← Back ◬ AI & Machine Learning Apr 05, 2026

scan-for-secrets 0.1

Simon Willison Archived Apr 05, 2026 ✓ Full text saved

Release: scan-for-secrets 0.1 I like publishing transcripts of local Claude Code sessions using my claude-code-transcripts tool but I'm often paranoid that one of my API keys or similar secrets might inadvertently be revealed in the detailed log files. I built this new Python scanning tool to help reassure me. You can feed it secrets and have it scan for them in a specified directory: uvx scan-for-secrets $OPENAI_API_KEY -d logs-to-publish/ If you leave off the -d it defaults to the current dire

Full text archived locally

✦ AI Summary · Claude Sonnet

Simon Willison’s Weblog Subscribe Sponsored by: WorkOS — Production-ready APIs for auth and access control, so you can ship faster. RELEASE scan-for-secrets 0.1 — Scan for secrets in files you plan to share I like publishing transcripts of local Claude Code sessions using my claude-code-transcripts tool but I'm often paranoid that one of my API keys or similar secrets might inadvertently be revealed in the detailed log files. I built this new Python scanning tool to help reassure me. You can feed it secrets and have it scan for them in a specified directory: uvx scan-for-secrets $OPENAI_API_KEY -d logs-to-publish/ If you leave off the -d it defaults to the current directory. It doesn't just scan for the literal secrets - it also scans for common encodings of those secrets e.g. backslash or JSON escaping, as described in the README. If you have a set of secrets you always want to protect you can list commands to echo them in a ~/.scan-for-secrets.conf.sh file. Mine looks like this: llm keys get openai llm keys get anthropic llm keys get gemini llm keys get mistral awk -F= '/aws_secret_access_key/{print $2}' ~/.aws/credentials | xargs I built this tool using README-driven-development: I carefully constructed the README describing exactly how the tool should work, then dumped it into Claude Code and told it to build the actual tool (using red/green TDD, naturally.) Posted 5th April 2026 at 3:27 am Recent articles The Axios supply chain attack used individually targeted social engineering - 3rd April 2026 Highlights from my conversation about agentic engineering on Lenny's Podcast - 2nd April 2026 Mr. Chatterbox is a (weak) Victorian-era ethically trained model you can run on your own computer - 30th March 2026 This is a beat by Simon Willison, posted on 5th April 2026. projects 523 security 594 ai-assisted-programming 371 coding-agents 190 claude-code 103 agentic-engineering 39 Monthly briefing Sponsor me for $10/month and get a curated email digest of the month's most important LLM developments. Pay me to send you less! Sponsor & subscribe Disclosures Colophon © 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024 2025 2026

💬 Team Notes