Secret & Key Guardian for local-first secure development workflows.
Sentilook is an offline-first CLI scanner for local source and configuration directories. It detects likely secret exposure patterns and produces share-safe HTML, SARIF, and JSONL outputs.
Project owner and maintainer: Viktor Halupka (@goAuD).
Highlights:

- local-first runtime behavior
- masked previews only
- HTML and SARIF reporting
- JSONL audit logging
- Windows, Debian Bookworm, and Fedora workflows
- container-friendly bind-mount testing
From the repository root (Windows, PowerShell):

```powershell
go -C .\app test ./...
.\sentilook.ps1 version
.\sentilook.ps1 scan .\demo\demo-secrets --config .\app\configs\default.yaml
```

From the repository root (Debian Bookworm or Fedora):

```bash
go -C ./app test ./...
./sentilook.sh version
./sentilook.sh scan ./demo/demo-secrets --config ./app/configs/default.yaml
```

The wrapper scripts keep repo-root paths working even though the Go module lives under app/.
Container smoke example:

```bash
docker run --rm -v "$PWD:/workspace" -w /workspace/app golang:1.24-bookworm \
  bash -c 'go test ./... && go run ./cmd/sentilook scan ../demo/demo-secrets --config ./configs/strict.yaml --out ./reports || [ "$?" -eq 1 ]'
```

Sentilook is built around one hard rule:
- raw secret values are never printed to console, report, or audit log
- previews are always masked
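To make the hard rule concrete, here is an added example (not Sentilook's own code) of a scanner core that enforces it by construction: the finding record has no field for the raw matched value, only a masked preview, so nothing written to the JSONL audit log can contain the secret. The rule patterns, the `Finding` field names, the "keep two characters at each end" masking policy, and the sample input are all constructed for this example and do not reproduce the project's `default.yaml` or its schema. The exit-code helper assumes the convention the container smoke example's `|| [ "$?" -eq 1 ]` appears to rely on, namely that status 1 means the scan completed with findings.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"regexp"
	"strings"
)

// Finding is one detection record. It has no field for the raw matched
// value, so a raw secret cannot reach the JSONL audit log by construction.
// (Field names are assumptions for this example, not Sentilook's schema.)
type Finding struct {
	Rule    string `json:"rule"`
	File    string `json:"file"`
	Line    int    `json:"line"`
	Preview string `json:"preview"`
}

type rule struct {
	name string
	re   *regexp.Regexp
}

// rules is a small constructed rule set; it does not reproduce the patterns
// in the project's default.yaml. A capture group, where present, isolates the
// secret value; otherwise the whole match is treated as the value.
var rules = []rule{
	{"aws-access-key-id", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"generic-password", regexp.MustCompile(`(?i)password\s*[=:]\s*["']?([^"'\s]+)`)},
}

// Mask keeps the first two and last two bytes and replaces the rest with
// asterisks. Values shorter than eight bytes are fully masked, since showing
// any of them would reveal a large fraction of the secret. Byte-based, which
// is fine for the ASCII tokens secrets almost always are.
func Mask(s string) string {
	if len(s) < 8 {
		return strings.Repeat("*", len(s))
	}
	return s[:2] + strings.Repeat("*", len(s)-4) + s[len(s)-2:]
}

// Scan runs every rule over every line of content and returns findings whose
// Preview is already masked; the raw value is never stored anywhere.
func Scan(file, content string) []Finding {
	var out []Finding
	for i, line := range strings.Split(content, "\n") {
		for _, r := range rules {
			m := r.re.FindStringSubmatch(line)
			if m == nil {
				continue
			}
			secret := m[len(m)-1] // capture group if any, else the full match
			out = append(out, Finding{Rule: r.name, File: file, Line: i + 1, Preview: Mask(secret)})
		}
	}
	return out
}

// WriteJSONL emits one JSON object per line (JSON Lines), the audit-log shape.
func WriteJSONL(w io.Writer, findings []Finding) error {
	enc := json.NewEncoder(w)
	for _, f := range findings {
		if err := enc.Encode(f); err != nil {
			return err
		}
	}
	return nil
}

// ExitCode follows the convention the README's container smoke test appears
// to rely on (assumption): status 1 means the scan completed with findings.
func ExitCode(findings []Finding) int {
	if len(findings) > 0 {
		return 1
	}
	return 0
}

// sample is constructed input. The access key is the example key from the
// AWS documentation, not a live credential.
const sample = `db_host = localhost
password = "hunter2-please-rotate"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
`

func main() {
	findings := Scan("demo/config.env", sample)
	if err := WriteJSONL(os.Stdout, findings); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	os.Exit(ExitCode(findings))
}
```

Running it prints two JSONL records whose previews read `hu*****************te` and `AK****************LE`, and exits with status 1. The design point is that masking happens at the moment of detection, inside `Scan`, rather than in each output writer: an HTML, SARIF, or JSONL reporter added later cannot print a raw value because it never receives one.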
Docs index:

- Overview
- Installation
- Quickstart
- Security
- Architecture
- CLI reference
- Configuration reference
What Sentilook is not:

- Not a cloud SIEM/SOC platform
- Not a secrets vault replacement
- Not a runtime EDR or full DLP product
