# kyubisweep

*Hunt exposed secrets with the cunning of a fox!*

A lightweight, cross-platform CLI tool that scans your filesystem to detect exposed secrets, API keys, and tokens. Built with Go for maximum performance and zero dependencies.
## Features

- **30+ Secret Patterns** - Detects AWS, Stripe, GitHub, Google, Slack, database credentials, and more
- **Shannon Entropy Analysis** - Catches random high-entropy strings that regex might miss
- **Concurrent Scanning** - Uses Go's goroutines for blazing-fast parallel processing
- **Security Hygiene Scorecard** - Beautiful terminal output with color-coded risk levels
- **Zero Dependencies** - Single static binary, just download and run
- **Cross-Platform** - Works on macOS (Intel + Apple Silicon), Linux, and Windows
- **Smart Filtering** - Scans only text-based files by default, skips binaries
- **Quarantine Mode** - Move sensitive files to a secure vault location
## Installation

### Download a prebuilt binary

```bash
# macOS Apple Silicon (M1/M2/M3)
curl -L -o kyubisweep https://github.com/tanmayshahane/kyubisweep/releases/latest/kyubisweep-darwin-arm64
chmod +x kyubisweep

# Run it!
./kyubisweep --path /path/to/your/project
```

### Build from source

```bash
# Ensure Go 1.21+ is installed
go version

# Clone and build
git clone https://github.com/tanmayshahane/kyubisweep.git
cd kyubisweep
go build -o kyubisweep ./cmd/sweep/main.go

# Run it!
./kyubisweep --path .
```

## Usage

```text
USAGE:
  kyubisweep [OPTIONS]

OPTIONS:
  --path <directory>    Path to scan (default: current directory)
  --verbose             Enable detailed output
  --all                 Show all severity levels (default: HIGH only)
  --all-files           Scan all files, not just text-based files
  --ext <extensions>    Additional extensions to scan (comma-separated)
  --json                Output report as JSON file
  --no-report           Don't save report file
  --quiet               Minimal output, just summary
  --move-to <path>      Move files with secrets to quarantine directory
  --help                Show this help message

EXAMPLES:
  kyubisweep --path ./my-project
  kyubisweep --path . --all                 # Show all severities
  kyubisweep --path . --ext log,dat         # Add custom extensions
  kyubisweep --path . --move-to ./vault     # Quarantine sensitive files
  kyubisweep --path . --json                # Export as JSON
```
## Example Output

Sample scorecard (box-drawing characters, bar graphs and icons omitted here):

```text
============================================================================
                   KYUBISWEEP SECURITY HYGIENE SCORECARD
============================================================================

CRITICAL ISSUES FOUND

RISK BREAKDOWN
----------------------------------------
CRITICAL   9
HIGH       2
MEDIUM     0
LOW        0

FINDINGS DETAIL
----------------------------------------
RISK        TYPE                      LOCATION
[CRITICAL]  AWS Access Key ID         ~/project/.env:5
[CRITICAL]  PostgreSQL Connection     ~/project/config.yaml:12
[HIGH]      Stripe Secret Key         ~/project/payment.js:42

Scanned: ~/my-project
Files analyzed: 2.9K
Duration: 1.2s
```
## Architecture

```mermaid
graph TD
    subgraph "Initialization (Main Goroutine)"
        A[Start CLI] --> B{Parse Flags};
        B -->|--path| C[Init Walker];
        B -->|--move-to| D[Init Quarantine Mgr];
        C --> E[Create Jobs Channel];
        E --> F[Create Results Channel];
    end

    subgraph "Producer (Goroutine 1)"
        G[Walker] -->|Finds Files| E;
        style G fill:#f9f,stroke:#333,stroke-width:2px
        style E fill:#ccf,stroke:#333,stroke-width:2px,stroke-dasharray: 5 5
    end

    subgraph "Worker Pool (Goroutines 2...N)"
        E -->|Read File Path| H[Worker 1];
        E -->|Read File Path| I[Worker 2];
        E -->|Read File Path| J[Worker N];
        H -->|Read Content| K{Analyzer};
        I -->|Read Content| K{Analyzer};
        J -->|Read Content| K{Analyzer};
        K -- No Secret --> L((Discard));
        K -- Secret Found --> M[Send Finding];
        M --> F;
        style K fill:#ff9,stroke:#333,stroke-width:2px
    end

    subgraph "Consumer & Wrap up (Main Goroutine)"
        F -->|Collect Findings| N[Reporter / Table UI];
        style F fill:#ccf,stroke:#333,stroke-width:2px,stroke-dasharray: 5 5
        N --> O{Quarantine Requested?};
        O -- Yes --> P[Move Files to Vault];
        O -- No --> Q[Exit];
        P --> Q;
    end

    %% Add a WaitGroup visual helper
    H -.-> WG[sync.WaitGroup];
    I -.-> WG;
    J -.-> WG;
    WG -.->|All Done| F;
```
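The producer / worker-pool / consumer wiring shown in the diagram, as an added Go example rather than the code in `cmd/sweep/main.go`: `sweep` and its stub `analyze` are hypothetical names, and the scan runs over an in-memory map of constructed file contents instead of a real directory walk.

```go
package main

import (
	"fmt"
	"strings"
	"sync"
)

// analyze stands in for the analyzer stage (regex + entropy would plug in
// here): it reports "path:line" for every line assigning SECRET_KEY.
func analyze(path, content string) []string {
	var out []string
	for i, line := range strings.Split(content, "\n") {
		if strings.Contains(line, "SECRET_KEY=") {
			out = append(out, fmt.Sprintf("%s:%d", path, i+1))
		}
	}
	return out
}

// sweep wires the pipeline in the diagram: the walker (producer) feeds paths
// into jobs, `workers` goroutines analyze them and send findings to results,
// and a WaitGroup closes results only once every worker is done, so the
// consumer's range loop can neither miss a late finding nor hang forever.
func sweep(files map[string]string, workers int) []string {
	jobs := make(chan string)
	results := make(chan string)
	var wg sync.WaitGroup
	go func() { // producer: walks the in-memory "filesystem"
		for path := range files {
			jobs <- path
		}
		close(jobs) // lets every worker's range loop finish
	}()
	for w := 0; w < workers; w++ { // worker pool
		wg.Add(1)
		go func() {
			defer wg.Done()
			for path := range jobs {
				for _, f := range analyze(path, files[path]) {
					results <- f
				}
			}
		}()
	}
	go func() { wg.Wait(); close(results) }() // the WG -.-> F edge
	var all []string // consumer: main goroutine collects for the reporter
	for f := range results {
		all = append(all, f)
	}
	return all
}
```

Findings arrive in whatever order the workers finish, so a real reporter sorts them before printing.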
## Detected Secret Types

| Category | Examples |
|---|---|
| Cloud Credentials | AWS Access Keys, Google API Keys, Azure tokens |
| Payment Systems | Stripe API keys (live & test) |
| Developer Tools | GitHub PATs, NPM tokens, Heroku API keys |
| Communication | Slack tokens, Discord bot tokens, Twilio keys |
| Databases | PostgreSQL, MongoDB, MySQL connection strings |
| Cryptographic | RSA/SSH/PGP private keys |
| Generic | Passwords, API keys, Bearer tokens |
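How the regex pass and the Shannon entropy pass listed under Features complement each other, as an added Go example that is not kyubisweep's own analyzer: `analyzeLine`, the AKIA pattern and the 4.0-bit threshold are choices made for this illustration, and every token value in the comments is constructed.

```go
package main

import (
	"math"
	"regexp"
)

// shannonEntropy returns the Shannon entropy of s in bits per character:
// a 32-char token of distinct characters scores log2(32) = 5.0, while a
// repeated placeholder such as "changemechangeme" scores under 3.
func shannonEntropy(s string) float64 {
	runes := []rune(s)
	if len(runes) == 0 {
		return 0
	}
	counts := make(map[rune]int)
	for _, r := range runes {
		counts[r]++
	}
	n, h := float64(len(runes)), 0.0
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// Exact pattern: an AWS access key ID is "AKIA" plus 16 upper-case
// alphanumerics. The candidate pattern picks out any base64-like run of
// 20+ characters for the entropy pass.
var (
	awsKeyID  = regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)
	candidate = regexp.MustCompile(`[A-Za-z0-9+/]{20,}`)
)

// analyzeLine maps each suspicious string to the reason it was flagged: the
// regex pass runs first, then entropy covers candidates regex did not explain.
func analyzeLine(line string, minEntropy float64) map[string]string {
	found := make(map[string]string)
	for _, m := range awsKeyID.FindAllString(line, -1) {
		found[m] = "AWS Access Key ID"
	}
	for _, tok := range candidate.FindAllString(line, -1) {
		if _, known := found[tok]; !known && shannonEntropy(tok) >= minEntropy {
			found[tok] = "High-entropy string"
		}
	}
	return found
}
```

Lowering the threshold catches shorter or less random secrets at the cost of more false positives on things like git hashes and base64 blobs.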
## Project Structure

```text
kyubisweep/
├── cmd/
│   └── sweep/
│       └── main.go          # CLI entry point + worker pool
├── pkg/
│   ├── analyzer/
│   │   └── analyzer.go      # Entropy + regex detection
│   ├── scanner/
│   │   └── walker.go        # Concurrent directory walker
│   ├── reporter/
│   │   └── reporter.go      # Security Scorecard output
│   ├── quarantine/
│   │   └── manager.go       # Secure file relocation
│   └── common/
│       └── colors.go        # Shared ANSI color utilities
├── reports/                 # Generated scan reports
├── build/                   # Cross-compiled binaries
├── go.mod                   # Go module definition
├── build.sh                 # Cross-platform build script
└── README.md
```
## Building for All Platforms

```bash
# Make the build script executable
chmod +x build.sh

# Build for all platforms
./build.sh

# Outputs:
# build/kyubisweep-darwin-arm64        (macOS Apple Silicon)
# build/kyubisweep-darwin-amd64        (macOS Intel)
# build/kyubisweep-linux-amd64         (Linux 64-bit)
# build/kyubisweep-linux-arm64         (Linux ARM)
# build/kyubisweep-windows-amd64.exe   (Windows 64-bit)
```

## Quarantine Mode

Found secrets you need to secure immediately? Use `--move-to` to relocate files:

```bash
./kyubisweep --path . --move-to ./secure_vault
```

Safety features:

- Bold red warning before any files are moved
- Requires typing "yes" to confirm
- Creates vault directory with secure permissions (0700)
- Handles cross-filesystem moves automatically
- Prevents overwrites with timestamp-based naming
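The three filesystem-level safety features above (0700 vault, cross-filesystem moves, no overwrites), as an added Go example that is not `pkg/quarantine/manager.go`: `quarantine` and `copyAndRemove` are hypothetical names, and the red warning plus "yes" confirmation are left to the caller.

```go
package main
import (
	"errors"
	"io"
	"os"
	"path/filepath"
	"syscall"
	"time"
)

// quarantine moves src into vault (created 0700 so only the owner can read
// relocated secrets) and returns the final path. A name clash gets a timestamp
// suffix instead of an overwrite; EXDEV (vault on another filesystem) falls
// back to copy-then-remove, because rename(2) cannot cross filesystems.
func quarantine(src, vault string) (string, error) {
	if err := os.MkdirAll(vault, 0o700); err != nil {
		return "", err
	}
	dst := filepath.Join(vault, filepath.Base(src))
	if _, err := os.Stat(dst); err == nil {
		dst += "." + time.Now().UTC().Format("20060102T150405.000000000Z")
	}
	err := os.Rename(src, dst)
	if errors.Is(err, syscall.EXDEV) {
		err = copyAndRemove(src, dst)
	}
	if err != nil {
		return "", err
	}
	return dst, nil
}

// copyAndRemove is the cross-filesystem path: copy first, remove src last.
func copyAndRemove(src, dst string) error {
	in, err := os.Open(src)
	if err != nil {
		return err
	}
	defer in.Close()
	// O_EXCL refuses to clobber an existing file; 0600 keeps the copy private.
	out, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return err
	}
	if _, err := io.Copy(out, in); err != nil {
		out.Close()
		return err
	}
	if err := out.Close(); err != nil {
		return err
	}
	return os.Remove(src)
}
```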
## Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

## License

MIT License - feel free to use this in your own projects!

Made by developers who accidentally committed their API keys one too many times.