nosecrets-cli-0.3.7 is not a library.
nosecrets-cli
Fast, offline secret scanner for Git pre-commit hooks. Designed to be simple, fast, and safe for any repository.
Highlights
- Pre-commit focus (no history scanning)
- Offline only, no API calls
- Fast scanning (regex + validation + prefilter)
- High-entropy detection for unknown secrets
- Minimal configuration
Install
Cargo (Rust)
npm
The npm package is published from the main nosecrets repository and bundles prebuilt binaries for supported platforms.
Usage
# Scan staged files
# Scan a directory
# Interactive mode (add ignores)
# Add ignore by fingerprint
Exit codes
- 0: no blocking findings (only low or none)
- 1: blocking findings (critical/high/medium)
Configuration
.nosecrets.toml
[]
= [
"vendor/",
"node_modules/",
"*.lock",
]
[]
= [
"EXAMPLE",
"changeme",
"YOUR_.*_HERE",
]
= [
"AKIAIOSFODNN7EXAMPLE",
]
.nosecretsignore
# Format: nsi_<hash> or nsi_<hash>:<path-glob>
nsi_a1b2c3d4e5f6
nsi_b2c3d4e5f6a7:src/config.py
Inline ignore
= # @nosecrets-ignore
= # @nsi example key
Built-in Rules
Detects secrets from:
- Cloud: AWS, GCP, Azure, DigitalOcean, Cloudflare
- Code: GitHub, GitLab, npm, Slack, Discord
- Deploy: Netlify, Fly.io, Heroku, Vercel, Railway, Render, Supabase
- Communication: SendGrid, Twilio, Mailchimp, Mailgun
- Database: PostgreSQL, MySQL, MongoDB, Redis
- Payment: Stripe
- Generic: Private keys, API keys, passwords
- High-entropy: Unknown tokens, proprietary secrets (Shannon entropy analysis)
High-entropy Detection
nosecrets detects unknown secrets through entropy analysis. Enabled by default, configurable via .nosecrets.toml:
[]
= true
= 20
= 4.2
= true
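A sketch of the entropy check described above, added here as an example and not taken from the nosecrets code base. The function names and the tokenizer are hypothetical, and reading the 20 and 4.2 in the config as a minimum token length and a threshold in bits per character is an assumption.

```rust
use std::collections::HashMap;

// Assumption: the 20 and 4.2 in the config above are a minimum token
// length and an entropy threshold in bits per character.
const MIN_LEN: usize = 20;
const THRESHOLD: f64 = 4.2;

/// Shannon entropy of `s` in bits per character: -sum(p * log2(p)).
fn shannon_entropy(s: &str) -> f64 {
    let mut counts: HashMap<char, usize> = HashMap::new();
    for c in s.chars() {
        *counts.entry(c).or_insert(0) += 1;
    }
    let n = s.chars().count() as f64;
    counts
        .values()
        .map(|&k| {
            let p = k as f64 / n;
            -p * p.log2()
        })
        .sum()
}

/// Tokens in `line` that are long enough and random-looking enough to flag.
/// A token is a run of characters commonly found in keys (base64/URL-safe).
fn high_entropy_tokens(line: &str) -> Vec<&str> {
    line.split(|c: char| !(c.is_ascii_alphanumeric() || "+/=_-".contains(c)))
        .filter(|t| t.len() >= MIN_LEN)
        .filter(|t| shannon_entropy(t) >= THRESHOLD)
        .collect()
}

fn main() {
    // Constructed sample lines; the first value is random filler, not a credential.
    let lines = [
        "token = \"q7Zp2Lx9Vb4Tn8Rk3Wm6Yc1Hd5Jf0Gs\"",
        "path = \"src/components/authentication/login_handler\"",
        "pad = \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\"",
    ];
    for line in lines.iter() {
        println!("{:?} <- {}", high_entropy_tokens(line), line);
    }
}
```

The long file path and the repeated-character padding both clear the length bar but fall under the threshold, which is why a length check alone is not enough.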
Pre-commit Integration
- repo: local
  hooks:
    - id: nosecrets
      name: nosecrets
      entry: nosecrets scan --staged
      language: system
      pass_filenames: false
Related Crates
- nosecrets-core - Core scanning engine
- nosecrets-rules - Rule definitions
- nosecrets-filter - Filtering logic
- nosecrets-report - Output formatting
License
MIT