AI-Powered Secret Scanner & Credential Leak Preventer
Find leaked secrets before they reach GitHub. Zero cloud. Zero compromise.
GhostKey scans your code, git history, environment files, and clipboard for leaked API keys, passwords, tokens, and credentials, before they ever reach a public repository.
Unlike cloud-based scanners, GhostKey runs 100% locally. Your secrets never leave your machine. Optional local AI verification (via Ollama) reduces false positives without any cloud dependency.
| Command | Description |
|---|---|
| ghostkey scan . | Scan files in current directory |
| ghostkey audit | Scan entire git history for leaked secrets |
| ghostkey env | Scan .env files and docker-compose configs |
| ghostkey watch | Monitor clipboard for secret leaks in real-time |
| ghostkey install | Install pre-commit hook to block secret commits |
- 160+ detection rules across 15+ categories
- Shannon entropy analysis for high-randomness strings
- Local AI verification via Ollama (optional, reduces false positives)
- Smart allowlist to skip test/example values
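As an added illustration of how the three techniques above work together (this is example code written for this README, not GhostKey's own scanner or rule file), the following Go program applies two assumed rules to a constructed sample, drops allowlisted values, and gates the generic rule on Shannon entropy so that placeholder strings like `aaaa...` are not reported. Rule names, the 3.5 bits/char threshold and the sample input are all assumptions; the AWS id is the one documented in AWS's own examples.

```go
package main

import (
	"math"
	"regexp"
)

type Finding struct{ Rule, Value string; Entropy float64 }

// Rules assumed for this example (not GhostKey's rule file): one documented
// vendor key format and one generic key=value assignment. gate marks rules
// whose matches must also look random before they are reported.
var rules = []struct {
	name string
	re   *regexp.Regexp
	gate bool
}{
	{"aws-access-key-id", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`), false},
	{"generic-assignment", regexp.MustCompile(`(?i)\b(?:api_?key|secret|token)\s*[=:]\s*["']?([A-Za-z0-9+/=_-]{16,})`), true},
}

// shannonEntropy returns bits per character: "aaaa" is 0, English-like text sits near 4, random base64 nears 6.
func shannonEntropy(s string) float64 {
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	n, h := float64(len([]rune(s))), 0.0
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// scanText applies every rule, skips allowlisted values, and for gated rules
// also skips matches below minEntropy bits per character.
func scanText(text string, allow map[string]bool, minEntropy float64) []Finding {
	var out []Finding
	for _, r := range rules {
		for _, m := range r.re.FindAllStringSubmatch(text, -1) {
			val := m[len(m)-1] // capture group if the rule has one, else the whole match
			ent := shannonEntropy(val)
			if !allow[val] && (!r.gate || ent >= minEntropy) {
				out = append(out, Finding{r.name, val, ent})
			}
		}
	}
	return out
}
```

On the constructed input `AWS_KEY=AKIAIOSFODNN7EXAMPLE`, `api_key = "EXAMPLE_API_KEY_0000"` (allowlisted), `token: aaaaaaaaaaaaaaaaaaaa` (entropy 0) and `secret="q8Zt3vLp9XmR2kWn7yHs4dBc"`, only the AWS id and the last high-entropy value are reported.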
| Category | Examples |
|---|---|
| Cloud Providers | AWS Access Keys, GCP API Keys, Azure Secrets |
| Version Control | GitHub PAT, GitLab Tokens, Bitbucket Keys |
| Payment | Stripe Secret Keys, PayPal, Square |
| Databases | PostgreSQL, MySQL, MongoDB, Redis URLs |
| Messaging | Slack Tokens, Discord Webhooks, Telegram Bots |
| Authentication | JWT Tokens, OAuth Secrets, Bearer Tokens |
| SSH & Crypto | RSA/ECDSA/Ed25519 Private Keys, PGP Keys |
| CI/CD | CircleCI, Travis, Jenkins Tokens |
| Package Managers | NPM Tokens, PyPI Tokens |
| Generic | API Keys, Passwords in Code, High-Entropy Strings |
- Terminal: colored table with severity indicators
- JSON: machine-readable for CI/CD pipelines
- SARIF: GitHub Code Scanning compatible
```bash
# Download from releases
# Or build from source:
git clone https://github.com/threatvec/ghostkey.git
cd ghostkey
go build -o ghostkey .
```

```bash
# Scan current directory
./ghostkey scan .

# Scan git history
./ghostkey audit

# Install pre-commit hook
./ghostkey install

# Scan with AI verification (requires Ollama)
./ghostkey scan . --ai

# Monitor clipboard
./ghostkey watch

# JSON output for CI/CD
./ghostkey scan . --format json

# SARIF for GitHub Code Scanning
./ghostkey scan . --format sarif > results.sarif
```

Automatically block commits containing secrets:

```bash
# Install the hook
ghostkey install

# Now any commit with secrets will be blocked:
git add .
git commit -m "update config"
# ERROR: Found 2 secrets. Commit blocked.
```

GhostKey can use a local Ollama instance to verify findings and reduce false positives:

```bash
# Install Ollama (https://ollama.ai)
# Pull a model
ollama pull llama3.2

# Scan with AI
ghostkey scan . --ai
```

The AI checks whether detected strings are real secrets or just test/example values. Everything runs locally: no data leaves your machine.
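The following Go code is an added example of how such a local verification step can be wired to Ollama's `/api/generate` endpoint; it is not GhostKey's own `internal/ai` code, and the prompt wording and the fail-closed rule are assumptions. The point it makes: the model's answer should only ever downgrade a finding when it is unambiguous, so a chatty or uncertain reply never suppresses a real secret.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// buildPrompt frames one finding as a closed question so the answer is easy to
// parse. The wording is assumed for this example, not GhostKey's prompt.
func buildPrompt(rule, value string) string {
	return fmt.Sprintf("A secret scanner flagged this string under rule %q:\n%s\n"+
		"Is it a real credential or a test/example placeholder? "+
		"Answer with exactly one word: REAL or PLACEHOLDER.", rule, value)
}

// keepFinding turns the model's free text into a verdict. It fails closed: the
// finding is dropped only when the first word is clearly PLACEHOLDER, so a
// vague or chatty answer never hides a real secret.
func keepFinding(modelReply string) bool {
	words := strings.Fields(strings.ToUpper(modelReply))
	if len(words) == 0 {
		return true
	}
	return strings.Trim(words[0], ".,!\"'") != "PLACEHOLDER"
}

// verifyWithOllama posts the prompt to Ollama's /api/generate endpoint
// (JSON with model, prompt and stream=false; the reply's "response" field
// holds the generated text). On any transport error the finding is kept.
func verifyWithOllama(baseURL, model, rule, value string) (bool, error) {
	body, _ := json.Marshal(map[string]any{"model": model, "prompt": buildPrompt(rule, value), "stream": false})
	resp, err := http.Post(baseURL+"/api/generate", "application/json", bytes.NewReader(body))
	if err != nil {
		return true, err
	}
	defer resp.Body.Close()
	var out struct{ Response string `json:"response"` }
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return true, err
	}
	return keepFinding(out.Response), nil
}
```

With the defaults shown in the configuration section, a caller would use `verifyWithOllama("http://localhost:11434", "llama3.2", rule, value)` and report the finding whenever it returns true.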
Create a .ghostkey.yaml in your project root:
```yaml
# Custom allowlist
allowlist:
  - "EXAMPLE_API_KEY"
  - "test_token_123"

# Exclude directories
exclude:
  - "vendor"
  - "testdata"

# AI settings
ai_enabled: false
ollama_url: "http://localhost:11434"
ollama_model: "llama3.2"

# Max file size (bytes)
max_file_size: 1048576
```

```
ghostkey/
├── cmd/            # CLI commands (scan, audit, install, watch, env)
├── internal/
│   ├── scanner/    # Pattern engine, matcher, entropy calculator
│   ├── git/        # Git history traversal, hook management
│   ├── ai/         # Ollama AI integration
│   ├── clipboard/  # Clipboard monitoring daemon
│   ├── config/     # YAML configuration
│   ├── report/     # Terminal, JSON, SARIF output
│   ├── signature/  # Author signatures & integrity
│   └── types/      # Type definitions
├── rules/          # Custom rule definitions
├── go.mod
├── main.go
├── LICENSE
└── README.md
```
| Feature | GhostKey | Gitleaks | TruffleHog |
|---|---|---|---|
| Local AI Verification | Yes (Ollama) | No | No |
| Clipboard Monitoring | Yes | No | No |
| Pre-commit Hook | Yes | Yes | Yes |
| Zero Cloud | Yes | Yes | Partial* |
| SARIF Output | Yes | Yes | Yes |
| Git History Scan | Yes | Yes | Yes |
| .env Scanning | Yes | Limited | Yes |
| Entropy Analysis | Yes | Yes | Yes |
| Free | Yes | Yes | Yes |
*TruffleHog sends detected keys to cloud providers for verification
```bash
# Requirements: Go 1.22+
git clone https://github.com/threatvec/ghostkey.git
cd ghostkey
go mod tidy
go build -o ghostkey .

# Cross-compile
GOOS=linux GOARCH=amd64 go build -o ghostkey-linux .
GOOS=darwin GOARCH=arm64 go build -o ghostkey-macos .
```

Proprietary License. See LICENSE for details.
Source code is provided for transparency and security auditing. Redistribution and modification are not permitted.
GhostKey, by talkdedsec & threatvec
Find secrets before hackers do.