leak-hunter

Redaction-first CLI

Find exposed secrets before attackers do.

leak-hunter scans local folders and GitHub repositories for likely leaked credentials, ranks findings with a context-aware risk model, and keeps output redacted by default.

Live scan posture
- Targets: local paths + GitHub repos
- Reports: text, JSON, Markdown
- Default: redacted output

01 / local

leak-hunter .

Audit a working tree before credentials leave the machine.

02 / github

leak-hunter owner/repo

Resolve HTTPS, SSH, and shorthand GitHub targets into temporary clones.

03 / ci

leak-hunter --json .

Emit machine-readable reports for policy checks, dashboards, and review bots.

What it protects

A scanner built for maintainers.

Secret detection is noisy when it ignores context. leak-hunter combines pattern inventory, path awareness, risk scoring, and safe defaults so teams can triage quickly without publishing sensitive values.

Context-aware risk scoring

Findings are ranked from low to critical with boosts and reductions for paths, fixtures, and common false positives.

Redaction by default

Reports mask values unless a reviewer explicitly opts into local, manual inspection with --no-redact.
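The path-aware scoring and default redaction described in the two points above, as an added Rust sketch that is not leak-hunter's own code: the detector kinds, weights, path rules, bucket thresholds and the `Finding`/`score`/`bucket`/`redact` names are constructed for this example (the weights are chosen so the three sample findings in the report further down land on the same risk numbers), and only the `--no-redact` flag comes from the page.

```rust
// Added illustration of context-aware risk scoring with redaction by default.
// Not leak-hunter's real model: the detector kinds, weights, path rules and
// bucket thresholds below are constructed for this example.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Bucket { Low, Medium, High, Critical }

pub struct Finding<'a> { pub kind: &'a str, pub path: &'a str, pub value: &'a str }

/// Base score per detector kind (constructed weights).
fn base_score(kind: &str) -> i32 {
    match kind {
        "cloud key" => 70,
        "db connection" => 64,
        "token-like value" => 56,
        _ => 30,
    }
}

/// Adjust the base score using the file path as context: boost paths that
/// normally hold live configuration, reduce fixtures, tests and docs.
pub fn score(f: &Finding) -> i32 {
    let p = f.path.to_ascii_lowercase();
    let mut s = base_score(f.kind);
    if p.starts_with("config/") || p.ends_with(".env") { s += 12; }
    if p.contains("fixture") || p.starts_with("test") { s -= 35; }
    if p.starts_with("docs/") { s -= 15; }
    s.clamp(0, 100)
}

/// Map a 0..=100 score to a triage bucket (constructed thresholds).
pub fn bucket(score: i32) -> Bucket {
    match score {
        85..=100 => Bucket::Critical,
        65..=84 => Bucket::High,
        40..=64 => Bucket::Medium,
        _ => Bucket::Low,
    }
}

/// Redact a value for reports unless `--no-redact` was given; a 4-char prefix
/// stays visible so a reviewer can locate the match without seeing the secret.
pub fn redact(value: &str, no_redact: bool) -> String {
    if no_redact { return value.to_string(); }
    let shown: String = value.chars().take(4).collect();
    let hidden = value.chars().count().saturating_sub(4);
    format!("{shown}{}", "*".repeat(hidden))
}
```

The fixture reduction is what keeps a real-looking key under tests/fixtures/ out of the high buckets, while the same key under config/ is boosted.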

GitHub target resolution

Scan repository URLs, owner/repo shorthand, SSH remotes, branches, and tags from one binary.

Cross-platform release path

The npm package installs the native cargo-dist binary and verifies release checksums before use.

Report output

Human readable. Bot ready.

Use text for terminal review, JSON for automation, or Markdown for handoff documents. Findings stay sorted by risk so the highest-signal issues surface first.

Leak Hunter Report
==================
Target: github.com/doggy8088/leak-hunter
Risk buckets: critical 0 / high 1 / medium 3
Redaction: enabled

type             file                  risk
cloud key        config/app.example    82
db connection    src/settings.rs       64
token-like value docs/example.md       41

value: 
next:  review context, rotate if real, keep report redacted

Install

One command, native speed.

npm package

npm install -g leak-hunter

from source

cargo install --path .