
Secr CLI
A command-line tool for scanning Git repositories to detect and flag secrets.
Overview
secr-cli started as a small utility I built to scratch a very real itch: catching secrets before they accidentally leave my machine. It evolved into a lightweight, fast command-line tool written in Go that scans Git repositories for sensitive data like API keys, tokens, and private keys. The focus was simplicity and speed, without sacrificing practical features developers actually need during day-to-day work.
Problem
At some point, I pushed a commit that had something it absolutely shouldn’t have. Nothing catastrophic, but enough to realise how easy it is to leak credentials when moving fast. Most existing tools either felt too heavy, too slow, or too detached from the Git workflow. I wanted something that runs quickly, integrates directly into commits, and doesn’t require a full security pipeline just to be useful.
Solution
The result was secr-cli, a minimal CLI tool that scans repositories using concurrent workers, making it fast enough to run frequently without becoming annoying.
I designed it around a few principles:
- Speed first: Using goroutines and a worker pool made scanning large repos feel instant.
- Stay out of the way: It respects `.gitignore` automatically, so it doesn’t waste time scanning irrelevant files.
- Actionable output: Severity levels (HIGH / MEDIUM / LOW) help prioritise what actually matters.
- Developer workflow integration:
  - Pre-commit hooks to catch issues before they land
  - Git passthrough so commands like commit and push can be guarded without changing habits
- Automation-ready: JSON output makes it easy to plug into CI/CD pipelines.
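To make those principles concrete, here is an added example of the shape such a scanner takes; it is not secr-cli's own code. It shows a rule table with severities, a fixed pool of goroutine workers fed over a channel, per-worker result slices handed back over a second channel (so nothing is appended to from two goroutines), deterministic ordering, JSON output, and a severity threshold that a pre-commit hook or CI step can turn into a non-zero exit. The rule names and regexes are illustrative, the sample files are constructed, and the AWS value is the public example key from AWS documentation; all function names are assumptions.

```go
package main

import (
	"encoding/json"
	"os"
	"regexp"
	"sort"
	"strings"
	"sync"
)

// Rule is one detection pattern. New rules are appended to DefaultRules; the
// scan loop never changes. These rules are illustrative, not secr-cli's set.
type Rule struct {
	Name     string
	Severity string // "HIGH", "MEDIUM" or "LOW", matching the output levels above
	Pattern  *regexp.Regexp
}

var DefaultRules = []Rule{
	{"aws-access-key-id", "HIGH", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"private-key-block", "HIGH", regexp.MustCompile(`-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----`)},
	{"github-token", "HIGH", regexp.MustCompile(`\bghp_[A-Za-z0-9]{36}\b`)},
	{"generic-api-key", "MEDIUM", regexp.MustCompile(`(?i)\b(?:api[_-]?key|secret)\s*[:=]\s*["'][A-Za-z0-9_\-]{16,}["']`)},
	{"url-with-credentials", "LOW", regexp.MustCompile(`\b[a-z]+://[^\s:/@]+:[^\s@]+@`)},
}

// Finding is one match; the struct tags define the JSON output shape.
type Finding struct {
	File     string `json:"file"`
	Line     int    `json:"line"`
	Rule     string `json:"rule"`
	Severity string `json:"severity"`
}

// SampleFiles stands in for a checked-out repo. Contents are constructed; the
// AWS value is the public example key from AWS docs, the rest are made up.
var SampleFiles = map[string]string{
	"README.md":         "# App\nNothing sensitive here.\n",
	"config/app.env":    "DB_HOST=localhost\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
	"scripts/deploy.sh": "#!/bin/sh\nexport GH=ghp_0123456789abcdef0123456789abcdef0123\npg_dump postgres://admin:hunter2@db.internal/app\n",
	"keys/id_rsa":       "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n-----END OPENSSH PRIVATE KEY-----\n",
	"settings.py":       "api_key = \"abcdefghijklmnopqrstuvwxyz\"\n",
}

// scanContent applies every rule to every line of one file.
func scanContent(path, content string, rules []Rule) []Finding {
	var out []Finding
	for i, line := range strings.Split(content, "\n") {
		for _, r := range rules {
			if r.Pattern.MatchString(line) {
				out = append(out, Finding{path, i + 1, r.Name, r.Severity})
			}
		}
	}
	return out
}

// ScanFiles fans files out to a fixed pool of goroutines (workers must be >= 1).
// Each worker builds its own slice and hands it back over a channel, so no slice
// is appended to from two goroutines; the caller alone writes the merged result.
func ScanFiles(files map[string]string, rules []Rule, workers int) []Finding {
	type job struct{ path, content string }
	jobs := make(chan job)
	results := make(chan []Finding, len(files)) // buffered: one slice per file, so workers never block
	var wg sync.WaitGroup
	wg.Add(workers)
	for w := 0; w < workers; w++ {
		go func() {
			defer wg.Done()
			for j := range jobs {
				results <- scanContent(j.path, j.content, rules)
			}
		}()
	}
	for p, c := range files {
		jobs <- job{p, c}
	}
	close(jobs)
	wg.Wait()
	close(results)
	var all []Finding
	for fs := range results {
		all = append(all, fs...)
	}
	// Completion order depends on scheduling; sort so output is stable run to run.
	sort.Slice(all, func(a, b int) bool {
		return all[a].File < all[b].File || (all[a].File == all[b].File && all[a].Line < all[b].Line)
	})
	return all
}

// AtOrAbove reports whether any finding meets the threshold. A pre-commit hook
// or CI step turns true into a non-zero exit, which is what blocks the commit.
func AtOrAbove(fs []Finding, min string) bool {
	rank := map[string]int{"LOW": 1, "MEDIUM": 2, "HIGH": 3}
	for _, f := range fs {
		if rank[f.Severity] >= rank[min] {
			return true
		}
	}
	return false
}

func main() {
	findings := ScanFiles(SampleFiles, DefaultRules, 4)
	json.NewEncoder(os.Stdout).Encode(findings)
	if AtOrAbove(findings, "MEDIUM") {
		os.Exit(1)
	}
}
```

Run as is and it prints five findings as a JSON array and exits 1, which is the behaviour a `pre-commit` hook wants. The buffered results channel sized to the number of files is what keeps the pool simple: workers never block on sends, so the caller can close `jobs`, wait, close `results` and drain without a separate collector goroutine.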
One of the more interesting parts was balancing flexibility with simplicity. I avoided over-engineering configuration early on, focusing instead on solid default detection rules across common categories like cloud credentials and authentication tokens.
Developer Notes
Building this was less about complex algorithms and more about careful iteration.
- Build process: Straightforward Go project. I kept the build simple with a Makefile so installing from source feels natural. Cross-compiling binaries was useful when testing across environments.
- Testing: Most testing happened on real repositories rather than synthetic cases. I intentionally planted fake secrets across different file types to see how the scanner behaved. Performance tuning mostly came from observing bottlenecks in larger repos.
- Unexpected challenges:
  - Getting `.gitignore` handling right without overcomplicating file traversal
  - Making concurrency safe without introducing race conditions
  - Ensuring the tool remains fast even when adding more detection rules
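As an added example of the traversal point in the challenges above (not secr-cli's own code): a deliberately small subset of `.gitignore` semantics applied during the walk, so ignored directories are pruned rather than listed and filtered afterwards. The function names, the supported pattern subset and the sample tree in the usage are assumptions for illustration; negation (`!`), `**` and nested `.gitignore` files are left out here and would be needed in a real implementation.

```go
package main

import (
	"io/fs"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// IgnoreSet holds a small subset of .gitignore semantics (example code):
//   - '#' comments and blank lines are skipped
//   - "name" or "*.ext" is matched against the basename anywhere in the tree
//   - "dir/" is matched against directory basenames only
//   - "/path" or "a/b" is matched against the path relative to the repo root
// Negation ('!') and '**' are not supported.
type IgnoreSet struct {
	names, dirs, anchored []string
}

// ParseIgnore reads .gitignore text into an IgnoreSet.
func ParseIgnore(text string) IgnoreSet {
	var s IgnoreSet
	for _, raw := range strings.Split(text, "\n") {
		p := strings.TrimSpace(raw)
		if p == "" || strings.HasPrefix(p, "#") {
			continue
		}
		switch {
		case strings.HasSuffix(p, "/") && !strings.Contains(strings.TrimSuffix(p, "/"), "/"):
			s.dirs = append(s.dirs, strings.TrimSuffix(p, "/"))
		case strings.Contains(p, "/"):
			s.anchored = append(s.anchored, strings.Trim(p, "/"))
		default:
			s.names = append(s.names, p)
		}
	}
	return s
}

// Match reports whether the slash-separated path rel (relative to the root)
// should be skipped. isDir lets "dir/" rules apply to directories only.
func (s IgnoreSet) Match(rel string, isDir bool) bool {
	base := path.Base(rel)
	for _, p := range s.names {
		if ok, _ := path.Match(p, base); ok {
			return true
		}
	}
	for _, p := range s.anchored {
		if ok, _ := path.Match(p, rel); ok { // '*' does not cross '/' in path.Match
			return true
		}
	}
	if isDir {
		for _, d := range s.dirs {
			if ok, _ := path.Match(d, base); ok {
				return true
			}
		}
	}
	return false
}

// CollectFiles walks root, applying root/.gitignore if present and always
// skipping the .git directory. Ignored directories are pruned with fs.SkipDir,
// so their contents are never listed at all, which is where the time saving is.
func CollectFiles(root string) ([]string, error) {
	var ign IgnoreSet
	if b, err := os.ReadFile(filepath.Join(root, ".gitignore")); err == nil {
		ign = ParseIgnore(string(b))
	}
	var files []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, p)
		rel = filepath.ToSlash(rel)
		if rel == "." {
			return nil
		}
		if d.IsDir() && d.Name() == ".git" {
			return fs.SkipDir
		}
		if ign.Match(rel, d.IsDir()) {
			if d.IsDir() {
				return fs.SkipDir
			}
			return nil
		}
		if !d.IsDir() {
			files = append(files, rel)
		}
		return nil
	})
	return files, err
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	files, err := CollectFiles(root)
	if err != nil {
		os.Exit(1)
	}
	for _, f := range files {
		os.Stdout.WriteString(f + "\n")
	}
}
```

Run it with a repository path as the only argument and it lists the files a scanner would actually open. Keeping the matcher this small is the trade-off the challenge above describes: most of the win comes from pruning whole directories such as `vendor/` or a build output folder, which `fs.SkipDir` does before any of their entries are read.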
- Extensibility: The project is structured so new detection rules can be added without touching core scanning logic. Future improvements I considered while building:
  - Custom rule configuration
  - SARIF output for deeper integration with security tools
  - Better CLI ergonomics without bloating the interface
Overall, secr-cli reflects a bias toward practical tooling. It solves a specific problem, integrates cleanly into existing workflows, and stays fast enough that you don’t think twice about using it.