loading
loading
Static Code Analysis
A Python tool that searches a Git repository's commit history for high-entropy strings like API keys.
overview
reposcanner reads through every commit in a Git repository and looks for strings that resemble secrets, such as API keys, tokens, and passwords. A secret deleted from the current tree still lives in history, so a tool that only scans the latest checkout misses it. reposcanner walks past commits to catch credentials that were committed once and reverted later.
Detection rests on Shannon entropy plus line-length rules. You set a minimum entropy threshold with -e and a maximum line length with -l, and reposcanner flags lines whose randomness crosses the bar. Bound the scan to a single branch with -b or to a fixed number of recent commits with -c when a full-history pass is too slow.
On Trickest, reposcanner is a Static Code Analysis node that takes a repository reference and writes a file and a folder of findings. Run it across a set of organization repositories to surface credential leaks before an attacker pulls the same history.
use cases
Scan the full commit history so credentials that were committed and later deleted still surface, since they remain reachable in past commits.
Point reposcanner at one branch with -b to review a feature line or release branch in isolation rather than the whole repository.
Raise the minimum entropy threshold with -e to focus on high-randomness strings and reduce false positives from ordinary code and config text.
Feed a list of organization repositories through reposcanner so every codebase gets a history-level secret check on a schedule.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| repo | STRING | -r | Repo to scan. |
| count | STRING | -c | Number of commits to scan. Default: all. |
| branch | STRING | -b | Scan a specific branch. |
| length | STRING | -l | Maximum line length. Default: 5. |
| entropy | STRING | -e | Minimum entropy to report. Default: 4.3. |
| verbose | BOOLEAN | -v | Verbose. |
Showing key inputs. reposcanner exposes 6 inputs in total.
example
# scan full history of a public repo for high-entropy secretsreposcanner -r https://github.com/example-org/example-repo -e 4.3 -l 200 -v[+] Scanning https://github.com/example-org/example-repo[+] Branch: main[!] High entropy string found Commit: a1b2c3d4e5f60718293a4b5c6d7e8f901234abcd File: config/settings.py Line: 42 Entropy: 5.12 String: AKIAIOSFODNN7EXAMPLE[!] High entropy string found Commit: 9f3a1c2b7d4e5f60a1b2c3d4e5f6a7b8c9d0e1f2 File: .env.example Line: 8 Entropy: 4.91 String: sk_test_EXAMPLE00000000000000000000guidance
Reach for reposcanner when you need to scan Git commit history, not just the current checkout, for leaked secrets. For broader rule sets across files and history, gitleaks and trufflehog carry larger detector libraries. reposcanner stays simple and entropy-driven.
Rule and entropy based secret scanner with a large built-in ruleset and git-history support.
Scans history and live sources, then verifies found credentials against their providers.
Targets JavaScript files for secrets rather than Git commit history.
faq
related
Find common security issues in Python code.
A source code scanner that reviews Ruby code for security issues.
Analyze big volumes of data in search of hardcoded secrets like keys and passwords.
Git ripper that can rip repositories even when directory browsing is turned off.
Check whether a Git repository pulls in Log4J, and list the files that use it.
Detect hardcoded secrets like passwords, API keys, and tokens in git repos.
A repository reference feeds reposcanner, which walks the commit history and writes any high-entropy secrets it finds as a queryable output.
Facts on this page come from the live Trickest tool library.