This content originally appeared on DEV Community and was authored by Amogetswe Mashele
Hi,
I’ve been experimenting with DevSecOps tools lately, and noticed that
most secret scanners only alert you after you’ve already pushed to GitHub — when the damage is done.
So I decided to build a different kind of scanner.
Something fast, lightweight, and developer-first — that runs locally before you even commit code.
The Problem
Every year, thousands of API keys and credentials get accidentally committed to public repos.
Even with GitHub’s built-in secret scanning and tools like GitGuardian, leaks still happen because:
Developers forget to run scans before pushing.
Most scanners are CI-only (post-commit).
Setup is overcomplicated for solo devs and small teams.
I wanted a local-first tool that fits naturally into a workflow — no cloud sync, no telemetry, no “trust us” backend.
The Solution: Secrets Scanner
Secrets Scanner is a simple Python + FastAPI tool that:
Scans repos for hardcoded secrets, keys, and tokens.
Runs as a pre-commit hook locally (python -m app.cli --staged).
Works as a CLI or self-hosted web app.
Integrates with CI pipelines for an extra safety layer.
Sends optional alerts to Slack when secrets are detected.
Everything runs on your machine or your server — no data leaves your environment.
Quick Demo
Local use:
python -m app.cli --staged
If a secret is found, it blocks your commit with a clear message:
Secret found in .env (STRIPE_SECRET_KEY)
Otherwise:
No secrets found.
You can also deploy the web version (I used Render):
docker build -t secrets-scanner .
docker run -p 8000:8000 --env-file .env secrets-scanner
Then visit:
to scan any repo (public or private, via OAuth).
Prevent Leaks with Pre-Commit
To integrate with Git hooks:
macOS/Linux
echo '#!/usr/bin/env bash
set -e
python -m app.cli --staged' > .git/hooks/pre-commit
chmod +x .git/hooks/pre-commit
Windows (PowerShell)
Git only runs a hook file named exactly pre-commit (no extension), so save the PowerShell script and add a one-line pre-commit wrapper that launches it:
echo 'python -m app.cli --staged
if ($LASTEXITCODE -ne 0) { exit 1 }' > .git/hooks/pre-commit.ps1
Set-Content -Path .git/hooks/pre-commit -Encoding ascii -Value "#!/bin/sh`nexec powershell.exe -NoProfile -ExecutionPolicy Bypass -File .git/hooks/pre-commit.ps1"
Now, every time you run git commit, your secrets get scanned automatically.
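To show what a --staged scan has to do to be useful as a commit gate, here is a minimal Python stand-in written for this post; it is an added example, not code from the secrets-scanner repository. It reads the indexed blob of each staged file with git show :path (so it checks exactly what is about to be committed, not the working tree) and exits non-zero on a hit. The rule names, regexes, the ignore marker and the sample .env are assumptions chosen for illustration.

```python
"""Minimal stand-in for `python -m app.cli --staged` (added example, not the project's code)."""
import re
import subprocess
import sys

# Assumed rule set for illustration; the real tool's rules are not shown on the page.
RULES = [
    ("STRIPE_SECRET_KEY", re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b")),
    ("AWS_ACCESS_KEY_ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("GITHUB_TOKEN", re.compile(r"\bgh[pousr]_[0-9A-Za-z]{36,}\b")),
    ("PRIVATE_KEY_BLOCK", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]
IGNORE_MARKER = "secrets-scanner:ignore"  # assumed inline allowlist marker

# Constructed sample of a staged .env (placeholder values, not real credentials).
SAMPLE_ENV = """DATABASE_URL=postgres://localhost/app
STRIPE_SECRET_KEY=sk_live_EXAMPLE0000000000000000
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
TEST_TOKEN=sk_test_PLACEHOLDER000000000 # secrets-scanner:ignore
"""

def scan_text(path, text):
    """Return (path, line_no, rule_name) for each hit; lines carrying the marker are skipped."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if IGNORE_MARKER in line:
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((path, line_no, name))
    return findings

def git_out(*args):
    return subprocess.run(["git", *args], capture_output=True, encoding="utf-8",
                          errors="replace", check=True).stdout

def scan_staged():
    """Scan the indexed blob (git show :path) of every added/copied/modified staged file,
    so edits left unstaged in the working tree can neither add nor hide a finding."""
    findings = []
    for path in git_out("diff", "--cached", "--name-only", "--diff-filter=ACM").splitlines():
        content = git_out("show", f":{path}")
        if "\x00" not in content:  # skip binary blobs
            findings.extend(scan_text(path, content))
    return findings

if __name__ == "__main__":
    hits = scan_staged()
    for path, line_no, name in hits:
        print(f"Secret found in {path}:{line_no} ({name})")
    if not hits:
        print("No secrets found.")
    sys.exit(1 if hits else 0)  # a non-zero exit is what makes the pre-commit hook block the commit
```

Run it from the repository root with files staged; scan_text(".env", SAMPLE_ENV) shows the same logic offline against the constructed sample.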
Why Local-First Matters
There’s a big trust gap in third-party scanning tools.
By keeping everything local and open source, you stay in control of your code.
No API calls, no logging, no vendor lock-in.
You can even host the full service yourself if you want to integrate with a team Slack or private CI setup.
Tech Stack
FastAPI for backend
Python CLI for pre-commit and local scans
httpx for async GitHub API calls
Slack webhooks for alerts
Dockerized for easy self-hosting
Try It Yourself
GitHub: https://github.com/AMOSFinds/secrets-scanner
Live demo: https://secrets-scanner-jlw2.onrender.com/ui or if you want to find out more, visit the homepage: https://secrets-scanner-jlw2.onrender.com
If you’re into DevSecOps or pre-commit automation, I’d love feedback — especially from anyone who’s used GitGuardian or similar SAST tools.
Amogetswe Mashele | Sciencx (2025-10-26T23:43:01+00:00) A lightweight secrets scanner that catches exposed keys before they reach GitHub. Retrieved from https://www.scien.cx/2025/10/26/a-lightweight-secrets-scanner-that-catches-exposed-keys-before-they-reach-github/