[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-80530":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":8,"language":10,"languages":8,"totalLinesOfCode":8,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":15,"stars7d":15,"stars30d":15,"stars90d":15,"forks30d":15,"starsTrendScore":15,"compositeScore":16,"rankGlobal":8,"rankLanguage":8,"license":17,"archived":18,"fork":18,"defaultBranch":19,"hasWiki":20,"hasPages":20,"topics":21,"createdAt":8,"pushedAt":8,"updatedAt":22,"readmeContent":23,"aiSummary":24,"trendingCount":15,"starSnapshotCount":15,"syncStatus":14,"lastSyncTime":25,"discoverSource":26},80530,"leak-hunter","doggy8088\u002Fleak-hunter","doggy8088",null,"https:\u002F\u002Fdoggy8088.github.io\u002Fleak-hunter\u002F","Rust",61,11,62,2,0,40.24,"MIT License",false,"main",true,[],"2026-06-12 04:01:29","# leak-hunter\n\n\u003Cp align=\"center\">\n  \u003Cimg src=\"public\u002Fassets\u002Fleak-hunter-banner.png\" alt=\"leak-hunter repository secret scanner banner\" width=\"100%\">\n\u003C\u002Fp>\n\n**Languages:** [English](README.md) | [繁體中文](README.zh-tw.md) | [简体中文](README.zh-cn.md) | [日本語](README.ja.md) | [한국어](README.ko.md) | [Tiếng Việt](README.vi.md) | [ไทย](README.th.md) | [Français](README.fr.md) | [Deutsch](README.de.md)\n\n`leak-hunter` is a local-first defensive repository secret-scanning CLI. It ships as a single cross-platform binary that scans GitHub repository URLs, `owner\u002Frepo` shorthand, GitHub SSH targets, or local folders, then emits Text, JSON, or Markdown reports.\n\nThe Rust crate is the only core implementation. The npm package `leak-hunter` is a thin wrapper that installs and runs the native binary produced by cargo-dist in GitHub Releases.\n\n## Install\n\n```bash\ncargo install --path .\n```\n\nOr install the npm package:\n\n```bash\nnpm install -g leak-hunter\nleak-hunter --help\n```\n\n## Quick start\n\n```bash\nleak-hunter .\nleak-hunter --json --min-risk 50 .\nleak-hunter --format markdown --output leak-hunter-report.md owner\u002Frepo\n```\n\nSupported GitHub targets:\n\n```bash\nleak-hunter https:\u002F\u002Fgithub.com\u002Fdoggy8088\u002Fholidaybook\nleak-hunter github.com\u002Fdoggy8088\u002Fholidaybook\nleak-hunter doggy8088\u002Fholidaybook\nleak-hunter git@github.com:doggy8088\u002Fholidaybook.git\n```\n\n## CLI options\n\n| Option | Description |\n|---|---|\n| `--json` | Output machine-readable JSON; shortcut for JSON reports. |\n| `--format \u003Ctext\\|json\\|markdown>` | Choose the report format. |\n| `--output \u003Cpath>` | Write the report to a file and create parent directories when needed. |\n| `--min-risk \u003C0-100>` | Show only findings at or above the risk threshold. |\n| `--include \u003Cglob>` \u002F `--exclude \u003Cglob>` | Limit scan scope; can be repeated. |\n| `--no-default-exclude` | Disable built-in exclusion rules. |\n| `--max-file-size-mb \u003Cn>` | Set the per-file scan size limit. |\n| `--concurrency \u003Cn>` | Set how many files are scanned in parallel. |\n| `--no-redact` | Output raw secret values; use only for local manual review. |\n| `--keep-temp` | Keep temporary clones for GitHub targets. |\n| `--cache-dir \u003Cdir>` | Set the GitHub temporary clone directory; default is `.leak-hunter-cache`. |\n| `--branch \u003Cname>` | Scan a specific branch or tag. |\n| `--debug` | Print scan decisions, candidate scores, and min-risk filtering reasons to stderr. |\n| `-v, --version` | Print version information. |\n\n`--json` and an explicit `--format` are mutually exclusive so CI scripts do not produce ambiguous output.\n\n## Reports\n\nText reports are designed for direct terminal review:\n\n```bash\nleak-hunter . --format text\n```\n\nThe report starts with the Leak Hunter ASCII banner and includes the target, resolved scan root, scan time, scanned and skipped file counts, finding count, risk buckets, redaction status, and a finding table.\n\nJSON reports are better for CI artifacts, `jq` processing, and system integrations:\n\n```bash\nleak-hunter . --json --output leak-hunter-report.json\n```\n\nExample query for high-risk findings:\n\n```bash\nleak-hunter . --json \\\n  | jq '.findings[] | select(.riskScore >= 75) | {type, filePath, lineNumber, riskScore}'\n```\n\n## Scan strategy\n\n1. Resolve the local or GitHub target.\n2. Clone GitHub repositories into `.leak-hunter-cache` or the directory specified by `--cache-dir`.\n3. Walk files with gitignore-aware include \u002F exclude glob handling, including `.leakhunterignore` files that use `.gitignore` syntax.\n4. Skip binary files or files above the configured size limit.\n5. Apply the built-in pattern inventory and context-aware risk model.\n6. Reduce common noise from npm integrity hashes in package-lock files, Firebase public API key context, and docs\u002Fexample paths.\n7. Redact by default, then sort output by risk score, path, and position.\n8. Remove temporary GitHub clones unless `--keep-temp` is set.\n\n## Detection highlights\n\nThe current rebuilt rules cover:\n\n- OpenAI, Google API keys, GitHub\u002FGitLab tokens, Stripe, Slack tokens\u002Fwebhooks, Sentry, and Docker Hub PATs\n- npm, PyPI, DigitalOcean, HashiCorp Vault, Doppler, Shopify, Square, Airtable, Braintree, Mailchimp, Cloudflare, Snyk, Sonar, PayPal, Notion, Mailgun, Postmark, Netlify, and Microsoft Teams token formats\n- AWS access key \u002F secret key pairing\n- Azure Storage connection strings, AccountKeys, and SAS URIs\n- Popular framework app secrets such as Django, Flask, Rails, Laravel, NextAuth, Nuxt, Spring, and ASP.NET\n- Database connection strings and URIs, including SQL Server-style connection strings, PostgreSQL, MongoDB, and Redis\n- JWTs, PEM private keys, GCP service account JSON, and Google OAuth client secrets\n\n## npm package and checksums\n\n`npm\u002Fpostinstall.cjs` maps the current platform to a cargo-dist target, downloads the release archive and matching `.sha256` file, verifies the SHA-256 checksum, then extracts and installs the native binary. npm publishing uses Trusted Publishing \u002F OIDC instead of a long-lived `NPM_TOKEN`. Before publish, `prepublishOnly` runs npm tests, `npm pack --dry-run`, and verifies that every release archive and checksum exists.\n\n## Development\n\n```bash\ncargo fmt --all -- --check\ncargo test\ncargo build --release\nnpm test\nnpm pack --dry-run\n```\n\nSelf-scan:\n\n```bash\ncargo run --quiet -- --json --min-risk 40 . \\\n  | jq '{findings: .summary.findings, filesEnumerated: .summary.filesEnumerated}'\n```\n\n## Safety\n\nRedaction is enabled by default. Do not publish unredacted reports. Test fixtures must use synthetic values assembled from string fragments so GitHub push protection is not triggered.\n","leak-hunter is a command-line tool for scanning GitHub repositories and local folders for leaked sensitive information. It is written in Rust, runs cross-platform, and can scan GitHub repository URLs, `owner\u002Frepo` shorthand, GitHub SSH addresses, or local directories, producing reports in text, JSON, or Markdown format. The tool offers a range of CLI options, such as risk threshold settings, scan scope limits, and output format selection, so users can tailor the scan to their needs. It suits developers running security checks before committing code, or organizations performing periodic security audits of public code repositories to prevent leaks of sensitive information.","2026-06-11 04:01:06","CREATED_QUERY"]