What Changed in scan-for-secrets 0.2
Simon Willison's open-source secret scanning tool just got a significant update that makes it more practical for daily development workflows. Version 0.2 introduces five key improvements:
- Streaming results - The CLI now outputs findings as they're discovered instead of waiting until the entire scan completes
- Multiple directory support - Use -d/--directory multiple times to scan several locations in one command
- File-specific scanning - New -f/--file option lets you target individual files
- Enhanced Python API - New scan_directory_iter(), scan_file(), and scan_file_iter() functions
- Verbose mode - -v/--verbose shows each directory being scanned for progress tracking
Why This Matters for Claude Code Users
For developers using Claude Code daily, secret scanning isn't just a security task—it's part of the development workflow. The previous version's batch processing meant you'd wait for the entire scan to finish before seeing results. With streaming output, you can now:
- Catch issues faster - See secrets as they're found and address them immediately
- Scan larger codebases - No memory bottlenecks from storing all results until completion
- Integrate with other tools - Pipe results directly to other CLI tools or scripts
The multi-directory support is particularly useful for monorepos or projects with multiple components. Instead of running separate scans, you can now:
claude code "scan-for-secrets -d ./src -d ./tests -d ./config"
How to Use It in Your Claude Code Workflow
Quick Security Check Before Commits
Add this to your pre-commit hooks or run it manually before pushing code:
# Scan specific directories that commonly contain secrets
scan-for-secrets -d ./config -d ./env -d ./scripts -v
# Or target specific file types
scan-for-secrets -f docker-compose.yml -f .env.example -f config/production.json
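A pre-commit gate that scans only the files staged for the commit, one -f per path, and relays the scanner's streamed output as it arrives. This is an added example, not part of the original post or of scan-for-secrets itself; it assumes the scan-for-secrets CLI is on PATH and, because the page does not document the CLI's output format or exit codes, treats any output line or non-zero exit as a finding.

```python
"""Pre-commit gate built around scan-for-secrets -f: scan only the files
staged for this commit and relay the scanner's streamed output live."""
import subprocess
import sys

SCANNER = "scan-for-secrets"  # CLI name from the page; assumed to be on PATH


def staged_files(repo="."):
    """Paths added, copied, modified or renamed in the index (deleted files are skipped)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACMR"],
        cwd=repo, capture_output=True, text=True, check=True,
    ).stdout
    return [p for p in out.splitlines() if p.strip()]


def build_command(files, scanner=SCANNER):
    """One -f per staged file, mirroring the page's multi -f usage."""
    cmd = [scanner]
    for path in files:
        cmd += ["-f", path]
    return cmd


def stream_command(cmd, sink=sys.stderr):
    """Run cmd, relaying each stdout line to sink the moment it is written
    (this is what makes the 0.2 streaming output useful in a hook).
    Returns (lines, returncode)."""
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, text=True, bufsize=1)
    lines = []
    assert proc.stdout is not None
    for line in proc.stdout:
        line = line.rstrip("\n")
        lines.append(line)
        if sink is not None:
            print(line, file=sink, flush=True)
    return lines, proc.wait()


def gate(files, scanner=SCANNER, sink=sys.stderr):
    """Exit status for the hook: 0 when nothing was reported, 1 otherwise.
    Assumption: the output format and exit codes are not documented on the
    page, so any output line or non-zero exit counts as a finding."""
    if not files:
        return 0
    lines, rc = stream_command(build_command(files, scanner), sink)
    return 1 if lines or rc != 0 else 0


if __name__ == "__main__":
    sys.exit(gate(staged_files()))
```

Install it as .git/hooks/pre-commit (or call it from an existing hook); scanning only the staged set keeps the hook fast on large trees while the full -d scans stay a separate, less frequent job.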
Integrate with Claude Code's Analysis
Use the Python API to build custom security checks that work alongside Claude Code's code analysis:
# In a custom security script you can call from Claude Code
from scan_for_secrets import scan_directory_iter

# Each result is a dict; this script reads its 'file' and 'secret_type' keys.
for result in scan_directory_iter("./src", verbose=True):
    print(f"Found in {result['file']}: {result['secret_type']}")
    # Add Claude Code suggestions for fixing
    print("claude code: Consider moving this to environment variables or a secrets manager")
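The feature list above (streaming, repeated -d, -f, scan_file_iter()/scan_directory_iter(), verbose mode) and the API snippet both describe a generator-based scanner. The block below is an added example, not scan-for-secrets' own code: the page names the iterator functions but not their finding format, so this is a self-contained stand-in with the same shape (one dict per finding, yielded as soon as it is seen) that shows why streaming matters for early exit and for multi-root scans. The detector patterns and the sample tree are constructed for the demo and are deliberately narrow.

```python
"""Streaming secret scan with the generator-based API shape described above.
Added example, not scan-for-secrets' own code: the page names
scan_file_iter()/scan_directory_iter() but not their finding format, so the
functions below are a self-contained stand-in that yields one dict per finding."""
import os
import re
import tempfile
from typing import Callable, Iterable, Iterator

# Constructed, deliberately narrow detectors; a real scanner ships many more.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)\b(?:secret|password|api[_-]?key)\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}
SKIP_DIRS = {".git", "node_modules", "__pycache__"}


def redact(text: str) -> str:
    """Keep a short prefix so the finding is recognisable without echoing the secret."""
    return text[:4] + "*" * (len(text) - 4)


def scan_file_iter(path: str) -> Iterator[dict]:
    """Yield findings for one file as each line is read (no result list is built)."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                for name, rx in PATTERNS.items():
                    for m in rx.finditer(line):
                        yield {"file": path, "line": lineno,
                               "secret_type": name, "match": redact(m.group(0))}
    except OSError:
        return  # unreadable file: skip it rather than abort the whole scan


def scan_directory_iter(directory: str, verbose: bool = False,
                        log: Callable[[str], None] = print) -> Iterator[dict]:
    """Walk directory, pruning VCS/vendored dirs, streaming findings as found."""
    for root, dirs, files in os.walk(directory):
        dirs[:] = [d for d in dirs if d not in SKIP_DIRS]  # prune in place
        if verbose:
            log(f"scanning {root}")  # the -v/--verbose progress line
        for name in files:
            yield from scan_file_iter(os.path.join(root, name))


def scan_many(directories: Iterable[str] = (), files: Iterable[str] = (),
              verbose: bool = False, log=print) -> Iterator[dict]:
    """Mirror of repeated -d and -f: several roots and explicit files in one stream."""
    for d in directories:
        yield from scan_directory_iter(d, verbose, log)
    for f in files:
        yield from scan_file_iter(f)


def has_any_secret(directories: Iterable[str]) -> bool:
    """Streaming lets a caller stop at the first hit instead of scanning everything."""
    return next(scan_many(directories), None) is not None


def write_fixture() -> str:
    """Constructed sample tree with fake credentials; returns its root path."""
    root = tempfile.mkdtemp(prefix="sfs-demo-")
    samples = {
        "src/keys.txt": "token = AKIAEXAMPLE0000FAKE1\n",  # fake, constructed value
        "config/settings.py": 'password = "hunter2hunter2"\napi_key = "short"\n',
        "certs/dev.pem": "-----BEGIN RSA PRIVATE KEY-----\nnotarealkey\n",
        "docs/README.md": "Nothing secret here.\n",
        ".git/config": "AKIAEXAMPLE0000FAKE1\n",  # must be pruned, never reported
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for finding in scan_directory_iter(write_fixture(), verbose=True):
        print(f"Found in {finding['file']}:{finding['line']}: {finding['secret_type']}")
```

Because every function is a generator, a caller that only needs a yes/no answer (has_any_secret) stops after the first finding, and a long scan over several -d roots never holds more than one finding in memory, which is the property the streaming CLI output gives you at the shell level.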
Monitor Large Projects
For enterprise codebases where scanning might take minutes:
# Stream results to a file while watching progress
scan-for-secrets -d ./ -v | tee scan_results.txt
# Pipe to Claude Code for immediate analysis
scan-for-secrets -d ./src | claude code "Review these potential secrets and suggest fixes:"
The Bigger Picture: Security in AI-Assisted Development
This update follows Simon Willison's continued focus on developer tooling that complements AI-assisted workflows. As Claude Code users, we're generating and modifying code at unprecedented speeds, which increases the risk of accidentally committing secrets. Tools like scan-for-secrets provide the safety net that lets us move fast without breaking things.
The timing is notable given recent security incidents in the AI/developer space. Just days before this release, news broke about the Axios supply chain attack that used targeted social engineering—a reminder that security tools need to be both effective and easy to use in daily workflows.
gentic.news Analysis
This release represents a trend toward streaming-first CLI tools that work better with AI development assistants. When Claude Code suggests a code change or generates new configuration, developers need immediate feedback on security implications—not batch processing that delays the workflow.
The multi-directory scanning aligns with how modern development works: polyglot codebases, monorepos, and microservices architectures mean secrets can be scattered across multiple locations. This update makes scan-for-secrets practical for the exact scenarios where Claude Code is most valuable—complex projects where manual review is impossible.
Notably, this comes amid increased attention on AI and security. Anthropic's Project Glasswing (restricting Claude Mythos to security researchers) shows the industry recognizing that powerful AI tools require correspondingly robust security practices. scan-for-secrets 0.2 provides one piece of that puzzle—a lightweight, integrable tool that fits naturally into the Claude Code workflow rather than requiring separate security processes.
For Claude Code power users, the lesson is clear: security scanning should be as seamless as linting or testing. With these updates, scan-for-secrets moves from "occasional audit tool" to "always-on security companion" that works alongside your AI assistant.