secox 0.2.0
The secret scanner that doesn't stop at "you have a problem."
What's in the box
Remediation-first resolve flow — when a commit is blocked, run secox resolve. For each finding: [r] shows the provider's revocation URL and steps, offers to swap the hardcoded value for an env var reference right in the file, then checks git history and hands you the exact git filter-repo command if the secret is baked into old commits. [a] marks it as a false positive and injects a # secox:allow pragma. [s] skips it.
Dangerous filename detection — .env*, id_rsa, id_ed25519, *.pem, *.p12, credentials.json, serviceAccountKey.json, terraform.tfvars and more are flagged the moment they hit the staging area, before content is even scanned.
Baseline for legacy repos — secox baseline snapshots all current findings so only new secrets block future commits. Commit .secox-baseline.json to share the suppression list with your team.
Lowest false positive rate — three layers: context-aware (skips os.getenv, placeholders, test fixtures), semantic (entropy + bigram humanness filter), and per-provider structural validation (GitHub CRC-32 checksum, AWS entropy guard, JWT header decode).
43 detection rules — AWS, GitHub, Stripe, OpenAI, Anthropic, Slack, GitLab, DigitalOcean, Docker Hub, Shopify, HuggingFace, Databricks, Azure, Twilio, Mailchimp, and more.
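The per-provider structural validation described above, as an added example that is not secox's own code: a Rust check that rejects GitHub-style token candidates whose trailing checksum does not match their secret part. It assumes the published classic-token layout (one of the ghp_/gho_/ghu_/ghs_/ghr_ prefixes, 30 base62 secret characters, then 6 base62 characters holding the CRC-32 of those 30); PREFIXES, synthetic_token and the other names are this example's, not secox's.

```rust
// Added example (not secox's own code): a checksum-style structural check of the
// kind a per-provider validation layer performs for GitHub tokens. Assumed layout:
// 4-char prefix + 30 base62 secret chars + 6 base62 chars of zlib-style CRC-32.

const ALPHABET: &[u8; 62] =
    b"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
const PREFIXES: [&str; 5] = ["ghp_", "gho_", "ghu_", "ghs_", "ghr_"];

/// Bitwise CRC-32 (reflected, polynomial 0xEDB88320), matching zlib's crc32().
pub fn crc32(data: &[u8]) -> u32 {
    let mut crc: u32 = 0xFFFF_FFFF;
    for &byte in data {
        crc ^= byte as u32;
        for _ in 0..8 {
            crc = if (crc & 1) == 1 { (crc >> 1) ^ 0xEDB8_8320 } else { crc >> 1 };
        }
    }
    !crc
}

/// Encode a u32 as exactly six base62 digits (62^6 > 2^32, so it always fits).
pub fn base62_checksum(value: u32) -> String {
    let mut n = value as u64;
    let mut out = [b'0'; 6];
    for slot in out.iter_mut().rev() {
        *slot = ALPHABET[(n % 62) as usize];
        n /= 62;
    }
    String::from_utf8(out.to_vec()).expect("alphabet is ASCII")
}

/// True only if the candidate has a known prefix, the right length and charset, and a
/// checksum matching its secret part; a regex hit failing this is almost certainly noise.
pub fn is_valid_github_token(candidate: &str) -> bool {
    let rest = match PREFIXES.iter().find_map(|p| candidate.strip_prefix(*p)) {
        Some(r) => r,
        None => return false,
    };
    if rest.len() != 36 || !rest.bytes().all(|b| ALPHABET.contains(&b)) {
        return false;
    }
    let (secret, check) = rest.split_at(30);
    base62_checksum(crc32(secret.as_bytes())) == check
}

/// Build a synthetic, non-functional token with a correct checksum for test fixtures.
pub fn synthetic_token(prefix: &str, secret: &str) -> String {
    format!("{}{}{}", prefix, secret, base62_checksum(crc32(secret.as_bytes())))
}
```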
Install
Download the binary for your platform below, make it executable, and put it on your $PATH. Then:
secox init # install the pre-commit hook

Or build from source:
cargo install secox

Verify checksums
sha256sum -c SHA256SUMS.txt