scan-for-secrets 0.1
Release: scan-for-secrets 0.1 (https://github.com/simonw/scan-for-secrets/releases/tag/0.1)
I like publishing transcripts of local Claude Code sessions using my claude-code-transcripts (https://github.com/simonw/claude-code-transcripts) tool, but I'm often paranoid that one of my API keys or similar secrets might inadvertently be revealed in the detailed log files.
I built this new Python scanning tool to help reassure me. You can feed it secrets and have it scan for them in a specified directory:
uvx scan-for-secrets $OPENAI_API_KEY -d logs-to-publish/
If you leave off the -d it defaults to the current directory.
It doesn’t just scan for the literal secrets - it also scans for common encodings of those secrets, e.g. backslash or JSON escaping, as described in the README (https://github.com/simonw/scan-for-secrets/blob/main/README.md#escaping-schemes).
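To make the encoding idea concrete, here is a small stand-alone scanner written as an added example; it is not code from scan-for-secrets or its author, and the particular variant list it checks (literal, JSON escaping, slash escaping, URL encoding, base64, \uXXXX escapes) is this example's own assumption rather than the tool's documented escaping schemes. The secret and the log files it scans are constructed inline so the example runs offline.

```python
"""Added example: find a secret and its common encodings in files to publish."""
import base64
import json
import tempfile
import urllib.parse
from pathlib import Path

# Constructed sample secret (not a real credential). It contains "/" and "+"
# so that URL and slash escaping actually change it, as AWS-style keys often do.
SECRET = "Ab12/CONSTRUCTED+Example/Secret9"


def encoding_variants(secret: str) -> dict[str, str]:
    """Map variant name -> pattern a secret could take once written to a log.

    The variant list is this example's assumption, not the tool's documented
    escaping schemes; duplicates are dropped because for a plain alphanumeric
    key several encodings are the identity.
    """
    candidates = {
        "literal": secret,
        # JSON string body (without surrounding quotes), as json.dumps emits it.
        "json": json.dumps(secret)[1:-1],
        # Some encoders (PHP's json_encode by default) also escape "/" as "\/".
        "json-slash": secret.replace("/", "\\/"),
        "url": urllib.parse.quote(secret, safe=""),
        "base64": base64.b64encode(secret.encode()).decode(),
        # Every character as a \uXXXX escape, as some JSON writers emit.
        "unicode-escape": "".join(f"\\u{ord(c):04x}" for c in secret),
    }
    unique: dict[str, str] = {}
    for name, value in candidates.items():
        if value not in unique.values():
            unique[name] = value
    return unique


def scan_text(text: str, secrets: list[str]) -> list[tuple[int, str]]:
    """Return (line_number, variant_name) for every hit in a text blob."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for secret in secrets:
            for name, pattern in encoding_variants(secret).items():
                if pattern in line:
                    hits.append((lineno, name))
    return hits


def scan_directory(root: Path, secrets: list[str]) -> list[tuple[str, int, str]]:
    """Walk root recursively; report (relative path, line, variant) per hit.

    Files are decoded as UTF-8 with undecodable bytes dropped, so binary files
    are scanned rather than crashing the run.
    """
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        text = path.read_bytes().decode("utf-8", errors="ignore")
        for lineno, variant in scan_text(text, secrets):
            findings.append((path.relative_to(root).as_posix(), lineno, variant))
    return sorted(findings)


def demo() -> list[tuple[str, int, str]]:
    """Build a constructed directory of logs and scan it for SECRET."""
    files = {
        # Secret written verbatim inside a JSON transcript line.
        "logs/session-1.jsonl": f'{{"role":"user","content":"export AWS_SECRET={SECRET}"}}\n'.encode(),
        # Secret inside a JSON document nested in a JSON string, with "/" escaped.
        "logs/session-2.json": ('{"body":"{\\"secret\\":\\"' + SECRET.replace("/", "\\/") + '\\"}"}\n').encode(),
        # Secret stored base64-encoded.
        "notes.txt": b"encoded: " + base64.b64encode(SECRET.encode()) + b"\n",
        # Binary file with the secret embedded between undecodable bytes.
        "blob.bin": b"\x00\x01\xff" + SECRET.encode() + b"\xfe\n",
        "clean.md": b"Nothing sensitive on this line.\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, data in files.items():
            target = root / name
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return scan_directory(root, [SECRET])


if __name__ == "__main__":
    for rel_path, lineno, variant in demo():
        print(f"{rel_path}:{lineno}: secret found ({variant})")
```

Running it reports four files: the two transcript lines (literal and slash-escaped), the base64 note, and the binary blob; clean.md produces nothing. The deduplication step matters in practice because for a typical alphanumeric key the JSON and URL encodings are identical to the literal, so reporting them separately would only produce duplicate findings.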
If you have a set of secrets you always want to protect, you can list commands to echo them in a ~/.scan-for-secrets.conf.sh file. Mine looks like this:
llm keys get openai
llm keys get anthropic
llm keys get gemini
llm keys get mistral
awk -F= '/aws_secret_access_key/{print $2}' ~/.aws/credentials | xargs
I built this tool using README-driven development: I carefully constructed the README describing exactly how the tool should work, then dumped it into Claude Code (https://gisthost.github.io/?d4b1a398bf3b6b14aade923dea69a1ac/index.html) and told it to build the actual tool (using red/green TDD (https://simonwillison.net/guides/agentic-engineering-patterns/red-green-tdd/), naturally).
Tags: projects (https://simonwillison.net/tags/projects), security (https://simonwillison.net/tags/security)