Scan Modes

Secrets Hunter can detect secrets in files, git history, and exposed domain paths. The way a given target is collected and processed is called a scan mode.

Each scan mode builds a collection of scan targets: files for filesystem scans, changed file blobs from selected commits for git history scans, and relative URL paths for domain scans.

Scan modes are separated from detection logic. They decide where content comes from, while the detection process decides whether that content contains secrets.

Filesystem Scans

Filesystem scans read files or directories from disk. This is the default scan mode and is used when no git history or domain option is provided.

secrets-hunter .

Git History Scans

Git history scans are enabled with --git-revset. Secrets Hunter uses a git revision expression to select commits, scans changed file blobs from those commits, and reports findings introduced on added lines. This mode requires git to be installed.

secrets-hunter . --git-revset main..HEAD

Domain Scans

Domain scans are enabled with --domain. Secrets Hunter builds a list of commonly exposed relative URL paths, fetches them from the target host, and scans successful text responses.

secrets-hunter --domain example.com

Filesystem scans, git history scans, and domain scans collect individual targets differently, but once text content is collected, it goes through the same detection process.