Your First Scan

Let's walk through running your first comprehensive scan with SecScan.

Basic Scan

The simplest way to scan a project:

# Navigate to your project
cd /path/to/your/project

# Run scan
secscan

This will:

  • Scan all files in the current directory and its subdirectories
  • Scan git history (if the directory is a git repository)
  • Respect .gitignore patterns, so ignored files are skipped

Understanding the Output

Scan Summary

Scanning directory: /home/user/myproject
Respecting .gitignore patterns
Scanning git history...
Processing 156 commits...

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                 SECURITY SCAN RESULTS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Finding Details

Each finding shows:

  • Level: HIGH (🔴), MEDIUM (🟡), or LOW (🟢). This is the confidence that the match is a real secret, the same levels the statistics block counts as high, medium, and low confidence
  • File Path: Where the secret was found
  • Line Number: Exact location in the file
  • Pattern Type: What kind of secret was detected
  • Code Excerpt: Context around the finding
  • Commit: Hash, date, and message, when the finding comes from git history

Example:

[HIGH] File: config/database.go:42 (Pattern: PostgreSQL Connection String)
  db_url = "postgresql://admin:p4ssw0rd@localhost/prod"
  Commit: a1b2c3d [2024-11-15] - "Update database config"

Statistics

At the end, you'll see:

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                    STATISTICS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Total files scanned:    342
Files with findings:    5
Total findings:         12
High confidence:        4
Medium confidence:      6
Low confidence:         2
Scan duration:          2.34s
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Customizing Your Scan

Skip Git History (Faster)

For large repositories, scanning git history can be slow:

secscan -history=false

Adjust Sensitivity

Reduce false positives by increasing the entropy threshold:

# Default is 4.5, higher values = fewer but more confident findings
secscan -entropy 5.5
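To see what the threshold does, here is an added example (not SecScan's own code) that computes Shannon entropy in bits per character, the measure most secret scanners use, over a few constructed tokens and lists which ones survive each threshold. It is an assumption that SecScan measures entropy the same way, so treat the numbers as an illustration of the -entropy setting rather than a reproduction of SecScan's output.

```python
import math
from collections import Counter


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character.

    A string of n distinct, equally frequent characters scores log2(n):
    hex text therefore tops out at 4.0 bits/char, base64 text at 6.0.
    """
    if not s:
        return 0.0
    n = len(s)
    return -sum((k / n) * math.log2(k / n) for k in Counter(s).values())


# Constructed sample tokens (none is a real credential).
SAMPLES = {
    "placeholder": "password",
    "english_word": "configuration",
    # 32 hex chars, every digit used twice: exactly 4.0 bits/char.
    "hex_token": "0123456789abcdef0123456789abcdef",
    # 32 distinct mixed-case alphanumerics: exactly 5.0 bits/char.
    "mixed_token": "aB3dE7fG9hJ2kL4mN6pQ8rS0tU1vW5xY",
}


def flagged(tokens: dict, threshold: float = 4.5) -> list:
    """Names of tokens whose entropy meets the threshold (4.5 mirrors the default above)."""
    return [name for name, tok in tokens.items() if shannon_entropy(tok) >= threshold]


def sweep(tokens: dict, thresholds=(3.5, 4.5, 5.5)) -> dict:
    """Which tokens survive each threshold; shows what raising -entropy drops."""
    return {t: flagged(tokens, t) for t in thresholds}


if __name__ == "__main__":
    for name, tok in SAMPLES.items():
        print(f"{name:<13} {shannon_entropy(tok):.2f} bits/char")
    for t, names in sweep(SAMPLES).items():
        print(f"threshold {t}: {names}")
```

Two things fall out of the sweep. Raising the threshold to 5.5, as in the command above, drops the 32-character mixed token (5.0 bits/char), so a higher setting trades recall for fewer false positives. And under this measure a hex-only string can never exceed 4.0 bits/char, so with any threshold above 4.0 a hex-shaped secret is caught only by the pattern rules, not by entropy; keep that in mind before disabling pattern matching or pushing the threshold up.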

Disable Entropy Detection

Only use pattern matching:

secscan -no-entropy

Scan Ignored Files

Include files normally ignored by .gitignore:

secscan -respect-gitignore=false

Export Results

Save findings to a JSON file:

secscan -json scan-results.json

Verbose Output

See detailed scanning progress:

secscan -verbose

For your first scan, we recommend:

secscan -verbose -json initial-scan.json

This will:

  • Show you what's being scanned
  • Save results for later review
  • Use default settings (good balance)

Interpreting Results

What to Fix First

  1. HIGH confidence findings - These are almost certainly real secrets
     • Change these credentials immediately
     • Rotate any exposed API keys
     • Update configuration files
     Rotation is the fix: deleting a secret from the working tree leaves it in git history, which is exactly what the history scan reads.
  2. MEDIUM confidence findings - Review these carefully
     • May be test data or false positives
     • Verify if they're sensitive
  3. LOW confidence findings - Usually safe to ignore
     • Often hash values or non-sensitive strings
     • Review if in sensitive files

Common False Positives

SecScan may flag:

  • Test fixtures and mock data
  • Example configurations in documentation
  • Non-sensitive hash values
  • Public API keys for testing

To suppress these, use an allowlist (see Configuration Guide).

Tips

Start with History Disabled

For very large repositories, start with -history=false to get a quick overview before scanning the full git history.

Don't Commit Findings

Never commit the JSON output file to your repository: it contains the actual secrets. Write it outside the repository or add it to .gitignore, which also keeps the default scan from re-flagging the secrets stored in the previous report.

Incremental Scanning

For regular scans, consider using -history=false and only scan git history periodically.
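The recommended first scan and the tips above, wrapped in a small POSIX shell script. This is an added example, not part of SecScan: it uses only the flags shown on this page (-verbose, -json, -history=false), and the helper names, the use of git rev-list to count commits, and the 5000-commit cutoff for skipping history on the first pass are its own assumptions. It adds the report path to .gitignore before writing it, which keeps the report out of commits and, because secscan respects .gitignore by default, keeps the next scan from re-flagging the secrets the previous report holds.

```sh
#!/bin/sh
# Added example wrapper around the first-scan recipe; not SecScan's own code.
set -eu

# Pick the history flag from the commit count: above the cutoff, the first pass
# runs with -history=false for a quick overview. $1 = commit count, $2 = cutoff.
history_flag() {
  if [ "$1" -gt "$2" ]; then
    printf '%s' '-history=false'
  else
    printf '%s' ''
  fi
}

# Make sure the report path is listed in .gitignore. Idempotent: the line is
# added once, so repeated runs do not pile up duplicates.
# $1 = report path relative to the repo root, $2 = repo root (default .).
ensure_gitignored() {
  report="$1"
  ignore_file="${2:-.}/.gitignore"
  touch "$ignore_file"
  if ! grep -qxF -- "$report" "$ignore_file"; then
    printf '%s\n' "$report" >> "$ignore_file"
  fi
}

# Number of .gitignore lines that exactly match $1 (0 when none).
ignore_entries() {
  grep -cxF -- "$1" "${2:-.}/.gitignore" || true
}

# Run the recommended first scan in repo $1, writing report $2.
# $3 = commit-count cutoff above which history is skipped (assumed default 5000).
first_scan() {
  repo="$1"
  report="${2:-initial-scan.json}"
  cutoff="${3:-5000}"
  ensure_gitignored "$report" "$repo"
  commits=$(git -C "$repo" rev-list --count HEAD 2>/dev/null || echo 0)
  flag=$(history_flag "$commits" "$cutoff")
  # $flag is intentionally unquoted: it expands to nothing or to one flag.
  (cd "$repo" && secscan -verbose -json "$report" $flag)
}

# Usage (not executed when the file is sourced):
#   first_scan /path/to/your/project initial-scan.json
```

Once the quick pass is clean, rerun with the same report path and no cutoff (or a cutoff of 0 commits disabled, i.e. pass a large value as the third argument) to include git history, as the tips recommend.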