loading
loading
Static Code Analysis
Runs a regex ruleset across a directory or GitHub repository and saves matched secrets as JSON.
overview
rex, also called regexFinder, runs a set of regular expressions across the files in a directory or a GitHub repository and records every hit as structured JSON. There is no fixed detector list: you supply the patterns in a regex YAML file, so the same engine hunts for AWS keys, bearer tokens, internal hostnames, or any string shape you can describe.
It reads a local folder or pulls a remote GitHub repository, and a GitHub token opens private repositories for scanning. Work spreads across a configurable thread count so a large tree finishes quickly, and each match stays attributed to its file and pattern for clean triage.
On Trickest, rex is a Static Code Analysis node that takes a target directory or repository plus a regex ruleset and writes a file and a folder of matches. Reach for it when you want to enforce a custom secret-pattern policy across the repositories your team owns, then route the JSON findings into a tracker.
use cases
Point rex at your own regex YAML so the scan looks for the exact key, token, and credential shapes that matter to your stack rather than a generic preset.
Provide a GitHub token and a repository name to fetch and scan code that is not public, catching leaked API keys before they reach a wider audience.
Collect matches as JSON keyed to file and pattern so a downstream node can filter, deduplicate, and route findings into a tracker.
Raise the thread count so a deep directory or a large repository scans quickly without serializing every file.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| directory-to-scan | FOLDER | -d | Local directory of files and folders to scan for secrets. |
| github-repo | STRING | -g | GitHub repository to fetch and scan for secrets. |
| regex-path | FILE | -r | Path to the regex.yaml ruleset that defines what to match. |
| gh_token | STRING | -t | GitHub token for scanning private repositories. |
| threads | STRING | -c | Number of threads to spread the scan across. |
Showing key inputs. rex exposes 5 inputs in total.
example
# scan a GitHub repo against a custom regex ruleset, 20 threadsrex -g example/payments-api -t ghp_EXAMPLETOKEN0000 -r rules/secrets.yaml -c 20{ "aws-access-key-id": [ { "file": "config/settings.py", "line": 42, "match": "AKIAEXAMPLEKEY000000" } ], "generic-api-token": [ { "file": "src/api/client.js", "line": 118, "match": "token=EXAMPLE-b3f1-4a2c" }, { "file": "tests/fixtures/env.sample", "line": 7, "match": "sk_test_EXAMPLE000" } ], "rsa-private-key": [ { "file": "deploy/keys/id_rsa", "line": 1, "match": "-----BEGIN RSA PRIVATE KEY-----" } ]}guidance
Use rex when you want to drive secret discovery from your own regex ruleset against a directory or GitHub repository. For prebuilt detector libraries with git-history support, gitleaks and trufflehog are stronger. For JS-specific secrets, secretfinder fits better.
Ships a large built-in ruleset and scans git history, less reliant on hand-written patterns.
Detects and then verifies credentials against their live providers.
Specializes in extracting secrets from JavaScript files rather than arbitrary directories.
faq
related
Find common security issues in Python code.
A source code scanner that reviews Ruby code for security issues.
Analyze big volumes of data in search of hardcoded secrets like keys and passwords.
Git ripper that can rip repositories even when directory browsing is turned off.
Check whether a Git repository pulls in Log4J, and list the files that use it.
Detect hardcoded secrets like passwords, API keys, and tokens in git repos.
A GitHub repository and a regex ruleset feed rex, which matches every pattern against the code and writes the found secrets as queryable JSON.
Facts on this page come from the live Trickest tool library.