`gha credential-scan`

Overview

Walks all git repositories under a root directory and detects credentials in .env files, docker-compose configs, certificate files, and hardcoded secrets in source. Outputs CSV or JSON enriched with repo-inventory metadata. Use --no-values for safe sharing.

Usage

python -m src.cli credential-scan [OPTIONS]

Options

Option	Description	Default
`--path DIR`	Root directory to scan	`~/workspace`
`--format {csv,json}`	Output format	`csv`
`--output PATH`	Output file path	`output/credential-scan.csv`
`--enrich/--no-enrich`	Enrich with inventory metadata	Enabled
`--no-values`	Omit credential values for safe sharing	--
`-c, --config PATH`	Path to repo-inventory.yaml for enrichment	Auto-detected
`--update-inventory`	Update repo-inventory.yaml with summaries	--

Scan Targets

.env, .env.* files -- KEY=VALUE pairs
docker-compose*.yml -- environment variables with secret-like names
*.key, *.pem, *.cert -- certificate and key files
Source files -- hardcoded password/token/secret patterns

Prerequisites

Repo: github-automator
Install: pip install -r requirements.txt from repo root

Examples

Scan all repos under workspace

python -m src.cli credential-scan

Scan a specific directory without values

python -m src.cli credential-scan --path ~/workspace/Work/software --no-values

Export as JSON and update inventory

python -m src.cli credential-scan --format json --update-inventory

Overview​

Usage​

Options​

Scan Targets​

Prerequisites​

Examples​

Scan all repos under workspace​

Scan a specific directory without values​

Export as JSON and update inventory​