sable apathy


github secret detector

2025-11-03

building a github secret scanner for telex

yo, so basically, i built a security agent that scans github repos for leaked credentials. works through telex chat or standalone api. here’s how it went.

the problem

people accidentally commit secrets all the time. api keys in config files, aws credentials in setup scripts, database passwords in environment files. usually you only find out when your bill explodes or someone files a security report.

static scanners exist but they’re annoying. you run them once, get flooded with false positives, spend an hour investigating, then forget to run them again. what if you could just ask “hey did i leak anything” in chat?

what i built

a rust service that:

you can run it standalone or integrate it into telex as an agent.

tech stack

rust because i wanted something fast and the github/gemini api clients are straightforward

actix-web for the http server

gemini for two things:

  1. parsing user intent (“scan this repo” vs “show me status”)
  2. analyzing findings and generating helpful responses

a2a protocol to talk to telex

the tricky parts

a2a response format

telex uses this a2a protocol. turns out the docs don’t fully match what telex actually expects. spent way too long getting the response structure right. it’s important that the response matches the a2a standard exactly

response needs:

secret detection

started with regex patterns for obvious stuff:

but regex catches everything including examples, test fixtures, and documentation. so i added gemini to analyze findings and filter obvious false positives. cuts down noise significantly.

handling git history

github’s api makes this straightforward. you fetch commits, then fetch each commit’s diff. parse the diff for added lines (ignore deletions, we care about what got committed).

for incremental scans, save the last scanned commit sha and timestamp. next time, only fetch commits since then.
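here’s an added example of those two steps (the diff walk and the incremental state), written for this post and not code from the secret-detector repo. it assumes the diff text is whatever github handed you for a commit, in unified format, and that the commit list comes back newest first with a sha and a commit timestamp per entry. the sample diff is constructed, as is the `ScanState` shape.

```rust
/// one line a commit added: the file and its line number on the new side of the diff
#[derive(Debug, Clone, PartialEq)]
pub struct AddedLine {
    pub file: String,
    pub new_line_no: usize,
    pub text: String,
}

/// parse the "+c,d" part of "@@ -a,b +c,d @@" into (start, count) for the new side
fn parse_hunk_header(rest: &str) -> Option<(usize, usize)> {
    let new_side = rest.split_whitespace().find(|t| t.starts_with('+'))?;
    let mut parts = new_side[1..].split(',');
    let start = parts.next()?.parse().ok()?;
    let count = match parts.next() {
        Some(c) => c.parse().ok()?,
        None => 1, // "+c" alone means a single line
    };
    Some((start, count))
}

/// keep only the lines a diff adds. deletions are skipped (only what got committed matters) and
/// file headers are recognised only between hunks, so content starting with "+++" inside a hunk
/// can't be mistaken for one
pub fn added_lines(diff: &str) -> Vec<AddedLine> {
    let mut out = Vec::new();
    let mut file = String::new();
    let mut next_line = 0usize; // number the next new-side line will get
    let mut remaining = 0usize; // new-side lines still expected in the current hunk
    for line in diff.lines() {
        if remaining == 0 {
            if let Some(rest) = line.strip_prefix("+++ ") {
                file = rest.strip_prefix("b/").unwrap_or(rest).to_string();
            } else if let Some((start, count)) = line.strip_prefix("@@ ").and_then(parse_hunk_header) {
                next_line = start;
                remaining = count;
            }
            continue;
        }
        if let Some(text) = line.strip_prefix('+') {
            out.push(AddedLine { file: file.clone(), new_line_no: next_line, text: text.to_string() });
        } else if line.starts_with('-') || line.starts_with('\\') {
            // deleted line, or the "\ No newline at end of file" marker: neither is on the new side
            continue;
        }
        next_line += 1;
        remaining -= 1;
    }
    out
}

/// persisted between runs (assumed shape): the next run asks github for commits `since` the
/// timestamp and stops walking the list when it reaches the sha
#[derive(Debug, Clone, Default, PartialEq)]
pub struct ScanState {
    pub last_sha: Option<String>,
    pub last_scanned_at: Option<String>,
}

/// commits as the api lists them (newest first, as (sha, committed_at)) -> shas not yet scanned.
/// if the saved sha is absent (first run, or history rewritten) everything is unscanned
pub fn unscanned<'a>(commits: &[(&'a str, &'a str)], state: &ScanState) -> Vec<&'a str> {
    let mut out = Vec::new();
    for (sha, _) in commits {
        if state.last_sha.as_deref() == Some(*sha) {
            break;
        }
        out.push(*sha);
    }
    out
}

pub fn advance(state: &mut ScanState, commits: &[(&str, &str)]) {
    if let Some((sha, at)) = commits.first() {
        state.last_sha = Some(sha.to_string());
        state.last_scanned_at = Some(at.to_string());
    }
}

/// constructed sample diff, not from any real repo
pub const SAMPLE_DIFF: &str = r#"--- a/config.py
+++ b/config.py
@@ -1,3 +1,4 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "hunter2"
+DEBUG = True
 host = "localhost"
--- a/README.md
+++ b/README.md
@@ -10,2 +10,3 @@
 ## setup
+set DB_PASSWORD in your environment
 run it
"#;

fn main() {
    for l in added_lines(SAMPLE_DIFF) {
        println!("{}:{}: {}", l.file, l.new_line_no, l.text);
    }
}
```

the hunk counter is the bit worth copying: counting down the new-side lines from the `@@` header is what lets you tell a `+++` file header apart from a committed line that happens to start with `+++`, and it keeps the reported line numbers right when deletions are mixed in. on a force-push the saved sha won’t be in the list, so `unscanned` falls back to scanning everything rather than silently skipping the rewritten history.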

what works well

the conversational interface is nice. you just chat:

“scan https://github.com/user/repo”

agent comes back with:

no dealing with ci configs or report formats. just chat.

what could be better

currently only scans public repos. private repo support needs proper github app setup with installation tokens. doable but more work.

the regex patterns could be smarter. right now it’s pretty basic pattern matching. could add entropy checking (random-looking strings are more likely to be real secrets).
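to make the detection side concrete, here’s an added example (mine, not the repo’s code) that covers both the pattern matching from the “secret detection” section and the entropy check suggested just above. it hand-codes one well-known shape (aws access key ids: 20 uppercase alphanumerics starting with `AKIA`) instead of pulling in a regex crate, adds a shannon-entropy check for generic high-entropy strings, and does a cheap placeholder pre-filter before anything would be sent to gemini. the 3.5 bits/char threshold, the 20-char minimum and the sample text are all assumptions; the key id in the sample is the one from aws’s own documentation, not a live credential.

```rust
use std::collections::HashMap;

/// constructed sample input; nothing in it is a real credential
pub const SAMPLE: &str = "# constructed sample, nothing here is a live credential
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
secret = \"abcdefghijklmnopqrstuvwxyz012345\"
name = hello
";

#[derive(Debug, Clone, PartialEq)]
pub struct Finding {
    pub line_no: usize,
    pub kind: &'static str,
    pub value: String,
    /// set by the cheap pre-filter when the value looks like a doc/template placeholder
    pub suppressed: Option<&'static str>,
}

/// shannon entropy in bits per character: 0 for a repeated char, log2(alphabet) for a random one
pub fn shannon_entropy(s: &str) -> f64 {
    let n = s.chars().count();
    if n == 0 {
        return 0.0;
    }
    let mut counts: HashMap<char, usize> = HashMap::new();
    for c in s.chars() {
        *counts.entry(c).or_insert(0) += 1;
    }
    let n = n as f64;
    counts
        .values()
        .map(|&c| {
            let p = c as f64 / n;
            -p * p.log2()
        })
        .sum()
}

/// aws access key ids: 20 chars, uppercase alphanumeric, "AKIA" prefix (one pattern, hand-coded)
fn is_aws_access_key_id(tok: &str) -> bool {
    tok.len() == 20
        && tok.starts_with("AKIA")
        && tok.chars().all(|c| c.is_ascii_uppercase() || c.is_ascii_digit())
}

/// split a line into runs of chars that can appear in hex/base64/url-safe secrets
fn candidate_tokens(line: &str) -> impl Iterator<Item = &str> {
    line.split(|c: char| !(c.is_ascii_alphanumeric() || "+/_-".contains(c)))
        .filter(|t| !t.is_empty())
}

/// cheap pre-filter for the obvious false positives (doc examples, templates); the post's
/// version hands whatever survives this to gemini for a second opinion
fn placeholder_reason(tok: &str) -> Option<&'static str> {
    let upper = tok.to_ascii_uppercase();
    if upper.contains("EXAMPLE") {
        Some("documentation example value")
    } else if upper.contains("XXXX") || upper.contains("CHANGEME") {
        Some("template placeholder")
    } else {
        None
    }
}

const MIN_TOKEN_LEN: usize = 20; // assumed: shorter strings are too noisy for an entropy check
const ENTROPY_THRESHOLD: f64 = 3.5; // assumed cutoff in bits/char; tune on your own repos

pub fn scan_text(text: &str) -> Vec<Finding> {
    let mut out = Vec::new();
    for (i, line) in text.lines().enumerate() {
        for tok in candidate_tokens(line) {
            let kind = if is_aws_access_key_id(tok) {
                "aws-access-key-id"
            } else if tok.len() >= MIN_TOKEN_LEN && shannon_entropy(tok) >= ENTROPY_THRESHOLD {
                "high-entropy-string"
            } else {
                continue;
            };
            out.push(Finding {
                line_no: i + 1,
                kind,
                value: tok.to_string(),
                suppressed: placeholder_reason(tok),
            });
        }
    }
    out
}

/// the findings that survive the pre-filter, i.e. the ones worth a closer look
pub fn unsuppressed(findings: &[Finding]) -> Vec<&Finding> {
    findings.iter().filter(|f| f.suppressed.is_none()).collect()
}

fn main() {
    let all = scan_text(SAMPLE);
    for f in &all {
        match f.suppressed {
            Some(why) => println!("line {}: {} ({}) - suppressed: {}", f.line_no, f.kind, f.value, why),
            None => println!("line {}: {} ({})", f.line_no, f.kind, f.value),
        }
    }
    println!("{} raw, {} after pre-filter", all.len(), unsuppressed(&all).len());
}
```

on the sample this reports two raw hits and keeps one: the doc-example key id is matched by the pattern but suppressed, while the 32-char random-looking value on line 3 is kept as a high-entropy string. that’s the point of layering: the pattern gives you precision on known formats, entropy gives you recall on everything else, and the pre-filter (or gemini, in the post’s setup) takes the noise back out.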

no web ui. everything happens through chat or curl. fine for me but might be a barrier for others.

src structure

src/
├── main.rs        
├── handlers/
│   └── a2a.rs         
├── models/
│   ├── a2a.rs   
│   ├── scan.rs     
│   └── github.rs   
└── services/
    ├── github.rs   
    ├── scanner.rs    
    ├── gemini.rs  
    └── state.rs     

pretty straightforward. handler receives a2a request, extracts user message, orchestrates the scan, returns a2a response.

deployment

runs on a linode box. set up systemd service, open port 8080, done.

cargo build --release
sudo systemctl start secret-detector

added it to telex with a workflow json that points to the linode ip.

what i learned

read the working examples. especially for telex.

ai integration doesn’t have to be complicated. two simple gemini calls (parse intent, analyze findings) made this way more useful than pure regex.

a2a protocol is actually clean. once you get the format right, it just works. request comes in, you process it, send response back. no websockets, no webhooks, no complicated state management.

try it

code’s on github: github.com/pheonix0x01/secret-detector. if it’s no longer there then i’ve moved it to my main github (github.com/DavidIfebueme) after i’m done cleaning the code

you can run it standalone or add it to telex. either way works.

if you use it and find bugs or have ideas, open an issue. or just fork it and build whatever you want.

built this for hng internship. they’re doing interesting stuff with ai agents and integrations.