DEV.co
Open-Source Security · deepfence

SecretScanner

SecretScanner is a Go-based open-source tool that scans container images and file systems to detect hardcoded secrets like passwords, API keys, SSH keys, and tokens. It matches findings against ~140 secret patterns and outputs results as JSON for review and remediation.

Source: GitHub — github.com/deepfence/SecretScanner
3.4k
GitHub stars
347
Forks
Go
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorydeepfence/SecretScanner
Ownerdeepfence
Primary languageGo
LicenseMIT — OSI-approved
Stars3.4k
Forks347
Open issues25
Latest releasev2.5.8 (2026-03-07)
Last updated2026-03-07
Sourcehttps://github.com/deepfence/SecretScanner

What SecretScanner is

Standalone scanner written in Go that extracts and searches container and host filesystems against a database of ~140 secret detection patterns. Can be deployed as a Docker container or integrated into ThreatMapper for risk-ranked vulnerability assessment in cloud-native applications.

Quickstart

Get the SecretScanner source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/deepfence/SecretScanner.gitcd SecretScanner# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

CI/CD Pipeline Secret Detection

Scan container images at build time before deployment to catch hardcoded secrets before they reach production. Integrates into automated workflows for early detection and developer feedback.

Container Image Audits

Perform post-deployment audits of running container images and registries to identify leaked credentials, API keys, or tokens that may have been inadvertently included during rapid development cycles.

Host Filesystem Scanning

Scan local host directories and mounted volumes for plaintext secrets and sensitive data, useful for infrastructure compliance checks and data governance initiatives.

Implementation considerations

  • Requires Docker daemon access when scanning container images (via /var/run/docker.sock mount).
  • Output is JSON; integrate parsing and alerting logic into your scanning and incident response workflows.
  • Pattern database matches ~140 known secret types; custom or organization-specific secret formats may not be detected.
  • Scan time scales with image size and filesystem depth; plan for scan execution windows in CI/CD pipelines.
  • False positives are possible; configure review process and allowlists for non-sensitive matches.

When to avoid it — and what to weigh

  • Requires Machine Learning-Based Detection — SecretScanner uses pattern matching against ~140 known types. If you need AI-driven anomaly detection for novel or custom secret formats, this pattern-matching approach may miss sophisticated obfuscation.
  • Need Real-Time Runtime Monitoring — SecretScanner is a scanning tool for point-in-time audits, not continuous runtime secret exfiltration prevention. For real-time secret injection/access monitoring, look to runtime security platforms.
  • Require Commercial Support SLA — While community support via Slack and GitHub exists, there is no stated commercial support tier, SLA, or enterprise license model in the provided data.
  • Complex Secret Rotation / Remediation Workflows — SecretScanner detects and reports secrets but does not provide automated rotation, revocation, or remediation workflows. Use it alongside a secrets management platform (e.g., HashiCorp Vault, AWS Secrets Manager).

License & commercial use

Licensed under MIT License (permissive OSI-approved). Source code is freely available and modifiable.

MIT License permits commercial use, modification, and distribution. However, no stated commercial support, warranty, or indemnification from Deepfence. Evaluate risk tolerance; consult legal for commercial deployment in regulated environments.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

SecretScanner is a detection tool, not a prevention mechanism. Results depend on pattern accuracy; false negatives are possible with obfuscated or novel secret formats. Scan results must be stored securely; JSON output may contain plaintext secrets—control access and sanitize before sharing. No cryptographic signing, attestation, or supply-chain security measures mentioned in the data provided. For threats from malicious dependencies, require review of Go module dependencies and build reproducibility.

Alternatives to consider

GitGuardian (Commercial / SaaS)

SaaS-based secret detection with ML-driven models, real-time GitHub/GitLab/Bitbucket integration, and commercial support. Higher cost but easier onboarding and lower operational overhead for distributed teams.

Truffleog / Tartufo (OSS)

Open-source entropy-based secret detection, strong in finding high-entropy strings in Git history. Complementary to pattern matching; lighter footprint but requires Git repository integration.

HashiCorp Vault + Sealed Secrets

Not purely detection, but comprehensive secret management, rotation, and access control. Requires architectural change but prevents secrets in code/images from reaching production in the first place.

Software development agency

Build on SecretScanner with DEV.co software developers

Review the GitHub repository, test on sample container images, and assess integration points with your CI/CD pipeline. Consider supplementary tools for secrets prevention (pre-commit hooks) and management (Vault, AWS Secrets Manager). Contact the Deepfence community Slack for guidance.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

SecretScanner FAQ

Does SecretScanner prevent secrets from being committed?
No. SecretScanner detects already-present secrets in images and filesystems. Use Git pre-commit hooks (e.g., pre-commit framework with detect-secrets plugin) to prevent commits. SecretScanner is for audit and remediation.
Can SecretScanner scan private/air-gapped registries?
Yes, if the image is pulled to the local Docker daemon or filesystem is accessible. Scan any image available locally or via Docker socket. Air-gapped deployments are supported as long as the scanner has local access to images/filesystems.
How often should we scan?
Recommended at minimum: (1) on every image build in CI/CD, (2) periodically on production deployments, (3) after any image layer update or dependency change. Frequency depends on risk profile and velocity.
What happens if SecretScanner finds secrets?
JSON output lists suspected secrets with location and type. You must manually review findings (to confirm true positives and reduce false positives), then revoke/rotate the actual credentials and rebuild/redeploy images without the secrets. Use secrets management tools (e.g., Vault, AWS Secrets Manager) to inject secrets at runtime.

Work with a software development agency

From first prototype to production, DEV.co delivers software development services around tools like SecretScanner. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source security and beyond.

Evaluate SecretScanner for Your Secret Detection Workflow

Review the GitHub repository, test on sample container images, and assess integration points with your CI/CD pipeline. Consider supplementary tools for secrets prevention (pre-commit hooks) and management (Vault, AWS Secrets Manager). Contact the Deepfence community Slack for guidance.