Detect leaked Access Keys and Secret Keys in your codebase.
- π About Access Keys: Outscale Access Keys
- βοΈ GitHub Action: action.yml
- π§ͺ Test Script: tests/tests.sh
- π€ Contribution Guide: CONTRIBUTING.md
- π¬ Join us on Discord
Credential Scanner is a lightweight Bash script that recursively scans a directory for leaked Outscale Access Keys and Secret Keys.
It skips binary files and uses strict patterns to avoid false positives and catch high-confidence secrets.
-
Recursive scanning of directories
-
Skips binary files
-
Detects:
- Access Keys (20-character uppercase alphanumeric)
- Secret Keys (40-character uppercase alphanumeric)
-
Ignores known test keys:
ABCDEFGHIJ01234567890123456789ABCDEFGHIJ
-
Ignores weak matches:
- Access Keys with <3 digits or <3 uppercase letters
- Secret Keys with <5 digits or <5 uppercase letters
- Bash shell (Linux/macOS/WSL)
grep,find, and standard POSIX utilities
./scan.sh /path/to/your/codebaseExample:
./scan.sh ./src/You can integrate this scanner directly into your GitHub workflows to detect secrets on pull requests.
| Input | Description | Required | Default |
|---|---|---|---|
scan_path |
Path to scan | β Yes | "./" |
None
Create a file at .github/workflows/cred-scan.yml:
name: Credential Scanner
on:
pull_request:
branches: [ main ]
permissions:
contents: read
jobs:
cred-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- name: Scan credentials
uses: outscale/cred-scan@main
with:
scan_path: "./"We welcome contributions and discussions!
-
Run tests with:
./tests/tests.sh
Please read our Contributing Guidelines and Code of Conduct before submitting a pull request.
Credential Scanner is licensed under the BSD 3-Clause License. Β© Outscale SAS
This project follows the REUSE Specification.