Bug Circuit Secret Scanner
Security Tools
Instant

Bug Circuit Secret Scanner

Freebugcircuit-secretscan.zip · 29 KB · v1.0.0

Find leaked API keys, tokens, and private keys in your own code before attackers do.

Bug Circuit Secret Scanner is a free, single-file command-line tool that hunts through your codebase for accidentally committed secrets — AWS access keys, Google API keys, Slack and GitHub tokens, Stripe/Twilio/SendGrid/OpenAI/npm keys, private-key blocks, JSON Web Tokens, generic api_key = "..." assignments, and suspicious high-entropy strings. Every hit is reported as file:line:column with a type, a severity, and the secret safely redacted so your findings are never themselves a leak.

Leaked credentials are one of the most common root causes of real-world breaches — attackers actively scrape repositories for exactly these patterns. This scanner lets you get there first. It is fully passive and offline: it reads files on your machine, transmits nothing, and modifies nothing. It automatically skips .git, node_modules, virtualenvs, build output, and binary files, filters out obvious placeholders like YOUR_API_KEY_HERE, and validates JWTs and entropy candidates to keep noise down.

Written in pure Python 3 standard library — no pip install, no dependencies — it runs the moment you download it on Windows, macOS, and Linux. Get clean human-readable output with severity coloring, or --json for CI pipelines and pre-commit hooks (exit code 1 when anything is found). Tune sensitivity with --entropy-threshold, scope it with --exclude globs and a .secretscanignore file, and wire it straight into your build. Defensive tooling, brought to you free by Bug Circuit.

How to use

  • Install Python 3.8+ (it is standard-library only — no pip install, no dependencies).
  • Download bugcircuit-secretscan.py into your project or anywhere on your PATH.
  • Run python3 bugcircuit-secretscan.py . to scan the current directory (use python on Windows).
  • Review findings shown as file:line:column with a type, severity, and a redacted preview.
  • Add --json > report.json for machine-readable output, or --exclude / a .secretscanignore file to cut noise.
  • Wire it into CI or a pre-commit hook: exit code 1 means secrets were found. Rotate anything real immediately.

Example commands

python3 bugcircuit-secretscan.py .
python3 bugcircuit-secretscan.py ./src --json > secrets-report.json
python3 bugcircuit-secretscan.py . --entropy-threshold 4.6 --exclude '*.test.js' --exclude docs/
python3 bugcircuit-secretscan.py . --no-entropy --color never
python3 bugcircuit-secretscan.py . -q || echo 'Secrets found — failing build'

Free · MIT licensed · Python 3.8+ · no dependencies · runs on Windows, macOS & Linux. A free tool from Bug Circuit.

Download free

Downloads are free. You’ll sign in to a free store account (any email — takes 10 seconds) so you can re-download any time from your account.

Free & open — runs on your machineRe-download any time Real human support

Something not right with your order? Email [email protected] — the same team that runs our security audits makes it right.