GoSecretScanv2

command module
v1.0.2
Published: Nov 27, 2025 License: MIT Imports: 12 Imported by: 0

README

GoSecretScanv2

GoSecretScanv2 is a fast secret scanner for source code. It combines deterministic patterns with entropy checks and lightweight context analysis; LLM verification is optional.

Overview

  • Detects credentials, API keys, private keys, and connection strings
  • CLI and GitHub Actions support
  • Sensible defaults; no services required
  • Optional local LLM verification for triage

Optional: LLM verification

./scripts/download-models.sh
./scripts/run-llama-server.sh   # exposes http://localhost:8080
./gosecretscanner --llm

# Optionally point to a remote/local endpoint
export GOSECRETSCANNER_LLM_ENDPOINT=http://localhost:8080
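As an added illustration of the pattern-plus-entropy-plus-context approach described in the overview (example code written for this page, not GoSecretScanv2's own source), the following Go program applies a constructed credential-assignment regex, drops obvious placeholder values, and reports only candidates whose Shannon entropy clears a threshold. The regex, the placeholder list, the 3.5 bits/char threshold and the sample lines are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
)

// Finding is a suspected secret: its line, the key it was assigned to, and the value's entropy.
type Finding struct {
	Line    int
	Key     string
	Entropy float64
}

// assignment (constructed): credential-looking key name assigned a 16+ char token; group 1 = key, group 2 = value.
var assignment = regexp.MustCompile(`(?i)([A-Z0-9_.-]*(?:secret|token|password|passwd|api[_-]?key|access[_-]?key)[A-Z0-9_.-]*)\s*[:=]\s*["']?([A-Za-z0-9+/=_-]{16,})`)
// placeholders: values that pass the shape check but are obviously not real secrets.
var placeholders = regexp.MustCompile(`(?i)^(?:x+|(?:changeme)+|example.*|your[_-].*)$`)

// shannonEntropy returns the Shannon entropy of s in bits per character.
func shannonEntropy(s string) float64 {
	freq := map[rune]float64{}
	for _, r := range s {
		freq[r]++
	}
	n, h := float64(len([]rune(s))), 0.0
	for _, c := range freq {
		h -= c / n * math.Log2(c/n)
	}
	return h
}

// scanLines chains the checks: deterministic pattern, placeholder filter, entropy threshold.
func scanLines(lines []string, minEntropy float64) (out []Finding) {
	for i, line := range lines {
		if m := assignment.FindStringSubmatch(line); m != nil && !placeholders.MatchString(m[2]) {
			if h := shannonEntropy(m[2]); h >= minEntropy {
				out = append(out, Finding{Line: i + 1, Key: m[1], Entropy: h})
			}
		}
	}
	return out
}

func main() {
	// Constructed sample lines; only the made-up token on line 3 survives all three checks.
	fmt.Println(scanLines([]string{`DB_PASSWORD = "changeme"`, `api_key: "xxxxxxxxxxxxxxxxxxxxxxxx"`,
		`APP_SECRET_KEY="kQ9vT2xZ8bN4mW7pL1rS6yH3"`, `token = ${VAULT_TOKEN}`}, 3.5))
}
```

The placeholder filter stands in for the allowlisting that the Current Limitations section says must presently be handled outside the tool.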

Installation

From Source

git clone https://github.com/m1rl0k/GoSecretScanv2.git
cd GoSecretScanv2
go build -o gosecretscanner main.go

Using Go Install

go install github.com/m1rl0k/GoSecretScanv2@latest

Using Docker

# Build the Docker image
docker build -t gosecretscanner .

# Run the scanner on current directory
docker run --rm -v "$(pwd):/workspace" gosecretscanner

# Run on a specific directory
docker run --rm -v /path/to/scan:/workspace gosecretscanner

GitHub Actions

Action inputs (when using enable-llm):

  • enable-llm: set to 'true' to download Granite, launch llama.cpp via Docker, and run the scan with --llm.
  • model-path: overrides the GGUF path (relative to the action directory by default).
  • llm-endpoint / llm-port: control how the scanner reaches the llama.cpp HTTP server.
  • llama-image: change the Docker image used to serve Granite (default ghcr.io/ggerganov/llama.cpp:full).
  • manage-llm-server: set to 'false' when your workflow starts the llama.cpp container itself via services: (the example step below uses this setting).

Example workflow step:

      - name: Run GoSecretScan Action with LLM
        uses: ./
        with:
          scan-path: '.'
          fail-on-secrets: 'false'
          enable-llm: 'true'
          llm-port: '8080'
          manage-llm-server: 'false'

Usage

Navigate to the directory you want to scan and run:

cd /path/to/your/project
./gosecretscanner

The scanner will:

  1. Recursively scan all files in the current directory
  2. Skip .git and node_modules directories
  3. Report any secrets found with file location and line numbers
  4. Exit with code 1 if secrets are found, 0 otherwise

Integration with CI/CD

Pre-commit Hook

Add to .git/hooks/pre-commit:

#!/bin/bash
if ! ./gosecretscanner; then
    echo "Secret scan failed! Please remove secrets before committing."
    exit 1
fi

GitHub Actions

The repository also exposes a reusable GitHub Action for CI pipelines:

name: Security Scan
on: [push, pull_request]

jobs:
  secret-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Use GoSecretScan as a reusable action
      - name: Run Secret Scanner
        uses: m1rl0k/GoSecretScanv2@main
        with:
          scan-path: '.'
          fail-on-secrets: 'true'

Development

Building

go build -o gosecretscanner main.go

Running Tests

go test ./...

Code Formatting

gofmt -w .

Current Limitations

  • Binary files are not automatically filtered.
  • Configuration files for custom settings are not yet supported.
  • Custom patterns require code changes.
  • Allowlists/whitelists must currently be handled outside the tool.

Contributing

Contributions are welcome via pull requests.

License

This project is licensed under the MIT License; see LICENSE for details.

Support

Please open an issue on GitHub for bugs or feature requests.

Documentation

There is no documentation for this package.

Directories

Path Synopsis
pkg
llm
