Credfence is a local-first, open, and customizable CLI to prevent sensitive data leaks in Git — fast, auditable, and CI/CD-ready.
```text
$ ./credfence --repo https://github.com/xyz.git --rules-source ./rules --scan-id 4001 --deep-scan
🔍 Scanning repository...
total_files_scanned: 9001
total_files_scanned: 111247
{
  "author": "zricethezav",
  "commit_sha": "ec2fc9d6cb0954fb3b57201cf6133c48d8ca0d29",
  "confidence": "low",
  "entropy": 2.3232196723355076,
  "file_path": "/checks_test.go",
  "fingerprint": "e626075230e72764d1a90dae57867a0080b57cffa9ddf24698f3fc21572390fa",
  "introduced_at": "2018-01-28T22:39:00+00:00",
  "line_number": 37,
  "message": "AWS Access Key",
  "repo": "https://github.com/----.git",
  "rule_id": "aws_access_key",
  "scan_id": "3001",
  "severity": "critical",
  "snippet": "AKIAI**********XE4OA"
}
```
Everything you need to keep your secrets safe
Scan without sending code anywhere. Your secrets stay on your machine.
Analyze latest commits or scan your entire Git history for comprehensive coverage.
Fully editable YAML rules stored with your repo. Complete transparency and control.
Configure exactly what to scan. Focus on what matters, skip what doesn't.
Fast, optimized scanning that leverages your CPU for maximum performance.
Secure scanning with tokens. Works with your private repositories seamlessly.
Export as JSON or SARIF for seamless CI/CD pipeline integration.
Built by developers, for developers. Simple CLI, powerful results.
Four simple steps to secure your codebase
Quick installation via git or direct download under releases
Choose between Head scan (latest commits) or Deep scan (full history)
Built-in and custom YAML rules identify sensitive data patterns
Output JSON or SARIF for automated pipeline workflows
Transparent, version-controlled, and fully auditable
Credfence comes with comprehensive built-in rules for common secrets like AWS keys, API tokens, and private keys.
```yaml
rules:
  - id: aws-access-key
    pattern: 'AKIA[0-9A-Z]{16}'
    severity: high
    description: AWS Access Key
  - id: github-token
    pattern: 'ghp_[a-zA-Z0-9]{36}'
    severity: critical
    description: GitHub Personal Access Token
```
Create your own rules with .credfence.yaml. Store them in version control for team-wide consistency.
```yaml
# .credfence.yaml
rules:
  - id: internal-api-key
    pattern: 'MYCOMPANY_[A-Z0-9]{32}'
    severity: critical
    description: Internal API Key
ignore_paths:
  - vendor/
  - node_modules/
  - "*.test.js"
```
All rules are open source and auditable. No proprietary detection logic, no black boxes.
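To show what a rule file in this shape actually does at scan time, here is an added example (not Credfence's own code) of a small scanner that applies rules with the `id`, `pattern`, `severity` and `description` fields above, honours `ignore_paths`, masks each match the way the sample finding does (`AKIAI**********XE4OA`) and reports the match's Shannon entropy. The rule set, the file tree and the secret-like strings are constructed for the demo; the `fingerprint` and `mask` helpers are this example's own design, not a description of how Credfence computes those fields.

```python
"""Added example, not Credfence's own code: a minimal scanner for rules in
the .credfence.yaml shape (id, pattern, severity, description, ignore_paths).
All rules, files and key-like strings below are constructed for the demo."""
import fnmatch
import hashlib
import math
import re

# Constructed rule set in the page's .credfence.yaml layout. It is written as a
# dict so the example has no dependencies; a real loader would use PyYAML.
CONFIG = {
    "rules": [
        {"id": "aws-access-key", "pattern": r"AKIA[0-9A-Z]{16}",
         "severity": "high", "description": "AWS Access Key"},
        {"id": "github-token", "pattern": r"ghp_[a-zA-Z0-9]{36}",
         "severity": "critical", "description": "GitHub Personal Access Token"},
        {"id": "internal-api-key", "pattern": r"MYCOMPANY_[A-Z0-9]{32}",
         "severity": "critical", "description": "Internal API Key"},
    ],
    "ignore_paths": ["vendor/", "node_modules/", "*.test.js"],
}


def is_ignored(path, ignore_paths):
    """A trailing-slash entry skips everything under that directory (at any
    depth); any other entry is a glob matched against the full path."""
    for entry in ignore_paths:
        if entry.endswith("/"):
            if path.startswith(entry) or "/" + entry in path:
                return True
        elif fnmatch.fnmatch(path, entry):
            return True
    return False


def shannon_entropy(s):
    """Bits per character of the matched string; random keys score high,
    repeated or padded strings score low."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(secret, keep=5):
    """Keep the first and last `keep` characters, star out the rest."""
    if len(secret) <= 2 * keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - 2 * keep) + secret[-keep:]


def fingerprint(path, rule_id, secret):
    """Stable identifier (this example's own scheme) so the same leak is not
    re-reported as new on every scan."""
    return hashlib.sha256(f"{path}:{rule_id}:{secret}".encode()).hexdigest()


def scan_file(path, text, config):
    """Return one finding per regex match, using the field names of the sample JSON."""
    if is_ignored(path, config.get("ignore_paths", [])):
        return []
    findings = []
    for rule in config["rules"]:
        regex = re.compile(rule["pattern"])
        for lineno, line in enumerate(text.splitlines(), start=1):
            for match in regex.finditer(line):
                secret = match.group(0)
                findings.append({
                    "rule_id": rule["id"],
                    "severity": rule["severity"],
                    "message": rule["description"],
                    "file_path": path,
                    "line_number": lineno,
                    "snippet": mask(secret),
                    "entropy": round(shannon_entropy(secret), 4),
                    "fingerprint": fingerprint(path, rule["id"], secret),
                })
    return findings


def scan_files(files, config):
    """Scan a {path: contents} mapping; ignore_paths is applied per path."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_file(path, text, config))
    return findings


# Constructed sample tree. AKIAIOSFODNN7EXAMPLE is the placeholder key id used
# in AWS's own documentation; the other values are made up.
SAMPLE_FILES = {
    "config/settings.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n',
    "src/client.js": "const token = 'ghp_" + "a" * 36 + "';\n",
    "src/client.test.js": "const token = 'ghp_" + "b" * 36 + "';\n",  # skipped: *.test.js
    "vendor/lib.py": "KEY = 'MYCOMPANY_" + "A" * 32 + "'\n",          # skipped: vendor/
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES, CONFIG):
        print(finding)
```

Running it reports two findings (the AWS key id and the GitHub-shaped token) and nothing for the test file or the vendored file. The entropy column is why a regex hit alone is not a verdict: the documentation key id scores about 3.7 bits per character, while the padded `ghp_aaaa…` string scores well under 1, the kind of value that a scanner would flag as low confidence.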
Works with your favorite tools and workflows
Credfence outputs in industry-standard formats for easy integration with security dashboards and code quality tools.
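As an added example of what the SARIF export hands to a dashboard such as GitHub code scanning (not Credfence's own code or a documented Credfence output format), the following converts findings in the JSON layout shown at the top of this page into a SARIF 2.1.0 log. The severity-to-level mapping, the rule metadata and the `partialFingerprints` key name are this example's own choices; the finding values are placeholders that copy the page's field names.

```python
"""Added example, not Credfence's own code: findings in the page's JSON
layout -> SARIF 2.1.0. The mapping choices below are this example's own."""
import json

# SARIF levels are error / warning / note; map scanner severities onto them.
SEVERITY_TO_LEVEL = {"critical": "error", "high": "error",
                     "medium": "warning", "low": "note"}

# Constructed finding: the field names come from the sample JSON on the page,
# the values are placeholders.
SAMPLE_FINDINGS = [{
    "author": "example-user",
    "commit_sha": "0123456789abcdef0123456789abcdef01234567",
    "confidence": "low",
    "entropy": 2.3232,
    "file_path": "/checks_test.go",
    "fingerprint": "ab" * 32,
    "introduced_at": "2018-01-28T22:39:00+00:00",
    "line_number": 37,
    "message": "AWS Access Key",
    "repo": "https://github.com/example/repo.git",
    "rule_id": "aws_access_key",
    "scan_id": "3001",
    "severity": "critical",
    "snippet": "AKIAI**********XE4OA",
}]


def to_sarif(findings, tool_name="credfence", tool_version="0.0.0-example"):
    """Build a single-run SARIF log; the rules array is deduplicated by rule_id."""
    rules, seen, results = [], set(), []
    for f in findings:
        level = SEVERITY_TO_LEVEL.get(f["severity"], "warning")
        if f["rule_id"] not in seen:
            seen.add(f["rule_id"])
            rules.append({
                "id": f["rule_id"],
                "shortDescription": {"text": f["message"]},
                "defaultConfiguration": {"level": level},
            })
        results.append({
            "ruleId": f["rule_id"],
            "level": level,
            "message": {"text": f"{f['message']} ({f.get('confidence', 'unknown')} confidence), "
                                f"introduced in commit {f['commit_sha'][:12]} on {f['introduced_at']}"},
            "locations": [{"physicalLocation": {
                # Code scanning maps results to files by repository-relative
                # URI, so the leading slash is stripped.
                "artifactLocation": {"uri": f["file_path"].lstrip("/")},
                "region": {"startLine": f["line_number"],
                           "snippet": {"text": f["snippet"]}},
            }}],
            # Lets the dashboard recognise the same leak across uploads
            # instead of opening a new alert each run.
            "partialFingerprints": {"credfence/v1": f["fingerprint"]},
        })
    return {
        "version": "2.1.0",
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version,
                                "rules": rules}},
            "results": results,
        }],
    }


def sarif_json(findings):
    """Serialised form, ready to be written to results.sarif."""
    return json.dumps(to_sarif(findings), indent=2)


if __name__ == "__main__":
    print(sarif_json(SAMPLE_FINDINGS))
```

Two details matter when wiring this into a pipeline: the artifact URI must be repository-relative or the dashboard cannot attach the alert to a file, and only the masked snippet ever goes into the report, so the SARIF artifact itself does not become a second copy of the leaked secret.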
GitHub Actions:
```yaml
- name: Run Credfence
  run: |
    credfence --repo https://github.com/user/xyz.git \
      --rules-source ./rules --scan_id 1001 --output-format sarif \
      > results.sarif
- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v2
  with:
    sarif_file: results.sarif
```
GitLab CI:
```yaml
secret_scan:
  script:
    - credfence --repo https://github.com/user/xyz.git \
        --rules-source ./rules --scan_id 1001 --output-format json \
        > gl-secret-scanning.json
  artifacts:
    reports:
      secret_detection: gl-secret-scanning.json
```
Built on principles that matter to developers
Built with developer experience at the core. Simple, fast, and non-intrusive.
All rules are open source and auditable. No black boxes, no hidden logic.
Catch secrets before they reach your Git history, not after the damage is done.
Rules live in your repo. Track changes, review updates, maintain compliance.
Join developers worldwide who trust Credfence to keep their secrets safe