Skip to content
/ nosecrets Public

Scans your code for leaked secrets before commit. Fast, offline, zero configuration.

License

MIT license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

casoon/nosecrets

BranchesTags

Repository files navigation

nosecrets

CI

Fast, offline secret scanner for Git pre-commit. Designed to be simple, fast, and safe for any GitHub repository.

Highlights

  • Pre-commit focus (no history scanning)
  • Offline only, no API calls
  • Fast scanning (regex + validation + prefilter)
  • Minimal configuration

Install

npm (recommended)

npm install -g @casoon/nosecrets

Homebrew (macOS)

Coming soon once nosecrets has been battle-tested.

From source (Rust)

cargo install --path crates/nosecrets-cli

Usage

# Scan staged files
nosecrets scan --staged

# Scan a directory
nosecrets scan src/

# Interactive mode (add ignores)
nosecrets scan --staged --interactive

# Add ignore by fingerprint
nosecrets ignore nsi_abcdef123456

Exit codes

  • 0: no blocking findings (only low or none)
  • 1: blocking findings (critical/high/medium)

Configuration

.nosecrets.toml

[ignore]
paths = [
  "vendor/",
  "node_modules/",
  "*.lock",
]

[allow]
patterns = [
  "EXAMPLE",
  "changeme",
  "YOUR_.*_HERE",
]

values = [
  "AKIAIOSFODNN7EXAMPLE",
]

.nosecretsignore

# Format: nsi_<hash> or nsi_<hash>:<path-glob>
nsi_a1b2c3d4e5f6
nsi_b2c3d4e5f6a7:src/config.py

Inline ignore

api_key = "sk_test_xxx"  # @nosecrets-ignore
api_key = "sk_test_xxx"  # @nsi example key

Default rules

Rules are shipped in TOML files under rules/:

  • rules/cloud.toml (AWS/GCP/Azure/Cloudflare, etc.)
  • rules/deploy.toml (Netlify, Fly.io, Heroku, Vercel, Railway, Render, Supabase)
  • rules/code.toml (GitHub/GitLab/npm/Slack/Discord, etc.)
  • rules/communication.toml (SendGrid, Twilio, Mailchimp, Mailgun)
  • rules/database.toml (Postgres/MySQL/Mongo/Redis, JDBC passwords)
  • rules/payment.toml (Stripe)
  • rules/generic.toml (private keys, generic secrets, passwords)

Help improve the rules

The built-in rules are a starting point, but this tool becomes more valuable as the rule set grows and improves. You can define your own rules in a local TOML file, but if you discover new secret patterns or improve existing ones, please consider contributing them back.

Contributions welcome:

  • New rules for services not yet covered
  • Improvements to existing patterns (better regex, fewer false positives)
  • Bug reports for missed secrets or false positives

Open an issue or pull request at github.com/casoon/nosecrets.

Pre-commit integration

Example .pre-commit-hooks.yaml entry:

- repo: local
  hooks:
    - id: nosecrets
      name: nosecrets
      entry: nosecrets scan --staged
      language: system
      pass_filenames: false

Development

cargo test
cargo run -p nosecrets-cli -- scan --staged

License

MIT

About

Scans your code for leaked secrets before commit. Fast, offline, zero configuration.

Topics

git rust cli security devops scanner pre-commit secrets git-hooks devsecops credential-scanner code-security secret-detection

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 7

v0.1.6 Latest
Dec 19, 2025
+ 6 releases

Packages

No packages published

Languages