🔐 Security Tool

$ redactd

Find hardcoded secrets, API keys, and credentials in your codebase before they end up in production - or in the wrong hands.

25+ patterns · 4 severity levels · Git history · 0 false-positive spam
Example session (bash):
redactd scan ./my-project --git-history
 
🔍 Scanning: ./my-project (+ git history)
 
📄 src/config.js
  🔴 [CRITICAL] Line 3:12 — AWS Access Key ID
       Match: AKIAIO...MPLE
  🟠 [HIGH]    Line 4:8  — Database Connection String
       Match: mongod...prod
 
📄 src/auth.py
  🔴 [CRITICAL] Line 7:19 (commit: a1b2c3d) — GitHub Token
       Match: ghp_xK...9s2T
 
───────────────────────────────
Total findings: 3  |  Critical: 2  |  High: 1
In git history: 1
───────────────────────────────
scan ./project
    Recursively scan a directory for secrets in all source files.

scan ./project --git-history
    Also scan every git commit — catches secrets that were deleted but still live in history.

scan ./project --severity critical
    Filter output to only show findings at or above a severity level.

scan ./project --json
    Machine-readable JSON output. Plug straight into CI/CD pipelines.

install-hook ./repo
    Install a pre-commit hook that blocks any commit containing high/critical secrets.

init ./project
    Scaffold a .secretsignore file to whitelist false positives and test files.

Or run the built entry point with Node directly:
node dist/index.js scan ./my-project
📊 Entropy Analysis
Shannon entropy filters out low-entropy placeholders like changeme and your-api-key — no false-positive noise.
📂 .secretsignore
Project-level ignore file. Whitelist test directories, example files, or specific content patterns with simple glob rules.
🔒 Pre-commit Hook
One command installs a git hook that silently scans staged files and blocks the commit if secrets are found.
🕵️ Git History Scan
Walks every commit and diffs added lines. Exposes secrets that were removed from code but are still accessible in history.
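How the added-line walk works, as an added example (not redactd's own code): a small parser over constructed `git log -p` style output keeps only the `+` lines of each hunk together with their commit, file and post-image line number, and a single connection-string pattern is then run over those lines only. The commit hashes, file contents and the embedded credential are constructed for this example, and the `MONGO_URI` pattern is an assumption, not one of the tool's own.

```javascript
// Added example (not redactd's own code): scan only the lines each commit
// introduced, so a secret is reported once, against the commit that added it,
// and a later commit that merely deletes it does not produce a second hit.

// Parse unified-diff text (as produced by `git log -p`) into added lines.
function parseAddedLines(patchText) {
  const added = [];
  let commit = null;
  let file = null;
  let newLine = 0; // current line number in the hunk's post-image

  for (const raw of patchText.split('\n')) {
    let m;
    if ((m = /^commit ([0-9a-f]{7,40})$/.exec(raw))) {
      commit = m[1];
    } else if ((m = /^\+\+\+ b\/(.+)$/.exec(raw))) {
      file = m[1];
    } else if ((m = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/.exec(raw))) {
      newLine = Number(m[1]); // hunk header: reset post-image counter
    } else if (raw.startsWith('+') && !raw.startsWith('+++')) {
      added.push({ commit, file, line: newLine, text: raw.slice(1) });
      newLine += 1;
    } else if (raw.startsWith(' ')) {
      newLine += 1; // unchanged context line also advances the post-image
    }
    // '-' lines are pre-image only: no counter advance and never scanned,
    // because a removed line was not introduced by this commit.
  }
  return added;
}

// Run one detection pattern over added lines only.
function scanPatch(patchText, pattern) {
  return parseAddedLines(patchText)
    .filter((l) => pattern.test(l.text))
    .map((l) => ({ commit: l.commit, file: l.file, line: l.line }));
}

// Assumed pattern for this example: user:password@ inside a Mongo URI.
const MONGO_URI = /mongodb(?:\+srv)?:\/\/[^\s"'/]+:[^\s"'@]+@/;

// Constructed two-commit history: the first adds a credential, the second
// removes it. Hashes are placeholders, not real commits.
const SAMPLE_PATCH = [
  'commit a1b2c3d',
  '',
  '    add db config',
  '',
  'diff --git a/src/config.js b/src/config.js',
  '--- a/src/config.js',
  '+++ b/src/config.js',
  '@@ -1,3 +1,5 @@',
  ' const port = 3000;',
  '-const debug = false;',
  '+const debug = true;',
  '+const dbUrl = "mongodb://app:Pa55w0rd@db.internal/prod";',
  ' module.exports = { port };',
  '+// TODO remove before release',
  '',
  'commit 9f8e7d6',
  '',
  '    remove credentials from config',
  '',
  'diff --git a/src/config.js b/src/config.js',
  '--- a/src/config.js',
  '+++ b/src/config.js',
  '@@ -1,5 +1,5 @@',
  ' const port = 3000;',
  ' const debug = true;',
  '-const dbUrl = "mongodb://app:Pa55w0rd@db.internal/prod";',
  '+const dbUrl = process.env.DB_URL;',
  ' module.exports = { port };',
  ' // TODO remove before release',
  '',
].join('\n');

// Usage: exactly one finding, attributed to the commit that introduced it.
console.log(scanPatch(SAMPLE_PATCH, MONGO_URI));
```

The second commit's `-` line carries the same credential, but it is deliberately skipped: scanning removed lines would report every secret twice (once when added, once when cleaned up) and attribute the second hit to the commit that fixed the problem. The first commit is still in history, which is the point the tile makes.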
🔴 Smart Redaction
Matched secrets are shown in a redacted form — first 6 and last 4 chars only — so findings can be shared safely.
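The entropy filter from the Entropy Analysis tile and the redaction format from the tile above, as an added example (not redactd's own code) that wires them into one pass over a few lines of source. The 3.5-bit threshold, the generic `key = "value"` pattern and the sample lines are assumptions constructed for this example; the tool's real thresholds and patterns are not shown on this page.

```javascript
// Added example (not redactd's own code): entropy-based placeholder
// filtering followed by first-6/last-4 redaction of anything that survives.

// Shannon entropy in bits per character, over the string's own symbol
// distribution. A value built from one repeated character scores 0;
// 32 distinct characters score log2(32) = 5.
function shannonEntropy(s) {
  if (s.length === 0) return 0;
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Assumed threshold for this example. English-like placeholders such as
// "changeme" sit well under it; random tokens sit well over it.
const ENTROPY_THRESHOLD = 3.5;

function isLikelySecret(value) {
  return shannonEntropy(value) >= ENTROPY_THRESHOLD;
}

// Show first 6 and last 4 characters. Edge case: that reveals 10 characters,
// so a value of 10 or fewer would be printed in full. The 16-char floor is
// this example's choice; below it the value is masked entirely.
function redact(value) {
  if (value.length < 16) return '*'.repeat(value.length);
  return `${value.slice(0, 6)}...${value.slice(-4)}`;
}

// Constructed generic pattern: a few common key names assigned a quoted value.
const GENERIC_KEY = /\b(api[_-]?key|secret|password|token)\b\s*[:=]\s*["']([^"']+)["']/gi;

function scanLine(line, lineNo) {
  const findings = [];
  for (const m of line.matchAll(GENERIC_KEY)) {
    const value = m[2];
    if (!isLikelySecret(value)) continue; // low entropy: placeholder, not a finding
    findings.push({
      line: lineNo,
      column: m.index + 1,
      name: m[1],
      entropy: Number(shannonEntropy(value).toFixed(2)),
      match: redact(value), // safe to paste into a ticket or chat
    });
  }
  return findings;
}

function scanText(text) {
  return text.split('\n').flatMap((line, i) => scanLine(line, i + 1));
}

// Constructed sample: three placeholders and one random-looking value.
const SAMPLE = [
  'API_KEY = "your-api-key"',
  'password = "changeme"',
  'secret = "Zq9vL2mX8pR4tB6nW1kY3sD7fG5hJ0aC"',
  'token = "hunter2"',
].join('\n');

console.log(scanText(SAMPLE));
```

Only the third line is reported; `your-api-key` (about 3.25 bits) and `changeme` (2.75 bits) are dropped by the entropy gate without any word list. The redacted match keeps enough of the value to recognise which credential it is when rotating it, while the full value never leaves the scanner's output.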
⚙️ CI Ready
Exits with code 1 when findings exist. Pair with --json to feed results into any pipeline or SIEM.
CRITICAL  AWS keys · GitHub tokens · Stripe live keys · Private keys (RSA/EC) · DB connection strings
HIGH      JWT tokens · Slack webhooks · Twilio SIDs · Generic access tokens
MEDIUM    Generic passwords · API keys · Secrets (high-entropy only)
LOW       Stripe publishable keys · Non-sensitive identifiers