Telling tales on you for leaking secrets!


Squealer scans a git repository or filesystem for secrets that are being leaked deep within the commit history.

The built-in configuration has the following checks:


  • access key id
  • access secret key


  • github token


  • slack token OAUTH
  • webhook url


  • Asymmetric Private Key

Sometimes secrets get committed to our projects; generally we can invalidate them and move on. If squealer is telling tales about a secret that you are aware of and that has been mitigated, you can use the exception rule found in the output to register it as ignored.


curl -s "https://raw.githubusercontent.com/owenrumney/squealer/main/scripts/install.sh" | bash


Squealer is intended to be run either locally or as part of a CI process.

./squealer --help
Telling tales on your secret leaking

  squealer [flags]

      --concise                Reduced output.
      --config-file string     Path to the config file with the rules.
      --debug                  Include debug output.
      --everything             Scan all commits.... everywhere.
      --from-hash string       The hash to work back to from the starting hash.
  -h, --help                   help for squealer
      --no-git                 Scan as a directory rather than a git history.
      --output-format string   The format that the output should come in (default, json, sarif.
      --redacted               Display the results redacted.
      --to-hash string         The most recent hash to start with.

Config File

  description: Check for AWS Access Key Id
- rule: (?i)aws(.{0,20})?(?-i)['\"][0-9a-zA-Z\/+]{40}['\"]
  description: Check for AWS Secret Access Key
- rule: (?i)github[_\-\.]?token[\s:,="\]']+?(?-i)[0-9a-zA-Z]{35,40}
  description: Check for Github Token 
- rule: https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}
  description: Check for Slack webhook
- rule: xox[baprs]-([0-9a-zA-Z]{10,48})?
  description: Check for Slack token
  description: Check for Private Asymetric Key
- vendor
- node_modules
- .zip
- .png
- .jpg
- .pdf
- .xls
- .doc
- .docx
- exception: release/update.go:D2IDetI6aidl58GE6dv5uAaWmXM=
  reason: This is a webhook that we got rid of - can be ignored in this file

Config breakdown

The config file is made up of the rules, ignore_prefixes, ignore_extensions and exceptions.


Rules define the regular expression that is used to detect the secret. Requires a description for posterity.


Ignore paths are folders that you don't want to look in - generally vendor and the like.


Ignore extensions have the file types that won't be scanned. Binaries are automatically ignored.


Exceptions are the entries that you've already handled and don't want to be reported any more.
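How the four config sections interact on a single file, as an added sketch that is not Squealer's own code. It uses two regexes copied from the config above; `scan`, `finding` and the sample line are hypothetical, and both the path-prefix matching and the base64 SHA-1 hash over the matched text are assumptions (the page shows only the `filename:hash` shape of an exclude rule).

```go
package main

import (
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// {regex, description} pairs copied verbatim from the config on this page.
var rules = [][2]string{
	{`(?i)aws(.{0,20})?(?-i)['\"][0-9a-zA-Z\/+]{40}['\"]`, "Check for AWS Secret Access Key"},
	{`xox[baprs]-([0-9a-zA-Z]{10,48})?`, "Check for Slack token"},
}
var ignorePaths = []string{"vendor", "node_modules"}
var ignoreExt = map[string]bool{".zip": true, ".png": true, ".pdf": true}

// Constructed sample line, not a real credential.
var sample = `aws_secret = "` + strings.Repeat("a", 40) + `"`

type finding struct{ File, Desc, ExcludeRule string }

// scan applies the path and extension filters, then the rules, then exceptions.
func scan(file, content string, exceptions map[string]bool) []finding {
	if ignoreExt[filepath.Ext(file)] {
		return nil
	}
	for _, p := range ignorePaths {
		if strings.HasPrefix(file, p+"/") { // assumption: prefix match on the path
			return nil
		}
	}
	var out []finding
	for _, r := range rules {
		for _, m := range regexp.MustCompile(r[0]).FindAllString(content, -1) {
			sum := sha1.Sum([]byte(m)) // assumption: hash is base64(SHA-1(match))
			key := file + ":" + base64.StdEncoding.EncodeToString(sum[:])
			if !exceptions[key] {
				out = append(out, finding{file, r[1], key})
			}
		}
	}
	return out
}

func main() {
	for _, f := range scan("app/settings.go", sample, nil) {
		fmt.Printf("%s\nExclude rule: %s\n", f.Desc, f.ExcludeRule)
	}
}
```

Because the exception key includes the filename, the same secret in a second file is still reported until that file gets its own exception entry.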

Example Output

INFO[0000] Using a git scanner to process ../../tfsec/tfsec
INFO[0000] starting at hash 3bd04e7e17f2aad9e5f38826d88325798534a289

Content:      | access_key = "AKIAABCD12ABCDEF1ABC"
Filename:     | internal/app/tfsec/checks/aws044.go
Line No:      | 21
Secret Hash:  | bcE9jU2WV11OYs63eGHPZf1l9v8=
Commit:       | 4e68e1c5b3bc66982e4b7e6c5cc1c1642c87f83d
Committer:    | GitHub ([email protected])
Committed:    | 2020-10-21 21:59:22 +0100 +0100
Exclude rule: | internal/app/tfsec/checks/aws044.go:bcE9jU2WV11OYs63eGHPZf1l9v8=

Content:      | access_key = "AKIAABCD12ABCDEF1ABC"
Filename:     | docs-website/docs/aws/AWS044.md
Line No:      | 26
Secret Hash:  | bcE9jU2WV11OYs63eGHPZf1l9v8=
Commit:       | 8a7715f2cf5a2ac74a1e186792c476fd52ee1474
Committer:    | ¨Owen Rumney ([email protected])
Committed:    | 2021-01-24 19:04:27 +0000 +0000
Exclude rule: | docs-website/docs/aws/AWS044.md:bcE9jU2WV11OYs63eGHPZf1l9v8=

  duration:     2.99s
  commits:      503
  commit files: 4095

  identified:   6
  ignored:      0
  reported:     2

INFO[0002] Exit code: 1

It's worth noting that these are known because they're examples in the documentation for tfsec - I can add them to the config.yaml as exclusions by using the Exclude rule.

Using as a library

Squealer can be used for scanning a specific string using either the default config or by passing your own file in.

Adding the library

go get -u github.com/owenrumney/squealer

Using as a library

Git and Directory Scanning

package main

import (
	"fmt"

	"github.com/owenrumney/squealer/pkg/config"
	"github.com/owenrumney/squealer/pkg/squealer"
)

func main() {

	// create a new scanner (optionally load your own config in)
	scanner, err := squealer.New(
		squealer.OptionWithConfig(config.DefaultConfig()), // if not supplied, config.DefaultConfig() used
		squealer.OptionRedactedSecrets(true),              // defaults to true, secrets in output redacted
		squealer.OptionNoGitScan(false),                   // Treat Directories with .git in them as Directories, defaults to false
		squealer.OptionWithBasePath("."),                  // The path to scan, default is '.'
		squealer.OptionWithFromHash(""),                   // Specify the starting hash for the scan, useful for PRs
		squealer.OptionWithToHash(""),                     // Specify the hash to stop scanning, useful for PRs scanning
		squealer.OptionWithScanEverything(false),          // Scan everything in every branch, defaults to only the current branch
		squealer.OptionWithCommitListFile(""),             // a file of commits that you want to explicitly scan in a text file.
	)
	if err != nil {
		panic(err)
	}

	// run the scan and list where each transgression was found
	transgressions, err := scanner.Scan()
	if err != nil {
		panic(err)
	}
	for _, t := range transgressions {
		fmt.Printf("%s[%d]\n", t.Filename, t.LineNo)
	}
}

String Scanning

package main

import (
	"fmt"

	"github.com/owenrumney/squealer/pkg/squealer"
)

func main() {

	// create a new scanner (optionally load your own config in)
	scanner := squealer.NewStringScanner()
	testString := `password = "superSecretPassword"`

	// scan the string and if a transgression is found, report it.
	if result := scanner.Scan(testString); result.TransgressionFound {
		fmt.Printf("found an issue in [%s]. %s\n", testString, result.Description)
	}
}

Image by Derangedmisfit
