A powerful CLI tool designed to find secrets in JavaScript files, web pages, and other text sources.
- Multi-Source Scanning: Process remote URLs, local files, and entire directories.
- Extensive Pattern Library: Over 60 meticulously crafted regex patterns to identify a wide range of secrets, including API keys (AWS, Google Cloud, Stripe, etc.), authentication tokens (JWT, OAuth, Bearer), database credentials, private keys, PII (email, phone), Web3 secrets (crypto addresses, private keys), and more.
- URL/Domain Extraction Mode: Dedicated mode (
--scan-urls) to efficiently extract only URL and domain patterns from sources. - Flexible Pattern Control: Fine-tune scans by including or excluding specific pattern categories (e.g.,
--include-categories aws,pii). - Concurrent Processing: Fast multi-threaded architecture for efficient scanning.
- Domain-Aware Scheduling: Smart distribution of requests to avoid rate limiting when scanning remote URLs.
- WAF/Rate Limit Evasion: Strategies for handling common web security measures.
- Context Analysis: Reduces false positives by analyzing surrounding code and context.
- Real-Time Progress: Live updates with progress bar and statistics (can be disabled with
--no-progressor in--silentmode). - Multiple Output Formats: Output results in standard text, JSON, or raw values. Supports a new grouped format (
--group-by-source) for TXT and JSON, organizing findings by their source URL/file.
# Clone the repository
git clone https://github.com/rafabd1/SecretHound.git
cd SecretHound
# Install dependencies
go mod download
# Build the binary
go build -o secrethound ./cmd/secrethound
# Optional: Move to path (Linux/macOS)
sudo mv secrethound /usr/local/bin/
# Optional: Add to PATH (Windows - in PowerShell as Admin)
# Copy-Item .\secrethound.exe C:\Windows\System32\go install github.com/rafabd1/SecretHound/cmd/secrethound@latestYou can download pre-built binaries for your platform from the releases page.
Scan a single URL:
secrethound https://example.com/script.jsScan multiple URLs:
secrethound https://example.com/script1.js https://example.com/script2.jsScan from a list of URLs:
secrethound -i url-list.txtScan a local file:
secrethound -i /path/to/file.jsScan an entire directory:
secrethound -i /path/to/directorySave results to a file:
secrethound -i url-list.txt -o results.txtSecretHound supports the following options:
| Flag | Description | Default |
|---|---|---|
-i, --input-file |
Input file (URLs/paths), directory, or a single URL/file path as a target argument. | - |
-o, --output |
Output file for results (default: stdout). Format (txt, json) inferred from extension. | - |
--raw |
Output only raw secret values (affects TXT and grouped JSON file output). | false |
--group-by-source |
Group secrets by source URL/file in TXT and JSON output. | false |
-t, --timeout |
HTTP request timeout in seconds. | 10 |
-r, --retries |
Maximum number of retry attempts for HTTP requests. | 2 |
-c, --concurrency |
Number of concurrent workers. | 50 |
-l, --rate-limit |
Max requests per second per domain (0 for auto/unlimited). | 0 |
-H, --header |
Custom HTTP header to add (e.g., "Authorization: Bearer token"). Can be used multiple times. | - |
--insecure |
Disable SSL/TLS certificate verification. | false |
--include-categories |
Comma-separated list of pattern categories to include (e.g., aws,gcp). | all enabled |
--exclude-categories |
Comma-separated list of pattern categories to exclude (e.g., pii,url). | none |
--scan-urls |
URL Extraction Mode: Scan ONLY for URL/Endpoint patterns (overrides category filters). | false |
--list-patterns |
List available pattern categories and patterns, then exit. | false |
-v, --verbose |
Enable verbose logging output. | false |
-n, --no-progress |
Disable the progress bar display. | false |
-s, --silent |
Silent mode (suppress progress bar and info logs). | false |
For more detailed information, see the documentation directory:
- Usage Examples - Detailed usage examples
- Technical Details - Internal architecture and design
- Supported Secrets - List of secret types detected
- Changelog - Check the latest updates and version history
Contributions are welcome! Please feel free to submit a Pull Request.
- Fork the repository
- Create your feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add some amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
This project is licensed under the MIT License - see the LICENSE file for details.
Made with 🖤 by Rafael (github.com/rafabd1)
