Secrets Guard automatically scans your code for sensitive credentials and API keys before sharing with AI assistants or documentation tools. It prevents accidental leakage of secrets by using industry-standard detection tools.
Secrets Guard is enabled by default. Just use CopyTree normally:
```bash
copytree
```

Output:

```
🔒 Secrets Guard: 2 files excluded, 3 secrets redacted
📎 144 files [980 KB] copied to clipboard
```
- Excludes high-risk files entirely (.env, *.pem, credentials.json, etc.)
- Scans file content using Gitleaks for 200+ secret patterns
- Redacts inline secrets with typed markers like `***REDACTED:AWS-ACCESS-KEY***`
- Reports findings without exposing the actual secret values
macOS:

```bash
brew install gitleaks
```

Linux:

```bash
# Download latest release
curl -sSL https://github.com/gitleaks/gitleaks/releases/download/v8.19.0/gitleaks_8.19.0_linux_x64.tar.gz | tar -xz
sudo mv gitleaks /usr/local/bin/
```

Windows:

```powershell
# Using Chocolatey
choco install gitleaks

# Or Scoop
scoop install gitleaks
```

```bash
# Verify
gitleaks version
```

Note: If Gitleaks is not installed, Secrets Guard will disable itself automatically and show a warning with installation instructions.
```bash
# Explicitly enable (default)
copytree --secrets-guard

# Disable for trusted repos
copytree --no-secrets-guard
```

Choose how secrets are marked:

```bash
# Typed mode (default) - shows secret type
copytree --secrets-redact-mode typed
# Output: ***REDACTED:AWS-ACCESS-KEY***

# Generic mode - simple marker
copytree --secrets-redact-mode generic
# Output: ***REDACTED***

# Hash mode - includes hash for debugging
copytree --secrets-redact-mode hash
# Output: ***REDACTED:AWS-ACCESS-KEY:a3f5d9ab***
```

Fail the build if secrets are found:

```bash
copytree --fail-on-secrets
```

The exit code will be non-zero if any secrets are detected, which makes this option well suited to CI/CD pipelines.
Add to `~/.copytree/config/copytree.js`:

```javascript
module.exports = {
  secretsGuard: {
    enabled: true,
    redactionMode: 'typed',
    failOnSecrets: false,
    maxFileBytes: 1000000, // 1MB max file size to scan
    parallelism: 4, // Concurrent scans
    exclude: [
      // Additional patterns beyond defaults
      'internal-secrets.json',
    ],
    allowlist: [
      // Patterns to always allow (e.g., test fixtures)
      '**/test/fixtures/**',
      '**/examples/**',
    ],
    gitleaks: {
      binaryPath: 'gitleaks', // Custom path if needed
      configPath: null, // Path to .gitleaks.toml
    },
  },
};
```

These files are always excluded (never scanned or included):
- Environment files: `.env`, `.env.*`, `.env.local`, `.env.production`, etc.
- Private keys: `*.pem`, `*.key`, `*.p12`, `*.pfx`, `*.p8`, `id_rsa`, `id_dsa`, `id_ecdsa`, `id_ed25519`
- Credentials: `credentials.json`, `secrets.json`, `auth.json`, `*-credentials.json`, `*-secrets.json`
- Service accounts: `service-account-*.json`, `firebase-adminsdk-*.json`, `google-credentials.json`
- Keystores: `*.jks`, `*.keystore`, `gradle.properties`
- Config files: `.npmrc`, `.pypirc`, `.aws/credentials`, `.docker/config.json`
- Terraform: `*.tfstate`, `*.tfstate.backup`

See the full list in `src/pipeline/stages/SecretsGuardStage.js`.
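To see which paths the list above drops before any content scan runs, here is an added matcher for those patterns (example code, not CopyTree's own stage). It assumes shell-glob semantics: a pattern without `/` is matched against the basename, a pattern with `/` against the trailing path segments, and `*` never crosses a `/`.

```javascript
// Added example, not CopyTree's own code: a matcher for the always-excluded
// file patterns listed above. Assumptions: a pattern without "/" is matched
// against the file's basename, a pattern with "/" against the trailing path
// segments, and "*" never crosses a "/" (so it behaves like a shell glob).
const HIGH_RISK_PATTERNS = [
  '.env', '.env.*', '.env.local', '.env.production',
  '*.pem', '*.key', '*.p12', '*.pfx', '*.p8',
  'id_rsa', 'id_dsa', 'id_ecdsa', 'id_ed25519',
  'credentials.json', 'secrets.json', 'auth.json', '*-credentials.json', '*-secrets.json',
  'service-account-*.json', 'firebase-adminsdk-*.json', 'google-credentials.json',
  '*.jks', '*.keystore', 'gradle.properties',
  '.npmrc', '.pypirc', '.aws/credentials', '.docker/config.json',
  '*.tfstate', '*.tfstate.backup',
];

// Compile one glob into an anchored regex; "*" is the only wildcard honoured.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '[^/]*');
  return new RegExp(`^${escaped}$`);
}

const COMPILED = HIGH_RISK_PATTERNS.map((p) => ({
  p, re: globToRegExp(p), depth: p.split('/').length,
}));

// Returns the first pattern that matches, or null when the path is not high-risk.
// Note that ".env.*" also catches ".env.example", so a harmless template file
// is dropped as well; check the dry-run output if that surprises you.
function highRiskPattern(filePath) {
  const parts = filePath.replace(/\\/g, '/').split('/').filter((s) => s && s !== '.');
  for (const { p, re, depth } of COMPILED) {
    const tail = parts.slice(-depth).join('/'); // basename when depth === 1
    if (re.test(tail)) return p;
  }
  return null;
}

// Split a file list into the files the guard drops outright and the files
// that go on to the Gitleaks content scan.
function partition(paths) {
  const excluded = [];
  const scanned = [];
  for (const f of paths) (highRiskPattern(f) ? excluded : scanned).push(f);
  return { excluded, scanned };
}
```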
Gitleaks detects 200+ patterns including:
- AWS: Access keys (AKIA*, ASIA*), Secret keys
- Google: API keys (AIza*), Service account JSON
- GitHub: Tokens (ghp_, github_pat_)
- Slack: Tokens (xoxb-, xoxp-)
- Private Keys: RSA, DSA, EC, SSH keys
- Database URLs: With embedded credentials
- JWT Tokens: Bearer tokens
- Generic Secrets: High-entropy strings
Add a `gitleaks:allow` comment on the same line:

```javascript
const testKey = "AKIAIOSFODNN7EXAMPLE"; // gitleaks:allow
```

In config:

```javascript
allowlist: [
  '**/test/**',           // All test files
  '**/fixtures/**',       // Test fixtures
  '**/examples/**',       // Example code
  'docs/api-examples.md', // Specific files
]
```

Create `.gitleaks.toml` to customize rules:

```toml
# Disable specific rules
[[rules]]
id = "generic-api-key"
enabled = false

# Adjust entropy threshold
[[rules]]
id = "high-entropy-string"
entropy = 5.0 # Increase to reduce false positives
```

Then configure CopyTree to use it:

```javascript
gitleaks: {
  configPath: './.gitleaks.toml'
}
```

```bash
# Default: enabled, redacts inline with typed markers
copytree

# View only files that would be excluded
copytree --dry-run
```

```bash
# Working with trusted internal repo
copytree --no-secrets-guard

# Sharing code with AI (paranoid mode)
copytree --secrets-redact-mode generic --fail-on-secrets
```

```yaml
# GitHub Actions
- name: Check for secrets
  run: copytree --fail-on-secrets --dry-run

# GitLab CI
secrets_check:
  script:
    - copytree --fail-on-secrets --format json -o report.json
  artifacts:
    paths:
      - report.json
```

Problem: Secrets Guard disabled with warning
Solution:

```bash
# macOS
brew install gitleaks

# Verify
gitleaks version
```

Problem: Legitimate code being redacted

Solutions:

- Use inline `gitleaks:allow` comments
- Add paths to allowlist
- Create custom `.gitleaks.toml`
- Disable specific rules

Problem: Scanning is slow

Solutions:

```javascript
// Reduce file size limit
maxFileBytes: 500000, // 500KB

// Increase parallelism
parallelism: 8,

// Skip large files entirely
exclude: ['*.bundle.js', '*.min.js']
```

Problem: Binary files causing errors

Solution: Binary files are automatically skipped. No action needed.
- ✅ Detects 200+ known secret patterns
- ✅ Excludes obviously sensitive files
- ✅ Redacts secrets inline while preserving context
- ✅ Never logs or stores raw secret values
- ✅ Works in-memory (no temp files)
- ❌ Not a substitute for `.gitignore`
- ❌ Not perfect - false negatives possible
- ❌ Doesn't scan git history
- ❌ Doesn't rotate leaked credentials
- ❌ Doesn't guarantee 100% detection
- Defense in depth: Use Secrets Guard + `.gitignore` + `.copytreeignore`
- Review output: Check redactions make sense
- Allowlist sparingly: Only for known-safe test data
- Rotate if leaked: If a secret escapes, rotate it immediately
- Use secret managers: Avoid hardcoded secrets entirely
Need help? Open an issue on GitHub