Find Secrets Before Attackers Do
Scan for exposed credentials, audit code risk, and integrate security checks into your CI/CD pipeline.
Secret Detection
26+ built-in patterns detect API keys, tokens, passwords, and credentials. Scan working directory, staged files, or git history.
Scanning Modes

Scan all files in the working directory:
    ckb scan-secrets

Scan only staged files before commit:
    ckb scan-secrets --staged

Scan git history for previously committed secrets:
    ckb scan-secrets --history

    $ ckb scan-secrets
    Scanning for secrets...

    Found 3 potential secrets:

    Critical: AWS Access Key
      File: config/aws.go:23
      Match: AKIAIOSFODNN7EXAMPLE

    Critical: GitHub Token
      File: scripts/deploy.sh:8
      Match: ghp_xxxxxxxxxxxxxxxxxxxx

    High: Database Connection String
      File: .env.example:12
      Match: postgres://user:pass@...

    Scan complete: 3 findings
      Critical: 2
      High: 1

    Use --allowlist to suppress false positives
26+ Detection Patterns
Pre-configured patterns for common credential types. Add custom patterns or use external tools like gitleaks and trufflehog.
    AKIA[0-9A-Z]{16}
    ghp_[a-zA-Z0-9]{36}
    sk_live_[a-zA-Z0-9]+
    xox[baprs]-[a-zA-Z0-9-]+
    -----BEGIN RSA PRIVATE KEY-----
    postgres://.*:.*@
    jwt[_-]?secret
    oauth[_-]?token

External Tool Integration
Augment CKB's built-in scanning with specialized tools for deeper analysis.
gitleaks
Git history scanning with pre-commit hooks
    ckb scan-secrets --tool=gitleaks

trufflehog
Entropy-based secret detection
    ckb scan-secrets --tool=trufflehog

Custom Patterns
Add your own detection patterns
    .ckb/secrets.toml

8-Factor Risk Audit
Go beyond secret scanning with comprehensive risk analysis. The auditRisk tool evaluates files across 8 weighted factors.
Complexity
Cyclomatic and cognitive complexity scores
Coverage
Test coverage percentage for the file
Bus Factor
Single-point-of-failure files (one author)
Security Patterns
Presence of auth, crypto, or sensitive code
Staleness
Files unchanged for months (knowledge decay)
Error Patterns
Error handling and panic patterns
Coupling
Co-change frequency with other files
Churn
Volatility and change frequency
    $ ckb audit internal/api/
    Risk Audit: internal/api/
    Overall Risk Score: 72/100 (High)

    File Breakdown:
    handler.go      85  High
      - Complexity: 23 (high)
      - Coverage: 45% (low)
      - Security patterns: auth, crypto
      - Churn: 47 commits in 90 days
    middleware.go   68  Medium
      - Bus factor: 1 author
      - Staleness: 6 months
    routes.go       42  Low
      - Well tested (89% coverage)
      - Low complexity

    Recommendations:
    1. Add tests for handler.go
    2. Review middleware.go ownership
    3. Consider splitting handler.go

CI/CD Integration
Output formats for GitHub Security tab, GitLab SAST, and custom pipelines.
    # SARIF for GitHub/GitLab
    ckb scan-secrets --format=sarif > results.sarif

    # GitHub Actions
    - name: Upload SARIF
      uses: github/codeql-action/upload-sarif@v2
      with:
        sarif_file: results.sarif

    # Fail on severity
    # Fail build on critical/high findings
    ckb scan-secrets --fail-on=high

    # Exit codes:
    # 0 = No findings above threshold
    # 1 = Findings exceeded threshold
    # 2 = Scan error
False Positive Management
Suppress false positives with allowlists. Add patterns, file paths, or specific matches to ignore.
    # .ckbsecrets (allowlist)

    # Ignore test fixtures
    path:testdata/**
    path:**/*_test.go

    # Ignore example patterns in docs
    pattern:EXAMPLE_API_KEY
    pattern:your-api-key-here

    # Ignore specific line (hash-based)
    hash:a1b2c3d4e5f6...
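As an added illustration (not CKB's own code), a small Python scanner that applies regexes from the detection pattern list above and honours a .ckbsecrets-style allowlist with path: globs and pattern: entries, so the effect of each suppression rule can be seen on sample input. The finding names and severities, the substring semantics of pattern:, and the sample files are assumptions made for this example.

```python
import fnmatch
import re

# Regexes are built-in patterns listed on this page; names/severities are assumed here.
PATTERNS = {
    "AWS Access Key": (r"AKIA[0-9A-Z]{16}", "Critical"),
    "Stripe Live Key": (r"sk_live_[a-zA-Z0-9]+", "Critical"),
    "Slack Token": (r"xox[baprs]-[a-zA-Z0-9-]+", "Critical"),
    "Database Connection String": (r"postgres://.*:.*@", "High"),
}

def parse_allowlist(text):
    """Parse .ckbsecrets-style rules: 'path:<glob>' and 'pattern:<substring>'."""
    rules = {"path": [], "pattern": []}
    for raw in text.splitlines():
        kind, _, value = raw.split("#", 1)[0].strip().partition(":")  # drop comments
        if kind in rules and value:
            rules[kind].append(value.strip())
    return rules

def path_allowed(path, globs):
    # fnmatch '*' crosses '/', so 'testdata/**' covers nested files; a leading '**/'
    # is retried without the prefix so that top-level files match as well.
    return any(fnmatch.fnmatch(path, g) or
               (g.startswith("**/") and fnmatch.fnmatch(path, g[3:])) for g in globs)

def scan(files, allowlist=""):
    """files maps path -> content; returns (severity, name, location, match) tuples."""
    rules = parse_allowlist(allowlist)
    findings = []
    for path, content in files.items():
        if path_allowed(path, rules["path"]):
            continue
        for lineno, line in enumerate(content.splitlines(), 1):
            if any(p in line for p in rules["pattern"]):  # assumed: substring on the line
                continue
            for name, (rx, sev) in PATTERNS.items():
                m = re.search(rx, line)
                if m:
                    findings.append((sev, name, f"{path}:{lineno}", m.group(0)))
    return findings

# Constructed sample repository and allowlist (placeholder values, not real secrets).
SAMPLE_FILES = {
    "config/aws.go": 'key := "AKIAIOSFODNN7EXAMPLE"\n',
    "testdata/fixture.go": 'key := "AKIAIOSFODNN7EXAMPLE"\n',
    "handler_test.go": 'tok := "xoxb-0000-0000-test"\n',
    "docs/setup.md": "EXAMPLE_API_KEY=sk_live_abc123\ndb: postgres://user:pass@db/app\n",
}
SAMPLE_ALLOWLIST = "path:testdata/**\npath:**/*_test.go\npattern:EXAMPLE_API_KEY\n"
```

Running scan(SAMPLE_FILES, SAMPLE_ALLOWLIST) leaves two findings (the AWS key in config/aws.go and the connection string in docs/setup.md); without the allowlist the same input yields five.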
Secure your codebase
Start scanning in under a minute. Free for personal use.