Secret/Config Diff Scanner
Catch API keys, tokens, passwords, and risky config changes in AI-generated code before they reach your repo. Local CLI, zero dependencies, five output formats, and CI/pre-commit examples.
What it scans
- 20+ secret patterns – API keys, tokens, passwords, connection strings, JWT-style secrets.
- Risky config changes – .env, docker-compose, CI workflows, auth files, infrastructure configs.
- Diffs, staged changes, and directories – Scan what you want, when you want.
Outputs and integrations
- Five output formats – JSON, Markdown, HTML, SARIF, and exit codes.
- GitHub Actions workflow – Automated scanning in CI.
- Pre-commit hook and allowlist templates – Catch secrets before they are committed.
- 198 passing tests – Integration tests, SARIF validation, and security review included.
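An added example, not the product's own code, of the scan the two lists above describe: a dependency-free Python 3.10+ script that reads a unified diff, flags secret-looking values on added lines and review-worthy config paths, prints JSON findings, and exits non-zero for CI or a pre-commit hook. The patterns, the risky-path list, and the sample diff are constructed assumptions, not the product's rule set.

```python
import json
import re
import sys
# Constructed, illustrative patterns (assumption); a real scanner carries many more.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "connection_string": re.compile(r"(?i)\b(postgres|mysql|mongodb)(\+srv)?://[^:\s/]+:[^@\s]+@"),
    "generic_assignment": re.compile(r"(?i)\b(api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*['\"]?[^\s'\"]{8,}"),
}
# Files whose modification deserves review even when no secret matches (assumption).
RISKY_PATHS = re.compile(r"(^|/)(\.env(\..*)?|docker-compose\.ya?ml|\.github/workflows/[^/]+|auth\.(json|ya?ml))$")
def scan_diff(diff_text: str) -> list[dict]:
    # Scan only the added lines of a unified diff; return JSON-serialisable findings.
    findings, path, new_line = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")  # new-file side of the file header
            if RISKY_PATHS.search(path):
                findings.append({"rule": "risky_config_change", "path": path, "line": 0})
        elif raw.startswith("@@"):
            new_line = int(re.search(r"\+(\d+)", raw).group(1)) - 1  # hunk start, new side
        elif raw.startswith("+"):
            new_line += 1
            for rule, pattern in SECRET_PATTERNS.items():
                if pattern.search(raw[1:]):
                    findings.append({"rule": rule, "path": path, "line": new_line})
        elif raw.startswith(" "):
            new_line += 1  # unchanged context still advances the new-side counter
    return findings
def exit_code(findings: list[dict]) -> int:
    return 1 if findings else 0  # non-zero so CI or a pre-commit hook can block the change

SAMPLE_DIFF = """\
--- a/config/.env
+++ b/config/.env
@@ -1,1 +1,2 @@
 APP_NAME=demo
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
--- a/app.py
+++ b/app.py
@@ -10,3 +10,4 @@
 def connect():
-    url = os.environ["DB_URL"]
+    url = "postgres://app:hunter2secret@db.internal:5432/app"
+    token = "constructed-sample-token-value"
     return url
"""  # constructed sample diff, not real credentials
if __name__ == "__main__":  # pipe `git diff --cached` in, or run with no input for the sample
    result = scan_diff(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF)
    print(json.dumps(result, indent=2))
    sys.exit(exit_code(result))
```

Removed lines are ignored, so a secret that was deleted does not trigger a finding, and the `line` value refers to the new side of the hunk.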
Best for
Developers and teams using Cursor, Claude Code, Copilot, Codex, or other AI coding workflows where generated diffs may accidentally touch secrets or deployment configuration.
What this is not
- Not a full security audit or penetration testing tool.
- Not a SaaS – runs locally, no data leaves your machine.
- Not a guarantee – catches known patterns, not novel zero-days.
- Not a subscription – one-time purchase.
Requirements
Python 3.10+. Zero external dependencies. Runs locally and offline.
Related products
- Basic Kit – lightweight checklist for solo developers.
- Pro Kit – expanded risk scoring, client-ready deliverables.
- AI Code Review Workflow Pack – structured review checklists, evidence logs, and policy enforcement.