
Getting Started

Install scan4secrets and run your first scan in under two minutes.

Install

pipx

pipx install git+https://github.com/m14r41/scan4secrets

pip

pip install git+https://github.com/m14r41/scan4secrets
# or, when on PyPI:
pip install scan4secrets

From source

git clone https://github.com/m14r41/scan4secrets
cd scan4secrets
pip install -e .

Docker

docker run --rm -v $(pwd):/scan ghcr.io/m14r41/scan4secrets:latest --path /scan

Prebuilt binaries

Windows x64 and Linux amd64 binaries are published with every release. See Downloads for direct links and checksums.

After install, the scan4secrets command is on your PATH.

scan4secrets --version

Quick start

SAST: scan a local directory

scan4secrets --path /code

DAST: crawl a live target

scan4secrets --url https://staging.example.com --threads 32

DAST runs all 15 bundled wordlists (1279 unique paths: /.env, /wp-config.php, /backup.zip, source maps, admin panels, API docs, …) by default.

Use your own wordlist file

scan4secrets --url https://target.com --wordlist /path/to/my-paths.txt

Combine multiple custom wordlists

scan4secrets --url https://target.com --wordlist seclists/Common.txt internal-paths.txt

Restrict to specific bundled wordlists by stem

scan4secrets --url https://wp.example.com --wordlist-only wordpress common env

Turn wordlist seeding off entirely

scan4secrets --url https://target.com --no-wordlist
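When several custom wordlists are combined with --wordlist, entries from different sources often overlap or differ only in a leading slash, a CRLF ending, or a comment line. The helper below is an added example, not part of scan4secrets: it merges any number of wordlist files into one normalised, de-duplicated file that can then be passed to --wordlist. The function name, the sample entries and the temp-file layout are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not scan4secrets code): merge custom wordlists for --wordlist.

# merge_wordlists OUT IN1 [IN2 ...]
# - strips CRLF endings and surrounding whitespace
# - drops blank lines and '#' comment lines
# - forces exactly one leading slash on every path
# - removes duplicates, keeping first-seen order
# Prints the number of unique paths written to OUT.
merge_wordlists() {
    out="$1"; shift
    cat "$@" \
      | tr -d '\r' \
      | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
      | grep -v -e '^#' -e '^$' \
      | sed -e 's#^/*#/#' \
      | awk '!seen[$0]++' > "$out"
    wc -l < "$out" | tr -d ' '
}

# Constructed sample wordlists (hypothetical, not the bundled ones):
# overlapping entries, a comment, a blank line, CRLF and stray whitespace.
make_samples() {
    dir="$1"
    printf '# common backups\n/.env\nbackup.zip\n/wp-config.php\n\n' \
        > "$dir/common.txt"
    printf '/.env\r\n//.git/config\n  /api/swagger.json  \nwp-config.php\n' \
        > "$dir/internal.txt"
}

main() {
    tmp=$(mktemp -d)
    make_samples "$tmp"
    n=$(merge_wordlists "$tmp/merged.txt" "$tmp/common.txt" "$tmp/internal.txt")
    echo "merged $n unique paths into $tmp/merged.txt"   # prints 5 for the samples
    cat "$tmp/merged.txt"
    # Hand the merged list to the crawler (command form from the guide above):
    #   scan4secrets --url https://staging.example.com --wordlist "$tmp/merged.txt"
}

main "$@"
```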

Full audit with verification + HTML report

scan4secrets --path . --url https://app.example.com \
--verify --report html sarif json \
--output reports/audit-$(date +%F)

Authenticated DAST with proxy (works with Burp / ZAP)

scan4secrets --url https://app.example.com \
--cookie "session=abc123" \
--header "X-Tenant: acme" \
--proxy http://127.0.0.1:8080

CI gate. Exit 1 on any high-or-above finding

scan4secrets --path . --report sarif --fail-on high --output reports/scan

Reports

scan4secrets --path . --report sarif json jsonl csv html excel pdf --output reports/run
Format   Best for
sarif    GitHub Code Scanning, GitLab Security Dashboard, Sonar, Defect Dojo
json     Tooling integrations, post-processing
jsonl    SIEM/SOAR pipelines (Splunk, Datadog, Sentinel)
csv      Spreadsheet triage
html     Sortable / filterable / colored UI for client review
excel    Pivot tables and exec summaries
pdf      Compliance evidence packets

Secrets are redacted by default (abcd****wxyz). Use --unsafe-show only when reports are stored securely.
