ghost-scan-secrets
AI-powered secrets and credentials scanner. Detects hardcoded API keys, passwords, and sensitive data in your codebase with contextual analysis to reduce false positives.
Introduction
The Ghost Security Secrets Scanner is a specialized orchestration agent designed to perform deep security auditing of codebases for leaked sensitive information. It is intended for software engineers, security researchers, and DevSecOps professionals who need to identify hardcoded credentials before they are committed to version control or exploited in production environments. By leveraging the Poltergeist binary, the agent executes pattern-based scanning followed by intelligent AI-driven candidate verification, which distinguishes between genuine security risks and non-sensitive artifacts like example code or mock credentials.
- Automatically discovers and manages scan outputs in a dedicated repository directory structure.
- Employs the Poltergeist scanner to identify high-entropy strings and known secret patterns like API keys, tokens, and private keys.
- Filters scan results using intelligent analysis to ensure context-aware findings, reducing developer fatigue caused by noise.
- Generates comprehensive findings that include severity ratings, file locations, and tailored remediation guidance.
- Integrates seamlessly into the Claude Code workflow to allow for quick security posture checks during local development or CI/CD pipelines.
- The scanner operates on the current working directory but supports path overrides for scanning specific subdirectories or modules.
- Prerequisite: Requires the Poltergeist binary, which the agent attempts to install automatically via GitHub releases or local fallbacks.
- Typical input involves a target path, and the output is a detailed set of findings stored in a scan directory (findings/ subdirectory).
- Users should ideally run this scan as part of a routine security audit, especially after major refactors or before deploying code to public repositories.
- Constraints include internet connectivity for binary installation, though local fallback locations are supported for air-gapped environments. Ensure your repository context is built via ghost-repo-context for better analysis results.
Repository Stats
- Stars: 398
- Forks: 27
- Open Issues: 1
- Language: Shell
- Default Branch: main
- Last Synced: May 1, 2026, 09:49 AM