What Happened

Simon Willison released scan-for-secrets 0.2, a CLI tool designed to detect accidentally committed secrets in codebases. The update introduces streaming results output, meaning findings are displayed as they are discovered rather than buffered until the full scan completes. The release also adds a repeatable -d/--directory flag for scanning multiple directories in one command, a new -f/--file option for targeting individual files, and a -v/--verbose mode that logs each directory as it is processed. On the Python API side, three new functions are available: scan_directory_iter(), scan_file(), and scan_file_iter().

Why It Matters

Secret leakage — API keys, database credentials, tokens — remains one of the most common and costly mistakes in software development. For indie developers and small teams without dedicated security tooling, a lightweight CLI scanner lowers the barrier to catching these issues before they reach production or public repositories.

  • Streaming output makes the tool practical for large monorepos or deep directory trees without waiting for a full scan to complete.
  • The new Python API functions allow integration into custom CI pipelines, pre-commit hooks, or internal tooling without shelling out to the CLI.
  • Multi-directory and per-file scanning gives teams flexibility to scan only changed paths in a pull request, reducing scan time.

Asia-Pacific Angle

Developers in China and Southeast Asia building SaaS products that integrate with platforms like Alibaba Cloud, Tencent Cloud, WeChat Pay, or Stripe frequently embed access keys during prototyping. These keys often end up in Git history or shared repositories on Gitee or GitHub. Running scan-for-secrets as a pre-push Git hook or inside a Gitea CI pipeline is a low-effort, zero-cost way to prevent credential exposure before going global. The scan_file_iter() Python API is particularly useful for teams building internal compliance tools that must audit specific configuration files or .env templates across microservice repositories.

Action Item This Week

Install scan-for-secrets with pip install scan-for-secrets (0.2 is the current release) and add it as a pre-commit hook in your most active repository. Before enabling the hook, run scan-for-secrets -d . -v once by hand to get a baseline of credentials already in the working tree. Treat anything it reports as exposed and rotate it rather than just deleting it: removing a key from a file does not remove it from Git history, and a scan of the checkout covers the files as they are now, not earlier commits.
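A pre-commit hook of the kind described above, as an added example that is not part of scan-for-secrets or Simon Willison's code. It uses the -f flag the release notes mention to scan only the staged files, so a commit touching two files does not rescan the whole tree. Two things are assumptions, not documented behaviour: that the CLI exits non-zero when it reports a finding (if it does not, test for non-empty output instead), and the SCANNER variable, which is the example's own hook for swapping in a different command.

```shell
#!/bin/sh
# Git pre-commit hook (example; not the project's own code). Install as
# .git/hooks/pre-commit and make it executable.
#
# Assumption: `scan-for-secrets -f FILE` exits non-zero when it reports a
# finding. SCANNER is the example's own override, mainly for testing.
SCANNER="${SCANNER:-scan-for-secrets}"

# Paths staged for this commit, excluding deletions (added/copied/modified/renamed).
staged_files() {
    git diff --cached --name-only --diff-filter=ACMR
}

# Scan each path read from stdin, one per line. Keep going after the first
# hit so the developer sees every offending file, then return 1 if any hit.
scan_paths() {
    rc=0
    while IFS= read -r path; do
        [ -f "$path" ] || continue          # skip submodule dirs, vanished files
        if ! "$SCANNER" -f "$path"; then
            echo "pre-commit: possible secret in $path" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Only act when Git invokes us as the pre-commit hook.
if [ "${0##*/}" = "pre-commit" ]; then
    if ! staged_files | scan_paths; then
        echo "pre-commit: commit blocked; remove or rotate the credential and retry" >&2
        exit 1
    fi
fi
```

Scanning staged paths rather than the working tree keeps the hook fast, but it also means an existing exposed key is not re-flagged unless its file is touched, which is why the one-off baseline run comes first.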