# scan-for-secrets

CLI tool and Python library by [[Simon Willison]] that scans text files for accidentally exposed secrets before sharing content publicly. Particularly useful for reviewing logs from coding agent sessions.

## How It Works

Recursively scans directories for specified secret strings, checking both literal matches and common encoding variants:

- JSON-escaped variants
- URL percent-encoded forms
- HTML entity encoding
- Backslash-doubled escapes
- Unicode escape sequences

Returns exit code 0 if clean, 1 if secrets found. Shows file paths, line numbers, and the first 4 characters of each matched secret together with its encoding type. Automatically skips binary files and directories like `.git`, `node_modules`, `__pycache__`.

## Installation

```bash
pip install scan-for-secrets
uv tool install scan-for-secrets
uvx scan-for-secrets --help   # no install needed
```

## Usage

```bash
scan-for-secrets $API_KEY                 # scan current directory
scan-for-secrets $API_KEY -d ~/project    # specific directory
scan-for-secrets $API_KEY -f log1.txt     # specific files
cat file.txt | scan-for-secrets           # piped input
scan-for-secrets $API_KEY -r              # redact mode (replaces with "REDACTED")
```

Supports a config file (`~/.scan-for-secrets.conf.sh`) with shell commands to retrieve secrets dynamically.

## Python API

Five functions: `scan_directory()`, `scan_directory_iter()`, `scan_file()`, `scan_file_iter()`, `redact_file()`. Results are returned as `ScanResult` and `Match` dataclasses.

## License

Apache 2.0.

## References

- https://github.com/simonw/scan-for-secrets

## Related

- [[Simon Willison]]
- [[Data Security]]
- [[AI Data Security]]
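The "How It Works" section above lists the encoding variants the tool checks for. The following is an added example, not code from the scan-for-secrets project, showing how a secret can be expanded into those variants and matched line by line against a constructed log excerpt; the `Match` dataclass and the `SECRET` value are illustrative and not the project's own.

```python
# Added example, not part of scan-for-secrets: expand a secret into the encoded
# forms it may take in logs and report where each form appears.
import html
import json
import urllib.parse
from dataclasses import dataclass


@dataclass(frozen=True)
class Match:  # illustrative; not the project's Match dataclass
    line_no: int
    encoding: str
    prefix: str  # first 4 characters of the secret, as the CLI shows


def encoding_variants(secret: str) -> dict[str, str]:
    """Return the literal secret plus the encoded forms listed in the README."""
    return {
        "literal": secret,
        # json.dumps adds surrounding quotes; strip them to keep the escaped body
        "json": json.dumps(secret)[1:-1],
        "url": urllib.parse.quote(secret, safe=""),
        "html": html.escape(secret, quote=True),
        "backslash-doubled": secret.replace("\\", "\\\\"),
        "unicode": "".join(f"\\u{ord(c):04x}" for c in secret),
    }


def scan_text(text: str, secrets: list[str]) -> list[Match]:
    """Scan text line by line; report each distinct variant found on a line once."""
    matches = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for secret in secrets:
            seen = set()
            for name, variant in encoding_variants(secret).items():
                if variant in seen:  # e.g. backslash-doubled == literal when no '\'
                    continue
                seen.add(variant)
                if variant in line:
                    matches.append(Match(line_no, name, secret[:4]))
    return matches


# Constructed sample secret and log excerpt (placeholders, not real credentials)
SECRET = 'sk-test/ABC+"123'
SAMPLE_LOG = "\n".join([
    "GET /v1?key=" + urllib.parse.quote(SECRET, safe=""),   # URL-encoded
    '{"auth": "' + json.dumps(SECRET)[1:-1] + '"}',        # JSON-escaped
    "nothing sensitive here",
    "<pre>" + html.escape(SECRET) + "</pre>",               # HTML entities
])

if __name__ == "__main__":
    for m in scan_text(SAMPLE_LOG, [SECRET]):
        print(f"line {m.line_no}: {m.prefix}... ({m.encoding})")
```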