SecretHawk
Scan your own Git repos for leaked keys, tokens, and credentials — before they ship.
- Hybrid detection — 15 format-specific rules (AWS, GitHub, Stripe, Slack, private keys, JWTs…) plus a Shannon-entropy heuristic for generic high-randomness strings.
- Low false positives by design — path globs, regex allowlists, and inline secrethawk:ignore pragmas. Tests assert non-detections, not just hits.
- CI-native — SARIF for GitHub code scanning, JSON for pipelines, and a composite GitHub Action that fails the build on new findings.
- Safe output — previews are redacted to first-4 / last-2 chars; the raw secret never reaches the report.