loading
loading
Static Code Analysis
Find secrets and sensitive information in text and Git history.
overview
noseyparker scans textual data for secrets and sensitive information. Point it at a file, a directory, or a Git repository and it applies a library of detection rules, surfacing API keys, tokens, and credentials wherever they appear. It reads full Git history, not only the current tree, so secrets that were committed and later removed still get caught.
It is built to scan a lot of code quickly. Run many parallel jobs with --jobs, clone and scan a repository straight from a URL with --git-url, or sweep every accessible repo for a GitHub user or organization through the GitHub API. Custom rule files, path-based ignore files, and a configurable max file size tune the scan to a codebase instead of drowning you in noise.
On Trickest, noseyparker is a Static Code Analysis node that takes a file, directory, or Git source and writes a file and a folder of results. Run it across a repository or an organization's repos to catch leaked credentials before an attacker does, and route the matches into a report or alert.
use cases
Clone a Git repo and scan every commit so secrets that were added and later deleted still surface, not only the ones left in the current tree.
Point noseyparker at a GitHub user or organization to enumerate and scan every accessible repository through the API in one run.
Supply custom rules and a path-based ignore file so the scan matches your secret formats and skips vendored or generated paths.
Scan a build directory or checkout on a schedule so leaked tokens are flagged and routed to an alert before they ship.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| input-directory | FOLDER | · | Scan the specified directory or local Git repository. |
| input-file | FILE | · | Scan the specified file. |
| git-url | STRING | --git-url | Clone and scan the Git repository at the specified URL. |
| github-organization | STRING | --github-organization | Clone and scan accessible repositories belonging to the specified GitHub organization. |
| github-user | STRING | --github-user | Clone and scan accessible repositories belonging to the specified GitHub user. |
| rules | FILE | --rules | Use custom detection rules from the specified file. |
| ignore | FILE | --ignore | Use custom path-based ignore rules from the specified file. |
| jobs | STRING | --jobs | Use N parallel scanning jobs (default 10). |
Showing key inputs. noseyparker exposes 18 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| jobs | STRING | --jobs | Use N parallel scanning jobs (default 10). |
| color | STRING | --color | Enable or disable colored output (auto, never, always; default auto). |
| rules | FILE | --rules | Use custom detection rules from the specified file. |
| ignore | FILE | --ignore | Use custom path-based ignore rules from the specified file. |
| git-url | STRING | --git-url | Clone and scan the Git repository at the specified URL. |
| verbose | BOOLEAN | --verbose | Enable verbose output. |
| progress | STRING | --progress | Enable or disable progress bars (auto, never, always; default auto). |
| input-file | FILE | · | Scan the specified file. |
| github-user | STRING | --github-user | Clone and scan accessible repositories belonging to the specified GitHub user. |
| blob-metadata | STRING | --blob-metadata | Choose which blobs record metadata (all, matching, none; default matching). |
| max-file-size | STRING | --max-file-size | Do not scan files larger than the specified size in MiB (default 100). |
| git-clone-mode | STRING | --git-clone-mode | Method used to clone Git repositories (bare, mirror; default bare). |
| github-api-url | STRING | --github-api-url | URL to use for GitHub API access (default https://api.github.com/). |
| snippet-length | STRING | --snippet-length | Bytes of context to include before and after each match (default 256). |
| input-directory | FOLDER | · | Scan the specified directory or local Git repository. |
| rules-directory | FOLDER | --rules | Use custom detection rules from the specified directory. |
| git-blob-provenance | STRING | --git-blob-provenance | Git commit provenance metadata to collect (first-seen, minimal; default first-seen). |
| github-organization | STRING | --github-organization | Clone and scan accessible repositories belonging to the specified GitHub organization. |
example
# clone a repo, scan its full history, then print the findingsnoseyparker scan --datastore np.db --git-url https://github.com/example/webapp.git --jobs 8noseyparker report --datastore np.dbScanned 842.19 MiB from 3,410 blobs in 37 seconds (22.6 MiB/s); 9/9 new matches Rule Distinct Groups Total Matches ────────────────────────────────────────────────────────────── GitHub Personal Access Token 2 3 AWS Secret Access Key 1 1 Generic API Key 3 4 Slack Token 1 1 Run the `report` command next to show finding details.guidance
Use noseyparker when you need to find leaked secrets in source code or Git history, including across an entire GitHub organization. It is a secret scanner, not a SAST engine, so reach for it to catch credentials rather than code-quality or injection flaws.
Secret scanner with credential verification. noseyparker emphasizes fast rule-based scanning across large histories.
Lightweight Git secret scanner. noseyparker adds GitHub org/user sweeps and parallel scanning at larger scale.
Pulls secrets from JavaScript files specifically. noseyparker scans full repos and history rather than single JS assets.
faq
related
Find common security issues in Python code.
A source code scanner that reviews Ruby code for security issues.
Analyze big volumes of data in search of hardcoded secrets like keys and passwords.
Git ripper that can rip repositories even when directory browsing is turned off.
Check whether a Git repository pulls in Log4J, and list the files that use it.
Detect hardcoded secrets like passwords, API keys, and tokens in git repos.
A repository URL feeds noseyparker, which scans the code and full Git history for secrets and writes the matches as a queryable output.
Facts on this page come from the live Trickest tool library.