Runtime secret detection for production paths

Catch secrets in motion before they land in logs, queues, traces, or payload archives.

Bugiongrep is a lightweight Python library for detecting and masking secrets inside live application traffic. Scan plain text, JSON-like objects, and operational messages without relying on repository-only analysis.

See quick start Browse repository

Built-in detection rules for AWS keys, GitHub tokens, OpenAI keys, passwords, and connection strings
Masking strategies for full redaction, partial masking, and custom policies
Object-aware scanning for nested dictionaries and lists

example runtime scan

from bugiongrep import BugiongrepScanner

scanner = BugiongrepScanner()
text = "GitHub token: ghp_1234567890abcdef1234567890abcdef123"

result = scanner.scan(text)
masked = scanner.scan_and_mask(text)

print(result.secret_count)
print(masked)

# 1
# GitHub token: [REDACTED:token]

1 integration point

Instantiate the scanner once and use it across loggers, middleware, workers, or data pipelines.

3 scanning modes

Scan raw text, return masked output directly, or recurse through JSON-serializable objects.

Rule-driven

Load built-in patterns or bring your own JSON and YAML rule files without changing the API.

Why runtime

Repository scanners help before deploy. Bugiongrep helps after code is already running.

Secrets often surface in operational paths: request logs, debugging traces, third-party payloads, exception messages, or structured job data. Those leaks happen after source code review has ended.

Bugiongrep focuses on that gap. It gives application teams a direct runtime API so sensitive values can be detected, categorized, and masked before they spread into observability systems or storage.

Capabilities

Built for application paths that move fast and fail loudly.

Pattern-backed detection

Uses compiled regex rules with confidence scoring, secret types, subtypes, and severity labels.

Masking with context control

Generate masked text immediately and keep operational outputs useful without exposing raw values.

JSON-like object scanning

Walk nested dictionaries and lists recursively so API payloads and job bodies are handled consistently.

Confidence thresholds

Tune how aggressive detection should be, then filter lower-confidence matches for your environment.

Custom rule loading

Load YAML or JSON rules when your internal token formats go beyond the bundled pattern set.

Drop-in Python API

Keep adoption simple with a small public surface centered around one scanner instance.

Quick start

Install it, scan text, mask results.

pip install bugiongrep

from bugiongrep import BugiongrepScanner

scanner = BugiongrepScanner()

text = "AWS key: AKIAIOSFODNN7EXAMPLE"
result = scanner.scan(text)

if result.has_secrets:
    print(result.secret_count)
    print(scanner.scan_and_mask(text))

Scan runtime text

Inspect log lines, payloads, or error messages before they are emitted or persisted.

Classify the finding

Each match carries a secret type, subtype, confidence score, and source position metadata.

Mask and continue

Return safe output while preserving the surrounding content your team still needs for debugging.

Where it fits

Useful anywhere secrets can escape through application behavior.

APIs and middleware

Mask request bodies, headers, and exception payloads before structured logging or tracing.

Workers and queues

Protect job messages and retry diagnostics where raw payloads often get copied across systems.

ETL and data tooling

Filter connection strings, tokens, and passwords as records move through ingestion pipelines.