@masyv/secretscan 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 MASYV
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,122 @@
+# SecretScan
+
+**Real-time secret & credential detector for Claude Code.** Blocks API keys, tokens, private keys, and database passwords from ever entering your LLM context window.
+
+[![Rust](https://img.shields.io/badge/Rust-1.70+-orange.svg)](https://www.rust-lang.org/)
+[![npm](https://img.shields.io/npm/v/@masyv/secretscan)](https://www.npmjs.com/package/@masyv/secretscan)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
+
+## The Problem
+
+When Claude Code runs tools, their outputs flow directly into the context window. That includes:
+- `cat .env` → your API keys
+- `git log` → commit messages with accidentally committed credentials
+- Database query results → connection strings, hashed passwords
+- `curl` responses → tokens, JWTs, session cookies
+
+**SecretScan intercepts every tool output** before it reaches Claude, redacts detected secrets, and logs them locally. Claude sees `[REDACTED:anthropic_api_key:bbfc6912]` — not `sk-ant-api03-...`.
+
+## 47 Built-in Patterns
+
+| Severity | Providers |
+|----------|-----------|
+| 🔴 Critical | Anthropic, OpenAI, AWS, GitHub, Stripe, Google Service Account, PostgreSQL, MySQL, MongoDB, PEM Private Keys |
+| 🟠 High | GitLab, Slack, npm, SendGrid, Cloudflare, Azure, Redis, Heroku, Vercel, Datadog, HuggingFace, Discord, Shopify |
+| 🟡 Medium | JWT tokens, Twilio, env file secrets, Slack webhooks |
+| 🔵 Low | Test keys, certificates, high-entropy strings |
+
+Plus **Shannon entropy analysis** for detecting unknown secrets by statistical pattern.
+
+## Quick Start
+
+```bash
+# Install from source
+git clone https://github.com/Manavarya09/secretscan
+cd secretscan
+./scripts/build.sh && ./scripts/install.sh
+
+# Auto-configure Claude Code
+secretscan setup
+
+# That's it — restart Claude Code and you're protected.
+```
+
+## What It Looks Like
+
+```bash
+$ echo 'ANTHROPIC_API_KEY=sk-ant-api03-...' | secretscan scan
+
+🚨  1 secret found:
+
+  🔴 [CRITICAL]  Anthropic API Key   fingerprint: bbfc6912
+             sk-ant-api03-xxxxx…
+```
+
+With the hook active, Claude sees:
+```
+ANTHROPIC_API_KEY=[REDACTED:anthropic_api_key:bbfc6912]
+```
+
+## Recovery
+
+Originals are stored **locally** in SQLite — never forwarded anywhere:
+
+```bash
+secretscan expand bbfc6912
+# → sk-ant-api03-...
+```
+
+## Allowlist
+
+False positive? Mark it safe:
+
+```bash
+secretscan allow bbfc6912 --reason "This is a test key in the repo"
+```
+
+## CLI Reference
+
+```
+COMMANDS:
+  scan      Scan text, file, or stdin for secrets
+  hook      PostToolUse hook mode (reads hook JSON from stdin)
+  expand    Retrieve original value by fingerprint
+  allow     Add fingerprint to allowlist
+  unallow   Remove fingerprint from allowlist
+  stats     Show scan statistics
+  audit     List recent findings
+  patterns  List all 47 built-in patterns
+  setup     Auto-install PostToolUse hook into ~/.claude/settings.json
+
+OPTIONS:
+  --json        Output as JSON
+  --db-path     SQLite path [default: ~/.secretscan/secretscan.db]
+  -v, --verbose Verbose logging
+```
+
+## Manual Hook Setup
+
+Add to `~/.claude/settings.json`:
+
+```json
+{
+  "hooks": {
+    "PostToolUse": [
+      {
+        "matcher": "*",
+        "hooks": [{ "type": "command", "command": "secretscan hook" }]
+      }
+    ]
+  }
+}
+```
+
+## Performance
+
+- **< 2ms** per scan for typical tool outputs
+- **Zero network calls** — everything is local
+- **< 5MB** binary (release, stripped)
+
+## License
+
+MIT

package/core/Cargo.toml

@@ -0,0 +1,51 @@
+[package]
+name = "secretscan"
+version = "0.1.0"
+edition = "2021"
+description = "SecretScan — Real-time secret & credential detector for Claude Code. Blocks API keys, tokens, and private keys from entering your LLM context."
+license = "MIT"
+
+[[bin]]
+name = "secretscan"
+path = "src/main.rs"
+
+[lib]
+name = "secretscan"
+path = "src/lib.rs"
+
+[dependencies]
+# CLI
+clap = { version = "4", features = ["derive"] }
+
+# Serialization
+serde = { version = "1", features = ["derive"] }
+serde_json = "1"
+
+# Error handling
+anyhow = "1"
+thiserror = "2"
+
+# Regex
+regex = "1"
+once_cell = "1"
+
+# SQLite (lossless local storage of redacted originals)
+rusqlite = { version = "0.32", features = ["bundled"] }
+
+# Hashing
+blake3 = "1"
+
+# Logging
+tracing = "0.1"
+tracing-subscriber = { version = "0.3", features = ["env-filter"] }
+
+# Time
+chrono = { version = "0.4", features = ["serde"] }
+
+# Colors for terminal output
+colored = "2"
+
+[profile.release]
+opt-level = 3
+lto = "thin"
+strip = true

package/core/src/hook/mod.rs

@@ -0,0 +1,100 @@
+//! Claude Code hook handler.
+//! Reads PostToolUse / PreToolUse JSON from stdin, redacts secrets, writes to stdout.
+
+use anyhow::Result;
+use serde::{Deserialize, Serialize};
+use std::path::Path;
+
+use crate::redact;
+
+/// Claude Code PostToolUse hook input format.
+#[derive(Debug, Deserialize)]
+pub struct HookInput {
+    #[serde(default)]
+    pub tool_name: String,
+    #[serde(default)]
+    pub tool_input: serde_json::Value,
+    #[serde(default)]
+    pub tool_output: String,
+}
+
+/// Hook output — same shape as input with redacted fields.
+#[derive(Debug, Serialize)]
+pub struct HookOutput {
+    pub tool_name: String,
+    pub tool_input: serde_json::Value,
+    pub tool_output: String,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub secretscan: Option<HookMeta>,
+}
+
+#[derive(Debug, Serialize)]
+pub struct HookMeta {
+    pub secrets_found: usize,
+    pub redacted: Vec<String>,
+    pub clean: bool,
+}
+
+/// Process a hook call: scan + redact tool_output and tool_input values.
+pub fn process(raw: &str, db_path: &Path, session_id: &str) -> Result<String> {
+    let input: HookInput = match serde_json::from_str(raw) {
+        Ok(v) => v,
+        Err(_) => {
+            // Not a valid hook payload — pass through unchanged
+            return Ok(raw.to_string());
+        }
+    };
+
+    let tool_name = input.tool_name.as_str();
+
+    // Redact tool_output
+    let output_result = redact::scan_and_redact(
+        &input.tool_output,
+        Some(tool_name),
+        db_path,
+        session_id,
+    );
+
+    // Redact tool_input (serialized to string for scanning)
+    let input_str = serde_json::to_string(&input.tool_input).unwrap_or_default();
+    let input_result = redact::scan_and_redact(
+        &input_str,
+        Some(tool_name),
+        db_path,
+        session_id,
+    );
+    let redacted_input: serde_json::Value =
+        serde_json::from_str(&input_result.redacted_text).unwrap_or(input.tool_input);
+
+    let total_found = output_result.findings.len() + input_result.findings.len();
+    let mut all_redacted: Vec<String> = output_result
+        .findings
+        .iter()
+        .map(|f| format!("{} ({})", f.pattern_name, f.severity.as_str()))
+        .collect();
+    all_redacted.extend(
+        input_result
+            .findings
+            .iter()
+            .map(|f| format!("{} ({})", f.pattern_name, f.severity.as_str())),
+    );
+
+    let meta = if total_found > 0 {
+        Some(HookMeta {
+            secrets_found: total_found,
+            redacted: all_redacted,
+            clean: false,
+        })
+    } else {
+        None
+    };
+
+    let output = HookOutput {
+        tool_name: tool_name.to_string(),
+        tool_input: redacted_input,
+        tool_output: output_result.redacted_text,
+        secretscan: meta,
+    };
+
+    Ok(serde_json::to_string(&output)?)
+}

package/core/src/lib.rs

@@ -0,0 +1,93 @@
+pub mod hook;
+pub mod patterns;
+pub mod redact;
+pub mod store;
+
+use serde::{Deserialize, Serialize};
+
+/// Secret severity level.
+#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Serialize, Deserialize)]
+#[serde(rename_all = "lowercase")]
+pub enum Severity {
+    Low,
+    Medium,
+    High,
+    Critical,
+}
+
+impl Severity {
+    pub fn as_str(self) -> &'static str {
+        match self {
+            Self::Low      => "low",
+            Self::Medium   => "medium",
+            Self::High     => "high",
+            Self::Critical => "critical",
+        }
+    }
+
+    pub fn emoji(self) -> &'static str {
+        match self {
+            Self::Low      => "🔵",
+            Self::Medium   => "🟡",
+            Self::High     => "🟠",
+            Self::Critical => "🔴",
+        }
+    }
+
+    pub fn color_code(self) -> &'static str {
+        match self {
+            Self::Low      => "\x1b[34m", // blue
+            Self::Medium   => "\x1b[33m", // yellow
+            Self::High     => "\x1b[91m", // bright red
+            Self::Critical => "\x1b[31m", // red
+        }
+    }
+}
+
+/// A single secret detection finding.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct Finding {
+    pub pattern_id: &'static str,
+    pub pattern_name: &'static str,
+    pub severity: Severity,
+    /// The original matched string (stored locally, never forwarded).
+    pub matched: String,
+    /// Safe replacement string: `[REDACTED:pattern_id:fingerprint]`
+    pub redacted: String,
+    /// First 8 hex chars of blake3(matched) — used for recovery + allowlist.
+    pub fingerprint: String,
+    pub offset: usize,
+    pub length: usize,
+}
+
+/// Result of a scan + redact operation.
+#[derive(Debug, Serialize)]
+pub struct ScanResult {
+    pub original_len: usize,
+    pub redacted_text: String,
+    pub findings: Vec<Finding>,
+    pub clean: bool,
+}
+
+impl ScanResult {
+    pub fn summary(&self) -> String {
+        if self.clean {
+            return "✅  No secrets detected.".to_string();
+        }
+        let mut lines = vec![format!(
+            "🚨  {} secret{} found:",
+            self.findings.len(),
+            if self.findings.len() == 1 { "" } else { "s" }
+        )];
+        for f in &self.findings {
+            lines.push(format!(
+                "  {} [{}] {} — {}",
+                f.severity.emoji(),
+                f.severity.as_str().to_uppercase(),
+                f.pattern_name,
+                f.fingerprint
+            ));
+        }
+        lines.join("\n")
+    }
+}