selfphp/secrets-detector

Detect secrets like API keys, tokens or passwords in PHP projects (e.g. in .env, config, or PHP source). Ideal for CI/CD and pre-commit hooks.

Installs: 2

Dependents: 0

Suggesters: 0

Security: 0

Stars: 0

Watchers: 0

Forks: 0

Open Issues: 0

pkg:composer/selfphp/secrets-detector

1.0.0 2025-06-08 11:51 UTC

This package is auto-updated.

Last update: 2025-10-08 12:51:15 UTC


README

Detect hardcoded secrets like API keys, tokens or passwords in PHP projects – ideal for CI/CD pipelines, pre-commit hooks, or manual audits.

🚀 Features

  • 🔍 Scans .env, .ini, PHP source and config files for secrets
  • 📦 Composer integration (autoload & CLI)
  • 🧠 Framework-aware: supports Symfony (APP_SECRET), Laravel (JWT_SECRET), and others
  • ⚙️ Configurable scan paths via .secrets-detector.json
  • 📄 Output formats: JSON, Markdown
  • ✅ CI/CD-ready with exit codes for automated fail conditions

📦 Installation

As a dev dependency:

composer require --dev selfphp/secrets-detector

Or install globally:

composer global require selfphp/secrets-detector

🔧 Usage

php bin/secrets-detector secrets:scan

Options

| Option | Description |
|---|---|
| --json=report.json | Export results to JSON |
| --markdown=report.md | Export results to Markdown |
| --fail-on-detect | Exit with non-zero code on finding secrets |

Example

php bin/secrets-detector secrets:scan --json=report.json --markdown=report.md --fail-on-detect

🛠 Configuration

You can define custom include/exclude paths using a .secrets-detector.json file in your project root:

{
  "include": ["src", "config", ".env"],
  "exclude": ["vendor", "tests"]
}

🧪 Testing

Run all unit tests:

vendor/bin/phpunit --display-deprecations

✅ CI Integration

See ready-made CI examples in docs/ci:

  • github-actions.yml
  • gitlab-ci.yml
  • bitbucket-pipelines.yml

Each file shows how to run the CLI and fail builds if secrets are detected.

🧠 Patterns Detected

  • Stripe secrets: sk_live_, sk_test_
  • Bearer tokens: Authorization: Bearer ...
  • AWS credentials: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
  • Database logins: DB_PASSWORD, DB_USERNAME
  • JWT and app secrets: JWT_SECRET, APP_SECRET
  • Google API keys: AIza...
  • Private keys: -----BEGIN PRIVATE KEY-----

(See PatternRegistry for all patterns.)
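
To show what matching these pattern families involves, here is an added example (not the package's own code and not its PatternRegistry). The regexes, rule names, the `scanText()` helper and the sample lines are assumptions constructed for illustration. It skips empty values and `${VAR}` references, and redacts the matched value so a CI report never contains the secret itself.

```php
<?php
declare(strict_types=1);

// Illustrative rules for the pattern families listed above. The regexes are
// assumptions made for this example, not the package's PatternRegistry.
const ENV_KEYS = 'AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|DB_PASSWORD|DB_USERNAME|JWT_SECRET|APP_SECRET';
const RULES = [
    'stripe_key'  => '/\b(?<secret>sk_(?:live|test)_[0-9A-Za-z]{16,})/',
    'bearer'      => '/Authorization:\s*Bearer\s+(?<secret>[A-Za-z0-9._~+\/-]+=*)/i',
    // Skip empty values and ${VAR} references so .env templates stay quiet.
    'env_secret'  => '/^\s*(?:export\s+)?(?:' . ENV_KEYS . ')\s*=\s*["\']?(?!\$\{)(?<secret>[^\s"\'#]+)/',
    'google_key'  => '/\b(?<secret>AIza[0-9A-Za-z_-]{35})/',
    'private_key' => '/-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----/',
];

/** @return list<array{line:int, rule:string, preview:string}> */
function scanText(string $text): array
{
    $findings = [];
    foreach (preg_split('/\R/', $text) as $i => $line) {
        foreach (RULES as $rule => $regex) {
            if (preg_match($regex, $line, $m) !== 1) {
                continue;
            }
            // Redact the secret (or the whole match) before it reaches a report.
            $secret = $m['secret'] ?? $m[0];
            $findings[] = [
                'line'    => $i + 1,
                'rule'    => $rule,
                'preview' => str_replace($secret, '[REDACTED]', trim($line)),
            ];
        }
    }
    return $findings;
}

// Constructed sample lines (.env and PHP source mixed); no real credentials.
$sample = <<<'SAMPLE'
APP_ENV=prod
DB_PASSWORD=
JWT_SECRET=${JWT_SECRET_FROM_VAULT}
APP_SECRET="c0nstructed-example-value"
STRIPE_KEY=sk_test_EXAMPLEEXAMPLEEXAMPLE0000
$headers = ['Authorization: Bearer constructed.example.token'];
SAMPLE;

$findings = scanText($sample);
foreach ($findings as $f) {
    printf("line %d  %-11s %s\n", $f['line'], $f['rule'], $f['preview']);
}
exit($findings === [] ? 0 : 1); // non-zero exit fails the pipeline step
```

Lines 2 and 3 of the sample (an empty value and a variable reference) produce no finding; the other three secret-bearing lines do, and the script exits non-zero.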

📜 License

MIT

👤 Author

SELFPHP - Damir Enseleit
https://www.selfphp.de
@SELFPHP