Metadata-Version: 2.4
Name: secretguard
Version: 0.1.0
Summary: CLI tool to detect hardcoded secrets and API keys before they leak to git
License-Expression: MIT
Project-URL: Homepage, https://github.com/your-handle/secretguard
Project-URL: Issues, https://github.com/your-handle/secretguard/issues
Keywords: security,secrets,api-keys,git,pre-commit,devsecops
Classifier: Development Status :: 4 - Beta
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: Programming Language :: Python :: 3
Classifier: Topic :: Security
Requires-Python: >=3.8
Description-Content-Type: text/markdown
Requires-Dist: click>=8.0

# SecretGuard 🔐

**Stop leaking API keys before they cost you.**

Hardcoded secrets leak at scale: in 2025, 28.6 million hardcoded secrets were exposed on GitHub, a 34% year-over-year increase, and AI coding assistants are making the problem worse (the project's own estimate is 2×). SecretGuard blocks secrets at commit time, before they enter git history. That timing matters: once a secret has been pushed it has to be treated as compromised and rotated, because deleting it in a later commit leaves it in the history.

```
$ secretguard scan .

config/settings.py:12
  Rule     : [OAI001] OpenAI API Key (legacy)
  Severity : 🔴 CRITICAL
  Match    : sk-aB************lmn
  Line     : OPENAI_API_KEY = "sk-aBcDe..."

Found 1 secret(s) in 43 file(s) scanned
    1  CRITICAL
```

## Install

```bash
pip install secretguard
```

## Usage

```bash
# Scan current directory
secretguard scan .

# Scan specific file
secretguard scan src/config.py

# Git pre-commit hook (blocks commits with CRITICAL secrets)
secretguard install

# JSON output (CI/CD integration)
secretguard scan . --format json

# HTML report
secretguard scan . --format html --output report.html

# Only fail on HIGH or above
secretguard scan . --fail-on high

# List all 50+ detection rules
secretguard list-rules
```

## What it detects

50+ patterns across all major providers:

| Provider | Rules |
|---|---|
| AWS | Access Key ID, Secret Access Key, MWS Key |
| OpenAI | Legacy key, Project key, Service account |
| Anthropic/Claude | API Key |
| GitHub | PAT (classic + fine-grained), OAuth, Actions tokens |
| Stripe | Live/test secret keys, restricted keys, webhook secrets |
| Slack | Bot token, user token, app token, webhook URL |
| Google | API Key, OAuth token |
| HuggingFace | API Token |
| SendGrid | API Key |
| Azure | Storage connection string, subscription key |
| Private keys | RSA, OpenSSH, EC, PGP |
| Generic | API key assignments, hardcoded passwords, DB URLs with creds |
| + more | Replicate, DeepSeek, Twilio, Mailgun, npm, Docker Hub, Firebase, Telegram, Supabase |

## Git pre-commit hook

```bash
# Install (one-time per repo)
secretguard install

# Now every git commit is checked automatically:
# git commit -m "feat: add payment"
#   → SecretGuard scans staged files
#   → Blocks commit if CRITICAL secrets found
#   → Shows exactly where secrets are
#
# Caveat: any local hook is skipped by `git commit --no-verify`, and a hook
# only sees new commits, not secrets already in history. Keep a CI scan as
# the backstop.

# Remove
secretguard uninstall
```

## pre-commit framework

Add to `.pre-commit-config.yaml`:

```yaml
repos:
  - repo: https://github.com/your-handle/secretguard
    rev: v0.1.0
    hooks:
      - id: secretguard
```

## CI/CD integration

```yaml
# .github/workflows/secretguard.yml (GitHub Actions)
name: secret-scan
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan for secrets
        run: |
          pip install secretguard
          secretguard scan . --format json --fail-on high
```

The step exits non-zero when a HIGH or CRITICAL finding exists, which fails the job; the JSON on stdout is there for tooling, the exit code is what gates the merge.

## Options

| Flag | Default | Description |
|---|---|---|
| `--staged` | false | Scan only git staged files |
| `--format` | terminal | Output: `terminal`, `json`, `html` |
| `--output` | — | Output file (for `--format html`) |
| `--fail-on` | critical | Exit with status 1 when any finding is at or above this severity: `critical`, `high`, `medium`, `low`, `any`, `none` |
| `--no-color` | false | Disable ANSI colors |

## Why not GitGuardian or GitHub Advanced Security?

- **GitGuardian**: commercial pricing ($$$); its CLI scans by sending your content to GitGuardian's servers
- **GitHub Advanced Security**: paid add-on for private repositories (secret scanning and push protection are free only for public repositories)
- **SecretGuard**: Free, open source, **fully local** — your code never leaves your machine

## License

MIT
