
package seekret

import ""

Package seekret provides a framework for building tools that inspect data for sensitive information such as passwords, tokens, private keys and certificates.


The current trend of automating everything and the DevOps culture are very beneficial for efficiency, but they also come with several problems, one of them being secret provisioning. Bootstrapping secrets into systems and applications can be complicated, and sometimes the straightforward way is to store them in insecure storage, such as a GitHub repository, or to embed them in an artifact or system image. That is how an AWS secret_key ends up in a GitHub repository.

Seekret is an extensible framework that helps in creating tools for detecting secrets in different sources. The secrets to detect are defined by a set of rules that can help detect passwords, tokens, private keys, certificates, etc.

Tools Using Seekret

Seekret is extensible and can cover various use cases. Below are some tools that use seekret:


  Git module that uses local hooks to help developers avoid leaking
  sensitive information in a commit.

Using It

The Seekret API is simple and easy to use. This section shows some code snippets covering the basic operations you can do with it.

The first thing to be done is to create a new Seekret context:

s := seekret.NewSeekret()

Then the rules must be loaded. They can be loaded from a path definition, a directory or a single file:




Optionally, exceptions (or false positives) can also be loaded from a file:


After that, the objects to be inspected for secrets must be loaded.

	opts := map[string]interface{}{
		// Loading options.
	}
	s.LoadObjects(sourceType, source, opts)

sourceType is a value that implements the interface shown below. We offer source types for Directories and Git Repositories, but you can extend it by creating your own.

type SourceType interface {
	LoadObjects(source string, opt LoadOptions) ([]models.Object, error)
}

Currently, there are the following different sources supported:

Directories (and files):

  Load all files contained in a directory (and its sub-directories).

Git Repositories:

  Load git objects from commits or staging area.

With all the rules, exceptions and objects loaded into the context, it's possible to start the inspection with the following code:


Nworkers is an integer that specifies the number of goroutines used for the inspection. The recommended value is runtime.NumCPU().

Finally, it is possible to obtain the list of secrets located and do something with them:

secretsList := s.ListSecrets()
for _, secret := range secretsList {
	// Do something with the secret.
	_ = secret
}
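
The steps above (rules, exceptions, objects, inspection with Nworkers goroutines, listing the findings) modelled in standard-library Go. This is an added example, not seekret's code, and it does not call the seekret API. The rule names, regular expressions, exception and sample objects are constructed for illustration.

```go
package main
import (
	"fmt"
	"regexp"
	"runtime"
	"strings"
	"sync"
)
// Constructed rules, exception and objects; none of this is seekret's code.
var rules = map[string]*regexp.Regexp{
	"aws.access_key":  regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`),
	"pem.private_key": regexp.MustCompile(`-----BEGIN [A-Z ]*PRIVATE KEY-----`),
}
var exception = regexp.MustCompile(`AKIAIOSFODNN7EXAMPLE`) // known false positive
var sample = map[string]string{
	"deploy.sh": "region=eu-west-1\nexport AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP",
	"README.md": "use a key such as AKIAIOSFODNN7EXAMPLE",
	"id_rsa":    "-----BEGIN RSA PRIVATE KEY-----",
}

// Inspect scans objects with nworkers goroutines; excepted lines are skipped.
func Inspect(objects map[string]string, nworkers int) map[string][]string {
	var mu sync.Mutex
	var wg sync.WaitGroup
	found, names := map[string][]string{}, make(chan string)
	for i := 0; i < nworkers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for n := range names {
				for _, line := range strings.Split(objects[n], "\n") {
					for rule, re := range rules {
						if !exception.MatchString(line) && re.MatchString(line) {
							mu.Lock()
							found[n] = append(found[n], rule)
							mu.Unlock()
						}
					}
				}
			}
		}()
	}
	for n := range objects {
		names <- n
	}
	close(names)
	wg.Wait()
	return found
}
func main() { fmt.Println(Inspect(sample, runtime.NumCPU())) }
```

The returned map is keyed by object name and holds the names of the rules that matched; the README entry is absent because its only hit is covered by the exception.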


Package Files

doc.go inspect.go seekret.go source.go

func DefaultRulesPath

func DefaultRulesPath() string

DefaultRulesPath returns the default PATH that contains rules.

type LoadOptions

type LoadOptions map[string]interface{}

type Seekret

type Seekret struct {
    // contains filtered or unexported fields
}

Seekret contains a seekret context and exposes the API to manipulate it.

func NewSeekret

func NewSeekret() *Seekret

NewSeekret returns a new seekret context.

func (*Seekret) AddException

func (s *Seekret) AddException(exception models.Exception)

AddException adds a new exception into the context.

func (*Seekret) AddRule

func (s *Seekret) AddRule(rule models.Rule, enabled bool)

AddRule adds a new rule into the context.

func (*Seekret) DisableRule

func (s *Seekret) DisableRule(name string) error

DisableRule disables a specific rule.

func (*Seekret) DisableRuleByRegexp

func (s *Seekret) DisableRuleByRegexp(name string) int

DisableRuleByRegexp disables rules that match a regular expression.

func (*Seekret) EnableRule

func (s *Seekret) EnableRule(name string) error

EnableRule enables a specific rule.

func (*Seekret) EnableRuleByRegexp

func (s *Seekret) EnableRuleByRegexp(name string) int

EnableRuleByRegexp enables rules that match a regular expression.

func (*Seekret) GroupObjectsByMetadata

func (s *Seekret) GroupObjectsByMetadata(k string) map[string][]models.Object

GroupObjectsByMetadata returns a map with all objects grouped by a specific metadata key.

func (*Seekret) GroupObjectsByPrimaryKeyHash

func (s *Seekret) GroupObjectsByPrimaryKeyHash() map[string][]models.Object

GroupObjectsByPrimaryKeyHash returns a map with all objects grouped by the primary key hash, which is calculated from all metadata keys with the primary attribute. All returned objects could have the same content, even if they are not the same.

func (*Seekret) Inspect

func (s *Seekret) Inspect(Nworkers int)

Inspect executes the inspection on all loaded objects, checking all loaded rules and exceptions.

func (*Seekret) ListRules

func (s *Seekret) ListRules() []models.Rule

ListRules returns an array with all loaded rules.

func (*Seekret) ListSecrets

func (s *Seekret) ListSecrets() []models.Secret

ListSecrets returns an array with all secrets found by the inspection.

func (*Seekret) LoadExceptionsFromFile

func (s *Seekret) LoadExceptionsFromFile(file string) error

LoadExceptionsFromFile loads exceptions from a YAML file.

func (*Seekret) LoadObjects

func (s *Seekret) LoadObjects(st SourceType, source string, opt LoadOptions) error

LoadObjects loads objects from a specific source. It can load objects from different source types, which are implemented following the SourceType interface.

func (*Seekret) LoadRulesFromDir

func (s *Seekret) LoadRulesFromDir(dir string, defaulEnabled bool) error

LoadRulesFromDir loads rules from all YAML files inside a directory.

func (*Seekret) LoadRulesFromFile

func (s *Seekret) LoadRulesFromFile(file string, defaulEnabled bool) error

LoadRulesFromFile loads rules from a YAML file.

func (*Seekret) LoadRulesFromPath

func (s *Seekret) LoadRulesFromPath(path string, defaulEnabled bool) error

LoadRulesFromPath loads rules from all YAML files inside different directories separated by ':'.

type SourceType

type SourceType interface {
    LoadObjects(source string, opt LoadOptions) ([]models.Object, error)
}



Package seekret imports 10 packages and is imported by 4 packages. Updated 2019-11-27.