Scan your git history, files, and stdin for leaked credentials, API keys, and tokens across 131 provider-specific rules.
```mermaid
flowchart LR
A[Git Repo\nFiles\nStdin] --> B[Source Adapter]
B --> C[Detection Engine]
C --> D[Codec Decoders\nbase64 / hex / unicode]
D --> E[Rule Matcher\nAho-Corasick + Regex]
E --> F{Secret Found?}
F -->|yes| G[Finding]
F -->|no| H[Clean]
G --> I[Reporter]
I --> J[SARIF\nJSON\nCSV\nJUnit]
```
- 131 provider-specific rules — AWS, GCP, Azure, GitHub, Stripe, Slack, and more
- Codec-aware decoding — detects secrets encoded in base64, hex, or unicode
- Aho-Corasick multi-pattern matching — high-throughput scanning with minimal CPU overhead
- Git history scanning — traverse every commit, branch, and tag
- SARIF output — integrates with GitHub Code Scanning and IDE tooling
- Allowlist suppression — suppress false positives with path, commit, or regex allowlists
- Pre-commit hook support — block secrets before they ever hit the remote
- Multiple input modes — `detect` (files/git), `protect` (stdin), `git` (git log)
```bash
# Scan current git repo
secureflow-secrets detect

# Scan a specific directory
secureflow-secrets detect --source ./src

# Scan stdin (pre-commit / pipe)
git diff --staged | secureflow-secrets protect

# Output SARIF for GitHub Code Scanning
secureflow-secrets detect --report-format sarif --report-path results.sarif
```

Install with `go install`:

```bash
go install github.com/BarakMozesPro/secureflow-secrets@latest
```

Or build from source:

```bash
git clone https://github.com/BarakMozesPro/secureflow-secrets
cd secureflow-secrets
go build -o secureflow-secrets .
```

Place a `.gitleaks.toml` in your repo root (or pass `--config`):
```toml
[allowlist]
description = "Global allowlist"
paths = ['''go\.sum''']
regexes = ['''EXAMPLE_KEY_[A-Z0-9]+''']
```

Building this project taught me two powerful Go concurrency patterns:
- Go channel pipelines for concurrent scanning — The detection engine fans out file fragments across worker goroutines using buffered channels. Each goroutine independently applies codec decoding and regex matching, then sends findings back through a collector channel. This eliminates locking entirely and scales linearly with CPU cores.
- Aho-Corasick multi-pattern matching — Rather than running each of the 131 regex rules sequentially, the engine first filters fragments using an Aho-Corasick automaton that simultaneously scans for all keyword hints. Only fragments that match a keyword hint proceed to the more expensive full regex evaluation. This reduces the regex workload by 90%+ on clean codebases.
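The two patterns above, as an added example that is not the project's own code: a worker pool fed over a buffered jobs channel with a single collector channel, and a keyword-hint gate in front of the full regexes. `ScanFragment`, `ScanPipeline` and the two rules are constructed for this example; `strings.Contains` stands in for the Aho-Corasick automaton, and the AWS value is the example key from AWS's own documentation.

```go
package main
import (
	"fmt"
	"regexp"
	"strings"
	"sync"
)
// Rule pairs a keyword hint with the regex that confirms it; the patterns are constructed for this example.
type Rule struct{ ID, Keyword string; Pattern *regexp.Regexp }
type Finding struct{ RuleID, Match string }
var rules = []Rule{
	{"aws-access-key-id", "AKIA", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"github-pat", "ghp_", regexp.MustCompile(`\bghp_[A-Za-z0-9]{36}\b`)},
}
// ScanFragment is the hint-then-regex gate: strings.Contains stands in for the Aho-Corasick keyword pass.
func ScanFragment(frag string) (out []Finding) {
	for _, r := range rules {
		if strings.Contains(frag, r.Keyword) { // only hinted rules pay for the full regex
			if m := r.Pattern.FindString(frag); m != "" {
				out = append(out, Finding{r.ID, m})
			}
		}
	}
	return out
}
// ScanPipeline fans fragments out to `workers` goroutines over a buffered jobs channel; findings
// flow back over one collector channel, so workers share no state and no lock is taken.
func ScanPipeline(frags []string, workers int) (found []Finding) {
	jobs, results := make(chan string, len(frags)), make(chan Finding)
	var wg sync.WaitGroup
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for f := range jobs {
				for _, fd := range ScanFragment(f) { results <- fd }
			}
		}()
	}
	for _, f := range frags { jobs <- f }
	close(jobs)
	go func() { wg.Wait(); close(results) }() // close the collector once every worker has exited
	for fd := range results { found = append(found, fd) }
	return found
}
func main() { // constructed sample input; the AWS value is the example key from AWS's own documentation
	for _, f := range ScanPipeline([]string{"k = AKIAIOSFODNN7EXAMPLE", "t: ghp_" + strings.Repeat("a", 36)}, 4) {
		fmt.Println(f.RuleID, f.Match)
	}
}
```

Findings arrive in whatever order the workers finish, so consumers should not rely on ordering.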
```text
secureflow-secrets/
├── cmd/                    # CLI commands (detect, protect, git)
│   └── generate/config/    # Rule generation utilities
│   └── rules/              # 131 provider rule definitions
├── config/                 # Configuration structs, allowlists, TOML parser
├── detect/                 # Core detection engine
│   └── codec/              # base64, hex, unicode decoders
├── report/                 # SARIF, JSON, CSV, JUnit reporters
├── sources/                # Git, file, stdin source adapters
└── testdata/               # Test fixtures and configs
```
This project is built on top of Gitleaks by Zachary Rice, released under the MIT License. Gitleaks is the industry-standard secret detection tool trusted by thousands of security teams and integrated into major CI/CD platforms.
SecureFlow Secrets — keeping your credentials where they belong: not in git.