A command-line tool for detecting sensitive information in your code before it gets leaked. Think of it as your vigilant guardian against accidentally committing secrets, API keys, credentials, and PII.
- 🚀 Written in Rust for maximum performance
- 🔍 Scans repositories for potential sensitive information
- ⚙️ Configurable pattern matching and ignores
- 🕒 Digs through Git history to find previously committed secrets
- 🎯 Can focus on staged files only (perfect for git hooks)
- 🦾 Continuous integration support
```sh
cargo install secret-squirrel
```

Basic repository scan:

```sh
# Run from the root of your repository
ssq
# Or specify the path
ssq /path/to/repository
```

Scan only staged files:

```sh
ssq --staged
```

Scan Git history:

```sh
ssq --history
```

Create a `.ssq.yaml` in your project root. For IDE support (autocomplete and validation), add the schema reference:
```yaml
# yaml-language-server: $schema=https://raw.githubusercontent.com/therealklanni/secret-squirrel/main/schema/ssq.schema.json

# Ignore specific patterns
ignore_patterns:
  - 'TEST_API_KEY=.*'
  - 'localhost:.*'
  - '^dummy_password=.*'

# Ignore specific files or directories
ignore_paths:
  - 'tests/fixtures/*'
  - '*.test.js'
  - 'docs/**/*'

# Custom severity levels for different patterns
patterns:
  github_token:
    description: GitHub personal access token pattern
    regex: '[A-Za-z0-9]{40}'
    severity: critical
  password:
    description: Generic password in configuration
    regex: '(?i)password\s*=\s*.+'
    severity: high
  email:
    description: Email addresses that might contain PII
    regex: '[a-zA-Z0-9._-]+@[a-zA-Z0-9._-]+\.[a-zA-Z0-9_-]+'
    severity: medium
```

The configuration schema supports:
- `severity`: Global minimum severity level (`LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)
- `ignore_patterns`: Array of regex patterns to ignore
- `ignore_paths`: Array of glob patterns for ignored paths
- `patterns`: Object containing detection patterns
  - Each pattern requires:
    - `description`: Human-readable description
    - `regex`: Regular expression pattern
    - `severity`: Pattern-specific severity level
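As an added illustration (not secret-squirrel's own code), the Python model below applies the configuration above to a few constructed file contents to show how `ignore_paths`, `ignore_patterns`, per-pattern severities and the global `severity` floor combine; the order in which ssq itself evaluates these keys is an assumption. It also shows that the sample `github_token` regex fires on any 40-character alphanumeric run, such as a Git commit SHA, which is why a tighter pattern or an ignore rule is usually needed.

```python
import re
from fnmatch import fnmatch

# Constructed config mirroring the .ssq.yaml above, as a dict so no YAML parser
# is needed. How ssq itself combines these keys is an assumption here.
CONFIG = {
    "severity": "MEDIUM",
    "ignore_patterns": [r"TEST_API_KEY=.*", r"localhost:.*", r"^dummy_password=.*"],
    "ignore_paths": ["tests/fixtures/*", "*.test.js", "docs/**/*"],
    "patterns": {
        "github_token": {"regex": r"[A-Za-z0-9]{40}", "severity": "critical"},
        "password": {"regex": r"(?i)password\s*=\s*.+", "severity": "high"},
        "email": {"regex": r"[a-zA-Z0-9._-]+@[a-zA-Z0-9._-]+\.[a-zA-Z0-9_-]+",
                  "severity": "medium"},
    },
}
LEVELS = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

# Constructed sample "repository": path -> file contents.
SAMPLE_FILES = {
    "src/config.py": "DB_PASSWORD = 'hunter2'\nsupport_contact = 'ops@example.com'\n",
    "src/version.py": "GIT_SHA = 'd41d8cd98f00b204e9800998ecf8427ed41d8cd9'\n",
    "src/app.py": "TEST_API_KEY=abcdefghijklmnopqrstuvwxyz0123456789ABCD\n",
    "tests/fixtures/creds.env": "password=secret\n",
}


def scan_line(path, lineno, line, cfg):
    """Findings for one line as (path, lineno, pattern, SEVERITY) tuples."""
    if any(fnmatch(path, g) for g in cfg["ignore_paths"]):
        return []                      # whole file is excluded by ignore_paths
    if any(re.search(p, line) for p in cfg["ignore_patterns"]):
        return []                      # line is excluded by ignore_patterns
    floor = LEVELS[cfg["severity"].upper()]
    hits = []
    for name, pat in cfg["patterns"].items():
        sev = pat["severity"].upper()
        # Below the global minimum severity, a match is not reported at all.
        if LEVELS[sev] >= floor and re.search(pat["regex"], line):
            hits.append((path, lineno, name, sev))
    return hits


def scan(files, cfg=CONFIG):
    """Scan every line of every file; returns findings in file/line order."""
    findings = []
    for path, text in files.items():
        for n, line in enumerate(text.splitlines(), 1):
            findings.extend(scan_line(path, n, line, cfg))
    return findings
```

With the default config, `scan(SAMPLE_FILES)` reports the password, the e-mail address and the commit SHA (as a false-positive `github_token`), while the `TEST_API_KEY` line and the fixture file are suppressed; raising `severity` to `HIGH` drops the e-mail finding.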
MIT © Kevin Lanni