PyPI - superencryptx - Versions diffs - 0.1.0__tar.gz → 0.1.1__tar.gz - Mend

superencryptx 0.1.0tar.gz → 0.1.1tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

{superencryptx-0.1.0 → superencryptx-0.1.1}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: superencryptx
-Version: 0.1.0
+Version: 0.1.1
 Summary: Scan a repo for secrets and encrypt/decrypt them in-place.
 Author: Superencrypt Contributors
 License: MIT License
@@ -46,8 +46,9 @@ Requires-Dist: cryptography>=41.0.0
 Dynamic: license-file
 # superencrypt
+https://pypi.org/project/superencryptx/0.1.0/
-CLI to scan a repo for secrets (including env files), encrypt them in-place, and decrypt them later using a key.
+CLI to scan a repo for secrets (including env files, Dockerfiles, compose files, and YAML/TOML/JSON/INI-style configs), encrypt them in-place, and decrypt them later using a key.
 ## Why
@@ -92,6 +93,13 @@ superencrypt decrypt --key-file .superencrypt.key
 # Scan only (no changes)
 superencrypt scan
+# Scan a single file
+superencrypt scan --file path/to/file
+# Encrypt/decrypt a single file
+superencrypt encrypt --file path/to/file
+superencrypt decrypt --file path/to/file --key-file .superencrypt.key
 ```
 ## Pipeline example
@@ -108,6 +116,7 @@ superencrypt decrypt --key "$SUPERENCRYPT_KEY"
  - Use `scan` first to review matches.
 ## Development
+https://pypi.org/project/superencryptx/0.1.0/
 ```bash
 python -m venv .venv

{superencryptx-0.1.0 → superencryptx-0.1.1}/README.md RENAMED Viewed

@@ -1,6 +1,7 @@
 # superencrypt
+https://pypi.org/project/superencryptx/0.1.0/
-CLI to scan a repo for secrets (including env files), encrypt them in-place, and decrypt them later using a key.
+CLI to scan a repo for secrets (including env files, Dockerfiles, compose files, and YAML/TOML/JSON/INI-style configs), encrypt them in-place, and decrypt them later using a key.
 ## Why
@@ -45,6 +46,13 @@ superencrypt decrypt --key-file .superencrypt.key
 # Scan only (no changes)
 superencrypt scan
+# Scan a single file
+superencrypt scan --file path/to/file
+# Encrypt/decrypt a single file
+superencrypt encrypt --file path/to/file
+superencrypt decrypt --file path/to/file --key-file .superencrypt.key
 ```
 ## Pipeline example
@@ -61,6 +69,7 @@ superencrypt decrypt --key "$SUPERENCRYPT_KEY"
  - Use `scan` first to review matches.
 ## Development
+https://pypi.org/project/superencryptx/0.1.0/
 ```bash
 python -m venv .venv

{superencryptx-0.1.0 → superencryptx-0.1.1}/pyproject.toml RENAMED Viewed

@@ -1,6 +1,6 @@
 [project]
 name = "superencryptx"
-version = "0.1.0"
+version = "0.1.1"
 description = "Scan a repo for secrets and encrypt/decrypt them in-place."
 readme = "README.md"
 requires-python = ">=3.10"

{superencryptx-0.1.0 → superencryptx-0.1.1}/superencrypt/cli.py RENAMED Viewed

@@ -6,7 +6,7 @@ from pathlib import Path
 from typing import List
 from .crypto import Crypto
-from .scanner import scan_repo, iter_repo_files
+from .scanner import scan_repo, scan_path, iter_repo_files
 from .transform import encrypt_file, decrypt_file
@@ -26,8 +26,15 @@ def _write_key_file(path: Path, key: bytes) -> None:
 def cmd_scan(args: argparse.Namespace) -> int:
-    root = Path(args.root).resolve()
-    findings = scan_repo(root)
+    if args.file:
+        path = Path(args.file).resolve()
+        if not path.exists():
+            raise SystemExit(f"File not found: {path}")
+        findings = scan_path(path)
+        root = path.parent
+    else:
+        root = Path(args.root).resolve()
+        findings = scan_repo(root)
     if not findings:
         print("No secrets found.")
         return 0
@@ -50,10 +57,18 @@ def cmd_encrypt(args: argparse.Namespace) -> int:
     crypto = Crypto(key)
     changed_files: List[Path] = []
-    for path in iter_repo_files(root):
+    if args.file:
+        path = Path(args.file).resolve()
+        if not path.exists():
+            raise SystemExit(f"File not found: {path}")
         result = encrypt_file(path, crypto)
         if result.changed:
             changed_files.append(result.path)
+    else:
+        for path in iter_repo_files(root):
+            result = encrypt_file(path, crypto)
+            if result.changed:
+                changed_files.append(result.path)
     if changed_files:
         print(f"Encrypted {len(changed_files)} files.")
     else:
@@ -67,10 +82,18 @@ def cmd_decrypt(args: argparse.Namespace) -> int:
     crypto = Crypto(key)
     changed_files: List[Path] = []
-    for path in iter_repo_files(root):
+    if args.file:
+        path = Path(args.file).resolve()
+        if not path.exists():
+            raise SystemExit(f"File not found: {path}")
         result = decrypt_file(path, crypto)
         if result.changed:
             changed_files.append(result.path)
+    else:
+        for path in iter_repo_files(root):
+            result = decrypt_file(path, crypto)
+            if result.changed:
+                changed_files.append(result.path)
     if changed_files:
         print(f"Decrypted {len(changed_files)} files.")
     else:
@@ -80,19 +103,21 @@ def cmd_decrypt(args: argparse.Namespace) -> int:
 def build_parser() -> argparse.ArgumentParser:
     parser = argparse.ArgumentParser(prog="superencrypt")
-    parser.add_argument("--root", default=".", help="Root directory to scan")
+    parent = argparse.ArgumentParser(add_help=False)
+    parent.add_argument("--root", default=".", help="Root directory to scan")
+    parent.add_argument("--file", help="Scan/encrypt/decrypt a single file")
     subparsers = parser.add_subparsers(dest="command", required=True)
-    scan_parser = subparsers.add_parser("scan", help="Scan repo for secrets")
+    scan_parser = subparsers.add_parser("scan", help="Scan repo for secrets", parents=[parent])
     scan_parser.set_defaults(func=cmd_scan)
-    encrypt_parser = subparsers.add_parser("encrypt", help="Encrypt secrets in-place")
+    encrypt_parser = subparsers.add_parser("encrypt", help="Encrypt secrets in-place", parents=[parent])
     encrypt_parser.add_argument("--key", help="Base64 key string")
     encrypt_parser.add_argument("--key-file", help="Path to key file")
     encrypt_parser.set_defaults(func=cmd_encrypt)
-    decrypt_parser = subparsers.add_parser("decrypt", help="Decrypt secrets in-place")
+    decrypt_parser = subparsers.add_parser("decrypt", help="Decrypt secrets in-place", parents=[parent])
     decrypt_parser.add_argument("--key", help="Base64 key string")
     decrypt_parser.add_argument("--key-file", help="Path to key file")
     decrypt_parser.set_defaults(func=cmd_decrypt)

superencryptx-0.1.1/superencrypt/scanner.py ADDED Viewed

@@ -0,0 +1,261 @@
+from __future__ import annotations
+import os
+import re
+from dataclasses import dataclass
+from pathlib import Path
+from typing import Iterable, Iterator, List, Optional
+SKIP_DIRS = {
+    ".git",
+    ".hg",
+    ".svn",
+    "node_modules",
+    "dist",
+    "build",
+    ".venv",
+    "venv",
+    "__pycache__",
+    "vendor",
+    "docs",
+    "doc",
+}
+SKIP_FILES = {
+    ".superencrypt.key",
+    "README.md",
+    "mvnw",
+    "mvnw.cmd",
+}
+ENV_FILE_PATTERNS = (
+    ".env",
+    ".env.",
+    ".envrc",
+)
+SENSITIVE_KEYWORDS = re.compile(
+    r"(?i)(password|passwd|secret|token|api[_-]?key|access[_-]?key|private[_-]?key|client[_-]?secret)"
+)
+NON_SECRET_HINTS = re.compile(
+    r"(?i)\b(password|passwd|secret|token|api[_-]?key|access[_-]?key|private[_-]?key|client[_-]?secret)\b"
+)
+URL_PATTERN = re.compile(r"(?i)^[a-z][a-z0-9+.-]*://")
+ENV_REF_PATTERN = re.compile(r"^\$(\{[^}]+\}|[A-Za-z_][A-Za-z0-9_]*)$")
+BOOL_PATTERN = re.compile(r"(?i)^(true|false|yes|no|on|off)$")
+PORT_PATTERN = re.compile(r"^\d{2,5}$")
+LOCAL_HOSTS = {"localhost", "127.0.0.1", "0.0.0.0"}
+FILE_LIKE_PATTERN = re.compile(r"(?i)\.(zip|tar\.gz|tgz|jar|war|css|js|map|png|jpg|jpeg|gif|svg)$")
+HOSTNAME_PATTERN = re.compile(r"(?i)^[a-z0-9][a-z0-9-]*(?:\.[a-z0-9-]+)+$")
+PLACEHOLDER_PATTERN = re.compile(r"(?i)^\*{2,}.*\*{2,}$")
+TEMPLATE_PATTERN = re.compile(r"(\$\{[^}]+\}|\$\([^)]+\)|\$[A-Za-z_][A-Za-z0-9_]*|\{\{[^}]+\}\}|<%[^%]+%>)")
+REFERENCE_TOKEN_PATTERN = re.compile(
+    r"(?i)\b(var|local|data|module|path|terraform|each|count)\.[A-Za-z0-9_.-]+\b"
+)
+ARN_PATTERN = re.compile(r"^arn:aws:[a-z0-9-]+:[a-z0-9-]*:\d{0,12}:[^\\s]+$", re.IGNORECASE)
+TERRAFORM_REF_PATTERN = re.compile(
+    r"(?i)^(?:var|local|data|module|path|terraform|each|count)\.[A-Za-z0-9_.-]+$"
+)
+TERRAFORM_RESOURCE_PATTERN = re.compile(r"(?i)^[a-z][a-z0-9_-]*\.[A-Za-z0-9_.-]+$")
+TERRAFORM_FUNC_PATTERN = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*\(.*\)$")
+@dataclass
+class Finding:
+    path: Path
+    line_number: int
+    key: Optional[str]
+    value: str
+@dataclass
+class SecretPattern:
+    name: str
+    regex: re.Pattern
+    group: int
+SECRET_PATTERNS: List[SecretPattern] = [
+    SecretPattern(
+        name="aws_access_key_id",
+        regex=re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
+        group=1,
+    ),
+    SecretPattern(
+        name="aws_secret_access_key",
+        regex=re.compile(r"(?i)aws_secret_access_key\s*[:=]\s*([A-Za-z0-9/+=]{40})"),
+        group=1,
+    ),
+    SecretPattern(
+        name="docker_env_or_arg",
+        regex=re.compile(
+            r"(?i)\b(?:ENV|ARG)\s+"
+            r"(?:[A-Z0-9_]*?(?:password|passwd|secret|token|api[_-]?key|access[_-]?key|private[_-]?key|client[_-]?secret)[A-Z0-9_]*)"
+            r"(?:\s*=\s*|\s+)"
+            r"(\"[^\"]+\"|'[^']+'|[^\s#]+)"
+        ),
+        group=1,
+    ),
+    SecretPattern(
+        name="generic_assignment",
+        regex=re.compile(
+            r"(?i)(?:password|passwd|secret|token|api[_-]?key|access[_-]?key|private[_-]?key|client[_-]?secret)\s*[:=]\s*(\"[^\"]+\"|'[^']+'|[^\s#]+)"
+        ),
+        group=1,
+    ),
+]
+def _is_env_file(path: Path) -> bool:
+    name = path.name
+    if name == ".env" or name.startswith(".env.") or name.endswith(".env"):
+        return True
+    return name in ENV_FILE_PATTERNS
+def _is_binary(data: bytes) -> bool:
+    return b"\x00" in data
+def _normalize_value(value: str) -> str:
+    raw = value.strip()
+    if raw.startswith(('"', "'")) and raw.endswith(('"', "'")) and len(raw) >= 2:
+        return raw[1:-1]
+    return raw
+def _is_probable_secret(value: str, context: str) -> bool:
+    raw = _normalize_value(value)
+    if not raw:
+        return False
+    lowered = raw.lower()
+    if TEMPLATE_PATTERN.search(raw):
+        return False
+    if PLACEHOLDER_PATTERN.match(raw):
+        return False
+    if lowered in LOCAL_HOSTS:
+        return False
+    if BOOL_PATTERN.fullmatch(raw):
+        return False
+    if PORT_PATTERN.fullmatch(raw):
+        return False
+    if URL_PATTERN.match(raw):
+        return False
+    if ENV_REF_PATTERN.match(raw):
+        return False
+    if REFERENCE_TOKEN_PATTERN.search(raw):
+        return False
+    if HOSTNAME_PATTERN.match(raw):
+        return False
+    if ARN_PATTERN.match(raw):
+        return False
+    if raw.startswith(("/", "./", "../")):
+        return False
+    if FILE_LIKE_PATTERN.search(raw):
+        return False
+    has_secret_hint = NON_SECRET_HINTS.search(context) is not None
+    if has_secret_hint:
+        if len(raw) < 6:
+            return False
+    else:
+        if len(raw) < 12:
+            return False
+        if re.fullmatch(r"[a-z]+", raw):
+            return False
+        if re.fullmatch(r"[A-Za-z0-9._-]+", raw) and len(raw) < 16:
+            return False
+        classes = sum(
+            bool(re.search(p, raw))
+            for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
+        )
+        if classes < 2:
+            return False
+    return True
+def _is_terraform_reference(value: str) -> bool:
+    raw = _normalize_value(value)
+    if not raw:
+        return False
+    if TERRAFORM_FUNC_PATTERN.match(raw):
+        return True
+    if TERRAFORM_REF_PATTERN.match(raw):
+        return True
+    if TERRAFORM_RESOURCE_PATTERN.match(raw):
+        return True
+    return False
+def iter_repo_files(root: Path) -> Iterator[Path]:
+    for dirpath, dirnames, filenames in os.walk(root):
+        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
+        for filename in filenames:
+            if filename in SKIP_FILES:
+                continue
+            path = Path(dirpath) / filename
+            parts = set(path.parts)
+            if parts.intersection({"test", "tests", "__tests__", "spec"}):
+                continue
+            if ("gradle" in parts and "wrapper" in parts and filename == "gradle-wrapper.properties"):
+                continue
+            if (".mvn" in parts and "wrapper" in parts and filename == "maven-wrapper.properties"):
+                continue
+            yield path
+def scan_env_file(path: Path) -> List[Finding]:
+    findings: List[Finding] = []
+    text = path.read_text(encoding="utf-8", errors="ignore")
+    for idx, line in enumerate(text.splitlines(), start=1):
+        stripped = line.strip()
+        if not stripped or stripped.startswith("#"):
+            continue
+        if stripped.startswith("export "):
+            stripped = stripped[len("export ") :]
+        if "=" not in stripped:
+            continue
+        key, value = stripped.split("=", 1)
+        key = key.strip()
+        value = value.strip().strip('"').strip("'")
+        if SENSITIVE_KEYWORDS.search(key) and _is_probable_secret(value, key):
+            findings.append(Finding(path=path, line_number=idx, key=key, value=value))
+    return findings
+def scan_file_for_patterns(path: Path) -> List[Finding]:
+    data = path.read_bytes()
+    if _is_binary(data):
+        return []
+    text = data.decode("utf-8", errors="ignore")
+    findings: List[Finding] = []
+    for idx, line in enumerate(text.splitlines(), start=1):
+        for pattern in SECRET_PATTERNS:
+            match = pattern.regex.search(line)
+            if not match:
+                continue
+            value = match.group(pattern.group)
+            if path.suffix in {".tf", ".tfvars"} and _is_terraform_reference(value):
+                continue
+            if not _is_probable_secret(value, match.group(0)):
+                continue
+            findings.append(Finding(path=path, line_number=idx, key=pattern.name, value=value))
+    return findings
+def scan_repo(root: Path) -> List[Finding]:
+    findings: List[Finding] = []
+    for path in iter_repo_files(root):
+        if _is_env_file(path):
+            findings.extend(scan_env_file(path))
+            continue
+        findings.extend(scan_file_for_patterns(path))
+    return findings
+def scan_path(path: Path) -> List[Finding]:
+    if _is_env_file(path):
+        return scan_env_file(path)
+    return scan_file_for_patterns(path)

{superencryptx-0.1.0 → superencryptx-0.1.1}/superencrypt/transform.py RENAMED Viewed

@@ -6,7 +6,14 @@ from pathlib import Path
 from typing import Iterable, List
 from .crypto import Crypto, is_encrypted_value, wrap_encrypted, unwrap_encrypted
-from .scanner import SECRET_PATTERNS, SENSITIVE_KEYWORDS, _is_env_file, _is_binary
+from .scanner import (
+    SECRET_PATTERNS,
+    SENSITIVE_KEYWORDS,
+    _is_env_file,
+    _is_binary,
+    _is_probable_secret,
+    _is_terraform_reference,
+)
 @dataclass
@@ -37,6 +44,8 @@ def _encrypt_env_lines(text: str, crypto: Crypto) -> str:
             raw_value = raw_value[1:-1]
         if not SENSITIVE_KEYWORDS.search(key):
             continue
+        if not _is_probable_secret(raw_value, key):
+            continue
         if is_encrypted_value(raw_value):
             continue
         token = crypto.encrypt(raw_value).token
@@ -78,7 +87,7 @@ def _decrypt_env_lines(text: str, crypto: Crypto) -> str:
     return "\n".join(lines) + ("\n" if text.endswith("\n") else "")
-def _encrypt_generic(text: str, crypto: Crypto) -> str:
+def _encrypt_generic(text: str, crypto: Crypto, *, path: Path | None = None) -> str:
     changed = False
     def replacer(match: re.Match) -> str:
@@ -87,10 +96,23 @@ def _encrypt_generic(text: str, crypto: Crypto) -> str:
             inner = pattern.regex.search(match.group(0))
             if inner:
                 value = inner.group(pattern.group)
-                if is_encrypted_value(value):
+                raw_value = value
+                quote = ""
+                if raw_value.startswith(('"', "'")) and raw_value.endswith(('"', "'")):
+                    quote = raw_value[0]
+                    raw_value = raw_value[1:-1]
+                if is_encrypted_value(raw_value):
+                    return match.group(0)
+                if path is not None and path.suffix in {".tf", ".tfvars"}:
+                    if _is_terraform_reference(raw_value):
+                        return match.group(0)
+                if not _is_probable_secret(raw_value, match.group(0)):
                     return match.group(0)
-                token = crypto.encrypt(value).token
-                replaced = match.group(0).replace(value, wrap_encrypted(token), 1)
+                token = crypto.encrypt(raw_value).token
+                new_value = wrap_encrypted(token)
+                if quote:
+                    new_value = f"{quote}{new_value}{quote}"
+                replaced = match.group(0).replace(value, new_value, 1)
                 changed = True
                 return replaced
         return match.group(0)
@@ -121,7 +143,7 @@ def encrypt_file(path: Path, crypto: Crypto) -> TransformResult:
     if _is_env_file(path):
         new_text = _encrypt_env_lines(text, crypto)
     else:
-        new_text = _encrypt_generic(text, crypto)
+        new_text = _encrypt_generic(text, crypto, path=path)
     changed = new_text != text
     if changed:
         path.write_text(new_text, encoding="utf-8")

{superencryptx-0.1.0 → superencryptx-0.1.1}/superencryptx.egg-info/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: superencryptx
-Version: 0.1.0
+Version: 0.1.1
 Summary: Scan a repo for secrets and encrypt/decrypt them in-place.
 Author: Superencrypt Contributors
 License: MIT License
@@ -46,8 +46,9 @@ Requires-Dist: cryptography>=41.0.0
 Dynamic: license-file
 # superencrypt
+https://pypi.org/project/superencryptx/0.1.0/
-CLI to scan a repo for secrets (including env files), encrypt them in-place, and decrypt them later using a key.
+CLI to scan a repo for secrets (including env files, Dockerfiles, compose files, and YAML/TOML/JSON/INI-style configs), encrypt them in-place, and decrypt them later using a key.
 ## Why
@@ -92,6 +93,13 @@ superencrypt decrypt --key-file .superencrypt.key
 # Scan only (no changes)
 superencrypt scan
+# Scan a single file
+superencrypt scan --file path/to/file
+# Encrypt/decrypt a single file
+superencrypt encrypt --file path/to/file
+superencrypt decrypt --file path/to/file --key-file .superencrypt.key
 ```
 ## Pipeline example
@@ -108,6 +116,7 @@ superencrypt decrypt --key "$SUPERENCRYPT_KEY"
  - Use `scan` first to review matches.
 ## Development
+https://pypi.org/project/superencryptx/0.1.0/
 ```bash
 python -m venv .venv

{superencryptx-0.1.0 → superencryptx-0.1.1}/superencryptx.egg-info/top_level.txt RENAMED Viewed

@@ -1,3 +1,2 @@
-build
 dist
 superencrypt

superencryptx-0.1.0/superencrypt/scanner.py DELETED Viewed

@@ -1,133 +0,0 @@
-from __future__ import annotations
-import os
-import re
-from dataclasses import dataclass
-from pathlib import Path
-from typing import Iterable, Iterator, List, Optional
-SKIP_DIRS = {
-    ".git",
-    ".hg",
-    ".svn",
-    "node_modules",
-    "dist",
-    "build",
-    ".venv",
-    "venv",
-    "__pycache__",
-}
-SKIP_FILES = {
-    ".superencrypt.key",
-}
-ENV_FILE_PATTERNS = (
-    ".env",
-    ".env.",
-    ".envrc",
-)
-SENSITIVE_KEYWORDS = re.compile(
-    r"(?i)(password|passwd|secret|token|api[_-]?key|access[_-]?key|private[_-]?key|db[_-]?user|database[_-]?user)"
-)
-@dataclass
-class Finding:
-    path: Path
-    line_number: int
-    key: Optional[str]
-    value: str
-@dataclass
-class SecretPattern:
-    name: str
-    regex: re.Pattern
-    group: int
-SECRET_PATTERNS: List[SecretPattern] = [
-    SecretPattern(
-        name="aws_access_key_id",
-        regex=re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
-        group=1,
-    ),
-    SecretPattern(
-        name="aws_secret_access_key",
-        regex=re.compile(r"(?i)aws_secret_access_key\s*[:=]\s*([A-Za-z0-9/+=]{40})"),
-        group=1,
-    ),
-    SecretPattern(
-        name="generic_assignment",
-        regex=re.compile(r"(?i)(password|passwd|secret|token|api[_-]?key)\s*[:=]\s*([\w\-./+=:@]+)"),
-        group=2,
-    ),
-]
-def _is_env_file(path: Path) -> bool:
-    name = path.name
-    if name == ".env" or name.startswith(".env.") or name.endswith(".env"):
-        return True
-    return name in ENV_FILE_PATTERNS
-def _is_binary(data: bytes) -> bool:
-    return b"\x00" in data
-def iter_repo_files(root: Path) -> Iterator[Path]:
-    for dirpath, dirnames, filenames in os.walk(root):
-        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
-        for filename in filenames:
-            if filename in SKIP_FILES:
-                continue
-            yield Path(dirpath) / filename
-def scan_env_file(path: Path) -> List[Finding]:
-    findings: List[Finding] = []
-    text = path.read_text(encoding="utf-8", errors="ignore")
-    for idx, line in enumerate(text.splitlines(), start=1):
-        stripped = line.strip()
-        if not stripped or stripped.startswith("#"):
-            continue
-        if stripped.startswith("export "):
-            stripped = stripped[len("export ") :]
-        if "=" not in stripped:
-            continue
-        key, value = stripped.split("=", 1)
-        key = key.strip()
-        value = value.strip().strip('"').strip("'")
-        if SENSITIVE_KEYWORDS.search(key):
-            findings.append(Finding(path=path, line_number=idx, key=key, value=value))
-    return findings
-def scan_file_for_patterns(path: Path) -> List[Finding]:
-    data = path.read_bytes()
-    if _is_binary(data):
-        return []
-    text = data.decode("utf-8", errors="ignore")
-    findings: List[Finding] = []
-    for idx, line in enumerate(text.splitlines(), start=1):
-        for pattern in SECRET_PATTERNS:
-            match = pattern.regex.search(line)
-            if not match:
-                continue
-            value = match.group(pattern.group)
-            findings.append(Finding(path=path, line_number=idx, key=pattern.name, value=value))
-    return findings
-def scan_repo(root: Path) -> List[Finding]:
-    findings: List[Finding] = []
-    for path in iter_repo_files(root):
-        if _is_env_file(path):
-            findings.extend(scan_env_file(path))
-            continue
-        findings.extend(scan_file_for_patterns(path))
-    return findings