I’ve been experimenting with DevSecOps tools lately — but wanted to try a challenge of solving a specific problem.
Most secret scanners only alert you after you’ve already pushed your code. By then, it’s too late.
So I decided to build something different:
A fast, lightweight local-first secrets scanner that runs before commits, works offline, and never sends your code anywhere.
*Why I Built It
Every year, thousands of API keys get exposed in public repos.
Even tools like GitGuardian or Gitleaks don’t stop this fully because:
Developers forget to run them before pushing
CI-only scanners catch leaks after the fact
Some tools require cloud setup or telemetry access
I wanted a tool that fits naturally into a developer’s workflow,and runs locally.
*What It Does
Scans files …
I’ve been experimenting with DevSecOps tools lately — but wanted to try a challenge of solving a specific problem.
Most secret scanners only alert you after you’ve already pushed your code. By then, it’s too late.
So I decided to build something different:
A fast, lightweight local-first secrets scanner that runs before commits, works offline, and never sends your code anywhere.
*Why I Built It
Every year, thousands of API keys get exposed in public repos.
Even tools like GitGuardian or Gitleaks don’t stop this fully because:
Developers forget to run them before pushing
CI-only scanners catch leaks after the fact
Some tools require cloud setup or telemetry access
I wanted a tool that fits naturally into a developer’s workflow,and runs locally.
*What It Does
Scans files and commits for API keys, tokens, and credentials
Runs automatically before commits (python -m app.cli –staged)
Works as a CLI, pre-commit hook, or self-hosted web UI
Outputs SARIF reports, supports baselines, and runs fully offline
Integrates with CI for optional automation
*New Features Since Launch
I recently added a few upgrades based on early feedback:
Baseline support to avoid false positives
SARIF output for CI integration
Per-repo config for custom ignore patterns
Next: –fix mode to auto-redact or hint key rotation
*Why “Local-First” Matters
Most teams trust cloud scanners with private code — I wanted to try the opposite of that model.
Secrets Scanner runs on your machine or on your own server, so:
No code ever leaves your environment
You stay compliant and private
You can integrate it with any workflow
Quick Demo
Pre-commit scan
python -m app.cli –staged
Or full repo
python -m app.cli .
Optional: generate SARIF
python -m app.cli –sarif report.sarif
If it finds something:
HIGH · STRIPE_SECRET_KEY · app/settings.py:42
Otherwise:
No secrets found.
How to Try It
GitHub: github.com/AMOSFinds/secrets-scanner
Live demo: secrets-scanner-jlw2.onrender.com
If you’d like to help test, I have a few private API keys available for early users, just comment below or DM me.
*What I Learned
Building this taught me how critical it is to combine developer efficiency with security.
*Feedback Wanted
I’m looking for 5–10 testers to try the pre-commit integration and let me know if it is genuinely helpful or lackluster.
What do you think — is a fully local scanner like this a must-have for small teams?