Secrets Hunter

Secrets Scanner That Respects Your Time

Surface only findings worth acting on, not every high-entropy string or pattern match in your code.

.env
.../workspace/payments-api scan
src/app.pyclean
settings/prod.env3 secrets
tests/fixtures.jsonclean
deploy/values.yaml2 secrets
example.com probe
/backup.sql404
/.git/config404
/.env6 secrets
/config.json404
main..HEAD trace
a31c92f+ api_token
bb08d4aclean
d84f010+ AWS_ACCESS_KEY_ID
f10b7ceclean

Asset coverage

One scanner for every attack surface

Secrets Hunter follows the places secrets actually leak: filesystems, live web paths, and Git history.

Detection Process

Context-aware detection

Secrets Hunter extracts candidates, analyzes their context, and rejects known false positives. Every finding in your report is there for a reason.

Input Scan content
Candidate extraction Extract fragments
PEM keys
Generic strings
DB URLs
Detectors Entropy + patterns
No assignment context Reject malformed values
Assignment context Boost confidence or reject
Output Filter, mask, report
$ pip install secrets-hunter
$ secrets-hunter scan ./app --json report.json
  > Scan finished
  > Found 3 secrets: 2 critical, 1 medium
  > Results exported to report.json

Installation

Run it locally or wire it into CI

Available via pip, Docker, or source: run a scan and pipe results into the workflows your team already uses.

Start the Hunt

Find secrets before attackers do.

Install and run your first scan. Or get a guided demo to see what Secrets Hunter can find in your assets.