Deep Scanning

Scan containers, Helm charts, archives, and Kubernetes manifests

Redactyl's deep scanning capabilities let you find secrets in build artifacts, not just source code.

Archive Scanning

Scan zip, tar, and tgz files recursively:

redactyl scan --archives

Redactyl handles nested archives automatically. A secret in release.zip::bundle.tar.gz::config/keys.json will be found and reported with the full virtual path.

Supported Formats

  • .zip - ZIP archives
  • .tar - Tar archives
  • .tar.gz / .tgz - Gzipped tar archives
  • .gz - Gzip compressed files

Container Scanning

Scan Docker images and OCI containers:

# Scan local Docker images
redactyl scan --containers

# Scan a specific image tarball
redactyl scan image.tar

# Scan exported Docker image
docker save myapp:latest | redactyl scan --stdin

What Gets Scanned

  • All filesystem layers
  • Environment variables in config
  • Build arguments (if present in history)
  • Entrypoint and CMD scripts

Virtual Paths

Container findings show the layer digest, the path inside that layer, and the line number:

image.tar::sha256:abc123/etc/app/.env:3
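To make the layout above concrete, here is an added example (not Redactyl's code) that builds a constructed `docker save`-style tarball in memory and scans it the way the "What Gets Scanned" list describes: the image config's Env, the build history (where ARG values survive when the Dockerfile used them), Entrypoint and CMD, and then every file in every layer, reporting `image.tar::sha256:<layer digest>/<path>:<line>` like the virtual path shown above. The detector is a single AWS access-key-ID regex standing in for a real detector set; the member names `manifest.json`/`config.json`, the sample paths and the key value (AWS's documented example key) are the example's own assumptions.

```python
import hashlib
import io
import json
import re
import tarfile

AWS_KEY = re.compile(r"AKIA[0-9A-Z]{16}")  # one detector stands in for the full set


def _tar(files):
    """Build an uncompressed tar in memory from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Constructed `docker save`-style tarball (not a real image): one layer whose
    etc/app/.env has a key on line 3, an ENV with a key, and an ARG kept in history."""
    layer = _tar({
        "etc/app/.env": b"APP_ENV=prod\nLOG_LEVEL=info\nAWS_KEY=AKIAIOSFODNN7EXAMPLE\n",
        "etc/app/README": b"nothing to see here\n",
    })
    digest = hashlib.sha256(layer).hexdigest()
    config = {
        "config": {
            "Env": ["PATH=/usr/bin", "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"],
            "Entrypoint": ["/bin/sh", "-c", "exec app"],
            "Cmd": None,
        },
        # Build ARGs are recorded in layer history when the Dockerfile used them.
        "history": [{"created_by": "ARG TOKEN=AKIAIOSFODNN7EXAMPLE"}],
    }
    return _tar({
        "manifest.json": json.dumps([{"Config": "config.json",
                                      "Layers": [f"{digest}/layer.tar"]}]).encode(),
        "config.json": json.dumps(config).encode(),
        f"{digest}/layer.tar": layer,
    })


def _scan_text(text, location):
    """Yield (location:line, detector) for each line the detector matches."""
    for no, line in enumerate(text.splitlines(), start=1):
        if AWS_KEY.search(line):
            yield (f"{location}:{no}", "aws-access-key-id")


def scan_image(image_bytes, image_name="image.tar"):
    """Scan a docker-save tarball: image config first, then each layer's files."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image_bytes), mode="r") as outer:
        for entry in json.load(outer.extractfile("manifest.json")):
            config = json.load(outer.extractfile(entry["Config"]))
            cfg = config.get("config") or {}
            # Env, build history (ARG/RUN lines), Entrypoint and Cmd as one text blob
            meta = "\n".join(
                list(cfg.get("Env") or [])
                + [h.get("created_by", "") for h in config.get("history", [])]
                + list(cfg.get("Entrypoint") or [])
                + list(cfg.get("Cmd") or [])
            )
            findings += _scan_text(meta, f"{image_name}::{entry['Config']}")
            for layer_path in entry["Layers"]:
                layer_bytes = outer.extractfile(layer_path).read()
                digest = hashlib.sha256(layer_bytes).hexdigest()
                # Layers are read from the outer tar in memory; nothing is written to disk.
                with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r") as layer:
                    for m in layer.getmembers():
                        if not m.isfile():
                            continue
                        text = layer.extractfile(m).read().decode("utf-8", "replace")
                        findings += _scan_text(
                            text, f"{image_name}::sha256:{digest}/{m.name}")
    return findings


if __name__ == "__main__":
    for loc, det in scan_image(build_sample_image()):
        print(det, loc)
```

Running it yields three findings: two from the config blob (the ENV entry and the ARG recorded in history) and one at line 3 of `etc/app/.env` inside the layer, addressed by the layer's sha256 digest. Real `docker save` output names the config blob after its own digest rather than `config.json`; the scan logic is unchanged because it follows `manifest.json` rather than guessing names.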

Helm Chart Scanning

Scan Helm charts for secrets in values and templates:

# Scan all Helm charts in directory
redactyl scan --helm

# Scan specific chart
redactyl scan ./charts/myapp

# Scan packaged chart
redactyl scan myapp-1.0.0.tgz

What Gets Scanned

  • values.yaml - Default values
  • values-*.yaml - Environment overrides
  • templates/*.yaml - All templates
  • Chart.yaml - Chart metadata

Kubernetes Manifest Scanning

Scan Kubernetes YAML files:

redactyl scan --k8s

Auto-Detection

Redactyl automatically detects Kubernetes resources:

  • Secrets - Base64 decoded and scanned
  • ConfigMaps - All data keys scanned
  • Deployments/Pods - Environment variables scanned
  • ServiceAccounts - Token references flagged

Example Findings

# This will be detected
apiVersion: v1
kind: Secret
metadata:
  name: api-credentials
data:
  api-key: QVdTX0FDQ0VTU19LRVk9QUtJQUlPU0ZPRE5ON0VYQU1QTEU=
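The auto-detection logic from the list above, as an added illustration that is not Redactyl's own code. The manifests are constructed and written as JSON, which the Kubernetes API accepts alongside YAML, so the snippet runs on the standard library alone; the `Kind/name:field:line` location format is this example's choice, not Redactyl's output format, and ServiceAccount handling is left out. It base64-decodes `Secret.data` (the page's own `api-credentials` value decodes to `AWS_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE`), scans a value verbatim when its base64 is malformed rather than dropping it, scans `stringData` and ConfigMap `data`, and scans literal container env values while ignoring `secretKeyRef` references, which carry no secret material themselves.

```python
import base64
import binascii
import re

AWS_KEY = re.compile(r"AKIA[0-9A-Z]{16}")  # one detector stands in for the full set

# Constructed manifests (example data), written as JSON-compatible dicts; the
# Secret value is the one from the page and decodes to an AWS example key.
MANIFESTS = [
    {"apiVersion": "v1", "kind": "Secret",
     "metadata": {"name": "api-credentials"},
     "data": {"api-key": "QVdTX0FDQ0VTU19LRVk9QUtJQUlPU0ZPRE5ON0VYQU1QTEU=",
              "cert": "not*valid*base64"},
     "stringData": {"token": "plain AKIAIOSFODNN7EXAMPLE"}},
    {"apiVersion": "v1", "kind": "ConfigMap",
     "metadata": {"name": "app-config"},
     "data": {"LOG_LEVEL": "info",
              "app.properties": "region=us-east-1\naws.key=AKIAIOSFODNN7EXAMPLE\n"}},
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "api"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "api", "env": [
             {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAIOSFODNN7EXAMPLE"},
             # A secretKeyRef is a reference, not a literal: nothing to detect here.
             {"name": "AWS_SECRET_ACCESS_KEY",
              "valueFrom": {"secretKeyRef": {"name": "api-credentials",
                                             "key": "secret"}}},
         ]}]}}}},
]


def _decode_secret_value(raw):
    """Secret.data values are base64. Return the decoded text, or the raw string
    when it is not valid base64: a malformed value must still be scanned."""
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return raw


def _containers(doc):
    """Containers of a Pod, or of the pod template inside a Deployment-like kind."""
    spec = doc.get("spec", {})
    pod_spec = spec.get("template", {}).get("spec", spec)
    return pod_spec.get("containers", []) + pod_spec.get("initContainers", [])


def scan_manifests(docs):
    """Detect the resource kind and scan the fields where literals live.
    Returns (location, detector) pairs; the location format is illustrative."""
    findings = []
    for doc in docs:
        kind = doc.get("kind")
        name = doc.get("metadata", {}).get("name", "?")
        fields = []  # (field path, text to scan)
        if kind == "Secret":
            fields += [(f"data.{k}", _decode_secret_value(v))
                       for k, v in doc.get("data", {}).items()]
            fields += [(f"stringData.{k}", v)
                       for k, v in doc.get("stringData", {}).items()]
        elif kind == "ConfigMap":
            fields += [(f"data.{k}", v) for k, v in doc.get("data", {}).items()]
        else:  # Pod-bearing kinds: only literal env values can hold a secret
            for c in _containers(doc):
                for e in c.get("env", []):
                    if "value" in e:
                        fields.append((f"containers.{c['name']}.env.{e['name']}",
                                       e["value"]))
        for path, text in fields:
            for no, line in enumerate(text.splitlines(), start=1):
                if AWS_KEY.search(line):
                    findings.append((f"{kind}/{name}:{path}:{no}", "aws-access-key-id"))
    return findings


if __name__ == "__main__":
    for loc, det in scan_manifests(MANIFESTS):
        print(det, loc)
```

The constructed input produces four findings: the decoded Secret entry, the `stringData` entry, line 2 of the ConfigMap's `app.properties`, and the Deployment's literal `AWS_ACCESS_KEY_ID`. The invalid-base64 `cert` value and the `secretKeyRef` produce nothing, which is the intended behaviour in both cases.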

Combined Scanning

Scan everything at once:

redactyl scan --archives --containers --helm --k8s

Or use the shorthand:

redactyl scan --deep

Performance

Deep scanning is optimized for speed:

Artifact Type                Typical Speed
Helm chart (50 templates)    2-5 ms
Container image (100 MB)     100-200 ms
Archive throughput           100-500 MB/s
YAML parsing                 8-10 MB/s

Memory Usage

Redactyl streams content without extracting to disk:

  • Archives are scanned in-memory
  • Container layers are streamed
  • No temp files created

Guardrails

Deep scanning respects guardrails. Because build artifacts can be adversarial, the depth and size limits also bound how much work a deeply nested or highly compressible archive can force the scanner to do:

# .redactyl.yml
guardrails:
  # Maximum archive depth
  max_archive_depth: 5

  # Maximum file size to scan
  max_file_size: 100MB

  # Skip binary files
  skip_binary: true
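An added example (not Redactyl's code) of how the nested recursion from the Archive Scanning section and the guardrails above fit together: a purely in-memory walk over zip, tar, tar.gz/tgz and gz members that produces `release.zip::bundle.tar.gz::config/keys.json`-style virtual paths, refuses to inflate a member whose declared size exceeds the file-size limit, bounds gzip inflation on the output side (gzip carries no trustworthy declared size, so a bomb can only be stopped while inflating), stops at the depth limit, skips files containing a NUL byte when binary skipping is on, and reports every skip instead of silently dropping it. The fixture, the limit values and the single-regex detector are constructed for this example; the parameter names mirror the `.redactyl.yml` keys but the code is not Redactyl's.

```python
import gzip
import io
import re
import tarfile
import zipfile
import zlib

AWS_KEY = re.compile(r"AKIA[0-9A-Z]{16}")
# Limits mirroring the guardrail keys above; the numbers are this example's own.
MAX_ARCHIVE_DEPTH = 5
MAX_FILE_SIZE = 100 * 1024 * 1024


def _gunzip_bounded(data, max_size):
    """Inflate gzip without ever producing more than max_size bytes. gzip has no
    trustworthy declared size, so the bound is enforced on the output side."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)
    out = d.decompress(data, max_size + 1)
    return None if len(out) > max_size or d.unconsumed_tail else out


def walk(name, data, depth=0, max_depth=MAX_ARCHIVE_DEPTH,
         max_size=MAX_FILE_SIZE, skip_binary=True):
    """Yield (virtual_path, content, note) for each leaf reachable from `data`,
    recursing into nested archives in memory (no temp files). A skipped leaf has
    content None and a note naming the guardrail that fired."""
    if depth > max_depth:
        yield (name, None, "max_archive_depth exceeded")
        return
    if len(data) > max_size:
        yield (name, None, "max_file_size exceeded")
        return
    kw = dict(max_depth=max_depth, max_size=max_size, skip_binary=skip_binary)
    low = name.lower()
    if low.endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for i in zf.infolist():
                if i.is_dir():
                    continue
                if i.file_size > max_size:  # declared size: refuse before inflating
                    yield (f"{name}::{i.filename}", None, "max_file_size exceeded")
                    continue
                yield from walk(f"{name}::{i.filename}", zf.read(i), depth + 1, **kw)
    elif low.endswith((".tar", ".tar.gz", ".tgz")):
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            for m in tf.getmembers():
                if not m.isfile():
                    continue
                if m.size > max_size:
                    yield (f"{name}::{m.name}", None, "max_file_size exceeded")
                    continue
                yield from walk(f"{name}::{m.name}", tf.extractfile(m).read(), depth + 1, **kw)
    elif low.endswith(".gz"):
        inner = _gunzip_bounded(data, max_size)
        if inner is None:
            yield (name, None, "max_file_size exceeded")
        else:  # report the inflated content under the path with .gz removed
            yield from walk(name[:-3], inner, depth + 1, **kw)
    elif skip_binary and b"\x00" in data[:8192]:
        yield (name, None, "binary skipped")
    else:
        yield (name, data, None)


def scan(name, data, **kw):
    """Run the detector over every text leaf; return (findings, skips)."""
    findings, skips = [], []
    for path, content, note in walk(name, data, **kw):
        if content is None:
            skips.append((path, note))
            continue
        for no, line in enumerate(content.decode("utf-8", "replace").splitlines(), 1):
            if AWS_KEY.search(line):
                findings.append(f"{path}:{no}")
    return findings, skips


def _tgz(files):
    """Constructed tar.gz fixture from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, content in files.items():
            ti = tarfile.TarInfo(path)
            ti.size = len(content)
            tf.addfile(ti, io.BytesIO(content))
    return buf.getvalue()


def build_sample():
    """Constructed fixture: release.zip -> bundle.tar.gz -> config/keys.json
    (key on line 3), a gzipped text file with a key, and a binary with a NUL."""
    keys = b'{\n  "region": "us-east-1",\n  "aws_key": "AKIAIOSFODNN7EXAMPLE"\n}\n'
    bundle = _tgz({"config/keys.json": keys,
                   "notes.txt.gz": gzip.compress(b"rotate AKIAIOSFODNN7EXAMPLE soon\n"),
                   "bin/app": b"\x7fELF\x00\x00AKIAIOSFODNN7EXAMPLE"})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bundle.tar.gz", bundle)
        zf.writestr("CHANGELOG.md", b"v1.0.0\n")
    return buf.getvalue()
```

`scan("release.zip", build_sample())` reports the key at `release.zip::bundle.tar.gz::config/keys.json:3` and at line 1 of the inflated notes file, and lists `bin/app` as skipped for being binary; the same call with `max_depth=1` finds nothing and instead reports every member of the inner tarball as a depth skip, and with a `max_size` smaller than the outer zip it skips the whole archive up front. Surfacing skips matters: a guardrail that silently drops a member turns a DoS defence into a blind spot.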

Output

Deep scan findings include full virtual paths:

{
  "file": "myapp.tgz::templates/deployment.yaml",
  "line": 47,
  "detector": "aws-secret-key",
  "severity": "high"
}

This makes it easy to locate and fix secrets, even in deeply nested artifacts.