SecretScanner
by
deepfence

Description: :unlock: :unlock: Find secrets and passwords in container images and file systems :unlock: :unlock:

View on GitHub ↗

Summary Information

Updated 37 minutes ago
Added to GitGenius on March 13th, 2026
Created on August 22nd, 2020
Open Issues & Pull Requests: 25 (+0)
Number of forks: 346
Total Stargazers: 3,366 (+0)
Total Subscribers: 45 (+0)

Issue Activity (beta)

Open issues: 4
New in 7 days: 0
Closed in 7 days: 0
Avg open age: 377 days
Stale 30+ days: 4
Stale 90+ days: 4

Recent activity

Opened in 7 days: 0
Closed in 7 days: 0
Comments in 7 days: 0
Events in 7 days: 0

Top labels

  • enhancement (1)

Most active issues this week

No issue events were indexed in the last 7 days.

Repository Insights (GitGenius)

Median issue/PR response: 15.3 hours
Mean response time: 60.1 days
90th percentile: 297.7 days
Tracked items: 5

Most active contributors

Detailed Description

Deepfence SecretScanner is a standalone security tool written in Go that detects unprotected secrets and sensitive credentials in container images and file systems. The tool matches file contents against a database of approximately 140 secret types, enabling organizations to identify exposed passwords, API keys, encryption keys, SSH keys, tokens, AWS credentials, and other sensitive data that could compromise infrastructure security. SecretScanner operates as both an independent utility and as a component integrated into Deepfence's ThreatMapper, a broader open source scanner that identifies vulnerable dependencies and unprotected secrets in cloud native applications while ranking vulnerabilities by their risk-of-exploit.

The primary use case for SecretScanner addresses a critical security gap in modern development workflows. Developers frequently leave hardcoded secrets in container images during rapid development and deployment cycles within CI/CD pipelines, either through inadvertent mistakes or by using default credentials. SecretScanner provides a lightweight and efficient scanning method to detect these exposures before they reach production. The tool outputs results in JSON format with detailed information about discovered secrets, allowing security teams to review findings and determine which exposed credentials require remediation.

SecretScanner's functionality extends across multiple deployment scenarios. Users can scan container images by pulling them and running the scanner through Docker, or they can scan local directories on host systems. This flexibility makes it applicable to both containerized environments and traditional infrastructure security audits. The tool's classification spans multiple security domains including container security, image analysis, code scanning, file system scanning, sensitive data detection, security audits, DevSecOps practices, and supply chain security.

The repository demonstrates active maintenance and community engagement. GitGenius tracking data shows a median issue and pull request response latency of 15.3 hours across sampled items, indicating responsive project management. The most active contributors include ibreakthecloud with 6 tracked events, ramanan-ravi with 5 events, and 53845714nF with 3 events. Enhancement requests represent the most actively tracked issue category. The project maintains connections with related security tools through overlapping contributors, particularly with Deepfence's ThreatMapper project, as well as connections to Infisical and Nuxt repositories.

The tool's design philosophy emphasizes simplicity and efficiency for organizations seeking to reduce their attack surface. Rather than attempting to determine definitively whether discovered patterns are actual secrets, SecretScanner identifies potential secrets and leaves validation to security teams who understand their specific infrastructure context. This approach acknowledges that false positives are preferable to missed exposures in security scanning scenarios.

SecretScanner builds upon established detection patterns, crediting the shhgit project's configuration file as a foundation for its secret detection rules. The project maintains clear security practices with a dedicated security contact for reporting vulnerabilities and provides comprehensive documentation through the ThreatMapper documentation portal. The tool is positioned specifically for legitimate security purposes on infrastructure that organizations own or manage, with explicit disclaimers against unauthorized use.

SecretScanner
by
deepfencedeepfence/SecretScanner

Repository Details

Fetching additional details & charts...