noseyparker

Scan a local directory for secrets

$ noseyparker scan --datastore [db.np] [path/to/directory]

$ noseyparker scan --datastore [db.np] --git-url [https://github.com/user/repo]

$ noseyparker report --datastore [db.np]

$ noseyparker report --datastore [db.np] --format json

$ noseyparker scan --datastore [db.np] --rules [path/to/rules.yml] [path/to/directory]

$ noseyparker rules list

$ noseyparker summarize --datastore [db.np]

noseyparker command [options]

Nosey Parker is a command-line tool for detecting secrets and sensitive information in textual data and Git repositories. It scans source code, configuration files, and commit history to find accidentally committed credentials, API keys, private keys, and other sensitive data.
The tool uses a datastore model where scan results are persisted to a local database, allowing incremental scanning and deduplication of findings. Multiple scans can feed into the same datastore, and reports can be generated at any time from the accumulated data.
Nosey Parker includes over 150 built-in detection rules covering common secret patterns like AWS keys, GitHub tokens, private SSH keys, database connection strings, and more. Custom rules can be defined in YAML format for organization-specific patterns.
The scanner is written in Rust for high performance and can process large codebases quickly. It performs content-aware scanning that understands Git history, examining all commits and branches rather than just the current state.

scan

Scan inputs for secrets and store findings in a datastore.

Report findings from a datastore.

Summarize datastore contents without detailed findings.

Manage and inspect detection rules.

Interact with GitHub for scanning repositories.

Path to the datastore (required for scan/report/summarize).

Clone and scan a Git repository from URL.

Output format for report (human, json, jsonl, sarif).

Path to custom rules file (YAML format).

Skip files larger than specified size.

Number of parallel scanning jobs.

Glob patterns for paths to ignore.

Include blob metadata in findings.

Display help information.

Display version information.

Scan results may include false positives that require manual review. The datastore must be specified for most operations and grows with accumulated findings. Scanning large repositories with full Git history can be memory-intensive. Some detection rules may not catch obfuscated or encoded secrets.

Nosey Parker was created by Praetorian and released as open source in 2023. It was designed as a modern alternative to tools like truffleHog and git-secrets, emphasizing performance and accuracy. The Rust implementation provides significant speed improvements over Python-based alternatives. Development continues actively with regular rule updates and feature additions.

git-secrets(1), trufflehog(1), gitleaks(1), detect-secrets(1)