Leek is a CLI and .NET toolset for detecting breached or weak secrets such as passwords.
Inspired by "There's a leek in the boat!" -Cloudy with a Chance of Meatballs, it helps you plug security holes before your system sinks.
- .NET API: Integrate into your applications for real-time hash auditing and response.
- CLI Tool: Use via terminal to import, scan, and analyze existing hash databases.
- Hash-based breach detection (e.g. SHA1)
- Wordlist imports and reading
- EF Core integration with flexible data access (support list below)
- Works online or offline: leverage databases, APIs, or wordlists from local or remote sources
- ASP.NET demo web app included
- Enforce secure password policies by blocking weak or breached credentials at login, signup, or during password changes.
- Audit stored password hashes to proactively identify accounts at risk before a breach occurs.
- Integrate into CI/CD pipelines to prevent known or default credentials from being used in development or deployments.
- Automate hash database updates by syncing with trusted online breach or wordlist sources.
Leek focuses on the hash, not the password, which means:
- Any hashed value can be audited (not just passwords)
- It works across various platforms and runtimes, while allowing extensibility.
- It integrates where you need it β login-time, scan-time, or CI/CD-time
Leek is built on one or more Data Providers that can be injected at runtime; the defaults supported are listed below:
- Microsoft SQL Server (`mssql`)
- SQLite (`sqlite`)
- File store (`directory`)
- Have I Been Pwned k-Anonymity search (`hibp`)
- Wordlists (`wordlist`)
By default Leek assumes its input is a secret and produces a hash for each supported algorithm, which is then checked against the configured local or remote databases.
If the input is already a hash, supply a filter to the check command or API instead: the flag indicates which hash algorithm produced the value, so only that hash is looked up, keeping the audit efficient and secure.
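The `hibp` provider listed above relies on k-anonymity: only a short prefix of the hash leaves the machine and the match is finished locally. The following is an added example, not Leek's own code, showing that flow in plain .NET with a constructed range response standing in for the remote reply; the `KAnonymityCheck` class and its method names are assumptions for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not Leek's code): the k-anonymity lookup pattern used by
// providers such as `hibp`. Only the first 5 hex chars of the SHA-1 hash are
// sent; the response lists every suffix sharing that prefix and the match is
// completed locally, so the full hash (and the secret) never leave the host.
public static class KAnonymityCheck
{
    public static string Sha1Hex(string secret)
    {
        byte[] digest = SHA1.HashData(Encoding.UTF8.GetBytes(secret));
        return Convert.ToHexString(digest); // upper-case, as in the range format
    }

    // 5-char prefix goes to the service, 35-char suffix stays local.
    public static (string Prefix, string Suffix) Split(string sha1Hex) =>
        (sha1Hex[..5], sha1Hex[5..]);

    // Parses "SUFFIX:COUNT" lines and returns the count for our suffix, or 0
    // when absent. Case-insensitive so locally stored hashes of either case match.
    public static int MatchSuffix(string rangeResponse, string suffix)
    {
        foreach (string line in rangeResponse.Split('\n', StringSplitOptions.RemoveEmptyEntries))
        {
            int colon = line.IndexOf(':');
            if (colon < 0) continue;
            string candidate = line[..colon].Trim();
            if (candidate.Equals(suffix, StringComparison.OrdinalIgnoreCase))
                return int.Parse(line[(colon + 1)..].Trim());
        }
        return 0;
    }

    public static void Main()
    {
        string hash = Sha1Hex("password"); // 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
        var (prefix, suffix) = Split(hash);

        // Constructed stand-in for the reply to a range query for `prefix`;
        // a real reply holds hundreds of suffixes and the counts here are made up.
        string constructedRange =
            "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n" +
            "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n" +
            "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1\r\n";

        int count = MatchSuffix(constructedRange, suffix);
        Console.WriteLine($"sent prefix {prefix}; kept suffix {suffix} local");
        Console.WriteLine(count > 0 ? $"breached ({count} occurrences)" : "not found");
    }
}
```

The same split-and-match step applies to any hash algorithm Leek produces; only the digest function changes.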
Please ensure you check existing issues first! You're welcome to also read the CONTRIBUTING.md if you are interested in contributing to the project.
```shell
# Show help
leek -h
# Show the current app's full version.
leek --version
# Check a secret or hash
leek check <secret> [--type=<enter>] -p=<provider>[://<connection>]
# e.g.
# check test (check if test is found in the defaults)
# check test -p=hibp -p="sqlite://Data Source=leek.db" (check specific providers)
# Copies hashes from one provider/connection to another
leek copy -fp=<provider>[://<connection>] -tp=<provider>[://<connection>]
# Loads online hash data into the destination provider/connection.
# nb. this could take hours-days until our sources allow differentials
leek update -p=<provider>[://<connection>]
# Scan a target for breaches in known providers
# options: wordpress:database://<mysql connection string>
# nb. future plans for wordpress:sftp, and generic table scanning e.g. query:mysql://SELECT user_login AS `Username`, user_pass AS `Secret`, 'wp-sha384' AS `SecretType` FROM wp_users WHERE user_status = 0 AND user_pass LIKE '$wp%';
leek scan -t=<target>[://<connection>] -p=<provider>[://<connection>]
# e.g.
# scan -t=wordpress:database (scan a wordpress database with defaults)
# scan -t=wordpress:database -p=hibp (scan wordpress and check against hibp)
```
```csharp
using Microsoft.Extensions.Options;

// register services with DI
builder.Services.AddLeekServices()
    .AddDefaultServices(); // adds all providers, e.g. HIBP, db, directory

// configure your options (Configure<T> needs a delegate or a configuration section)
builder.Services.Configure<MyOptions>(options =>
{
    // customise as needed, e.g. populate options.Connections
});

// inject and use the IAuditor interface
public class Example(IAuditor auditor, IOptions<MyOptions> options)
{
    public async Task CheckSecret(string secret)
    {
        // the request carries the secret; Leek hashes it and queries each configured connection
        LeekSearchResponse response = await auditor.SearchBreaches(options.Value.Connections, new LeekSearchRequest(secret));
        // do something with response.IsBreached
        Console.WriteLine($"Secret is{(response.IsBreached ? "" : " not")} breached");
    }
}

public class MyOptions
{
    public required ConnectionContext[] Connections { get; set; }
}
```
See here and here for an example use in an ASP.NET application.
Leek currently supports the following online sources:
Of course, online features are optional and instead you can read from wordlists you may already have, or existing databases if they match the Leek schema (table or view adapter).
Leek is built with extensibility in mind. Future enhancements may include:
- `--output json|csv|sarif`: for use with audit tooling & CI pipelines
- Integration with external scanning tools and log systems
- Auto-redaction alerts (log scanning)
- Agent/daemon mode for long-running environments
- Table/schema inference via adapters (e.g. WordPress (mysql, sftp), Laravel, etc.)
- Additional hash methods, e.g. NTLM
Leek is licensed under the GPLv3 for source code to protect community contributions.
However, to make it easier for real-world adoption:
- All official NuGet packages and CLI binaries are MIT licensed
- This means you can safely use them in closed-source projects, CI pipelines, and internal systems
- All we ask for is a star, mention, or shout-out to help raise awareness
| Component | License |
|---|---|
| Source code (this repo) | GPLv3 |
| NuGet packages (e.g., Leek.Core) | MIT |
| CLI binaries | MIT |
| Modifying the source | GPLv3 applies |
For full policy details, see LICENSE_POLICY.md
Note: While Leek is not a certified security product, it provides practical tooling to help integrate hash auditing into existing security workflows and improve the overall posture of .NET applications.
It's designed to be accessible and extensible, making it easier for teams to adopt better security hygiene, especially when faced with limited time, budget, or tooling.
No warranties or official support provided. Use ethically at your own risk.