
πŸ” A tool that automatically prevents secrets (API keys, tokens, passwords) from leaking before code is committed to the repository Git.


mscbuild/sentinel-secrets-


📦 Project name - SentinelSecrets

πŸ” Secret Scanner for CI/CD & Git Hooks

SentinelSecrets is an open-source tool for preventing secret leaks (API keys, tokens, passwords) in Git repositories and CI/CD. The project integrates directly into the development process via Git hooks, blocking a commit if a secret is detected in it.

🎯 Project Summary

A tool that automatically prevents secrets (API keys, tokens, passwords) from leaking before code is pushed to the repository:

  • Checks git diffs before committing

  • Uses regular expressions + entropy analysis

  • Suitable for local development and CI/CD

  • Generates reports in JSON and Markdown

  • Has a REST API with OpenAPI (Swagger)

✅ Benefits and Problems Solved

  • Leak Prevention: Stops secrets from leaking into public and corporate repositories.
  • Risk Mitigation (Shift Left Security): Security is checked at the coding stage, not after deployment.
  • Audit Automation: Report generation in JSON format allows for easy integration into corporate security dashboards.

🧱 Architecture

sentinel-secrets/
├── sentinel/
│   ├── __init__.py
│   ├── scanner.py
│   ├── entropy.py
│   ├── git_utils.py
│   ├── ignore.py
│   └── report.py
├── hooks/
│   └── pre-commit        # git pre-commit hook
├── tests/
│   └── test_scanner.py
├── examples/
│   └── example_report.md
├── .sentinelignore
├── .pre-commit-hooks.yaml
├── .pre-commit-config.yaml
├── main.py
├── pyproject.toml
├── README.md
├── SECURITY.md
├── LICENSE
└── requirements.txt

🧠 Core logic (key fragments)

πŸ” Regex + entropy search

πŸ“Š Entropy
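The project's own fragment for this section is not reproduced on this page. What follows is an added example written for this README, not code from SentinelSecrets: the signature patterns, the 4.0 bits-per-character entropy threshold, the `# sentinel:allow` suppression marker and the sample text are all assumptions chosen for illustration. It shows the two-stage approach the headings describe (known-format regexes first, then Shannon entropy over long tokens on lines no signature matched) and masks every match so a finding never echoes the secret it found.

```python
import math
import re
from dataclasses import dataclass
from typing import Dict, List

# Illustrative signatures (assumed for this example, not the project's list).
SIGNATURES: Dict[str, "re.Pattern[str]"] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),
    "password_assignment": re.compile(r"(?i)\bpassword\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}
# Tokens long enough to be worth an entropy check (base64/hex-like runs).
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 4.0            # bits per character; assumed tuning value
ALLOW_MARKER = "# sentinel:allow"  # assumed inline suppression for known false positives


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character: H = -sum(p * log2 p)."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(secret: str) -> str:
    """Keep only a prefix and suffix so reports and logs never carry the value."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


@dataclass
class Finding:
    line_no: int
    kind: str
    masked: str


def scan_text(text: str) -> List[Finding]:
    """Stage 1: signatures. Stage 2: entropy on lines no signature matched."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:          # reviewed false positive, skip the line
            continue
        matched = False
        for name, pattern in SIGNATURES.items():
            for m in pattern.finditer(line):
                findings.append(Finding(line_no, name, mask(m.group(0))))
                matched = True
        if matched:
            continue
        for m in CANDIDATE.finditer(line):
            token = m.group(0)
            # Low-entropy identifiers (snake_case names, padding) stay under the
            # threshold; random-looking tokens of 20+ chars go over it.
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append(Finding(line_no, "high_entropy", mask(token)))
    return findings


# Constructed sample: AKIAIOSFODNN7EXAMPLE is AWS's documented example key id.
SAMPLE_TEXT = "\n".join([
    'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"',            # line 1: signature hit
    'handler = "get_user_profile_by_id"',          # line 2: long but low entropy
    'TOKEN = "Zx9Qw2Lm8Kp4Vn7Rt3Yb"',              # line 3: high entropy
    'FILL = "aaaaaaaaaaaaaaaaaaaaaaaa"',           # line 4: zero entropy
    'FIXTURE = "Zx9Qw2Lm8Kp4Vn7Rt3Yb"  # sentinel:allow',  # line 5: suppressed
    'password = "correct-horse-battery"',          # line 6: signature hit
])


def demo() -> List[Finding]:
    return scan_text(SAMPLE_TEXT)


if __name__ == "__main__":
    for f in demo():
        print(f"line {f.line_no}: {f.kind} {f.masked}")
```

The threshold is a trade-off: 32-character hex secrets top out at exactly 4.0 bits per character, so anything higher would miss them, while lowering it starts to flag ordinary identifiers. A real deployment tunes it against the repository's own history and keeps the allow-marker decisions in review.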

Git pre-commit hook
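The project's hook fragment is likewise absent from this page. As an added example (not the project's `git_utils.py` or `hooks/pre-commit`), the block below does the part a hook needs: it runs `git diff --cached -U0` so only staged changes are inspected, parses the unified diff into added lines with their file and new-file line numbers, hands each added line to a detector callback, and exits non-zero when anything is flagged so Git aborts the commit. The sample diff is constructed, and the `"AKIA" in line` detector in `main()` is a placeholder for the real scanner.

```python
import subprocess
import sys
from typing import Callable, List, Optional, Tuple

AddedLine = Tuple[Optional[str], int, str]  # (path, new line number, content)


def added_lines(diff_text: str) -> List[AddedLine]:
    """Return every '+' line of a unified diff with its path and new-file line number."""
    results: List[AddedLine] = []
    path: Optional[str] = None
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            target = raw[4:].strip()
            if target == "/dev/null":
                path = None                      # file deleted; nothing added
            else:
                path = target[2:] if target.startswith("b/") else target
        elif raw.startswith("--- "):
            continue
        elif raw.startswith("@@"):
            # "@@ -a,b +c,d @@ ..." : the new-file hunk starts at line c.
            new_side = raw.split()[2]            # "+c,d" or "+c"
            new_line = int(new_side[1:].split(",")[0])
        elif raw.startswith("+"):
            results.append((path, new_line, raw[1:]))
            new_line += 1
        elif raw.startswith("-"):
            continue                              # removed lines do not advance the new side
        elif raw.startswith(" "):
            new_line += 1                         # context line (absent with -U0)
    return results


def check_diff(diff_text: str, is_suspicious: Callable[[str], bool]) -> List[AddedLine]:
    """Apply a detector to each added line; returns the lines that should block the commit."""
    return [entry for entry in added_lines(diff_text) if is_suspicious(entry[2])]


def staged_diff() -> str:
    """Only staged changes, no context lines, no colour codes."""
    proc = subprocess.run(
        ["git", "diff", "--cached", "-U0", "--no-color"],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


# Constructed sample diff (AKIAIOSFODNN7EXAMPLE is AWS's documented example key id).
SAMPLE_DIFF = "\n".join([
    "diff --git a/config.py b/config.py",
    "--- a/config.py",
    "+++ b/config.py",
    "@@ -3,0 +4,2 @@ DEBUG = False",
    '+API_KEY = "AKIAIOSFODNN7EXAMPLE"',
    "+TIMEOUT = 30",
    "diff --git a/README.md b/README.md",
    "--- a/README.md",
    "+++ b/README.md",
    "@@ -1 +1 @@",
    "-# Old title",
    "+# New title",
])


def main() -> int:
    # Placeholder detector; a real hook would call the scanner's signature + entropy check.
    hits = check_diff(staged_diff(), lambda line: "AKIA" in line)
    for path, line_no, _content in hits:
        # Report location only; never print the offending line itself.
        print(f"{path}:{line_no}: possible secret in staged change", file=sys.stderr)
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main())
```

Wired in as `hooks/pre-commit`, the hook is a two-line shell script that does `exec python main.py --staged` (the flag name is an assumption); Git treats any non-zero exit as "abort the commit", which is the blocking behaviour the README describes. Diffing the index rather than the working tree matters: a secret that is present in the file but not staged cannot leak in this commit, and one that is staged leaks even if the developer deletes it from the file afterwards.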

🌐 REST API (Swagger)

Swagger will be available on:

http://localhost:8000/docs

🚀 Features

  • Regex search (AWS, GitHub, JWT, passwords)
  • Entropy analysis (Shannon entropy)
  • 🧠 False positive minimization
  • 🪝 Git pre-commit integration
  • 📄 Reports: JSON / Markdown / HTML
  • 📊 HTML report with graphs (Chart.js)
  • ❌ Commit blocking on leak
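The JSON and Markdown report formats are not shown on this page, so here is an added example of how such a report can be built; it is not the project's `report.py`. The finding records, the `tool`/`ref`/`summary` layout and the exit-code rule are assumptions. The design point is that the scanner hands over already-masked values, so the report carries a location and a type for every finding but never the secret itself, and the `by_kind` and `files` summaries give a security dashboard something to aggregate without parsing the table.

```python
import json
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List

# Constructed findings as the scanner would hand them over; "masked" is the
# only representation of the value that ever reaches a report.
SAMPLE_FINDINGS: List[Dict] = [
    {"path": "config.py", "line": 4, "kind": "aws_access_key_id", "masked": "AKIA************MPLE"},
    {"path": "settings.py", "line": 12, "kind": "high_entropy", "masked": "Zx9Q************t3Yb"},
    {"path": "settings.py", "line": 19, "kind": "aws_access_key_id", "masked": "AKIA************MPLE"},
]


def build_report(findings: List[Dict], ref: str = "(commit ref placeholder)") -> Dict:
    """Structured report; the same dict feeds every output format."""
    return {
        "tool": "sentinel-secrets",
        "ref": ref,
        "generated_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "summary": {
            "total": len(findings),
            "by_kind": dict(Counter(f["kind"] for f in findings)),
            "files": sorted({f["path"] for f in findings}),
        },
        # Stable ordering keeps diffs between two reports readable.
        "findings": sorted(findings, key=lambda f: (f["path"], f["line"])),
        "status": "fail" if findings else "pass",
    }


def to_json(report: Dict) -> str:
    return json.dumps(report, indent=2, sort_keys=True)


def to_markdown(report: Dict) -> str:
    lines = [
        "# SentinelSecrets report",
        "",
        f"- Status: **{report['status'].upper()}**",
        f"- Ref: {report['ref']}",
        f"- Findings: {report['summary']['total']}",
        "",
    ]
    if report["findings"]:
        lines += ["| File | Line | Type | Value (masked) |",
                  "|------|-----:|------|----------------|"]
        for f in report["findings"]:
            lines.append(f"| {f['path']} | {f['line']} | {f['kind']} | `{f['masked']}` |")
        lines.append("")
    return "\n".join(lines) + "\n"


def exit_code(report: Dict) -> int:
    """Any finding fails the run, which is what a CI job or hook keys on."""
    return 1 if report["status"] == "fail" else 0


if __name__ == "__main__":
    report = build_report(SAMPLE_FINDINGS)
    print(to_json(report))
    print(to_markdown(report))
    raise SystemExit(exit_code(report))
```

Keeping `status` in the document as well as in the exit code lets a pipeline archive the JSON as evidence of the check having run, which is the audit use the README lists under its benefits.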

Installation

git clone https://github.com/mscbuild/sentinel-secrets-.git
cd sentinel-secrets-
pip install -r requirements.txt

Usage

python main.py --file app.py

Architecture

  • scanner.py — signatures and search logic

  • entropy.py — random secret detection

  • git_utils.py — working with git diff

  • api.py — REST API

Threats this addresses

  • API key leaks to public repositories

  • Cloud account compromise

  • SOC2/ISO 27001 compliance violations

  • Supply chain attacks

🧪 How to run tests

pip install pytest
pytest -v

Important

Fixing a file in a new commit does not remove a secret that was already committed: the value stays in Git history. Use git filter-repo (recommended) or BFG Repo-Cleaner to remove secrets from Git history, and rotate the exposed secret regardless, since anyone who fetched the repository before the rewrite may already have it.

Note

My project is lightweight, customizable to the company's internal formats, and written in pure Python for easy auditing.

πŸ›‘οΈ Security

This project is developed in compliance with the OWASP Code Review Guide.

📜 LICENSE (MIT)

MIT License

Copyright (c) 2025 Mscbuild
