Skip to content
/ checkmate Public

CheckMate is a pluggable code security analysis tool that provides security analysis for your software and for configuration files associated with the software

License

BSD-3-Clause license
6 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

adedayo/checkmate

BranchesTags

Repository files navigation

CheckMate: Hard-Coded Secrets Detection

Go Report Card GitHub release GitHub license

CheckMate Reporting

Overview

Exposed secrets in source code, logs, or configuration files can lead to security breaches. Attackers scan repositories for credentials that grant unauthorized access to critical systems. Even a single leaked API key or password can cause data breaches, service disruptions, and compliance violations. Detecting and removing these risks early is essential for security.

CheckMate is an advanced tool for detecting hard-coded secrets in source code, logs, and configuration files. It employs heuristics such as entropy analysis, structural context, and pattern recognition to identify sensitive information, including:

  • Passwords
  • API keys
  • Encryption keys
  • Other security tokens

Supported file types include configuration formats like YAML and XML, as well as source code in languages such as Java, C/C++, C#, Ruby, Scala, and more.

Installation

Pre-built Binaries

Download the latest pre-built binaries for your operating system from the releases page.

macOS Installation (via Homebrew)

brew tap adedayo/tap
brew install checkmate

Desktop Application

A graphical desktop version of CheckMate is available: CheckMate Desktop Application.

Usage

Command-Line Interface (CLI)

To scan files and directories for secrets, run:

checkmate search <paths to directories and files to scan>

CLI Help

View available options with:

checkmate search --help

Key Command-Line Flags

Flag Description
--calculate-checksums Compute checksums of detected secrets (default: true)
--exclude-tests Skip test files during scanning
-e, --exclusion <file> Use an exclusion YAML configuration file
--json Generate output in JSON format (default: true)
--pdf Generate a PDF report (requires asciidoctor-pdf)
--report-ignored Include ignored files and values in reports
--sensitive-files-only Only search for sensitive files (e.g., certificates, key stores)
-s, --source Include source code evidence in diagnostic results (default: true)
--verbose Enable verbose output (e.g., current file being scanned)

Running CheckMate with Docker

CheckMate can also be run as a Docker container:

Pull the Docker Image

docker pull ghcr.io/adedayo/checkmate

Scan a Local Directory

docker run --rm -v $(pwd):/data adedayo/checkmate search /data

Scan a Git Repository

docker run --rm adedayo/checkmate search https://github.com/example/repository.git

Generating Reports

CheckMate can produce a detailed PDF report. To enable this feature, install Asciidoctor PDF and ensure it's in your $PATH.

Run CheckMate with the --pdf flag:

checkmate search <path> --pdf

A sample report is available here: bad-code-audit.pdf

About

CheckMate is a pluggable code security analysis tool that provides security analysis for your software and for configuration files associated with the software

Resources

Readme

License

BSD-3-Clause license
Activity

Stars

6 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases 60

v0.9.5 Latest
Mar 30, 2025
+ 59 releases

Packages

 
 
 

Languages