Scans source code for high-entropy environment variable leaks and sensitive patterns like API keys, secrets, and database URLs.
- Regex-based detection for common secrets such as:
  - API keys
  - Database URLs
  - AWS keys
  - JWT tokens
  - and more!
- Shannon entropy scoring to filter out low-entropy false positives
- Recursive directory scanning
- Supports `.py`, `.js`, `.sh`, `.yml`, and `.json` files
- CLI interface with optional help menu
Basic scan:

```bash
python oleander.py /directory/file/path
```

Show help menu:

```bash
python oleander.py --help
```
```
[!] test_data/test_secrets.py:4 - Entropy: 4.26 AWS_SECRET_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLEKEY"
[!] test_data/test_secrets.py:10 - Entropy: 4.47 GCP_SECRET: "skfj0293JFLSJFLWJFWLKF"
[!] test_data/test_secrets.py:16 - Entropy: 5.36 jwt_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoxMjM0fQ.4bdzRHR3Xh8FzU3OG"
```
1. Scans files in a directory for potentially suspicious variable names (API_KEY, SECRET, etc.)
2. Calculates the Shannon entropy score of each matched line
3. Filters false positives by ignoring low-entropy scores or short strings

The Shannon entropy score helps detect random-looking strings, which is what real secrets typically look like, while constant or placeholder values score low and are dropped.
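The three steps above, written out as a small stand-alone scanner. This is an added example, not oleander's own `scanner.py`, `utils.py` or `regex_patterns.py`; the regex, the `3.5` bits-per-character threshold, the 16-character minimum length and the sample lines are all assumptions made for the illustration.

```python
import math
import re
from collections import Counter
from pathlib import Path

# Assumed pattern set (this example's own, not oleander's regex_patterns.py):
# a variable name containing a secret-like keyword, an assignment operator
# (= or :) and a single- or double-quoted value.
SUSPICIOUS_ASSIGNMENT = re.compile(
    r'(?P<name>[A-Za-z_]*(?:API_KEY|SECRET|TOKEN|PASSWORD|DATABASE_URL)[A-Za-z_]*)'
    r'\s*[:=]\s*["\'](?P<value>[^"\']+)["\']',
    re.IGNORECASE,
)

ENTROPY_THRESHOLD = 3.5          # assumed cutoff in bits per character
MIN_VALUE_LENGTH = 16            # assumed minimum length of a candidate value
SCANNED_EXTENSIONS = {".py", ".js", ".sh", ".yml", ".json"}


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for the empty string).

    H = -sum(p(c) * log2(p(c))) over the distinct characters c of s, where
    p(c) is the fraction of positions holding c.  A string of one repeated
    character scores 0; 32 distinct characters score exactly 5.
    """
    if not s:
        return 0.0
    n = len(s)
    return -sum((k / n) * math.log2(k / n) for k in Counter(s).values())


def scan_lines(lines, path="<memory>", threshold=ENTROPY_THRESHOLD,
               min_length=MIN_VALUE_LENGTH):
    """Apply the three steps to an iterable of lines and return findings.

    Each finding is (path, line number, variable name, entropy, value).
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        match = SUSPICIOUS_ASSIGNMENT.search(line)       # step 1: suspicious name
        if match is None:
            continue
        value = match.group("value")
        if len(value) < min_length:                      # step 3a: too short
            continue
        entropy = shannon_entropy(value)                 # step 2: score
        if entropy < threshold:                          # step 3b: low entropy
            continue
        findings.append((path, lineno, match.group("name"), round(entropy, 2), value))
    return findings


def scan_directory(root, extensions=SCANNED_EXTENSIONS):
    """Recursively scan files under root whose suffix is in extensions."""
    findings = []
    for file_path in sorted(Path(root).rglob("*")):
        if file_path.is_file() and file_path.suffix in extensions:
            with file_path.open(encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_lines(fh, path=str(file_path)))
    return findings


# Constructed sample input; the secret-looking values are made up for this example.
SAMPLE_LINES = [
    'DB_HOST = "localhost"',                                        # name not suspicious
    'API_KEY = "changeme"',                                         # suspicious, but too short
    'SECRET_TOKEN = "aaaaaaaaaaaaaaaaaaaaaaaa"',                    # long, but entropy 0
    'AWS_SECRET_ACCESS_KEY = "Zk8v2QpL9mX4rT1wB6nH3sY7dF0gJ5cV"',  # 32 distinct chars
    'DATABASE_URL: "postgres://app:Zk8v2QpL9mX4rT1w@db.internal:5432/prod"',
]


if __name__ == "__main__":
    # Print findings in the same shape as oleander's own output.
    for path, lineno, name, entropy, value in scan_lines(SAMPLE_LINES, "sample.py"):
        print(f'[!] {path}:{lineno} - Entropy: {entropy:.2f} {name} = "{value}"')
```

Only the last two sample lines survive all three filters: the placeholder `changeme` is dropped by length, the run of `a` characters by its zero entropy, and `DB_HOST` never matches a suspicious name. Raising the threshold trades missed secrets for fewer false positives; the 3.5 used here is a starting point, not a tuned value.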
```
oleander/
├── oleander.py       # oleander's CLI interface
├── scanner.py        # core scanning logic
├── utils.py          # Shannon entropy calculations
├── regex_patterns.py # regex patterns
├── test_data/        # sample test files
└── README.md
```