API keys don't belong in the Repository
nosecrets detects API keys, tokens and passwords in pre-commit – offline, no API calls, no overhead.
Pre-commit · Offline · Entropy Detection · 100+ Rules · Git Integration · Configurable · Rust · Open Source
Installation
macOS & Linux
curl
One command, no Node.js required. Installs the binary directly into /usr/local/bin.
curl -fsSL https://raw.githubusercontent.com/casoon/nosecrets/main/install.sh | sh
npm
@casoon/nosecrets
Global installation via npm. Ships pre-compiled binaries for macOS, Linux and Windows.
npm install -g @casoon/nosecrets
Rust / Cargo
nosecrets-cli
Compile directly from crates.io – for all platforms that support Rust.
cargo install nosecrets-cli
Usage
# Scan staged files (pre-commit)
nosecrets scan --staged
# Scan a directory
nosecrets scan src/
# Interactive: add ignores
nosecrets scan --staged --interactive
# Ignore a single finding
nosecrets ignore nsi_abcdef123456
Exit 0 — no critical findings
Exit 1 — critical/high/medium findings
Features
Signature-Based Detection
Over 100 rules for AWS, GitHub, Stripe, PostgreSQL, Twilio and many more services.
Entropy Detection
Detects unknown secrets and proprietary tokens via Shannon entropy analysis – even without a known signature.
Fully Offline
No API calls, no data transmission. Everything runs locally on your machine.
Pre-commit Focused
Built for use as a Git hook. Fast, no history scan, no overhead.
Low False Positives
UUID, hex, placeholder and CSS guards reduce false alarms effectively.
Flexible Configuration
.nosecrets.toml, inline ignores, fingerprint ignores and global allowlists.
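How entropy detection and the false-positive guards listed above fit together, as an added sketch that is not nosecrets' own code: a token is flagged only when it is long enough, passes the UUID, hex and placeholder guards, and scores high on Shannon entropy. The thresholds, the placeholder word list and all function names are assumptions chosen for illustration, and the CSS guard is left out.

```rust
// Added illustration, not nosecrets source; thresholds and word lists are assumptions.
use std::collections::HashMap;
const MIN_LEN: usize = 20; // assumed minimum candidate length
const MIN_ENTROPY: f64 = 3.5; // assumed threshold, in bits per character

/// Shannon entropy of `s` in bits per character.
fn shannon_entropy(s: &str) -> f64 {
    let mut counts: HashMap<char, usize> = HashMap::new();
    for c in s.chars() {
        *counts.entry(c).or_insert(0) += 1;
    }
    let n = s.chars().count() as f64;
    counts.values().map(|&k| { let p = k as f64 / n; -p * p.log2() }).sum()
}

/// UUID guard: 8-4-4-4-12 hex layout.
fn is_uuid(s: &str) -> bool {
    let b = s.as_bytes();
    b.len() == 36 && b.iter().enumerate().all(|(i, &c)| match i {
        8 | 13 | 18 | 23 => c == b'-',
        _ => c.is_ascii_hexdigit(),
    })
}

/// Hex guard: digests and commit ids score close to 4 bits/char without being secrets.
fn is_hex(s: &str) -> bool { s.chars().all(|c| c.is_ascii_hexdigit()) }

/// Placeholder guard: documentation-style dummy values (word list is an assumption).
fn is_placeholder(s: &str) -> bool {
    let l = s.to_ascii_lowercase();
    ["example", "changeme", "placeholder", "xxxx"].iter().any(|p| l.contains(p))
}

/// Length check and guards run first; entropy decides what is left.
fn looks_like_secret(t: &str) -> bool {
    t.len() >= MIN_LEN && !is_uuid(t) && !is_hex(t) && !is_placeholder(t)
        && shannon_entropy(t) >= MIN_ENTROPY
}

/// Split a line into candidate tokens and return the ones that get flagged.
fn scan_line(line: &str) -> Vec<&str> {
    line.split(|c: char| !(c.is_ascii_alphanumeric() || "+/_-".contains(c)))
        .filter(|t| looks_like_secret(t))
        .collect()
}

fn main() {
    println!("{:?}", scan_line(r#"api_token = "q7Zp2LmX9vKc4TnR8wYb3HsD6fJg""#)); // constructed sample
}
```

Without the hex guard, a 40-character digest would clear the assumed 3.5-bit threshold, which is why the guards run before the entropy score is consulted.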
Perfect for
Solo Developers
Open Source Projects
Teams & Agencies
CI/CD Pipelines
Security Reviews