What makes it different
Six things gitleaks, trufflehog, and detect-secrets cannot do.
DAST live web crawl
Crawls staging or prod, parses JS source maps, extracts endpoints, scans response headers. Catches secrets no SAST will ever see.
Live verification
Twenty-plus vendor probes confirm a token is live in one HTTP call. Hypothesis becomes evidence before you write the report.
170+ rules out of the box
Cloud, payments, AI/ML, messaging, monitoring, databases, JWT, PEM keys. Add your own with a YAML block. No code change.
CI native reporting
SARIF for GitHub code-scanning, JSONL for SOAR, Excel, PDF and HTML for client reports. Exit-code gate on severity.
Authenticated DAST
Cookies, headers, Burp or ZAP proxy. Scan behind login with the same engine and rules you use everywhere else.
Fast and safe
Aho-Corasick keyword pre-filter, binary skip, line-length cap, scope honoring, hard caps on URLs and depth. No accidental DoS.
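How the keyword pre-filter, binary skip, line-length cap and severity exit gate fit together, as an added illustration that is not scan4secrets's own code: the rule ids, keywords, regexes and sample files are constructed, and a single literal-alternation regex stands in for the Aho-Corasick automaton a production scanner would use.

```python
import re

# Constructed demo rules: (id, severity, keyword, regex). The literal keyword is the
# cheap gate; the regex only runs on lines where the keyword was seen.
RULES = [
    ("aws-access-key", "high", "AKIA", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-pat", "high", "ghp_", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("slack-bot-token", "medium", "xoxb-", re.compile(r"\bxoxb-[0-9A-Za-z-]{20,}\b")),
]
# One alternation of escaped literals finds every keyword in a single pass over a line;
# it stands in here for the Aho-Corasick automaton a production scanner would use.
PREFILTER = re.compile("|".join(re.escape(kw) for _, _, kw, _ in RULES))
MAX_LINE_LEN = 2000          # minified JS / base64 blobs beyond this never reach a regex
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

def scan_file(path, data):
    """Return (path, line_no, rule_id, severity, match) tuples for one file's bytes."""
    if b"\x00" in data[:8192]:   # binary skip: a NUL byte in the file head
        return []
    findings = []
    for n, line in enumerate(data.decode("utf-8", "replace").splitlines(), 1):
        if len(line) > MAX_LINE_LEN:           # line-length cap bounds regex work per line
            continue
        hits = set(PREFILTER.findall(line))    # pre-filter: most lines stop here
        for rule_id, sev, kw, rx in RULES:
            if kw in hits:                     # only now pay for the full pattern
                findings += [(path, n, rule_id, sev, m.group()) for m in rx.finditer(line)]
    return findings

def exit_code(findings, fail_on="high"):
    """CI gate: 1 when any finding is at or above the threshold severity, else 0."""
    return int(any(SEVERITY_RANK[f[3]] >= SEVERITY_RANK[fail_on] for f in findings))

# Constructed sample tree: AWS's documented example key id, a placeholder GitHub-style
# token, a 3000-char minified line (skipped by the cap) and a binary (skipped by NUL).
SAMPLE = {
    "config.env": b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nDEBUG=true\n",
    "notes.md": b"token ghp_" + b"x" * 36 + b" needs rotating\n",
    "app.min.js": b"var t='AKIA" + b"A" * 3000 + b"';\n",
    "logo.png": b"\x89PNG\x00\x00not text",
}

def scan_all(files=SAMPLE):
    return [f for path, data in files.items() for f in scan_file(path, data)]

if __name__ == "__main__":
    found = scan_all()
    print(*found, sep="\n")
    raise SystemExit(exit_code(found))
```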
How it compares
scan4secrets is meant to sit alongside gitleaks, not replace it. Use both.
| Capability | gitleaks | trufflehog | detect-secrets | scan4secrets |
|---|---|---|---|---|
| SAST secret detection | Yes | Yes | Yes | Yes |
| DAST live web crawl | No | No | No | Yes |
| JS source-map parsing | No | No | No | Yes |
| JS endpoint extraction | No | No | No | Yes |
| HTTP header secret scan | No | No | No | Yes |
| Live token verification | No | Yes | No | Yes |
| SARIF output | Yes | No | No | Yes |
| Excel, PDF, HTML reports | No | No | No | Yes |
| Authenticated DAST (cookie, header, proxy) | No | No | No | Yes |
Ready to scan?
One command. SAST and DAST. SARIF for code-scanning, PDF for clients.