The Complete Secret Scanner for Cloud-Native Teams

Git repos. Container images. Helm charts. Kubernetes manifests. All in one tool.

$ go install github.com/redactyl/redactyl@latest
$ redactyl scan

Redactyl v1.0.0                                          Press ? for help
3 HIGH / 2 MED / 1 LOW

SEV  DETECTOR         PATH
HI   aws-secret-key   my-app.tgz::templates/deployment.yaml:47
HI   private-key      image.tar::sha256:abc/etc/ssl/private.pem:1
HI   github-token     gcr.io/proj/app:v1::sha256:def/.env:3
MD   generic-api-key  values.yaml:23
MD   jwt-token        config.json:89

j/k navigate  o open  b baseline  / search             Scanned in 203ms

Secrets Don't Just Live in Git

They hide in container images, Helm charts, CI/CD artifacts, and nested archives: the artifacts that actually run in production. Redactyl finds them all.

Container Images
Docker & OCI

Stream layers directly from registries like Docker Hub, GCR, ECR, and ACR without pulling to disk.

Helm Charts
.tgz & directories

Parse Chart.yaml, values.yaml, and all templates. Catch secrets in your Kubernetes deployments.

K8s Manifests
Secrets & ConfigMaps

Auto-detect Kubernetes resources. Scan Secrets, ConfigMaps, and env vars in Pods and Deployments.

Nested Archives
zip, tar, tgz, gz

Recursively scan archives within archives. Virtual paths track secrets through every layer.

Virtual Paths

Know exactly where secrets hide, even in deeply nested artifacts

chart.tgz::templates/secret.yaml:47
gcr.io/proj/app:v1::sha256:abc123/etc/app/.env:3
release.zip::bundle.tar.gz::config/keys.json:12
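A small parser for this virtual-path notation, added here as an illustration and not taken from Redactyl's own code. It assumes the grammar the examples suggest: "::" separates nesting levels, the last ":" precedes the line number (so the ":" in an image tag or a "sha256:" digest is not a separator), and inside a container image the first path component is the layer digest. The sample paths in main are constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Location is where a finding sits inside a (possibly nested) artifact.
type Location struct {
	Containers []string // enclosing artifacts, outermost first
	Layer      string   // image layer digest ("sha256:...") when present, else ""
	Path       string   // file path inside the innermost container
	Line       int      // 1-based line number
}

// ParseVirtualPath splits a path of the assumed form outer::inner::...::file:line.
// "::" separates nesting levels and only the last ":" marks the line number, so a
// ":" inside an image tag ("app:v1") or a digest ("sha256:abc") is not a separator.
// Inside an image the first path component is the layer digest; it is moved to
// Layer so Path matches the file's location in the running container.
func ParseVirtualPath(vp string) (Location, error) {
	segs := strings.Split(vp, "::")
	last := segs[len(segs)-1]
	i := strings.LastIndex(last, ":")
	if i <= 0 || i == len(last)-1 {
		return Location{}, fmt.Errorf("virtual path %q has no file:line suffix", vp)
	}
	line, err := strconv.Atoi(last[i+1:])
	if err != nil || line < 1 {
		return Location{}, fmt.Errorf("virtual path %q has a bad line number", vp)
	}
	loc := Location{Containers: segs[:len(segs)-1], Path: last[:i], Line: line}
	if j := strings.Index(loc.Path, "/"); strings.HasPrefix(loc.Path, "sha256:") && j > 0 {
		loc.Layer, loc.Path = loc.Path[:j], loc.Path[j:]
	}
	return loc, nil
}

func main() {
	// Constructed sample paths in the style of the examples above.
	for _, vp := range []string{
		"gcr.io/proj/app:v1::sha256:abc123/etc/app/.env:3",
		"release.zip::bundle.tar.gz::config/keys.json:12",
		"values.yaml:23",
	} {
		loc, err := ParseVirtualPath(vp)
		fmt.Printf("%-48s err=%v containers=%v layer=%q %s:%d\n", vp, err, loc.Containers, loc.Layer, loc.Path, loc.Line)
	}
}
```

Knowing the outermost container (Containers[0]) tells you which artifact a fix has to start from: rotating the key is not enough if the image or chart that embeds it is still being shipped.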

Built for DevSecOps

From interactive exploration to CI/CD automation. Tools that fit your workflow.

Interactive TUI

Vim-style navigation, severity filtering, and bulk actions. Open findings in your editor, baseline known secrets, or export results.

Gitleaks Detection

200+ battle-tested detection rules from the Gitleaks community. We focus on artifact intelligence, not reinventing regex.

Registry Streaming

Scan remote images directly from Docker Hub, GCR, ECR, or ACR. No disk extraction needed. Layers stream into memory.

Remediation Tools

Forward fixes with the redact and dotenv commands. History rewriting through git filter-repo integration, with safety backups taken first.

Audit Logging

Immutable JSONL audit trail for compliance. Track findings over time with timestamped scan history.

Privacy First

Zero telemetry by default. Self-hosted friendly. Your secrets and source code never leave your infrastructure.

2-5ms (Helm chart scan)
100-200ms (100MB container)
500 MB/s (archive throughput)
200+ (detection rules)

CI/CD Ready

Native integrations for all major CI platforms. SARIF output for GitHub Code Scanning alerts.

Start Scanning in Seconds

Free and open source. No account required. Install with Go and run your first scan.

Apache 2.0 License
Zero Telemetry
Self-hosted Friendly