
Redactyl

The complete secret scanner for cloud-native teams. Git repos, container images, Helm charts, and Kubernetes manifests, all in one tool.

Secrets hide in container images, Helm charts, CI/CD artifacts, and nested archives: the things that actually run in production. Redactyl finds them all, without extracting to disk.

Container Images

Stream layers directly from Docker Hub, GCR, ECR, and ACR. No disk extraction needed.

Helm Charts

Parse Chart.yaml, values.yaml, and every template. Catch secrets in your Kubernetes deployments.

K8s Manifests

Auto-detect Kubernetes resources. Scan Secrets, ConfigMaps, and env vars in Pods and Deployments.
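To make the manifest feature concrete, here is an added example (written for this page, not Redactyl's own code) of the routing such a scanner has to do: detect a Kubernetes resource by apiVersion and kind, then scan the fields where credentials land. It uses JSON manifests so it stays on the Go standard library (a YAML parser would be an extra dependency), a single AWS-access-key rule in place of the Gitleaks rule set, and constructed Secret and Deployment documents carrying the AWS documentation example key, so it runs offline.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"regexp"
)

// Finding locates a rule hit inside one resource by kind, name and field path.
type Finding struct{ Kind, Name, Path, Rule string }

// A single rule stands in for the Gitleaks rule set the page refers to.
var awsKeyID = regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)

type resource struct { // only the fields needed to route a document by kind
	APIVersion string                              `json:"apiVersion"`
	Kind       string                              `json:"kind"`
	Metadata   struct{ Name string `json:"name"` } `json:"metadata"`
	Data       map[string]string                   `json:"data"`
	StringData map[string]string                   `json:"stringData"`
	Spec       json.RawMessage                     `json:"spec"`
}

// container and podSpec mirror just enough of the pod spec to reach env values.
type container struct {
	Name string                         `json:"name"`
	Env  []struct{ Name, Value string } `json:"env"` // Value stays empty for valueFrom references
}
type podSpec struct{ Containers []container `json:"containers"` }

// ScanManifest auto-detects the resource kind and scans the fields where credentials
// end up: Secret.data (base64, decoded first), stringData, ConfigMap.data, env values.
func ScanManifest(doc []byte) ([]Finding, error) {
	var res resource
	if err := json.Unmarshal(doc, &res); err != nil {
		return nil, err
	}
	if res.APIVersion == "" || res.Kind == "" {
		return nil, fmt.Errorf("not a Kubernetes resource: missing apiVersion/kind")
	}
	var out []Finding
	check := func(path, text string) {
		if awsKeyID.MatchString(text) {
			out = append(out, Finding{res.Kind, res.Metadata.Name, path, "aws-access-key-id"})
		}
	}
	checkPod := func(ps podSpec, prefix string) {
		for _, c := range ps.Containers {
			for _, e := range c.Env {
				check(fmt.Sprintf("%s.containers[%s].env.%s", prefix, c.Name, e.Name), e.Value)
			}
		}
	}
	switch res.Kind {
	case "Secret":
		for k, v := range res.Data {
			raw, err := base64.StdEncoding.DecodeString(v)
			if err != nil {
				return nil, fmt.Errorf("data.%s: %w", k, err)
			}
			check("data."+k, string(raw)) // matching the base64 text itself would miss everything
		}
		for k, v := range res.StringData {
			check("stringData."+k, v)
		}
	case "ConfigMap":
		for k, v := range res.Data {
			check("data."+k, v)
		}
	case "Pod", "Deployment", "StatefulSet", "DaemonSet", "Job":
		var wl struct { // a Pod carries the pod spec directly, workloads under spec.template
			podSpec
			Template struct{ Spec podSpec `json:"spec"` } `json:"template"`
		}
		if err := json.Unmarshal(res.Spec, &wl); err != nil {
			return nil, err
		}
		checkPod(wl.podSpec, "spec")
		checkPod(wl.Template.Spec, "spec.template.spec")
	}
	return out, nil
}

// Constructed sample manifests in JSON (which kubectl also accepts); the key is the AWS docs example value.
func SampleSecret() []byte {
	enc := base64.StdEncoding.EncodeToString([]byte("AKIAIOSFODNN7EXAMPLE"))
	return []byte(fmt.Sprintf(`{"apiVersion":"v1","kind":"Secret","metadata":{"name":"ci"},"data":{"key":%q}}`, enc))
}
func SampleDeployment() []byte {
	return []byte(`{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"api"},"spec":{"template":{"spec":
	{"containers":[{"name":"api","env":[{"name":"AWS_ACCESS_KEY_ID","value":"AKIAIOSFODNN7EXAMPLE"},
	{"name":"DB_PASSWORD","valueFrom":{"secretKeyRef":{"name":"db","key":"password"}}}]}]}}}}`)
}

func main() {
	fmt.Println(ScanManifest(SampleSecret()))     // [{Secret ci data.key aws-access-key-id}] <nil>
	fmt.Println(ScanManifest(SampleDeployment())) // [{Deployment api spec.template.spec.containers[api].env.AWS_ACCESS_KEY_ID aws-access-key-id}] <nil>
}
```

The detail worth taking from this is the Secret case: data values are base64, so a scanner that runs its regexes over the raw manifest text sees only base64 and reports nothing, while stringData is plain and must be scanned as-is. Env entries that use valueFrom have no literal value and produce no finding, which is the pattern to steer teams toward.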

Nested Archives

Recursively scan archives within archives. Virtual paths track secrets through every layer.

Interactive TUI

Vim-style navigation, severity filtering, and bulk actions. Open findings in your editor, baseline known secrets, or export results.

Gitleaks Detection

200+ detection rules from the Gitleaks community. We focus on artifact intelligence, not reinventing regex.

Registry Streaming

Scan remote images directly from any registry. Layers stream into memory, never touching disk.
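The container-image, nested-archive and registry-streaming features above all come down to one loop: sniff a blob, unwrap compression, descend into archives, scan the leaves, and carry a virtual path along the way. The Go program below is an added example written for this page, not Redactyl's source. It assumes a single AWS-access-key rule in place of the Gitleaks rule set, a nesting-depth cap and a per-leaf byte cap as defences against crafted archives, and a constructed in-memory image (a tar whose layer entry is a gzipped tar) in place of a registry pull, so it runs offline.

```go
package main

import (
	"archive/tar"
	"bufio"
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
	"regexp"
)

// Finding pairs a rule hit with its virtual path, e.g. "image.tar!layer.tar.gz!app/.env" ("!" = archive boundary).
type Finding struct{ VirtualPath, Rule string }

// A single rule stands in for the Gitleaks rule set the page refers to.
var awsKeyID = regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)

const maxDepth, maxBlob = 8, 64 << 20 // nesting limit; per-leaf byte cap (crafted-archive defence)

// Sniff magic bytes instead of trusting names: a layer called "blob" is still recursed into.
func isGzip(b []byte) bool { return len(b) >= 2 && b[0] == 0x1f && b[1] == 0x8b }
func isTar(b []byte) bool  { return len(b) >= 512 && string(b[257:262]) == "ustar" }

// ScanStream peeks at r, unwraps gzip, recurses into tar and scans anything
// else as a leaf. Data is consumed as a stream; nothing is written to disk.
func ScanStream(vpath string, r io.Reader, depth int) ([]Finding, error) {
	br := bufio.NewReader(r)
	head, _ := br.Peek(512) // a short peek simply means "not an archive"
	if isGzip(head) {
		zr, err := gzip.NewReader(br)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", vpath, err)
		}
		return ScanStream(vpath, zr, depth) // decompression is not a nesting level
	}
	if isTar(head) {
		if depth == 0 {
			return nil, fmt.Errorf("%s: nesting limit %d reached", vpath, maxDepth)
		}
		return scanTar(vpath, br, depth-1)
	}
	leaf, err := io.ReadAll(io.LimitReader(br, maxBlob))
	if err != nil {
		return nil, fmt.Errorf("%s: %w", vpath, err)
	}
	if awsKeyID.Match(leaf) {
		return []Finding{{vpath, "aws-access-key-id"}}, nil
	}
	return nil, nil
}

// scanTar walks one tar entry by entry and hands each entry back to ScanStream.
func scanTar(vpath string, r io.Reader, depth int) ([]Finding, error) {
	tr := tar.NewReader(r)
	var out []Finding
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return out, nil
		}
		if err != nil {
			return nil, fmt.Errorf("%s: %w", vpath, err)
		}
		found, err := ScanStream(vpath+"!"+hdr.Name, tr, depth)
		if err != nil {
			return nil, err
		}
		out = append(out, found...)
	}
}

// tarOf builds a tar in memory from name -> content (helper for the constructed sample).
func tarOf(files map[string][]byte) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for name, data := range files {
		tw.WriteHeader(&tar.Header{Name: name, Mode: 0644, Size: int64(len(data)), Typeflag: tar.TypeReg})
		tw.Write(data)
	}
	tw.Close()
	return buf.Bytes()
}

// SampleImage constructs, in memory, the shape of a saved container image: an outer tar whose
// "layer.tar.gz" entry is a gzipped tar holding "app/.env" with the AWS docs example key.
func SampleImage() []byte {
	env := []byte("DB_HOST=db\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n")
	layer := tarOf(map[string][]byte{"app/.env": env, "app/README": []byte("nothing here\n")})
	var gz bytes.Buffer
	zw := gzip.NewWriter(&gz)
	zw.Write(layer)
	zw.Close()
	return tarOf(map[string][]byte{"manifest.json": []byte(`[{"Layers":["layer.tar.gz"]}]`), "layer.tar.gz": gz.Bytes()})
}

func main() {
	findings, err := ScanStream("image.tar", bytes.NewReader(SampleImage()), maxDepth)
	fmt.Println(findings, err) // [{image.tar!layer.tar.gz!app/.env aws-access-key-id}] <nil>
}
```

Sniffing magic bytes rather than matching file names is what makes digest-named layer blobs work, and the depth and size caps are what keep a self-nesting or decompression-bomb layer from taking the scanner down. A registry client would hand each layer blob to ScanStream as the HTTP body arrives, with the image reference as the virtual root.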

Remediation Tools

Forward fixes with redact and dotenv commands. History rewriting with git filter-repo integration and safety backups.

Audit Logging

Immutable JSONL audit trail for compliance. Track findings over time with timestamped scan history.

Privacy First

Zero telemetry by default. Self-hosted friendly. Your secrets and source code never leave your infrastructure.

Native integrations for GitHub Actions, GitLab CI, Azure Pipelines, and Bitbucket. SARIF output for GitHub Code Scanning alerts. See the CI/CD integration guides.

# macOS / Linux (Homebrew)
brew install varalys/tap/redactyl
# Go
go install github.com/varalys/redactyl@latest

Then run redactyl scan for your first scan. Free and open source under Apache 2.0, with zero telemetry.