
Deep Scanning

Redactyl’s deep scanning capabilities let you find secrets in build artifacts, not just source code.

Scan zip, tar, and tgz files recursively:

redactyl scan --archives

Redactyl handles nested archives automatically. A secret in release.zip::bundle.tar.gz::config/keys.json will be found and reported with the full virtual path.

  • .zip - ZIP archives
  • .tar - Tar archives
  • .tar.gz / .tgz - Gzipped tar archives
  • .gz - Gzip compressed files

Scan Docker and OCI images:

# Scan local Docker images
redactyl scan --containers
# Scan a specific image tarball
redactyl scan image.tar
# Scan exported Docker image
docker save myapp:latest | redactyl scan --stdin

Container scanning covers:

  • All filesystem layers
  • Environment variables in config
  • Build arguments (if present in history)
  • Entrypoint and CMD scripts

Container findings show the layer and path:

image.tar::sha256:abc123/etc/app/.env:3

Scan Helm charts for secrets in values and templates:

# Scan all Helm charts in directory
redactyl scan --helm
# Scan specific chart
redactyl scan ./charts/myapp
# Scan packaged chart
redactyl scan myapp-1.0.0.tgz

Helm scanning covers:

  • values.yaml - Default values
  • values-*.yaml - Environment overrides
  • templates/*.yaml - All templates
  • Chart.yaml - Chart metadata

Scan Kubernetes YAML files:

redactyl scan --k8s

Redactyl automatically detects Kubernetes resources:

  • Secrets - Base64 decoded and scanned
  • ConfigMaps - All data keys scanned
  • Deployments/Pods - Environment variables scanned
  • ServiceAccounts - Token references flagged

# This will be detected
apiVersion: v1
kind: Secret
metadata:
  name: api-credentials
data:
  api-key: QVdTX0FDQ0VTU19LRVk9QUtJQUlPU0ZPRE5ON0VYQU1QTEU=
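The point of the Secret case above is that a scanner which does not base64-decode `data` never sees the `AKIA` prefix. The following is an added example, not Redactyl's own code, of the resource-aware walk the list describes: it decodes `Secret.data`, reads `Secret.stringData` and `ConfigMap.data` as-is, and pulls literal `env` values out of Pods and workload controllers. The manifests are constructed samples written as JSON (Kubernetes accepts JSON as well as YAML, so the standard library can parse them offline); the detector regex and the `Kind/name/...` path format are assumptions. ServiceAccount token references are not handled here.

```python
"""Kubernetes resource scanning: decode Secret data, walk ConfigMap keys and
workload env vars, and report findings by resource path.

Added example, not Redactyl's own code. The manifests are constructed samples
in JSON; the detector regex and the path format are assumptions.
"""
import base64
import binascii
import json
import re

# Assumed detector: an AWS access key ID (AKIA + 16 upper-case alphanumerics).
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "CronJob"}


def decode_secret_value(value: str) -> str:
    """Secret.data values are base64; without decoding, the 'AKIA' prefix is
    invisible to a pattern detector. Fall back to the raw string if the value
    is not valid base64, so nothing is silently skipped."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return value


def pod_spec(doc: dict) -> dict:
    """Locate the pod spec for a Pod, a workload controller, or a CronJob."""
    kind = doc.get("kind")
    spec = doc.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})


def candidates(doc: dict):
    """Yield (resource path, text) pairs worth scanning for one resource."""
    kind = doc.get("kind")
    name = doc.get("metadata", {}).get("name", "<unnamed>")
    if kind == "Secret":
        for key, value in (doc.get("data") or {}).items():
            yield f"Secret/{name}/data/{key}", decode_secret_value(value)
        for key, value in (doc.get("stringData") or {}).items():
            yield f"Secret/{name}/stringData/{key}", value
    elif kind == "ConfigMap":
        for key, value in (doc.get("data") or {}).items():
            yield f"ConfigMap/{name}/data/{key}", value
    elif kind == "Pod" or kind in WORKLOAD_KINDS:
        spec = pod_spec(doc)
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            for env in c.get("env", []):
                # valueFrom entries reference a Secret/ConfigMap; only literal
                # values can leak a credential into the manifest itself.
                if "value" in env:
                    yield f"{kind}/{name}/{c['name']}/env/{env['name']}", env["value"]


def scan_manifests(docs: list) -> list:
    """Run the detector over every candidate string of every resource."""
    findings = []
    for doc in docs:
        for path, text in candidates(doc):
            for lineno, line in enumerate(text.splitlines(), start=1):
                if AWS_ACCESS_KEY_ID.search(line):
                    findings.append({"file": path, "line": lineno,
                                     "detector": "aws-access-key-id"})
    return findings


# Constructed sample manifests: the Secret above in JSON form plus two more.
SAMPLE_MANIFESTS = json.loads("""
[
  {"apiVersion": "v1", "kind": "Secret",
   "metadata": {"name": "api-credentials"},
   "data": {"api-key": "QVdTX0FDQ0VTU19LRVk9QUtJQUlPU0ZPRE5ON0VYQU1QTEU="}},
  {"apiVersion": "v1", "kind": "ConfigMap",
   "metadata": {"name": "app-config"},
   "data": {"LOG_LEVEL": "info", "REGION": "us-east-1"}},
  {"apiVersion": "apps/v1", "kind": "Deployment",
   "metadata": {"name": "web"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "app", "image": "myapp:latest",
      "env": [
        {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAIOSFODNN7EXAMPLE"},
        {"name": "DB_PASSWORD",
         "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}}
      ]}]}}}}
]
""")

if __name__ == "__main__":
    for f in scan_manifests(SAMPLE_MANIFESTS):
        print(f"{f['file']}:{f['line']}  {f['detector']}")
```

Running it reports the decoded `api-key` of the Secret and the literal `AWS_ACCESS_KEY_ID` env value of the Deployment; the `DB_PASSWORD` entry is skipped because it is a `secretKeyRef`, not a literal, and the ConfigMap produces nothing.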

Scan everything at once:

redactyl scan --archives --containers --helm --k8s

Or use the shorthand:

redactyl scan --deep

Deep scanning is optimized for speed:

Artifact type                 Typical speed
Helm chart (50 templates)     2-5 ms
Container image (100 MB)      100-200 ms
Archive throughput            100-500 MB/s
YAML parsing                  8-10 MB/s

Redactyl streams content without extracting to disk:

  • Archives are scanned in-memory
  • Container layers are streamed
  • No temp files created

Deep scanning respects the guardrails configured in .redactyl.yml:

.redactyl.yml
guardrails:
  # Maximum archive depth
  max_archive_depth: 5
  # Maximum file size to scan
  max_file_size: 100MB
  # Skip binary files
  skip_binary: true
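To make the nested-archive behaviour, the in-memory streaming and the guardrails above concrete, here is an added example, not Redactyl's own code, of a recursive archive walker. It dispatches on the member name (zip, tar, tar.gz/tgz, bare gz), recurses into nested archives from in-memory buffers without writing temp files, joins the path segments with `::` exactly as the `release.zip::bundle.tar.gz::config/keys.json` finding is reported, and enforces depth, file-size and binary-skip limits equivalent to `max_archive_depth`, `max_file_size` and `skip_binary`. The detector regex, the default guardrail values and the fixture (a release.zip built in memory) are assumptions for the demonstration.

```python
"""Nested-archive scanning with ``::`` virtual paths, done entirely in memory.

Added example, not Redactyl's own code. The detector regex, the guardrail
defaults and the constructed fixture are assumptions.
"""
import gzip
import io
import re
import tarfile
import zipfile

MAX_ARCHIVE_DEPTH = 5                 # assumed default; same meaning as max_archive_depth
MAX_FILE_SIZE = 100 * 1024 * 1024     # assumed default; same meaning as max_file_size

# Assumed detector: an AWS access key ID (AKIA + 16 upper-case alphanumerics).
AWS_ACCESS_KEY_ID = re.compile(rb"\bAKIA[0-9A-Z]{16}\b")

ARCHIVE_SUFFIXES = (".zip", ".tar", ".tar.gz", ".tgz", ".gz")


def is_binary(data: bytes) -> bool:
    """Cheap skip_binary heuristic: a NUL byte within the first 8 KiB."""
    return b"\x00" in data[:8192]


def scan_bytes(data: bytes, vpath: str, findings: list) -> None:
    """Run the detector over one in-memory file, recording 1-based line numbers."""
    if is_binary(data):
        return
    for lineno, line in enumerate(data.splitlines(), start=1):
        if AWS_ACCESS_KEY_ID.search(line):
            findings.append({"file": vpath, "line": lineno,
                             "detector": "aws-access-key-id"})


def walk(data: bytes, vpath: str, findings: list, depth: int = 0,
         max_depth: int = MAX_ARCHIVE_DEPTH) -> None:
    """Scan ``data``; if it is an archive, recurse into its members in memory."""
    lower = vpath.lower()
    if not lower.endswith(ARCHIVE_SUFFIXES):
        scan_bytes(data, vpath, findings)
        return
    if depth >= max_depth:
        return                                   # guardrail: do not descend further
    if lower.endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # Check the declared size before inflating (zip-bomb protection).
                if info.is_dir() or info.file_size > MAX_FILE_SIZE:
                    continue
                walk(zf.read(info), f"{vpath}::{info.filename}", findings,
                     depth + 1, max_depth)
    elif lower.endswith((".tar", ".tar.gz", ".tgz")):
        # mode "r:*" transparently handles plain and gzipped tars.
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            for member in tf:
                if not member.isfile() or member.size > MAX_FILE_SIZE:
                    continue
                walk(tf.extractfile(member).read(), f"{vpath}::{member.name}",
                     findings, depth + 1, max_depth)
    else:
        # Bare .gz holds one member; name it by stripping the suffix. The size
        # check here runs after decompression; a capped streaming reader is stricter.
        inner = vpath.rsplit("::", 1)[-1][:-3]
        payload = gzip.decompress(data)
        if len(payload) <= MAX_FILE_SIZE:
            walk(payload, f"{vpath}::{inner}", findings, depth + 1, max_depth)


def scan_blob(data: bytes, root_name: str,
              max_depth: int = MAX_ARCHIVE_DEPTH) -> list:
    """Entry point: scan one artifact held in memory and return its findings."""
    findings: list = []
    walk(data, root_name, findings, 0, max_depth)
    return findings


def build_nested_release() -> bytes:
    """Constructed fixture: release.zip -> bundle.tar.gz -> config/keys.json."""
    keys_json = (b'{\n  "region": "us-east-1",\n'
                 b'  "aws_access_key_id": "AKIAIOSFODNN7EXAMPLE"\n}\n')
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w:gz") as tf:
        info = tarfile.TarInfo("config/keys.json")
        info.size = len(keys_json)
        tf.addfile(info, io.BytesIO(keys_json))
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README.md", "# release\n")
        zf.writestr("bundle.tar.gz", tar_buf.getvalue())
    return zip_buf.getvalue()


if __name__ == "__main__":
    for f in scan_blob(build_nested_release(), "release.zip"):
        print(f"{f['file']}:{f['line']}  {f['detector']}")
```

With the default depth the walker reports `release.zip::bundle.tar.gz::config/keys.json:3`; with `max_depth=1` it opens the outer zip, scans README.md, and refuses to descend into bundle.tar.gz, so the same key goes unreported. That is the trade-off the depth guardrail makes, and why it should be set from the deepest nesting your build actually produces rather than left small for speed.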

Deep scan findings include full virtual paths:

{
  "file": "myapp.tgz::templates/deployment.yaml",
  "line": 47,
  "detector": "aws-secret-key",
  "severity": "high"
}

This makes it easy to locate and fix secrets, even in deeply nested artifacts.