Metadata-Version: 2.4
Name: pleno-secret-scanner
Version: 0.2.0
Summary: Scan SaaS sources for leaked secrets. Backend-agnostic (trufflehog, gitleaks, native regex), source-agnostic (filesystem, plus every connector saas-scraper provides).
Project-URL: Homepage, https://github.com/plenoai/pleno-secret-scanner
Project-URL: Repository, https://github.com/plenoai/pleno-secret-scanner
Project-URL: Issues, https://github.com/plenoai/pleno-secret-scanner/issues
Author-email: pleno <ai@egahika.dev>
License-Expression: AGPL-3.0-or-later
Keywords: dlp,gitleaks,saas,scanner,secrets,trufflehog
Classifier: Development Status :: 4 - Beta
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: System Administrators
Classifier: License :: OSI Approved :: GNU Affero General Public License v3 or later (AGPLv3+)
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Security
Requires-Python: >=3.12
Requires-Dist: rich>=13.9
Requires-Dist: saas-scraper>=0.4.0
Requires-Dist: typer>=0.12
Provides-Extra: dev
Requires-Dist: mypy>=1.13; extra == 'dev'
Requires-Dist: pytest-asyncio>=0.24; extra == 'dev'
Requires-Dist: pytest>=8.3; extra == 'dev'
Requires-Dist: ruff>=0.7; extra == 'dev'
Description-Content-Type: text/markdown

# pleno-secret-scanner (Python)

Python CLI that scans SaaS content for leaked secrets, backed by
[saas-scraper](https://github.com/plenoai/saas-scraper) for source
collection and a pluggable detection backend (trufflehog, gitleaks,
or a tiny built-in regex set).

The Go binary in this repo (`cmd/pleno-secret-scanner`) remains for
filesystem-only scans; the Python package is the path forward for any
SaaS source.

## Install

```sh
uv tool install pleno-secret-scanner
# or
pipx install pleno-secret-scanner
playwright install chromium
```

## Usage

```sh
# Scan a Slack workspace using the trufflehog backend (requires trufflehog on PATH)
pleno-secret-scanner scan slack --workspace acme --backend trufflehog

# Scan a GitHub repo with the built-in native backend (no system deps)
pleno-secret-scanner scan github --owner plenoai --repo saas-scraper

# Output formats
pleno-secret-scanner scan slack --workspace acme --format sarif > findings.sarif
```

## Backends

| Backend | Verifies findings | System dependency |
|---|---|---|
| trufflehog | yes (per-detector) | `trufflehog` CLI on PATH |
| gitleaks | no | `gitleaks` CLI on PATH |
| native | no | none — bundled regex set (AWS, GitHub PAT, Slack bot, OpenAI, Anthropic) |
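
The sketch below is an added example, not the project's bundled rule set. It shows what a format-only backend such as `native` does: match on token shape, never contact the issuing service, and redact the match before reporting. The patterns, the rule names and the `Finding`, `redact` and `scan` helpers are assumptions based on publicly documented token prefixes.

```python
import re
from dataclasses import dataclass

# Illustrative patterns built from public token prefixes (assumption:
# these are NOT the regexes shipped with pleno-secret-scanner).
RULES = [
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("slack-bot-token", re.compile(r"\bxoxb-[0-9]{10,13}-[0-9]{10,13}-[A-Za-z0-9]{24}\b")),
    ("anthropic-api-key", re.compile(r"\bsk-ant-[A-Za-z0-9_-]{32,}")),
    # Negative lookahead keeps sk-ant-... from also being reported as OpenAI.
    ("openai-api-key", re.compile(r"\bsk-(?!ant-)[A-Za-z0-9_-]{32,}")),
]

@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    column: int
    redacted: str

def redact(secret: str, keep: int = 6) -> str:
    """Keep only a short prefix so reports never carry the full credential."""
    return f"{secret[:keep]}...[{len(secret)} chars]"

def scan(text: str) -> list[Finding]:
    """Format-only detection: a match means 'looks like a key', not 'is live'."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            for m in pattern.finditer(line):
                findings.append(Finding(rule, lineno, m.start() + 1, redact(m.group())))
    return sorted(findings, key=lambda f: (f.line, f.column))

# Constructed sample input; every value below is fabricated for the example.
SAMPLE = "\n".join([
    "aws_access_key_id = " + "AKIA" + "Q7" * 8,
    "export GITHUB_TOKEN=" + "ghp_" + "a1B2" * 9,
    "SLACK_BOT_TOKEN=" + "xoxb-" + "1" * 11 + "-" + "2" * 11 + "-" + "aB3d" * 6,
    "ANTHROPIC_API_KEY=" + "sk-ant-" + "x9Y_" * 10,
    "OPENAI_API_KEY=" + "sk-" + "m4N-" * 10,
    "ticket: desk-" + "z" * 40,  # decoy: 'sk-' inside a word must not match
])

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.line}:{f.column} {f.rule} {f.redacted}")
```

Because nothing here checks a match against the provider, each hit still needs triage; that is the gap the `trufflehog` backend's per-detector verification closes.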

## Connectors

Anything `saas-scraper` provides: filesystem, slack, github, gitlab,
bitbucket, jira, confluence, notion. New connectors land in saas-scraper
and become immediately available here.

## Release

A `py-vX.Y.Z` tag triggers PyPI trusted publishing via GitHub Actions.
