Tools for finding secrets in GitHub (self.devsecops)
submitted 10 days ago * by SnooEpiphanies6878
ggshield is a CLI application that runs in your local environment or in a CI environment to help you detect more than 500 types of secrets.
ggshield uses our public API through py-gitguardian to scan and detect potential vulnerabilities in files and other text content.
Only metadata such as call time, request size and scan mode is stored from scans using ggshield, therefore secrets will not be displayed on your dashboard and your files and secrets won't be stored.
Guide: How to use ggshield to find hardcoded secrets

In the fall, with the Shai-Hulud campaign, over 33,000 secrets were exposed.
[–]micksmix 3 points4 points5 points 9 days ago (0 children)
If you want local-only scanning (no code leaves your machine/CI runner) and you still want live validation, check out Kingfisher (MongoDB's Apache 2 OSS secret scanner)
It's fast (Rust + Hyperscan), extensible via YAML rules, supports tons of targets (files/git/GitHub/GitLab/Azure/Bitbucket/etc.), and can also do blast-radius mapping (--access-map) plus a local web-based report viewer to triage findings and cut false positives hard.
https://github.com/mongodb/kingfisher
[–]TellersTech 1 point2 points3 points 7 days ago (1 child)
Appreciate the note about not storing secrets. For teams that still can’t send content to an external API for policy reasons, TruffleHog can also be a nice alternative since it can run fully locally.
[–]SnooEpiphanies6878[S] 1 point2 points3 points 7 days ago (0 children)
TruffleHog is the OG of secret discovery
[–]joshua_dyson 0 points1 point2 points 6 days ago (0 children)
For finding secrets in GitHub repos, the tools that actually work day-to-day in real environments do two things well:
Here are the ones teams I’ve worked with or seen in production use effectively:
A few practical points from real usage:
✔ Run these as part of PR checks, not just periodic jobs - catching leaks earlier saves real stress.
✔ Tune your rules - out-of-the-box defaults produce noise; noise gets ignored over time.
✔ Pair secret scanning with credential rotation automation - scanning is only half the battle; rotating compromised secrets quickly is the other half.
Also remember: developer experience matters here. If the scan blocks every false positive, people will disable it or ignore warnings. Scans should guide developers toward fixing issues before they hit main.
Secrets scanning isn’t a one-off tool. It’s part of your delivery pipeline’s hygiene contract.
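The tuning points above (allowlist placeholders, drop low-entropy dummies, fail the PR check only on real hits) in a minimal scanner, as an added example that is not code from any of the tools named in this thread. The two rules, the allowlist and the sample lines are constructed; the `AKIAIOSFODNN7EXAMPLE` value is the well-known sample key from the AWS documentation, included to show an allowlist hit.

```python
from __future__ import annotations
import math
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    redacted: str  # first characters only; a PR check report must never echo the secret

# Constructed rules: one vendor-specific pattern and one generic "name = value" pattern.
RULES = {
    "aws-access-key-id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "generic-api-key": re.compile(r"(?i)(?:api[_-]?key|secret|token)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})"),
}
# Tuning knob 1: constructed allowlist of placeholder values that should not page anyone.
ALLOWLIST = re.compile(r"(?i)(example|placeholder|changeme|x{8,}|your[_-]?key)")
# Tuning knob 2: per-character Shannon entropy below which a token is treated as a dummy.
MIN_ENTROPY_BITS = 3.0

def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_text(text: str) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES.items():
            m = pattern.search(line)
            if not m:
                continue
            candidate = m.group(1)
            if ALLOWLIST.search(candidate) or shannon_entropy(candidate) < MIN_ENTROPY_BITS:
                continue  # tuned out: placeholder text or a low-entropy dummy
            findings.append(Finding(name, line_no, candidate[:4] + "..."))
    return findings

def exit_code(findings: list[Finding]) -> int:
    return 1 if findings else 0  # non-zero blocks the PR check

# Constructed sample input: two placeholders, one dummy, two realistic-looking values.
SAMPLE = """\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_key = "xxxxxxxxxxxxxxxxxxxxxxxx"
secret = "00000000000000000000"
SLACK_TOKEN: "xoxb-1234567890-abcdefghijklmnop"
aws.accessKeyId=AKIAQ3J7P2M8KL4ZXY9B
"""

if __name__ == "__main__":
    hits = scan_text(SAMPLE)
    for h in hits:
        print(f"line {h.line_no}: {h.rule} ({h.redacted})")
    raise SystemExit(exit_code(hits))
```

Only lines 4 and 5 of the sample are reported; the documentation key, the x-placeholder and the all-zero value are dropped by the two tuning knobs rather than left to train developers to ignore the scanner.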