A defensive secret scanner for developers who want fast local evidence, dry-run remediation, and safer credential cleanup before code reaches GitHub.
Install directly from GitHub:

```bash
pip install git+https://github.com/Informant254/Zero-Trust-GitHub-Guard.git
```

Initialize the guard:

```bash
zero-trust-guard init
```

Scan your current directory for secrets:

```bash
zero-trust-guard scan
```

Scan a specific path:

```bash
zero-trust-guard scan path/to/project
```

Emit JSON for CI or scripts:

```bash
zero-trust-guard scan --format json --fail-on-findings .
```

Preview remediation actions:

```bash
zero-trust-guard fix
```

Apply an interactive remediation:

```bash
zero-trust-guard fix --apply
```

- Multi-Provider Scanning: Detects common tokens for Google, AWS, Stripe, GitHub, Slack, OpenAI, Anthropic, and more.
- Dry-Run Fix Mode: Shows remediation options first and requires `--apply` before changing files.
- Line-Level Evidence: Reports file paths, secret types, counts, and line numbers without printing secret values.
- Safe Redaction: Replaces detected values with `[REDACTED]`.
- Quarantine Workflow: Moves risky files into `.quarantine/` with collision-safe names.
- Small Runtime Footprint: Uses a minimal dependency set for local and mobile-friendly scanning.
- CI-Friendly Output: JSON output and `--fail-on-findings` support automation without exposing secret values.

- Skips `.git`, dependency folders, caches, build outputs, and symlinked files.
- Limits scanned files to 1 MB by default to keep scans fast and predictable.
- Redacts matched secrets as `[REDACTED]` instead of exposing values in output.
- Keeps quarantine output in `.quarantine/`, which is ignored by Git.
- Documents assumptions and limits in `docs/THREAT_MODEL.md`.
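To make the evidence-without-values, dry-run redaction and collision-safe quarantine behaviours above concrete, here is an added, self-contained illustration written for this README; it is not the project's own code, and its two detection rules, the sample input and the function names are constructed assumptions rather than the tool's real rule set.

```python
import os
import re
from collections import Counter

# Constructed detection rules for this illustration; the project's real rule set is not shown here.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
REDACTED = "[REDACTED]"

def scan_text(text):
    """Return (secret_type, line_number) pairs; the matched value is never stored or returned."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pat in PATTERNS.items():
            findings.extend((name, lineno) for _ in pat.finditer(line))
    return findings

def evidence(path, findings):
    """Line-level evidence report: path, secret type, count and line numbers, no values."""
    counts = Counter(name for name, _ in findings)
    return {"path": path,
            "types": {n: {"count": c, "lines": sorted({ln for t, ln in findings if t == n})}
                      for n, c in counts.items()}}

def plan_redaction(text):
    """Dry run: compute the redacted text and how many replacements it would make.
    Nothing is written here; only a caller honouring --apply would write new_text back."""
    new_text, total = text, 0
    for pat in PATTERNS.values():
        new_text, n = pat.subn(REDACTED, new_text)
        total += n
    return new_text, total

def quarantine_name(taken, filename):
    """Collision-safe name inside .quarantine/: add a numeric suffix until the name is unused."""
    stem, ext = os.path.splitext(filename)
    candidate, i = filename, 1
    while candidate in taken:
        candidate, i = f"{stem}-{i}{ext}", i + 1
    return candidate

# Constructed sample: AWS's documented example key id plus a padded GitHub-shaped token, not real credentials.
SAMPLE = "# settings\nAWS_KEY=AKIAIOSFODNN7EXAMPLE\ntoken = ghp_" + "a" * 36 + "\n"

if __name__ == "__main__":
    print(evidence("config.env", scan_text(SAMPLE)))   # paths, types, counts and lines only
    _, n = plan_redaction(SAMPLE)
    print(f"dry run: {n} value(s) would become {REDACTED}")
```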
If a real key was committed, redaction is not enough. Rotate or revoke the key with the provider, then remove it from Git history if required by your incident process.
If you find this tool useful, please give it a ⭐ Star! Contributions are welcome.
Built with ❤️ by Informant254