Key'],
   'line': 5,
   'message': 'Password, API Key detected',
   'content': 'password: mysecretpassword'},
  '[MEDIUM] High entropy at line 2: aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY (Entropy: 5.02)',
  {'level': 'HIGH',
   'types': ['Password'],
   'line': 3,
   'message': 'Password detected',
   'content': 'password = admin123'},
  {'level': 'HIGH',
   'types': ['Password'],
   'line': 7,
   'message': 'Password detected',
   'content': 'password = "hunter2"'},
  {'level': 'HIGH',
   'types': ['Generic API Key', 'API Key'],
   'line': 8,
   'm

---

## Next Steps

- Use the `whitelist` parameter to ignore certain keys or patterns.
- Integrate `SecretScanner` into your CI/CD pipeline for automated checks.
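
One way to act on the CI/CD step, as an added example that is not part of the original notebook or of Safeguard Toolkit: a gate that takes a result in the shape shown in the outputs above (dict findings mixed with `[MEDIUM] ...` string findings), normalizes both, masks the secret values before they reach build logs, and returns a failing exit code. The helper names `redact`, `normalize` and `gate`, the `LOW` level, and the choice to treat unparseable findings as `HIGH` are assumptions of this example.

```python
import re

# Constructed sample: findings copied from the YAML scan output shown above.
SAMPLE_RESULT = {"findings": [
    {"level": "HIGH", "types": ["AWS Access Key", "API Key"], "line": 1,
     "message": "AWS Access Key, API Key detected",
     "content": "aws_access_key_id: AKIAIOSFODNN7EXAMPLE"},
    {"level": "HIGH", "types": ["Password", "API Key"], "line": 5,
     "message": "Password, API Key detected",
     "content": "password: mysecretpassword"},
    "[MEDIUM] High entropy at line 2: aws_secret_access_key: "
    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY (Entropy: 5.02)",
]}

SEVERITY = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}  # assumed ordering; LOW is not shown on the page
# Entropy findings are plain strings: "[LEVEL] <message> at line N: <content>"
STRING_FINDING = re.compile(
    r"^\[(?P<level>[A-Z]+)\] (?P<message>.+?) at line (?P<line>\d+): (?P<content>.*)$")
KEY_VALUE = re.compile(r"^([^:=]+[:=]\s*)")

def redact(content):
    """Keep the key name, mask the value so the secret never reaches CI logs."""
    m = KEY_VALUE.match(content)
    return (m.group(1) if m else "") + "****"

def normalize(finding):
    """Return one record shape for both dict findings and string findings."""
    if isinstance(finding, dict):
        fields = {k: finding.get(k) for k in ("level", "line", "message", "content")}
    else:
        m = STRING_FINDING.match(str(finding))
        # Fail closed: a finding that cannot be parsed is treated as HIGH.
        fields = m.groupdict() if m else {
            "level": "HIGH", "line": None, "message": "unparsed finding", "content": ""}
        if fields["line"] is not None:
            fields["line"] = int(fields["line"])
    fields["content"] = redact(fields["content"] or "")
    return fields

def gate(result, fail_at="HIGH"):
    """Return (exit_code, report_lines); exit_code is 1 if any finding meets fail_at."""
    rows = [normalize(f) for f in result.get("findings", [])]
    report = [f"{r['level']} line {r['line']}: {r['message']} [{r['content']}]" for r in rows]
    blocked = any(SEVERITY.get(r["level"], 3) >= SEVERITY[fail_at] for r in rows)
    return (1 if blocked else 0), report

if __name__ == "__main__":
    print(*gate(SAMPLE_RESULT)[1], sep="\n")
```

In a pipeline, pass the return value of `scanner.scan(...)` to `gate` and hand the exit code to `sys.exit`.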