secret-scan 0.1.2__tar.gz

secret_scan-0.1.2/LICENSE

@@ -0,0 +1,22 @@
+MIT License
+
+Copyright (c) 2025 amitu314, harshahemanth
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+

secret_scan-0.1.2/PKG-INFO

@@ -0,0 +1,187 @@
+Metadata-Version: 2.4
+Name: secret-scan
+Version: 0.1.2
+Summary: A simple secret/credential scanner for source code repositories.
+Author-email: Your Name <you@example.com>
+License: MIT License
+        
+        Copyright (c) 2025 amitu314, harshahemanth
+        
+        Permission is hereby granted, free of charge, to any person obtaining a copy
+        of this software and associated documentation files (the "Software"), to deal
+        in the Software without restriction, including without limitation the rights
+        to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+        copies of the Software, and to permit persons to whom the Software is
+        furnished to do so, subject to the following conditions:
+        
+        The above copyright notice and this permission notice shall be included in all
+        copies or substantial portions of the Software.
+        
+        THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+        IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+        FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+        AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+        LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+        OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+        SOFTWARE.
+        
+        
+Project-URL: Homepage, https://github.com/harshahemanth/secret-scan
+Project-URL: Repository, https://github.com/harshahemanth/secret-scan
+Project-URL: Issues, https://github.com/harshahemanth/secret-scan/issues
+Project-URL: Documentation, https://github.com/harshahemanth/secret-scan#readme
+Keywords: security,secrets,credentials,scanner
+Classifier: Programming Language :: Python :: 3
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: Topic :: Security
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Dynamic: license-file
+
+# secret-scan
+
+A fast, lightweight CLI tool to detect secrets in source code.
+
+`secret-scan` scans directories for sensitive data such as:
+
+- AWS Access Keys and Secret Keys
+- OpenAI API keys (sk-...)
+- Password assignments
+- Bearer tokens
+- SSH private keys
+- Azure storage keys
+- Generic API keys and tokens
+- JWT tokens
+
+It skips binary files, ignores common junk directories (node_modules, .git, venv, etc.), avoids scanning large files, and supports extensible regular expressions.
+
+## Installation
+
+    pip install secret-scan
+
+To upgrade:
+
+    pip install --upgrade secret-scan
+
+## Basic Usage
+
+Scan the current directory:
+
+    secret-scan .
+
+Scan a specific directory:
+
+    secret-scan ~/projects/my-repo
+
+Write results to a file (default: docsCred.txt):
+
+    secret-scan . --output secrets.txt
+
+## JSON Output
+
+Generate JSON output (useful for CI pipelines):
+
+    secret-scan . --json
+
+Example output:
+
+    [
+      {
+        "file": "config/settings.py",
+        "line": 20,
+        "match": "AWS_ACCESS_KEY_ID=AKIA1234567890ABCD12"
+      },
+      {
+        "file": "service/api.py",
+        "line": 42,
+        "match": "sk-ABCDEFGHIJKLMNOPQRSTUV123456"
+      }
+    ]
+
+## Command-Line Options
+
+| Flag              | Description                                |
+|------------------|--------------------------------------------|
+| --output <file>  | Save text results (default: docsCred.txt)   |
+| --skip-ext .log  | Skip specific file extensions               |
+| --skip-dir <dir> | Skip specific directories                   |
+| --max-size-mb N  | Scan only files smaller than N MB           |
+| --json           | Print JSON results to stdout                |
+
+Example:
+
+    secret-scan . --skip-ext .log --skip-dir build --json
+
+## What It Detects
+
+### AWS
+- Access Key IDs (AKIA...)
+- Secret Access Keys
+- Environment variable forms such as AWS_ACCESS_KEY_ID=...
+
+### OpenAI
+- Keys beginning with sk-
+
+### Passwords and Tokens
+- password=...
+- api_key=...
+- Bearer tokens
+- JWT tokens (xxx.yyy.zzz)
+
+### Private Keys
+- -----BEGIN PRIVATE KEY-----
+
+### Cloud Provider Keys
+- Azure storage account keys
+- Redis/MySQL/Postgres/Mongo/FTP/SMTP connection strings
+
+## Automatic Skips
+
+The scanner automatically ignores:
+
+- .git, .hg, .svn
+- node_modules
+- Python virtual environments (venv, .venv, env)
+- Binary files (null-byte detection)
+- Large files (over 5 MB by default)
+- Common non-text extensions (images, archives, executables)
+
+## Extending Detection Patterns
+
+Detection patterns are defined in:
+
+    src/secret_scanner/patterns.py
+
+You may extend or modify these patterns to detect additional token types.
+
+## Programmatic Usage
+
+Example using the Python API:
+
+    from pathlib import Path
+    from secret_scanner import scan_directory
+
+    matches = scan_directory(Path("."), output_path=None)
+    for m in matches:
+        print(m["file"], m["line"], m["match"])
+
+## Running Tests
+
+    pytest -q
+
+## Contributing
+
+Contributions are welcome.
+
+1. Fork the repository
+2. Create a feature branch
+3. Add tests for new functionality
+4. Open a pull request
+
+## License
+
+This project is licensed under the MIT License. See the LICENSE file for full details.
+

secret_scan-0.1.2/README.md

@@ -0,0 +1,144 @@
+# secret-scan
+
+A fast, lightweight CLI tool to detect secrets in source code.
+
+`secret-scan` scans directories for sensitive data such as:
+
+- AWS Access Keys and Secret Keys
+- OpenAI API keys (sk-...)
+- Password assignments
+- Bearer tokens
+- SSH private keys
+- Azure storage keys
+- Generic API keys and tokens
+- JWT tokens
+
+It skips binary files, ignores common junk directories (node_modules, .git, venv, etc.), avoids scanning large files, and supports extensible regular expressions.
+
+## Installation
+
+    pip install secret-scan
+
+To upgrade:
+
+    pip install --upgrade secret-scan
+
+## Basic Usage
+
+Scan the current directory:
+
+    secret-scan .
+
+Scan a specific directory:
+
+    secret-scan ~/projects/my-repo
+
+Write results to a file (default: docsCred.txt):
+
+    secret-scan . --output secrets.txt
+
+## JSON Output
+
+Generate JSON output (useful for CI pipelines):
+
+    secret-scan . --json
+
+Example output:
+
+    [
+      {
+        "file": "config/settings.py",
+        "line": 20,
+        "match": "AWS_ACCESS_KEY_ID=AKIA1234567890ABCD12"
+      },
+      {
+        "file": "service/api.py",
+        "line": 42,
+        "match": "sk-ABCDEFGHIJKLMNOPQRSTUV123456"
+      }
+    ]
+
+## Command-Line Options
+
+| Flag              | Description                                |
+|------------------|--------------------------------------------|
+| --output <file>  | Save text results (default: docsCred.txt)   |
+| --skip-ext .log  | Skip specific file extensions               |
+| --skip-dir <dir> | Skip specific directories                   |
+| --max-size-mb N  | Scan only files smaller than N MB           |
+| --json           | Print JSON results to stdout                |
+
+Example:
+
+    secret-scan . --skip-ext .log --skip-dir build --json
+
+## What It Detects
+
+### AWS
+- Access Key IDs (AKIA...)
+- Secret Access Keys
+- Environment variable forms such as AWS_ACCESS_KEY_ID=...
+
+### OpenAI
+- Keys beginning with sk-
+
+### Passwords and Tokens
+- password=...
+- api_key=...
+- Bearer tokens
+- JWT tokens (xxx.yyy.zzz)
+
+### Private Keys
+- -----BEGIN PRIVATE KEY-----
+
+### Cloud Provider Keys
+- Azure storage account keys
+- Redis/MySQL/Postgres/Mongo/FTP/SMTP connection strings
+
+## Automatic Skips
+
+The scanner automatically ignores:
+
+- .git, .hg, .svn
+- node_modules
+- Python virtual environments (venv, .venv, env)
+- Binary files (null-byte detection)
+- Large files (over 5 MB by default)
+- Common non-text extensions (images, archives, executables)
+
+## Extending Detection Patterns
+
+Detection patterns are defined in:
+
+    src/secret_scanner/patterns.py
+
+You may extend or modify these patterns to detect additional token types.
+
+## Programmatic Usage
+
+Example using the Python API:
+
+    from pathlib import Path
+    from secret_scanner import scan_directory
+
+    matches = scan_directory(Path("."), output_path=None)
+    for m in matches:
+        print(m["file"], m["line"], m["match"])
+
+## Running Tests
+
+    pytest -q
+
+## Contributing
+
+Contributions are welcome.
+
+1. Fork the repository
+2. Create a feature branch
+3. Add tests for new functionality
+4. Open a pull request
+
+## License
+
+This project is licensed under the MIT License. See the LICENSE file for full details.
+

secret_scan-0.1.2/pyproject.toml

@@ -0,0 +1,39 @@
+[build-system]
+requires = ["setuptools>=64", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "secret-scan"          
+version = "0.1.2"
+description = "A simple secret/credential scanner for source code repositories."
+readme = "README.md"
+requires-python = ">=3.9"
+license = { file = "LICENSE" }         
+authors = [
+  { name = "Your Name", email = "you@example.com" }
+]
+keywords = ["security", "secrets", "credentials", "scanner"]
+classifiers = [
+  "Programming Language :: Python :: 3",
+  "License :: OSI Approved :: MIT License",
+  "Environment :: Console",
+  "Intended Audience :: Developers",
+  "Topic :: Security",
+]
+
+dependencies = []                  # stdlib only right now
+
+[project.urls]
+Homepage = "https://github.com/harshahemanth/secret-scan"
+Repository = "https://github.com/harshahemanth/secret-scan"
+Issues = "https://github.com/harshahemanth/secret-scan/issues"
+Documentation = "https://github.com/harshahemanth/secret-scan#readme"
+
+[project.scripts]
+secret-scan = "secret_scanner.cli:main"
+
+[tool.setuptools]
+package-dir = {"" = "src"}
+
+[tool.setuptools.packages.find]
+where = ["src"]

secret_scan-0.1.2/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

secret_scan-0.1.2/src/secret_scan.egg-info/PKG-INFO

@@ -0,0 +1,187 @@
+Metadata-Version: 2.4
+Name: secret-scan
+Version: 0.1.2
+Summary: A simple secret/credential scanner for source code repositories.
+Author-email: Your Name <you@example.com>
+License: MIT License
+        
+        Copyright (c) 2025 amitu314, harshahemanth
+        
+        Permission is hereby granted, free of charge, to any person obtaining a copy
+        of this software and associated documentation files (the "Software"), to deal
+        in the Software without restriction, including without limitation the rights
+        to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+        copies of the Software, and to permit persons to whom the Software is
+        furnished to do so, subject to the following conditions:
+        
+        The above copyright notice and this permission notice shall be included in all
+        copies or substantial portions of the Software.
+        
+        THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+        IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+        FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+        AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+        LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+        OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+        SOFTWARE.
+        
+        
+Project-URL: Homepage, https://github.com/harshahemanth/secret-scan
+Project-URL: Repository, https://github.com/harshahemanth/secret-scan
+Project-URL: Issues, https://github.com/harshahemanth/secret-scan/issues
+Project-URL: Documentation, https://github.com/harshahemanth/secret-scan#readme
+Keywords: security,secrets,credentials,scanner
+Classifier: Programming Language :: Python :: 3
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: Topic :: Security
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Dynamic: license-file
+
+# secret-scan
+
+A fast, lightweight CLI tool to detect secrets in source code.
+
+`secret-scan` scans directories for sensitive data such as:
+
+- AWS Access Keys and Secret Keys
+- OpenAI API keys (sk-...)
+- Password assignments
+- Bearer tokens
+- SSH private keys
+- Azure storage keys
+- Generic API keys and tokens
+- JWT tokens
+
+It skips binary files, ignores common junk directories (node_modules, .git, venv, etc.), avoids scanning large files, and supports extensible regular expressions.
+
+## Installation
+
+    pip install secret-scan
+
+To upgrade:
+
+    pip install --upgrade secret-scan
+
+## Basic Usage
+
+Scan the current directory:
+
+    secret-scan .
+
+Scan a specific directory:
+
+    secret-scan ~/projects/my-repo
+
+Write results to a file (default: docsCred.txt):
+
+    secret-scan . --output secrets.txt
+
+## JSON Output
+
+Generate JSON output (useful for CI pipelines):
+
+    secret-scan . --json
+
+Example output:
+
+    [
+      {
+        "file": "config/settings.py",
+        "line": 20,
+        "match": "AWS_ACCESS_KEY_ID=AKIA1234567890ABCD12"
+      },
+      {
+        "file": "service/api.py",
+        "line": 42,
+        "match": "sk-ABCDEFGHIJKLMNOPQRSTUV123456"
+      }
+    ]
+
+## Command-Line Options
+
+| Flag              | Description                                |
+|------------------|--------------------------------------------|
+| --output <file>  | Save text results (default: docsCred.txt)   |
+| --skip-ext .log  | Skip specific file extensions               |
+| --skip-dir <dir> | Skip specific directories                   |
+| --max-size-mb N  | Scan only files smaller than N MB           |
+| --json           | Print JSON results to stdout                |
+
+Example:
+
+    secret-scan . --skip-ext .log --skip-dir build --json
+
+## What It Detects
+
+### AWS
+- Access Key IDs (AKIA...)
+- Secret Access Keys
+- Environment variable forms such as AWS_ACCESS_KEY_ID=...
+
+### OpenAI
+- Keys beginning with sk-
+
+### Passwords and Tokens
+- password=...
+- api_key=...
+- Bearer tokens
+- JWT tokens (xxx.yyy.zzz)
+
+### Private Keys
+- -----BEGIN PRIVATE KEY-----
+
+### Cloud Provider Keys
+- Azure storage account keys
+- Redis/MySQL/Postgres/Mongo/FTP/SMTP connection strings
+
+## Automatic Skips
+
+The scanner automatically ignores:
+
+- .git, .hg, .svn
+- node_modules
+- Python virtual environments (venv, .venv, env)
+- Binary files (null-byte detection)
+- Large files (over 5 MB by default)
+- Common non-text extensions (images, archives, executables)
+
+## Extending Detection Patterns
+
+Detection patterns are defined in:
+
+    src/secret_scanner/patterns.py
+
+You may extend or modify these patterns to detect additional token types.
+
+## Programmatic Usage
+
+Example using the Python API:
+
+    from pathlib import Path
+    from secret_scanner import scan_directory
+
+    matches = scan_directory(Path("."), output_path=None)
+    for m in matches:
+        print(m["file"], m["line"], m["match"])
+
+## Running Tests
+
+    pytest -q
+
+## Contributing
+
+Contributions are welcome.
+
+1. Fork the repository
+2. Create a feature branch
+3. Add tests for new functionality
+4. Open a pull request
+
+## License
+
+This project is licensed under the MIT License. See the LICENSE file for full details.
+

secret_scan-0.1.2/src/secret_scan.egg-info/SOURCES.txt

@@ -0,0 +1,12 @@
+LICENSE
+README.md
+pyproject.toml
+src/secret_scan.egg-info/PKG-INFO
+src/secret_scan.egg-info/SOURCES.txt
+src/secret_scan.egg-info/dependency_links.txt
+src/secret_scan.egg-info/entry_points.txt
+src/secret_scan.egg-info/top_level.txt
+src/secret_scanner/cli.py
+src/secret_scanner/patterns.py
+src/secret_scanner/scanner.py
+tests/test_secret_scanner.py

secret_scan-0.1.2/src/secret_scan.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

secret_scan-0.1.2/src/secret_scan.egg-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+secret-scan = secret_scanner.cli:main

secret_scan-0.1.2/src/secret_scan.egg-info/top_level.txt

@@ -0,0 +1 @@
+secret_scanner

secret_scan-0.1.2/src/secret_scanner/cli.py

@@ -0,0 +1,89 @@
+# src/secret_scanner/cli.py
+
+import argparse
+import json
+import sys
+from pathlib import Path
+
+from .scanner import scan_directory
+
+
+def parse_args(argv=None):
+    parser = argparse.ArgumentParser(
+        description="Scan a directory for potential credentials/secrets."
+    )
+    parser.add_argument(
+        "path",
+        help="Directory to scan.",
+    )
+    parser.add_argument(
+        "-o",
+        "--output",
+        default="docsCred.txt",
+        help="Output file path for text results (default: docsCred.txt)",
+    )
+    parser.add_argument(
+        "--max-size-mb",
+        type=int,
+        default=5,
+        help="Maximum file size in megabytes to scan (default: 5). "
+             "Use 0 or a negative value to disable the size limit.",
+    )
+    parser.add_argument(
+        "--skip-dir",
+        action="append",
+        default=[],
+        help="Additional directory name to skip. Can be passed multiple times.",
+    )
+    parser.add_argument(
+        "--skip-ext",
+        action="append",
+        default=[],
+        help="Additional file extension to skip (e.g. .log). "
+             "Can be passed multiple times.",
+    )
+    parser.add_argument(
+        "--json",
+        action="store_true",
+        help="Print results as JSON to stdout.",
+    )
+    return parser.parse_args(argv)
+
+
+def main(argv=None):
+    args = parse_args(argv)
+
+    root = Path(args.path).expanduser()
+    output = Path(args.output).expanduser() if args.output else None
+
+    if args.max_size_mb and args.max_size_mb > 0:
+        max_bytes = args.max_size_mb * 1024 * 1024
+    else:
+        max_bytes = None
+
+    extra_dirs = set(args.skip_dir) if args.skip_dir else None
+    extra_exts = set(args.skip_ext) if args.skip_ext else None
+
+    print(f"Scanning directory: {root}", file=sys.stderr)
+    if output is not None:
+        print(f"Writing text results to: {output}", file=sys.stderr)
+
+    matches = scan_directory(
+        root_path=root,
+        output_path=output,
+        skip_dirs=extra_dirs,
+        skip_exts=extra_exts,
+        max_file_size_bytes=max_bytes,
+    )
+
+    print(f"Scan complete. {len(matches)} potential secret(s) found.", file=sys.stderr)
+
+    if args.json:
+        # Pretty JSON to stdout
+        json.dump(matches, sys.stdout, indent=2)
+        print()  # newline after JSON
+
+
+if __name__ == "__main__":
+    main(sys.argv[1:])
+

secret_scan-0.1.2/src/secret_scanner/patterns.py

@@ -0,0 +1,43 @@
+# src/secret_scanner/patterns.py
+
+import re
+
+PATTERN_SOURCE = r"""
+(
+    # Existing patterns ...
+
+    (?:mongodb|postgres|mysql|jdbc|redis|ftp|smtp)[\s_\-=:][A-Za-z0-9+=._-]{10,}|
+    Azure_Storage_(?:AccountName|AccountKey|key|Key|KEY|AccessKey|ACCESSKEY|SasToken)[^\n]+|
+    ClientSecret"\svalue=.+|
+    (?:AccessKey|ACCESSKEY|ACCESS_KEY|Access_key)=\S{10,}|
+    AccountKey=\S{10,}|
+    secret_key_base:\s.[A-Za-z0-9_.-]{12,}|
+    secret(?:\s|:|=).+[A-Za-z0-9_.-]{12,}|
+    Bearer\s.\S{11,}|
+    api[_-](?:key|token)(?::|=).[A-Za-z0-9_.-]{10,}|
+    ssh-rsa\s+[A-Za-z0-9+/=]+|
+    -----BEGIN\s(?:RSA|DSA|EC|PGP|OPENSSH)\sPRIVATE\sKEY-----|
+    (?:password|passwd|pwd|Password|PASSWORD)\s*[:=]\s*["']?[^\s"']{8,}|
+    eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}|
+
+
+    # AWS access key IDs (AKIA..., etc.)
+    (?:AWS|aws)_?(?:ACCESS_KEY_ID|ACCESS_KEY|ACCESSKEY)\s*[:=]\s*["']?(?:AKIA|ASIA|AGPA|AIDA|AROA|ANPA)[0-9A-Z]{16}["']?|
+    (?:AKIA|ASIA|AGPA|AIDA|AROA|ANPA)[0-9A-Z]{16}|   # standalone
+
+
+    # AWS secret access keys
+    (?:aws_secret_access_key|AWS_SECRET_ACCESS_KEY)\s*[:=]\s*["']?[A-Za-z0-9/+=]{40}["']?|
+    aws_?(?:secret|access)?_?key\s*[:=]\s*["']?[A-Za-z0-9/+=]{16,}["']?|
+
+
+    # OpenAI API keys (sk-)
+    (?:OPENAI_API_KEY|openai_api_key)\s*[:=]\s*["']?sk-[A-Za-z0-9]{20,}["']?|
+    sk-[A-Za-z0-9]{20,}
+)
+"""
+
+
+def build_pattern() -> re.Pattern:
+    return re.compile(PATTERN_SOURCE, re.IGNORECASE | re.VERBOSE)
+

secret_scan-0.1.2/src/secret_scanner/scanner.py

@@ -0,0 +1,124 @@
+# src/secret_scanner/scanner.py
+
+import os
+from pathlib import Path
+import re
+
+from .patterns import build_pattern
+
+DEFAULT_SKIP_DIRS = {
+    ".git", ".hg", ".svn",
+    ".idea", ".vscode",
+    "node_modules",
+    ".venv", "venv", "env",
+    "__pycache__",
+    "dist", "build",
+}
+
+DEFAULT_SKIP_EXTS = {
+    ".jpg", ".jpeg", ".png", ".gif", ".bmp", ".ico",
+    ".pdf",
+    ".zip", ".tar", ".gz", ".7z", ".rar",
+    ".exe", ".dll", ".so", ".dylib",
+    ".class", ".jar",
+}
+
+
+def is_binary_file(path: Path, blocksize: int = 1024) -> bool:
+    try:
+        with path.open("rb") as f:
+            chunk = f.read(blocksize)
+        return b"\0" in chunk
+    except OSError:
+        return True
+
+
+def scan_directory(
+    root_path: Path,
+    output_path: Path | None = None,
+    skip_dirs=None,
+    skip_exts=None,
+    max_file_size_bytes: int | None = 5 * 1024 * 1024,
+    pattern: re.Pattern | None = None,
+):
+    """
+    Walks root_path, skips junk dirs/exts/binary/large files,
+    scans text files line-by-line, optionally writes to output_path,
+    and returns a list of match dicts:
+        { "file": str, "line": int, "match": str }
+    """
+    if skip_dirs is None:
+        effective_skip_dirs = set(DEFAULT_SKIP_DIRS)
+    else:
+        effective_skip_dirs = set(DEFAULT_SKIP_DIRS).union(skip_dirs)
+
+    if skip_exts is None:
+        effective_skip_exts = set(DEFAULT_SKIP_EXTS)
+    else:
+        extra = {
+            e.lower() if e.startswith(".") else f".{e.lower()}"
+            for e in skip_exts
+        }
+        effective_skip_exts = set(DEFAULT_SKIP_EXTS).union(extra)
+
+    if pattern is None:
+        pattern = build_pattern()
+
+    matches_found: list[dict] = []
+    root_path = root_path.resolve()
+
+    # If output_path is provided, open once and reuse
+    cred_file_ctx = (
+        open(output_path, "w", encoding="utf-8")
+        if output_path is not None
+        else None
+    )
+
+    try:
+        for current_root, dirnames, filenames in os.walk(root_path):
+            dirnames[:] = [d for d in dirnames if d not in effective_skip_dirs]
+
+            for filename in filenames:
+                file_path = Path(current_root) / filename
+
+                ext = (
+                    "." + file_path.name.split(".")[-1].lower()
+                    if "." in file_path.name
+                    else ""
+                )
+                if ext in effective_skip_exts:
+                    continue
+
+                if max_file_size_bytes is not None:
+                    try:
+                        if file_path.stat().st_size > max_file_size_bytes:
+                            continue
+                    except OSError:
+                        continue
+
+                if is_binary_file(file_path):
+                    continue
+
+                try:
+                    with file_path.open("r", encoding="utf-8", errors="ignore") as f:
+                        for lineno, line in enumerate(f, start=1):
+                            for m in pattern.finditer(line):
+                                match_text = m.group(0)
+                                record = {
+                                    "file": str(file_path),
+                                    "line": lineno,
+                                    "match": match_text,
+                                }
+                                matches_found.append(record)
+                                if cred_file_ctx is not None:
+                                    cred_file_ctx.write(
+                                        f"{file_path}:{lineno} | {match_text}\n"
+                                    )
+                except Exception as e:
+                    print(f"Error reading file {file_path}: {e}")
+    finally:
+        if cred_file_ctx is not None:
+            cred_file_ctx.close()
+
+    return matches_found
+

secret_scan-0.1.2/tests/test_secret_scanner.py

@@ -0,0 +1,137 @@
+# tests/test_secret_scanner.py
+
+from pathlib import Path
+
+from secret_scanner.scanner import scan_directory, DEFAULT_SKIP_DIRS
+from secret_scanner.patterns import build_pattern
+
+
+def _write_text(path: Path, content: str):
+    path.parent.mkdir(parents=True, exist_ok=True)
+    path.write_text(content, encoding="utf-8")
+
+
+def _write_binary(path: Path, content: bytes):
+    path.parent.mkdir(parents=True, exist_ok=True)
+    with path.open("wb") as f:
+        f.write(content)
+
+
+def test_skips_default_junk_dirs(tmp_path: Path):
+    """
+    Files under junk dirs like node_modules should be skipped,
+    but regular app files should be scanned.
+    """
+    # Junk dir with a "secret"
+    junk_dir = tmp_path / "node_modules"
+    junk_file = junk_dir / "secret.js"
+    _write_text(junk_file, "password=supersecretjunk")
+
+    # Normal app file with a "secret"
+    app_dir = tmp_path / "app"
+    app_file = app_dir / "config.py"
+    _write_text(app_file, "password=mygoodsecret")
+
+    output_file = tmp_path / "out.txt"
+    matches = scan_directory(tmp_path, output_file)
+
+    # Should find the secret in app/config.py
+    assert any("mygoodsecret" in m["match"] for m in matches)
+
+    # Should NOT report the one under node_modules
+    assert not any("supersecretjunk" in m["match"] for m in matches)
+
+
+def test_skips_binary_files(tmp_path: Path):
+    """
+    Binary files (with null bytes) should be skipped even if they contain
+    credential-looking strings.
+    """
+    text_file = tmp_path / "config.txt"
+    _write_text(text_file, "password=plaintextsecret")
+
+    bin_file = tmp_path / "binary.dat"
+    # Contains a null byte and a password-looking string
+    _write_binary(bin_file, b"\x00\x01\x02password=binarysecret")
+
+    output_file = tmp_path / "out.txt"
+    matches = scan_directory(tmp_path, output_file)
+
+    # Should detect the secret in the text file
+    assert any("plaintextsecret" in m["match"] for m in matches)
+
+    # Should NOT detect the binarysecret
+    assert not any("binarysecret" in m["match"] for m in matches)
+
+
+def test_respects_extra_skip_ext(tmp_path: Path):
+    """
+    Additional skip extensions passed to scan_directory should be honored.
+    """
+    # .log file with secret
+    log_file = tmp_path / "app.log"
+    _write_text(log_file, "password=logsecret")
+
+    # .txt file with secret
+    txt_file = tmp_path / "config.txt"
+    _write_text(txt_file, "password=txtsecret")
+
+    # First scan: default behavior, .log is NOT skipped
+    output_file1 = tmp_path / "out1.txt"
+    matches1 = scan_directory(tmp_path, output_file1)
+    assert any("logsecret" in m["match"] and m["file"] == str(log_file) for m in matches1)
+    assert any("txtsecret" in m["match"] and m["file"] == str(txt_file) for m in matches1)
+
+    # Second scan: explicitly skip .log files
+    output_file2 = tmp_path / "out2.txt"
+    matches2 = scan_directory(tmp_path, output_file2, skip_exts={".log"})
+
+    # Should still see txtsecret from config.txt
+    assert any("txtsecret" in m["match"] and m["file"] == str(txt_file) for m in matches2)
+
+    # Should NOT see logsecret coming from app.log
+    assert not any("logsecret" in m["match"] and m["file"] == str(log_file) for m in matches2)
+
+
+def test_uses_default_regex_pattern(tmp_path: Path):
+    """
+    Sanity check that the default regex pattern is actually used and
+    recognizes a common password pattern.
+    """
+    file_path = tmp_path / "test.txt"
+    _write_text(file_path, "password=mydefaultpatternsecret")
+
+    output_file = tmp_path / "out.txt"
+    matches = scan_directory(tmp_path, output_file, pattern=build_pattern())
+
+    assert any("mydefaultpatternsecret" in m["match"] for m in matches)
+
+
+def test_detects_aws_access_key(tmp_path: Path):
+    """
+    Ensure AWS access key IDs are detected.
+    AWS Access Key ID: AKIA + 16 uppercase alnum chars (total 20).
+    """
+    file_path = tmp_path / "aws.txt"
+    fake_key = "AKIA1234567890ABCD12"  # 4 + 16 = 20 chars
+    _write_text(file_path, f"AWS_ACCESS_KEY_ID={fake_key}")
+
+    output_file = tmp_path / "out.txt"
+    matches = scan_directory(tmp_path, output_file)
+
+    assert any(fake_key in m["match"] for m in matches)
+
+
+def test_detects_openai_key(tmp_path: Path):
+    """
+    Ensure OpenAI API keys (sk-...) are detected.
+    """
+    file_path = tmp_path / "openai.txt"
+    fake_key = "sk-ABCDEFGHIJKLMNOPQRSTUV123456"
+    _write_text(file_path, f'OPENAI_API_KEY="{fake_key}"')
+
+    output_file = tmp_path / "out.txt"
+    matches = scan_directory(tmp_path, output_file)
+
+    assert any(fake_key in m["match"] for m in matches)
+