Metadata-Version: 2.4
Name: env-leak
Version: 0.1.0
Summary: Scan your codebase for leaked API keys and secrets before they reach production
License: MIT
Project-URL: Homepage, https://github.com/mansourmatta/env-leak
Project-URL: Repository, https://github.com/mansourmatta/env-leak
Project-URL: Bug Tracker, https://github.com/mansourmatta/env-leak/issues
Keywords: security,secrets,api-keys,developer-tools,devops,git
Classifier: Development Status :: 3 - Alpha
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Quality Assurance
Requires-Python: >=3.9
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: click>=8.0
Requires-Dist: colorama>=0.4
Dynamic: license-file

# env-leak

> Scan your codebase for leaked API keys, tokens, and secrets before they reach production.

[![PyPI](https://img.shields.io/pypi/v/env-leak)](https://pypi.org/project/env-leak/)
[![Python](https://img.shields.io/pypi/pyversions/env-leak)](https://pypi.org/project/env-leak/)
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)

## Install

```bash
pip install env-leak
```

## Usage

```bash
# Scan current directory
env-leak .

# Scan a specific path, skip test fixtures
env-leak ./src --exclude tests --exclude fixtures

# Disable entropy detection (pattern-only)
env-leak . --no-entropy

# Output JSON for CI pipelines
env-leak . --json > report.json
```

## What it detects

| Type | Examples |
|------|----------|
| OpenAI / Anthropic API keys | `sk-...`, `sk-ant-...` |
| AWS credentials | `AKIA...` access key IDs, secret key assignments |
| GitHub tokens | `ghp_`, `gho_`, `github_pat_` |
| Stripe keys | `sk_live_`, `pk_live_` |
| Google / Firebase | `AIza...`, Firebase server keys |
| Slack tokens | `xoxb-`, `xoxp-` |
| JWT tokens | Any `eyJ...eyJ...` pattern |
| Private keys | PEM headers in source files |
| Passwords in URLs | `https://user:pass@host` |
| Generic assignments | `api_key = "..."`, `secret = "..."` |
| High-entropy strings | Statistically random strings ≥ 20 chars |
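The table above lists the key shapes env-leak looks for. The following is an added example (not env-leak's own code) showing how a line-based, pattern-driven scanner of this kind is built: one regex per secret type, a masked finding record so the report does not re-leak the value, and a directory walk with an `--exclude`-style skip list. The exact regexes are assumptions about common key formats keyed on the prefixes in the table, not env-leak's rules, and every value in the sample "source file" is constructed and fake.

```python
"""Illustrative pattern-based secret scanner (added example, not env-leak's code)."""
import os
import re
import sys
from dataclasses import dataclass

# Assumed patterns: prefixes come from the README table; the lengths are typical
# shapes, not authoritative. Tune them for your own environment.
RULES = {
    "openai_anthropic_key": re.compile(r"\bsk-(?:ant-)?[A-Za-z0-9_-]{20,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\b(?:ghp_|gho_)[A-Za-z0-9]{36}\b|\bgithub_pat_[A-Za-z0-9_]{22,}\b"),
    "stripe_key": re.compile(r"\b(?:sk|pk)_live_[A-Za-z0-9]{16,}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "slack_token": re.compile(r"\bxox[bp]-[A-Za-z0-9-]{10,}"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}"),
    "private_key_pem": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "password_in_url": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@[^\s/]+", re.I),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|password|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    snippet: str  # masked so the scan report itself does not leak the secret


def mask(value: str) -> str:
    """Keep a short prefix so the key type is recognisable, hide the rest."""
    return value[:6] + "..." if len(value) > 6 else "..."


def scan_text(text: str, rules=RULES) -> list:
    """Run every rule over every line; return one Finding per match."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in rules.items():
            for match in pattern.finditer(line):
                findings.append(Finding(line_no, name, mask(match.group(0))))
    return findings


def scan_tree(root: str, exclude=("tests", "fixtures", ".git")) -> dict:
    """Walk a directory, skipping excluded directory names (like --exclude)."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in exclude]
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    found = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if found:
                results[path] = found
    return results


# Constructed sample "source file"; every value is fake and only mimics the shape.
SAMPLE = '''\
DB_URL = "postgres://app:s3cretpass@db.internal:5432/app"
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPL123"
github_token = "ghp_" + "a" * 36   # not matched: the value only exists at runtime
GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
api_key = "fake-but-long-enough-value"
# -----BEGIN RSA PRIVATE KEY-----
name = "totally harmless identifier"
'''


if __name__ == "__main__":
    hits = scan_text(SAMPLE)
    for f in hits:
        print(f"line {f.line_no}: {f.rule} ({f.snippet})")
    # Mirror the CI-gate behaviour: non-zero exit when anything was found.
    sys.exit(1 if hits else 0)
```

Line 3 of the sample is the classic blind spot of any pattern scanner: a secret assembled at runtime never appears as a literal, so it is invisible here and also invisible to entropy scoring. Treat pattern scanning as one gate, not the only one.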

## CI integration

```yaml
# .github/workflows/secret-scan.yml
- name: Scan for secrets
  run: pip install env-leak && env-leak . --no-entropy --json
```

`env-leak` exits with code `1` when secrets are found, so the step fails the workflow and works as a natural CI gate.

## How entropy detection works

`env-leak` computes [Shannon entropy](https://en.wikipedia.org/wiki/Entropy_(information_theory)) for tokens longer than 20 characters. Real API keys and tokens are nearly random (entropy ≥ 4.5 bits/char). Normal English words and code identifiers score ~3.5. This catches secrets that don't match any known pattern.
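As an added example (not env-leak's own implementation), the entropy rule above worked through in code: Shannon entropy in bits per character over each candidate token, with the README's 20-character minimum and 4.5 bits/char threshold. How env-leak splits text into tokens is not stated on the page, so the `TOKEN_RE` tokenizer here is an assumption; the sample text is constructed.

```python
"""Shannon-entropy secret scoring (added example, not env-leak's code)."""
import math
import re
from collections import Counter

MIN_LENGTH = 20          # README: only tokens longer than 20 characters are scored
SECRET_THRESHOLD = 4.5   # README: real keys and tokens score >= 4.5 bits/char
# Assumption: a "token" is a run of characters that could appear in a key.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{%d,}" % MIN_LENGTH)


def shannon_entropy(s: str) -> float:
    """H(s) = -sum_c p(c) * log2 p(c), in bits per character.

    A string whose characters are all identical scores 0.0; a string of n
    distinct characters, each used once, scores log2(n).
    """
    if not s:
        return 0.0
    n = len(s)
    counts = Counter(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def high_entropy_tokens(text: str, threshold: float = SECRET_THRESHOLD) -> list:
    """Return (token, entropy) pairs for tokens that look statistically random."""
    scored = ((t, round(shannon_entropy(t), 2)) for t in TOKEN_RE.findall(text))
    return [(t, h) for t, h in scored if h >= threshold]


# Constructed sample: one random-looking literal next to an ordinary identifier.
SAMPLE = 'key = "abcdefghijklmnopqrstuvwxyz012345"  # configuration_manager_default'


if __name__ == "__main__":
    for token, h in ((t, shannon_entropy(t)) for t in TOKEN_RE.findall(SAMPLE)):
        verdict = "secret-like" if h >= SECRET_THRESHOLD else "identifier-like"
        print(f"{h:.2f} bits/char  {verdict:15s}  {token}")
```

The 32-character literal uses every character exactly once, so it scores exactly log2(32) = 5.0 and is flagged; `configuration_manager_default` is 29 characters but built from only 15 distinct ones, so it cannot exceed log2(15) ≈ 3.9 and falls below the threshold. Hex-encoded and base32 strings have a lower ceiling (log2(16) = 4.0 and log2(32) = 5.0 respectively), which is one reason a single global threshold misses some real secrets and why env-leak pairs entropy with the fixed patterns.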

## License

MIT
